An increasing number of vital services depend on digital systems – commercial transactions, health, safety, security and others that contribute to our general well-being. Disruptions to these systems – through deliberate "cyber" attacks, natural disasters or technical failure – could cause major economic and social damage. Moreover, the lack of users' trust regarding the security of online services and privacy protection jeopardises the exploitation of the full potential of information and communication technologies to foster innovation, economic growth and progress.
A coordinated action at the EU level is needed to respond to cyber-attacks and reinforce rules on personal data protection, as well as to ensure that critical networked systems are sufficiently secure and resilient.
The EU initiative on Critical Information Infrastructure Protection (CIIP) aims to strengthen the security and resilience of vital Information and Communication Technology (ICT) infrastructures.
Enhancing the EU preparedness to large-scale cyber attacks
The JRC is supporting the EU Critical Information Infrastructure Protection (CIIP) Action Plan by contributing to the organisation of pan-European cyber-security exercises. The JRC is also researching technical solutions to increase the level of realism of these exercises and is developing technical guidelines to help the preparation and implementation of cyber exercises in a multinational context.
Cyber-security exercises aim to raise the level of preparedness by confronting participants with artificial events and studying their reactions. These hypothetical events are structured around an exercise scenario. The process of presenting these events to the players according to the scenario is called "event injection". EXITO, the Exercise event Injection Toolkit, has been developed by the JRC in order to help the moderators of large scale, multi-party exercises. It has been designed as a communication and coordination tool to keep on track the execution of complex exercises with a large number of injects and players.
Cybersecurity training, research and development
Cyber-security exercises, tests and experiments might be disruptive and dangerous, due to the use of malicious code for example. Therefore, general purpose networking infrastructures are not suitable. Since 2009 the JRC has been developing an Experimental Platform for Internet Contingencies (EPIC), a network test-bed specifically designed to support the execution of repeatable and safe cyber-security experiments in a fully controllable experimentation environment.
The EPIC platform can efficiently recreate realistic network topologies and conditions for example, delay and loss characteristics of wide-area network (WAN) links of the Internet infrastructure. Furthermore, EPIC has the operational capability to recreate, in a controllable manner, a wide range of disruptions such as host and link failures, BGP hijacking or distributed denial of service attacks (DDoS) attacks.
Cyber-security in the context of smart grids
Cyber attacks constitute one of the main threats to critical infrastructures. Combining modelling and simulation with experimental activities, the JRC studies the cyber-security threats that cyber-physical systems like smart grids face.
In 2011 the JRC Experimental Platform for ICT Contingencies (EPIC) was extended in order to allow researchers to conduct real-time experiments with simulated physical systems tightly coupled with real cyber systems. The results demonstrated the magnitude of the threat posed by isolated and coordinated cyber-attacks, providing for the first time experimental evidence that today’s heavily interconnected power grids would hardly withstand sophisticated cyber-attacks without coordinated actions of grid operators in case of crises. These experiments provided a first insight in the security challenges of smart grids, paving the way for future research.
Classifying critical infrastructures and cyber-incidents
The JRC is building a classification system for the field of critical infrastructures protection. The work entails the construction of taxonomy in at least three languages, leveraging and eventually updating the methodology used in the sixties by the JRC while building a similar taxonomy for the nuclear field. The first expected result is draft taxonomy with a clear focus to the cyber-security sector. An additional element of this activity is the construction of a qualitative measurement system on the severity of cyber-incidents. This measurement system should be addressed both to the wider public for generic communications and to the information exchange systems active in the field for a "quick and dirty" assessment of the severity of incidents.
European Reference Network for Critical Infrastructure Protection
The JRC coordinates the European Reference Network for Critical Infrastructure Protection (ERNCIP), which aims at providing a framework for networking and co-operation between experimental installations experts and other stakeholders. Activities include sharing information on threats against critical infrastructures and their vulnerabilities, collaborating on appropriate measures to mitigate risk and boost resilience, carrying out critical infrastructure-related security experiments, as well as testing new technology, developing and harmonising testing methodologies, agreeing on evaluation, qualification and quality assurance methods and proposing standards.
Security for privacy and data protection
The JRC is carrying out research to assess new and emerging Information and Communication Technologies (ICT) in respect to their impact and associated risks for the European citizen, with the aim to identify ways and measures to protect the citizen against cyber-related threats.
Security of travel documents
Document security is high on the European agenda. In the State of the Union address in September 2016, President Junker mentioned the security of travel documents as “crucial for establishing the identity of a person” and that the Commission will adopt an action plan on document security to make residence cards, identity documents and Emergency Travel Documents (ETD) more secure.
For many years, travel documents have been subject to standards and security measures as defined in the ICAO Document 9303. Such security measures work on a double layer: traditional paper security features and electronic security features. Travel documents contain an electronic chip embedded which contains data about the document holder (including biometrics) which are protected using cryptographic measures based on the so-called public key cryptography. This type of algorithm uses two cryptographic keys. One of them, called public key, must be distributed in a secure way to allow trusted verification of the information secured by the algorithm. In chipped travel documents, this algorithm is called Passive Authentication and it relies on the fact that document issuers, i.e. countries, distribute their public keys in a secure manner to any authority that may need to verify the authenticity of travel documents identifying their citizens.
Ethical aspects of new ICT technologies
The JRC works towards early identification and characterisation of security related challenges posed by new and emerging Information and Communication Technologies (ICT)
Citizens' digital footprint
The JRC investigates how emerging technologies and digital trends affect the user’s safety and security in order to help forecast and tackle potential misuse of citizens’ digital information.
Cybersecurity Competence Survey
In the September 2017 Joint Communication "Resilience, Deterrence, and Defence: Building strong cybersecurity for the EU", the European Commission announced the intention to support the creation of a network of cybersecurity competence centres, with a European Cybersecurity Competence Centre at its heart, to stimulate the development and deployment of technology in cybersecurity.
To this end, the Joint Research Centre (JRC), in collaboration with DG CONNECT, proposed a cybersecurity taxonomy and classification scheme.
This taxonomy and classification scheme were used in an online survey, addressed to the European cyber-security research community, aiming to identify the cybersecurity competence centres.
Around 700 centres participated in this survey.