DOSS elaborates a secure-by-design methodology and implements related technology for complex IoT architectures, based on supply chain monitoring, component testing and architecture modelling. The project establishes a “Supply Trust Chain” with integrating key stages of the IoT supply chain into a digital communication loop to facilitate security related information exchange. The technology includes security verification of all hardware and software components of the modelled architecture. A new “Device Security Passport” will be defined for 3rd party hardware and its components. 3rd party software, open-source applications, as well as in-house developments will be tested and assessed. The centrepiece of the proposed solution is a flexibly configurable Digital Cybersecurity Twin, able to simulate diverse IoT architectures. It will employ AI for modelling complex attack scenarios, discovering attack surfaces, and elaborating the necessary protective measures. The digital twin will provide input for a configurable, automated Architecture Security Validator module which will assess and provide pre-certification for the modelled IoT architecture in respect of relevant, selectable security standards and KPIs. To also ensure adequate coverage for the back end of the supply chain the operation of the architecture will also be protected by secure device onboarding, diverse security and monitoring technologies and a feedback loop to the digital twin and actors of the supply chain, sharing security relevant information. The procedures and technology will be validated in three IoT domains: automotive, energy and smart home. This new secure-by-design approach for complex IoT operations will be an early implementation of the concept and requirements of the proposed European Cyber Resilience Act and will provide an operational reference model. Based on our learnings and experiences we will make policy recommendations and will contribute to standardisation.

IoTAC project aims to deliver a novel, secure and privacy-friendly IoT architecture that will facilitate the development and operation of more resilient IoT service environments through (i) monitoring and evaluation of applications security throughout the broader software development lifecycle; (ii) the introduction of an advanced access control mechanism based on new interactions and workflow using chip card and PKI technology; (iii) the runtime monitoring of the system as well as provisioning of security countermeasures that are implemented both at hardware- and at software-level and (iv) associated platforms which will provide security certification of the produced applications and system, based on international security standards, best practices and the research results of the project. The results will be demonstrated (TRL5) with four IoT use case implementations. The consortium comprises all stakeholders of the IoT ecosystem, service operators, OEMs, technology providers, developers, security experts, as well as research and academic partners. The end users will be involved by using a living lab environment. Objectives of the project will be fostered by a strong dissemination and communication program also comprising standardisation and community building, supporting the commercial and scientific exploitation of the results.

The more complex and critical that many systems becoming nowadays, the more they are developed by integrating different (sub-)components, even third-party hardware/software components. With the pressure of time to market, and the ever-evolving security threats, getting more complicated than ever with the breakthroughs in Generative Artificial Intelligence (GenAI), how to enable more secure development and integrations of critical systems to be assured for security? These huge challenges must be addressed to make “secure services, processes and products, as well as to robust digital infrastructures capable to resist and counter cyber-attacks and hybrid threats” as called for in the EC’s Strategic Plan 2021-2024. Addressing exactly these challenges, the overall objective of SECASSURED is to deliver innovative security engineering solutions with (AI-based) security services to achieve novel holistic assurance-driven security engineering, capable of (1) increasing software, hardware and supply chain security by identifying cybersecurity and regulatory risks while integrating (both commercial and open-source) components, even third party ones, (2) providing virtual, secure environments for the automated assessment of system components including AI components and their secure integration, and (3) continuous assurance-driven security engineering with a holistic toolbox of (AI-based) security services. It paves the way of secure continuous system integration of (third-party) components, including AI components, across the computing continuum, and implements EC's evolving security and privacy regulations, as well as the strategy of human-centric AI.