PHOENIX Project helping to Uncover the pan-European Cyber Threat Intelligence (CTI) Data Wealth
Sharing CTI information has been recognized worldwide as a significant step in fighting cybersecurity breaches. What if, instead of sharing plain cybersecurity incident data, Electrical Power and Energy System (EPES) providers could receive the coordinated or cascading context of cyber-attacks at the pan-European level? The PHOENIX Incidents Information Sharing Platform (I2SP) employs AI methods to achieve this.
Confidentiality, Integrity and Availability are the properties of communication networks, services or data that a security incident can negatively impact. To cope with violations of those properties, security is embedded in the architectural designs of communication networks and services. However, security incidents cannot be excluded from happening, and one needs to handle them and capitalise on the knowledge obtained. In this respect, sharing of security incident information is a feature rather than an option: it needs to be inherently supported and maintained, in terms of the necessary infrastructure and related processes. Two distinct roles are foreseen: the Data Owner, which maintains the source information, and the Data Receiver, which obtains that information.
Sharing of security incident data could be done without any further processing of such data. In this case, the Data Owner determines the security information that can be shared and also indicates the specific Data Receivers that may obtain it. The security incident information shared is not processed, enhanced or augmented with information coming from any other Data Owners. This kind of information sharing may be relevant when the Data Receiver operates in a domain similar to that of the Data Owner. Furthermore, it requires an explicit agreement between the Data Owner and the Data Receivers regarding the type of information to be shared, according to what the Data Receiver perceives as relevant.
However, the security incident information shared in this case is limited to specific Data Owners and lacks a holistic or aggregated view of security incidents. A Data Facilitator/Processor, placed between Data Owners and Data Receivers, can support a regional or cross-national view of security incidents. This new actor could maintain and implement the necessary data sharing policies and communication capabilities for sharing security incident information between Data Owners and Data Receivers. Additionally, it could process the shared information and make the results available to the Data Receivers. In this way, it provides added-value services for them while eliminating any data processing costs for the Data Owners.
In the context of the PHOENIX project, the role of a Data Owner can be undertaken by the Electrical Power and Energy System (EPES) providers, including Utilities, Aggregators and Energy Generators. These are the primary sources of security incident information. They just need to determine which information will be shared and agree that the results of the processed information can also be shared with relevant or interested Data Receivers.
The Data Receivers can be understood as the Computer Emergency Response Teams (CERTs) or the Computer Security Incident Response Teams (CSIRTs) of EPES, or any national or EU-relevant (e.g. ENISA) security organisations. Such entities may have a national, regional or European interest in security incidents.
Finally, the Data Facilitator/Processor role is fulfilled by the PHOENIX Incidents Information Sharing Platform (I2SP). I2SP is a distributed pan-European IT platform aimed at sharing Cyber Threat Intelligence (CTI) data and alerts between the EPES stakeholders, Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) at the pan-European level. I2SP honours both the sharing authorisations defined by Data Owners and the registered interest of Data Receivers in obtaining security incident information, while at the same time providing security incident processing services.
I2SP employs statistical and machine learning analysis to process security incident information in order to:
- Suggest possible mitigation actions and countermeasures
- Determine possible targets of attacks in terms of:
  - Geographical location/area that could be affected
  - Time window of the potential attack
  - Administrative entities that could be affected
- Identify any coordinated attacks or cascading effects and alert the relevant Data Receivers
In this manner, the introduced Data Facilitator/Processor provides both data sharing and processing capabilities, interconnecting the Data Owners with the Data Receivers. At the same time, I2SP frames this process within a sharing policy context that both protects and enables collaboration and coordination between the providers and the relevant cyber security entities.
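The two mechanisms described above, policy-filtered forwarding (owner authorisation combined with receiver interest) and detection of coordinated attacks across several owners, can be made concrete with a small model. The following Python is an added illustration written for this article; it is not PHOENIX I2SP code, and the owner, receiver, region and indicator values are constructed. It assumes that a record passes to a Data Receiver only when the owning Data Owner has authorised that receiver and the receiver has registered interest in the affected region, and that a "coordinated" alert is raised when the same indicator is reported by at least two independent owners within a time window.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    """One security incident record as submitted by a Data Owner (constructed fields)."""
    owner: str            # Data Owner identifier
    indicator: str        # shared observable, e.g. a malware family label or a hashed source address
    region: str           # country code of the affected site
    observed_at: datetime


class Facilitator:
    """Hypothetical Data Facilitator/Processor: policy-filtered forwarding plus aggregation."""

    def __init__(self):
        self.authorisations = {}             # owner -> receivers allowed to obtain its incidents
        self.interests = {}                  # receiver -> regions it has registered interest in
        self.sightings = defaultdict(list)   # indicator -> [(owner, region, observed_at)]

    def authorise(self, owner, receivers):
        self.authorisations[owner] = set(receivers)

    def register_interest(self, receiver, regions):
        self.interests[receiver] = set(regions)

    def _eligible(self, owners, regions):
        """Receivers authorised by at least one of `owners` AND interested in at least one of `regions`."""
        allowed = set().union(*(self.authorisations.get(o, set()) for o in owners))
        return sorted(r for r in allowed if self.interests.get(r, set()) & set(regions))

    def route(self, inc):
        """Receivers that may obtain this single record (no processing, as in the plain-sharing case)."""
        return self._eligible([inc.owner], [inc.region])

    def ingest(self, inc, window=timedelta(hours=24), min_owners=2):
        """Store the sighting; return (receivers for this record, coordinated-attack alert or None)."""
        self.sightings[inc.indicator].append((inc.owner, inc.region, inc.observed_at))
        recent = [(o, r) for o, r, t in self.sightings[inc.indicator]
                  if abs(inc.observed_at - t) <= window]
        owners = sorted({o for o, _ in recent})
        alert = None
        if len(owners) >= min_owners:        # same indicator seen by several independent owners
            regions = sorted({r for _, r in recent})
            alert = {"indicator": inc.indicator, "owners": owners, "regions": regions,
                     "notify": self._eligible(owners, regions)}
        return self.route(inc), alert


def demo():
    """Constructed scenario: two owners report the same indicator three hours apart."""
    f = Facilitator()
    f.authorise("utility-A", ["cert-EU", "csirt-GR"])
    f.authorise("aggregator-B", ["cert-EU", "csirt-IT"])
    f.register_interest("cert-EU", ["GR", "IT", "DE"])
    f.register_interest("csirt-GR", ["GR"])
    f.register_interest("csirt-IT", ["IT"])
    t0 = datetime(2021, 3, 1, 10, 0)
    events = [
        Incident("utility-A", "ind-7f3a", "GR", t0),
        Incident("aggregator-B", "ind-7f3a", "IT", t0 + timedelta(hours=3)),
        Incident("utility-A", "ind-0c1d", "GR", t0 + timedelta(days=2)),
    ]
    return [f.ingest(e) for e in events]


if __name__ == "__main__":
    for receivers, alert in demo():
        print("forward to:", receivers, "| alert:", alert)
```

Note the asymmetry the model makes visible: csirt-IT never receives utility-A's own record (it is not authorised by that owner), yet it is notified of the coordinated alert because aggregator-B authorised it and its registered region is involved. That is exactly the added value a facilitator provides over bilateral sharing, and it is why the sharing policy must govern the processed results as well as the raw records.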