The EnergyShield project will develop an integrated toolkit covering the complete EPES value chain (generator, TSO, DSO, consumer). The toolkit combines novel security tools from leading European technology vendors and will be validated in large-scale demonstrations by end-users. The EnergyShield toolkit will combine the latest technologies for vulnerability assessment (automated threat modelling and security behaviour analysis), monitoring & protection (anomaly detection and DDoS mitigation) and learning & sharing (security information and event management). The integrative approach of the project is unique as insights produced by the various tools will be combined to provide a unique level of visibility to the users. For example, it will be possible to combine vulnerability scanning with automated threat modelling to provide insights into software vulnerabilities present in an architecture in combination with insights into what are the key assets, risks and weak links of the architecture. The toolbox will allow end-users to predict future attacks (as it provides insights to what attacks can be applied to the weakest links of the architecture) and learn from past attacks (for example using the insights from the vulnerability assessment and threat modelling to prevent attacks, and learning from attacks to update the probabilistic meta-model of the threat modelling). The toolkit will be implemented with the complete EPES value chain who will contribute to the specification, prototyping and demonstration phases of the project. Although the toolkit will be tailored to the needs of EPES operators, many of the technology building blocks and best practices will be transferable to other types of critical infrastructures. The consortium consists of 2 large industrial partners (SIVECO and PSI), whereof SIVECO is taking the lead supported by 6 innovative SMEs, 3 academic research organizations and 7 end-users representing various parts of the EPES value chain.

Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks, and to enable organisations to structurally stay ahead of the threat. SOCCRATES will develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs), that will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. The SOCCRATES Platform consists of an orchestrating function and a set of innovative components for automated infrastructure modelling, attack detection, cyber threat intelligence utilization, threat trend prediction, and automated analysis using attack defence graphs and business impact modelling to aid human analysis and decision making on response actions, and enable the execution of defensive actions at machine-speed. The SOCCRATES platform will be implemented and deployed at two pilot environments with highly complex and diverse ICT environments and typical application scenarios: an organisation’s internal SOC, and a Managed Security Service Provider. The threat trend prediction component will be deployed at a third pilot environment at which large amount of malicious infrastructure data is collected and analysed. The aim is to exploit the SOCCRATES platform and its components in commercial products. The SOCCRATES platform and innovative components enables organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the SOC. SOCCRATES’s outcome contributes to a more secure cyberspace and strengthens competitiveness in the EU digital single market.

The ICT environments of critical infrastructures (such as energy distribution systems) are composed of a large number of systems connected to form a complex system of systems. Recent initiatives to upgrade power systems into smart grids target an even tighter integration with information technologies to enable the integration of renewable energy sources, local and bulk generation and demand response. To fully estimate the security of an enterprise’s system architecture, a large number of issues must be considered. Enterprise systems security managers must be able to assess how vulnerabilities in one system influence vulnerabilities in other systems. In addition, security managers must be able to assess how individual vulnerabilities influence the security of the entire system of systems, given the protection solutions that are used in different locations in the architecture. The project will deliver and validate a tool that helps to 1) better understand current cyber security levels across complex enterprise-wide architectures, including relationships and interdependencies between systems, 2) prioritize areas to address and cyber security investments to pursue and 3) proactively manage cyber security e.g. when building or modifying architectures. The solution is based on a cybersecurity metamodel that 1) describes the qualitative structure (which assets, attacks and defences that should be included, and how these should be associated and 2) populates this qualitative structure with quantitative data (how likely different attacks are to succeed given the system parameter values and the presence or absence of different defences, using Bayesian networks). The tool generates a vulnerability “heat map” for each system configuration, allowing a user-friendly and visual comparison of the different alternatives. The project will validate the tool in 2 pilots with energy utilities in Sweden and Germany. The project duration is 24 months and the requested EC funding €1.6M.