Unrestricted
Horizon 2020 Program (2014-2020)
Cybersecurity, Trustworthy ICT Research & Innovation Actions Security-by-design for end-to-end security
H2020-SU-ICT-03-2018
Cybersecurity cOmpeteNCe fOr Research anD InnovAtion 1†
Deliverable D3.1: 1st year report on community building and sustainability
Abstract: D3.1 provides an overview of the key WP3 achievements in Y1 of CONCORDIA. We present a high-level overview of the results we attained in each of the five tasks, our lessons learned, and our way forward for Y2.
Contractual Date of Delivery: Dec 31, 2019
Actual Date of Delivery: Dec 23, 2019
Deliverable Dissemination Level: Public
Editors: Marco Caselli (T3.1), Cristian Hesselman (T3.2, D3.1), Reinhard Gloger (T3.3), Felicia Cutas (T3.4), Aljosa Pasic (T3.5)
Contributors: Siemens, SIDN, CODE/MUNI/BADW-LRZ, EIT Digital, ATOS
Quality Assurance: Jakub Cegan (MUNI), Daniel Tovarnak (MUNI), Detlef Houdeau (IFAG), Thibault Cholez (UL)
1† This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 830927.
Ref. Ares(2019)7925128 - 29/12/2019
CONCORDIA CYBERSECURITY COMPETENCE FOR RESEARCH AND INNOVATION
Unrestricted, www.concordia-h2020.eu, 23 December 2019
The CONCORDIA Consortium
CODE    Research Institute CODE (Coordinator)    Germany
FORTH    Foundation for Research and Technology - Hellas    Greece
UT    University of Twente    Netherlands
SnT    University of Luxembourg    Luxembourg
UL    University of Lorraine    France
UM    University of Maribor    Slovenia
UZH    University of Zurich    Switzerland
JUB    Jacobs University Bremen    Germany
UI    University of Insubria    Italy
CUT    Cyprus University of Technology    Cyprus
UP    University of Patras    Greece
TUBS    Technical University of Braunschweig    Germany
TUD    Technical University of Darmstadt    Germany
MUNI    Masaryk University    Czech Republic
BGU    Ben-Gurion University    Israel
OsloMET    Oslo Metropolitan University    Norway
ICL    Imperial College London    UK
UMIL    University of Milan    Italy
BADW-LRZ    Leibniz Supercomputing Centre    Germany
EIT DIGITAL    EIT DIGITAL    Belgium
TELENOR    Telenor    Norway
ACS    Airbus Cybersecurity    Germany
SECT    secunet Security Networks    Germany
IFAG    Infineon    Germany
SIDN    SIDN    Netherlands
SNET    SurfNet    Netherlands
CYD    Cyber Detect    France
TID    Telefonica I+D    Spain
RD    RUAG Defence    Switzerland
BD    Bitdefender    Romania
ATOS    Atos Spain S.A.    Spain
SAG    Siemens    Germany
Flowmon    Flowmon Networks    Czech Republic
TÜV TRUST IT    TUV TRUST IT GmbH    Germany
TI    Telecom Italia    Italy
EFA    EFACEC    Portugal
ALBV    Arthur’s Legal B.V.    Netherlands
EI    eesy innovation    Germany
DFN-CERT    DFN-CERT    Germany
CAIXA    CaixaBank    Spain
BMW    BMW    Germany
GSDP    Ministry of Digital Policy, Telecommunications and Media    Greece
RISE    RISE Research Institutes of Sweden AB    Sweden
Ericsson    Ericsson AB    Sweden
SBA    SBA Research gemeinnutzige GmbH    Austria
IJS    Institut Jozef Stefan    Slovenia
Document Revisions & Quality Assurance
Internal Reviewers
1. Jakub Cegan (MUNI)
2. Daniel Tovarnak (MUNI)
3. Detlef Houdeau (IFAG)
4. Thibault Cholez (UL)
5. Christian Keil (DFN-CERT)
Revisions: we continually updated drafts of D3.1 on Confluence
Executive summary
The goal of WP3 is to reinforce Europe’s cybersecurity leadership by developing and evaluating building blocks for a European cross-sector cybersecurity infrastructure, specifically for collaborative threat handling, technology and service experimentation, training and education, and starting up new businesses. WP3 utilizes WP1’s technology developments and WP2’s industry pilots, and this inter-WP cooperation has been successfully initiated in Y1. The overall Year 1 WP3 achievements include the following:
• Task 3.1 has successfully met Y1 targets to establish the groundwork for information sharing of cyber threats. The Threat Intelligence Platform is under development and utilizes the MISP open source threat intelligence platform that was successfully validated at DFN-CERT. Testing with WP2's Telecom and Finance pilots has commenced.
• Task 3.2 is on track for developing the high-level architecture for the DDoS Clearing House, running a first version of the pilot, and its associated usability “cookbook”. A significant achievement was the establishment of the legal data sharing agreement for the pilot in the Netherlands. This will form the blueprint for the broader agreement needed for effective deployment at the EU level.
• Task 3.3 is on track to create a cyber security ecosystem to validate and demonstrate CONCORDIA’s results and to foster cyber security trainings. A steadily growing inventory of tools, cyber range platforms, and training offerings has been created. Task 3.3 also researched the possibility of sharing testing and training content across cyber range platforms in CONCORDIA.
• Targeting the development of an EU-wide cybersecurity educational ecosystem, Task 3.4 has successfully conducted the assessment of the EU's educational portfolio to develop the initial methodology for creating cybersecurity courses and an associated certification schema.
• Task 3.5, addressing community building activities to support startups, is on track. The background tasks of identifying startup stakeholder motives, challenges, and influence factors and the establishment of performance indicators have been completed.
Contents
1 Introduction
2 Building a threat intelligence platform for Europe (T3.1)
  2.1 Task objective
  2.2 Status
  2.3 Key achievements Y1
  2.4 Further Contributions and Outlook for Y2
3 Piloting a DDoS clearing house for Europe (T3.2)
  3.1 Task objective
  3.2 Status
  3.3 Key achievements Y1
  3.4 Outlook Y2
4 Developing CONCORDIA’s ecosystem (T3.3)
  4.1 Task objective
  4.2 Status
  4.3 Key achievements Y1
  4.4 Outlook Y2
5 Establishing a European education ecosystem for cybersecurity (T3.4)
  5.1 Task objective
  5.2 Status
  5.3 Key achievements Y1
  5.4 Outlook Y2
6 Community building, support and incentive models (T3.5)
  6.1 Task objective
  6.2 Status
  6.3 Key achievements Y1
  6.4 Outlook Y2
7 Conclusions and outlook
8 References
Annex A: Assessing the courses for Cybersecurity professionals already developed by CONCORDIA partners (T3.4)
  A.1 Executive summary
  A.2 The Landscape
  A.3 CONCORDIA ecosystem
  A.4 Conclusions
  A.5 Annexes
Annex B: Startup scene (T3.5)
1 Introduction
The goal of CONCORDIA’s WP3 is to develop building blocks for a European cross-sector (“horizontal”) cybersecurity infrastructure, specifically for:
• Collaborative threat handling (T3.1, T3.2),
• Developing and evaluating new technologies and services (T3.3),
• Training and education (T3.3, T3.4), and
• Starting up new businesses (T3.5)
Table 1 provides an overview of the key building blocks that WP3 provides and the tangible forms that they take:
• Technical designs (TD), such as for cybersecurity platforms (e.g., for threat intelligence), labs, testbeds, and tools (e.g., simulating adversary behaviour)
• Methodologies (M), for instance for setting up pan-European cybersecurity courses, trainings, and start-ups.
• Use cases (UC) of the technical designs and methodologies, for instance through actual cybersecurity courses and technical pilots.
For example, the DDoS clearing house (T3.2) consists of a technical design that we will use twice through a pilot in the Netherlands and in Italy and that will also result in a “cookbook” (methodology) that discusses how to develop, set up, and govern a DDoS clearing house. Similarly, CONCORDIA’s educational actions (T3.4) focus on developing methodologies and frameworks to design, certify, and teach courses for cybersecurity professionals, mid-managers, executives, and teachers as well as describe processes for using them.
Table 1. Key building blocks of CONCORDIA’s cross-sector cybersecurity infrastructure.
WP3 key building block | Output | Task
An intelligent decision support system for incident response teams using a shared threat intelligence platform | TD, M, UC | T3.1
A DDoS clearing house for proactively and collaboratively handling DDoS attacks using DDoS fingerprints | TD, M, UC | T3.2
A virtual lab for other CONCORDIA WPs, trainings, and (smaller) European cybersecurity companies in a post-CONCORDIA era | TD, M, UC | T3.3
Hands-on trainings for operational teams, for instance based on the concept of “cyber ranges” | TD, M, UC | T3.3
Cybersecurity educational instruments such as courses and curriculums for professionals and teachers (as part of the EEEC) | M, UC | T3.4
A “factory” for starting new cybersecurity businesses (start-ups), for instance in terms of IPR management and data sharing | M, UC | T3.5
The rest of this report provides an overview of the main results and lessons learned of WP3 in 2019, with a separate section for each of WP3’s tasks (Sections 2 through 6). We conclude with the overall status of WP3 and an outlook for 2020 in Section 7.
2 Building a threat intelligence platform for Europe (T3.1)
2.1 Task objective
The aim of Task 3.1 is to build and operate the CONCORDIA Threat Intelligence Platform, a logically centralized system that enables players from different sectors to share a wide variety of threat indicators in a trusted way. The platform will be able to automatically analyze threat information and seamlessly distribute appropriate event notifications. Its implementation will be based on existing components, such as the Malware Information and threat Sharing Platform (MISP) [1] and the Incident Clearing House developed in the project “Advanced Cyber Defence Centre” (ACDC) [2].
2.2 Status
Task 3.1 is on track and fulfilled the envisioned targets for Y1. The work carried out in Y1 prepared the ground for the comprehensive development of all activities related to threat intelligence information sharing in the next years of the project.
2.3 Key achievements Y1
Technology scouting
Task 3.1 started in January 2019 with a seminal discussion among all project partners with the goal of defining requirements and objectives for Threat Intelligence (TI) sharing. Later on, the collected feedback guided the search for TI platforms available on the market that could fulfill CONCORDIA’s needs. The TI platform of choice, MISP, was selected not just because of its comprehensive set of features but also for its maturity and its already-established wide-spread usage around Europe.
Created in 2011, MISP is an open source threat intelligence sharing platform supported by the Computer Incident Response Center Luxembourg (CIRCL). CIRCL is a partner of the SPARTA project, which increases the probability that MISP will become a standard in Europe. Originally developed cooperatively by CIRCL and NATO, MISP emerged as an effective and efficient solution to share Indicators of Compromise (IoCs) which, at that time, were exchanged only by email as unstructured textual data (e.g., PDF documents).
With the increase of cyberattack sophistication and the consequent need for collaborative analysis operated by distributed teams of security experts, the advantages of using MISP became clear and the project expanded to support a growing number of users: from individuals to world-wide private organizations as well as national and supranational CERTs (e.g., CERT-EU).
CONCORDIA platform for threat intelligence
Within CONCORDIA, the central MISP instance represents the core of the envisioned CONCORDIA Platform for threat intelligence sharing. MISP was deployed at DFN-CERT in June 2019 and is currently managed cooperatively by Siemens AG (principal and formal responsible) and DFN-CERT itself. A selected number of CONCORDIA participants (mostly related to the CONCORDIA “Telecom” and “Finance” pilots) started testing and interacting with the central MISP instance in November 2019, paving the way to the official roll-out phase in 2020.
In the second half of Y1, Task 3.1 focused on aligning activities and contributions of the involved partners. Those include topics such as: the role and actions of the Incident Clearing House (ICH) of DFN-CERT, the definition of a reference architecture for the CONCORDIA platform, the identification of the kind of information that will be shared among all stakeholders, and the techniques for gaining knowledge on top of the available data (e.g., machine learning).
While the ICH reactively informs resource owners of actual problems in their networks (e.g., bots detected connecting to their command and control server) and thus forwards incidents to the affected parties, the DDoS Clearing House (presented in Section 3) proactively shares fingerprints of detected DDoS attacks with other parties to facilitate easy mitigation once the attack comes their way. Since the already operational ICH requires established third parties as trust anchors to manage access to the ICH for the different classes of organizations (e.g., Trusted Introducer for CERTs), terms of access to the ICH as part of the CONCORDIA project were developed and shared with the consortium. The overall integration of the ICH within the CONCORDIA platform was preliminarily examined but will be more thoroughly discussed in the upcoming months.
At the time of writing, a basic set of interactions related to the CONCORDIA Platform has been identified. This is shown in both Figure 1 and Figure 2. Figure 1 emphasizes activities involving CONCORDIA stakeholders with either the central MISP instance or the ICH. This situation describes the status of threat intelligence sharing in CONCORDIA for the whole of Y1.
Figure 1. CONCORDIA Platform in Y1.
Figure 2, on the other hand, shows the intention of providing to the project a virtual single point of contact for all threat intelligence related activities. Components within the CONCORDIA platform will interact with one another to organize available threat intelligence information and thus transparently improve their services to all users.
Figure 2. CONCORDIA Platform Vision.
2.4 Further Contributions and Outlook for Y2
In the upcoming years, in order to populate the CONCORDIA Platform, all interested partners will work on generating threat intelligence indicators (e.g., FORTH is working on customizing and deploying state-of-the-art honeypot solutions for this purpose). These indicators will eventually be pushed to the central MISP instance and, thus, shared within the consortium.
Finally, an important contribution of T3.1 relies on the handling of “Course of Action” (CoA) data, namely, information on response actions to be performed to counteract cyberattacks and security breaches.
Within the CONCORDIA Platform, a specific component named “CoA Handling Platform” will be designed to fulfill this task. The CoA Handling Platform will not just collect CoAs but also evaluate them, correlate them, and contextualize the information to make it “ready to use”. These activities will pave the way for automated deployment of CoAs with the ambition of boosting computer emergency response teams’ efficiency and, thus, their capabilities to quickly respond to the rising number of cyber threats.
3 Piloting a DDoS clearing house for Europe (T3.2)
3.1 Task objective
The objective of Task 3.2 is to pilot a DDoS Clearing House with European industry for Europe to proactively and collaboratively protect European critical infrastructure against DDoS attacks.
The task’s key deliverables are a pilot in the Netherlands and in Italy and a DDoS clearing house “cookbook” that enables other sets of service providers to set up and operate their own clearing house.
3.2 Status
Task 3.2 is on track towards its goal, but we made more progress on the cookbook (e.g., in terms of further developing the clearing house concept) than on the pilot in the Netherlands itself, which we had not anticipated. The main cause is that the development of the draft data sharing agreement had a long lead time, partly because of staffing issues and partly because it took a while for the legal and tech experts to understand each other’s problem space and agree on a common approach. To tackle the latter, we will set up a permanent Legal working group for the pilot in the Netherlands (see lessons learned in Section 3.3).
3.3 Key achievements Y1
Experimental setup
We set up the first iteration of the DDoS clearing house pilot in the Netherlands, which focuses on creating and sharing DDoS fingerprints through ddosdb.nl, a central instance of DDoS-DB [3] that runs on the network of SIDN Labs. The NL pilot is a collaboration of 10 different organizations (e.g., ISPs, Internet exchange points, and government agencies), three of which are CONCORDIA partners (SIDN, SURFnet, and the University of Twente).
Data sharing agreement
We developed a simple data sharing agreement for the first phase of the pilot, covering basic legal aspects like objectives, liability, security, personally identifiable information (PII), and governance. The data sharing agreement is valid for a fixed but extensible duration of 6 months and is currently being reviewed by the pilot partners in the Netherlands. For simplicity, the DDoS fingerprints we share currently only include metadata and no packet captures (PCAPs).
The development of the data sharing agreement had a long lead time, partly because of staffing issues and partly because it took a while for the legal and tech experts to understand each other’s problem space and agree on a common approach.
Draft overall architecture
We developed the high-level architecture of the clearing house (Figure 3), which revolves around three key components: the dissector (generates fingerprints from DDoS traffic), DDoS-DB (distributes fingerprints and provides a searchable fingerprint history), and a converter (maps fingerprints to traffic filtering rules). Figure 3 shows an example in which service provider SP2 handles DDoS attack A and shares the attack’s fingerprint FP(A) with service providers SP1 and SP3. The operations teams of SP1 and SP3 use the fingerprint to reconfigure their infrastructure (e.g., by loading appropriate filtering rules into their routers), thus proactively preparing for attack A should it come their way as well. We refer to [5] for a discussion on how the Dissector works.
Figure 3. Service providers SP1, SP2, and SP3 using a clearing house.
Figure 3 also illustrates how the DDoS clearing house differs from the Incident Clearing House (see Section 2): the DDoS clearing house proactively shares fingerprints of detected DDoS attacks, whereas the Incident Clearing House reactively informs resource owners of actual problems in their networks (e.g., bots detected connecting to their command and control server).
System requirements
The partners in the Dutch pilot have also developed a report that provides an overview of the technical requirements and use cases to improve the clearing house’s key components (dissector, DDoS-DB, and converter). Examples of requirements include that the dissector must not include any sensitive information about the victim of a DDoS attack in a fingerprint (e.g., destination IP or MAC addresses) and that the DDoS-DB must allow an authenticated user to perform searches on the index of fingerprints and download them.
The requirements specification also contains a breakdown into 4 different dev-ops phases, with the first phase focusing on improvements to set up a stable “clearing house cycle”: from generating fingerprints using the dissector, to distributing them through DDoS-DB, and using the fingerprints in non-production routers.
The development of the requirements was a collaborative effort of the 10 partners in NL, using a system architect jointly funded by the Netherlands’ National Cyber Security Center (NCSC-NL), NBIP and SURFnet.
[Figure 3 diagram. Labels: DDoS Clearing House; DDoS-DB; Information layer; DDoS handling; Governance body; Rules and procedures; SP1 (receiver), SP2 (sender), SP3 (receiver). Legend: MS = Mitigation System, D = Dissector, C = Converter, L = Local DDoS-DB instance, F = Filter, FP = Fingerprint.]
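The fingerprint-to-filter path of the architecture, combined with the requirement that a fingerprint carries no victim data, as an added Python example; it is not code from the CONCORDIA dissector, DDoS-DB or converter. The fingerprint field names (`protocol`, `src_ips`, `src_ports`, `dst_ip`, `dst_ips`, `dst_mac`) and all sample values are assumptions constructed for illustration, and the converter only returns iptables command text for an operator to review.

```python
import ipaddress

# Hypothetical field names for victim-identifying data in a fingerprint.
VICTIM_FIELDS = frozenset({"dst_ip", "dst_ips", "dst_mac"})
PROTOCOLS = frozenset({"tcp", "udp"})
CHAINS = frozenset({"INPUT", "FORWARD"})
MAX_MULTIPORT = 15  # iptables multiport accepts at most 15 ports per rule

# Constructed sample fingerprint (documentation address ranges only).
SAMPLE_FP = {
    "key": "constructed-example-0001",
    "protocol": "UDP",
    "src_ports": [53],
    "src_ips": ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.7"],
    "dst_ip": "192.0.2.10",
    "dst_mac": "02:00:00:00:00:01",
}


def sanitize_fingerprint(fp):
    """Return a copy of fp with victim fields removed at every nesting level."""
    if isinstance(fp, dict):
        return {k: sanitize_fingerprint(v) for k, v in fp.items()
                if k not in VICTIM_FIELDS}
    if isinstance(fp, list):
        return [sanitize_fingerprint(v) for v in fp]
    return fp


def _valid_ports(ports):
    """Accept only integer ports in range; a peer-supplied string never passes."""
    for p in ports:
        if isinstance(p, bool) or not isinstance(p, int) or not 0 <= p <= 65535:
            raise ValueError(f"invalid port in fingerprint: {p!r}")
    return sorted(set(ports))


def _collapsed_sources(prefixes):
    """Parse source prefixes strictly as IP networks and merge adjacent ones."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
    return merged


def fingerprint_to_rules(fp, chain="FORWARD"):
    """Map a sanitised fingerprint to iptables command strings.

    Nothing is executed: the operator decides whether to load the rules.
    Every value is validated before it is placed into a command string,
    because fingerprints arrive from other organisations.
    """
    if any(k in fp for k in VICTIM_FIELDS):
        raise ValueError("fingerprint still contains victim fields")
    if chain not in CHAINS:
        raise ValueError(f"unsupported chain: {chain!r}")
    proto = str(fp.get("protocol", "")).lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {proto!r}")
    ports = _valid_ports(fp.get("src_ports", []))

    rules = []
    for net in _collapsed_sources(fp.get("src_ips", [])):
        tool = "iptables" if net.version == 4 else "ip6tables"
        base = f"{tool} -A {chain} -p {proto} -s {net}"
        if not ports:
            rules.append(f"{base} -j DROP")
        elif len(ports) == 1:
            rules.append(f"{base} --sport {ports[0]} -j DROP")
        else:
            for i in range(0, len(ports), MAX_MULTIPORT):
                chunk = ",".join(str(p) for p in ports[i:i + MAX_MULTIPORT])
                rules.append(f"{base} -m multiport --sports {chunk} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in fingerprint_to_rules(sanitize_fingerprint(SAMPLE_FP)):
        print(rule)
```
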
Dissemination
We presented the DDoS clearing house at 9 different conferences and workshops (see Table 2), including the key security conference in the Netherlands (the One Conference) and the CONCORDIA Open Door Event. All presentations are available at www.concordia-h2020.eu/publicity/.
Table 2. Task 3.2 presentations in Y1.
Date | Event
26-Nov-2019 | C. Hesselman and J. Santanna, “Fighting DDoS attacks together on a national scale”, SNiC 2019 ResilIT conference (national conference for student associations in computer science), Amersfoort, NL
05-Nov-2019 | C. Hesselman and J. Latour, “The DNS and the IoT: security and stability opportunities, risks, and challenges (for ccTLDs)”, ICANN66, Montréal, Canada
17-Oct-2019 | C. Hesselman, “Piloting a DDoS Clearing House for Europe”, CONCORDIA Open Door Event, Luxembourg City, Luxembourg
02-Oct-2019 | C. Hesselman and J. Santanna, “Fighting DDoS attacks together on a national scale”, One Conference, The Hague, NL
02-Sep-2019 | C. Hesselman, C. Hesselman, “Mitigation of IoT-based DDoS attacks”, APTLD76, Malaysia (remote presentation)
16-Jun-2019 | C. Hesselman, “Increasing trust in the digital infrastructure through a national DDoS clearing house”, Africa Internet Summit (AIS2019), Kampala, Uganda (remote presentation)
28-May-2019 | C. Hesselman, “Increasing the resilience of the Netherlands’ digital infrastructure together”, ISC2 NL Cyber Resilience Event, Amersfoort, The Netherlands
17-May-2019 | C. Hesselman, “Mitigating DDoS attacks from botnets through a national DDoS clearing house”, BotLeg Workshop, co-located with TILTing Perspectives 2019, Tilburg, the Netherlands
23-Feb-2019 | C. Hesselman, “Collaboratively increasing the resilience of critical services in the Netherlands through a national DDoS clearing house”, Internet Infrastructure Security Day at APRICOT 2019, Daejeon, South Korea (remote presentation)
Lessons learned
Our key lessons learned are:
The need for a DDoS clearing house is widely recognized. Based on the positive feedback we received on our talks, we conclude that the need for a DDoS clearing house is widely acknowledged. This is also illustrated by the Dutch partners’ investments in the clearing house pilot, both in-kind and in-cash. For example, all partners are putting in person months (both technical and legal experts) and NCSC-NL, NBIP, and SURFnet jointly funded a systems architect to further flesh out the overall architecture of Figure 3.
The DDoS clearing house needs to be part of a wider “anti-DDoS coalition”. The DDoS clearing house is an operational facility that needs to be supported by an active community, which we call an “anti-DDoS coalition” (in the Netherlands: the “Dutch anti-DDoS coalition”). Member organizations organize themselves into various working groups to provide continuity, for instance to develop and maintain work products such as iterations of the clearing house’s data sharing agreement, procedures and waiver agreements for DDoS exercises, and the rules of engagement for coalition members (e.g., membership rules). The Dutch partners in the pilot also expressed the need to carry out large-scale DDoS exercises together and actually ran one in the fourth quarter of 2019. As a result, we think of an anti-DDoS coalition in terms of two core operational tasks: running the DDoS clearing house and carrying out DDoS exercises.
We also learned that an anti-DDoS coalition should consist of two types of members: a core of organizations that have a joint operational relationship (sharing fingerprints and carrying out DDoS exercises) and a group of affiliated members that focus on sharing expertise and experiences (rather than operational activities). The objective of the entire coalition should be to further improve the protection of members’ critical services by sharing expertise, experiences, and operational data on DDoS attacks.
Anti-DDoS coalitions need a legal working group. The development and operation of the clearing house requires a working group of legal experts that collaboratively develop and maintain legal documents for various iterations of the pilot, such as the data sharing agreement, the waiver agreements for DDoS exercises, and the clearing house’s evolving governance structure. A legal working group speeds up the development and deployment of the clearing house because the people on the working group are closely involved in the topic and provide continuity when people are temporarily unavailable or change jobs (we experienced the latter first-hand in the Dutch pilot). In addition, a legal working group uses the combined expertise of its members, which will help align the legal documents with the different iterations of the pilot. We are currently setting up a legal working group for the Dutch coalition.
Personal trust is crucial at early stages. Personal trust between the 10 partners in the Netherlands was crucial to make progress in this early stage of the clearing house. For example, people were confident that they could reach consensus in the working group that develops the DDoS clearing house, which is why we opted for unanimous decision making in our current “governance model” (formalized as part of the data sharing agreement).
Keep data sharing agreement simple and scalable. The data sharing agreement needs to clearly articulate the purpose of the first iteration of the pilot, which is to experiment with exchanging DDoS fingerprints across different organizations to assess the usefulness and effectiveness of the clearing house. It also needs to cover other legal aspects (e.g., liability, security, PII, and governance), but only the bare minimum. This is important to keep the data sharing agreement simple and scalable and fit for experimentation. A future challenge is to evolve the data sharing agreement so that its level of simplicity and scalability continues to align with next pilot iterations.
Combining tech and legal expertise early on is a must. The data sharing agreement requires close collaboration between legal and technical experts from the start. For example, the tech folk need to provide guidance for legal experts on the concept of a DDoS fingerprint and highlight the purpose and nature of the data exchange (collaboration and experimentation). This is important to reduce legal uncertainty, which helps avoid conservative legal constructs (cf. [4]).
Combining research and operational expertise early on is a must. Early discussions with the operational teams who will work with the clearing house are important to get their requirements. For example, they need to be in control of installing filtering rules on their network infrastructure, which means that the clearing house should not install these rules automatically. Another example is that systems might fail under a DDoS attack, which means that ops teams also need the possibility to create fingerprints by hand through a UI or a command line tool and share whatever information they learned about the attack (e.g., suspected origin, protocol type).
CONCORDIA partners play a bridging role. SIDN, UT, and SURFnet play a bridging role between two different work streams: the development of the DDoS clearing house pilot in the Netherlands with 7 non-CONCORDIA partners and the more research type of work in CONCORDIA (T3.2 and T1.2). To enable the two work streams to advance more in parallel, we will create a separate experimental setup for CONCORDIA partners (ddosdb.eu) and share the results across the two work streams.
3.4 Outlook Y2
Our next steps for the NL pilot are to sign the data sharing agreement, start sharing DDoS fingerprints, and use the fingerprints to configure non-production routers. In addition, we have started fleshing out the requirements for the next iterations of the pilot and improving the dissector, DDoS-DB, and converter software.
Our other plans for 2020 include writing a blog on our lessons learned in the NL pilot (starting point for the DDoS clearing house cookbook), setting up an instance of the clearing house at SIDN Labs specifically for T3.2 (ddosdb.eu), and running experiments such as fingerprinting based on cross-VM DDoS traffic, clustering of fingerprints, and automatic generation of mitigation rules. We’ll also translate the data sharing agreement from Dutch to English to accommodate this activity and make it available within CONCORDIA (e.g., for T3.5).
Finally, we aim to increase cooperation within T3.2 and with other WP3 tasks, specifically:
• T3.1: to develop a technical design on how to share DDoS fingerprints through the CONCORDIA threat intel platform (in addition to through DDoS-DB)
• T3.3: to run ddosdb.eu in the CONCORDIA virtual lab (or first run it at SIDN Labs, then migrate it)
• T3.5: to provide input for the “start-up factory” and guidance on data sharing based on the first version of the DDoS clearing house cookbook.
4 Developing CONCORDIA’s ecosystem (T3.3) 4.1 Task objective TheobjectiveofT3.3istoestablishtheCONCORDIAcybersecurityecosystemwithvirtual labs,servicesandtrainingactivities.VirtualLabactivityaimstodevelopanecosystem that would support validations and demonstrations of CONCORDIA’sresultsonlargeITinfrastructuresandinsmallercybersecuritylabs.Servicesactivityaims to create a curated portfolio of public and proprietary tools and availablecybersecurity labs tocreateacutting-edgeadvantage for thepartners tospeedupresearchanddevelopmentofcybersecuritysystems.Trainingactivityaimstodevelopand continuously evolve cyber range trainings to achieve better automated andcustom-tailoredtrainingthatcorrespondtotheevolvingcyberthreatlandscape.
4.2 Status Task3.3isontracktowardsitsgoal.ThemainfocuswasonCyberTrainingandtheinventory of Cyber Ranges and Trainings is already available online (website:https://www.concordia-h2020.eu/map-courses-cyber-professionals and onconfluence forproject-internaluse).The first steps forexchanging scenariosweredoneaswellasthecooperationwithotherH2020projectsandpilotshasstarted.Thevisibility inServiceswasbetterthanexpected.TheconceptofaVirtualLab,whichreliesonServicesandTrainings,willneedtobediscussedfurtherwithintheWP3inthefuture(lessonlearned).
4.3 Key achievements Y1

Lessons learned: focus on cyber ranges

The idea along the lines of a common “live” testing lab must undergo a further discussion due to security, trust and privacy issues. Because of these reasons, emulation and simulation approaches are usually used in this context. After several rounds of information-gathering within the consortium we have learned that at the present time the most commonly reported manifestation of a cybersecurity lab is either a cyber range or a cyber range platform and related trainings. Our further efforts in Y1 were therefore focused on this very complex area. Cyber range (CR) is a multipurpose environment to execute complex cybersecurity scenarios in an isolated and safe manner – essentially a cyberspace counterpart to military testing and training ranges. Cyber range platforms, on the other hand, allow multiple instances of cyber range environments to be created on demand.

Virtual Lab

One of the goals of the Virtual Lab is to grant access to cybersecurity labs to partners and possibly also to certification bodies. This goal is very tightly connected to the Services and Training activities where several potential labs and solutions were mapped. Threat Intelligence (TI) platform and Central Clearing House (CCH) are currently hosted in the related tasks T3.1 and T3.2, respectively.
Services

In order to fulfil the objective of providing a curated portfolio of tools and services to CONCORDIA and the wider community, we integrated cybersecurity ecosystem content into the CONCORDIA website: https://www.concordia-h2020.eu/map-courses-cyber-professionals/ (see Figure 4). Thereby, all information is in one place and can easily be found.
Figure 4. Cyber Ranges and CTF Events within the CONCORDIA map² and calendar³.
As a first step, we gathered information about cyber ranges and training possibilities from CONCORDIA partners. More than 10 cyber ranges and cyber range platforms are either running or being created/set-up within CONCORDIA, for example at CODE, UL, ACS, RISE, and MUNI. These cyber ranges as well as Capture the Flag (CTF) events are already shown in the CONCORDIA map² (see Figure 4), which is a joint cooperation with T3.4. The map includes, for example, information about the place, security area (related to the research tasks in WP1), sectors (related to WP2), and additional information. In order to see the different cybersecurity events during the year, we are currently working together with different tasks to include them into the CONCORDIA calendar³, as shown in Figure 4 as well.

In a second step, recommended tools, like Chizpurfle (has a focus on testing vendor-specific system services of Android OS) and Frida (dynamic instrumentation toolkit for developers), are currently being collected internally and they are going to be displayed in the service catalog¹ in Y2. Further helpful information, like existing cybersecurity labs, will be available via the service catalog at the CONCORDIA website as well.

¹ https://www.concordia-h2020.eu/concordia-service-cybersecurity-tools/
Training

Cyber range platforms, CR-based trainings, and related tools are the main focus of the Training activity. Initial discussions were started with technical topics such as technical federation, exchange of scenarios, automatic execution of attack scenarios, scoring mechanisms and network simulation/emulation. Actual status and development at CODE, UL, ACS, RISE, MUNI, and other cyber range partners was taken into account. A joint workshop was held at CODE in order to broaden collaboration between CODE and MUNI.

A broader consensus was reached regarding technical federation of cyber ranges and CR platforms. At the present time CONCORDIA does not have ambitions to pursue this direction, as opposed to other pilots, for example. Instead, we are currently focused on researching the possibility of interchanging testing and training content (e.g. base virtual images, network topologies, SW configurations, and scenario descriptions) between cyber range platforms (e.g., MUNI Cyber Range, CODE Cyber Range, and UL Cyber Range). This will enable the partners to combine and share effort in the area of training creation via (partial) scenario exchange.

CODE, UL, and MUNI have their CR platforms in an operational state and as academic partners they are able to share details about their internal workings. MUNI created a first draft of a minimal network topology description format with the goal of sharing topology description between task partners. MUNI also started legal and technical procedures to release their Cyber Range Platform as open source in Y2, which is based on the KYPO cyber range concept developed at Masaryk University.

Six major events were held with CONCORDIA’s participation (see Table 3) that are directly related to the project¹ measurable KPI-DC-5 “More than four (4) Capture-the-Flag (CTF) competitions, training seminars, and training courses.”
Table 3. Training events in Y1.

CODE - CTF and CTF qualification | 22.-23.11.2019 | 120 participants
CODE’s Jeopardy-style CTF involved multiple categories of challenges for which the teams had a limit of 18 hours to solve. The teams had to go through an online qualifying CTF, where 29 out of 56 teams (6 from CONCORDIA) got qualified.
URL: https://ctf.code.unibw-muenchen.de/ctf-2019---the-5th-element-results.html

UL - Security Management Course | 18-22.11.2019 | 25 participants
The UL course provided an overview of methods and tools related to security management in an integrated manner, the different practical exercises being performed over the cyber range platform.
URL: http://telecomnancy.univ-lorraine.fr/fr/security-management

UL - Cyber Range Launch Event | 24.09.2019 | 150 participants
The UL Cyber Range Launch Event included an overview of CONCORDIA activities related to the cyber range, demonstrations of the cyber range.
URL: https://telecomnancy.univ-lorraine.fr/fr/inauguration

MU – KYPO Summer School on CS | 13-15.08.2019 | 20 participants
Hands-on tutorials and cybersecurity (CS) games for training of the Czech national team participating in joint venture with CyberSec4Europe.
URL: https://www.europeancybersecuritychallenge.eu.

JCODE - Workshop at CODE 2019 | 10.06.2019 | 40 participants
The aim of the workshop was to discuss the best practices and technologies required to simulate real systems. Furthermore, it was discussed how cyber ranges could provide a broader portfolio of scenarios for efficient training.
URL: https://www.unibw.de/code/jahrestagungen

MU - Cyber Czech Exercise | 21-22.05.2019 | 24 participants
The exercise was chosen to demonstrate cyber range platform capabilities to CONCORDIA representatives. The exercise trained technical skills, ability to collaborate, communicate, and share relevant information with management.
URL: https://www.concordia-h2020.eu/blog-post/cyber-training-defence-exercise/

T3.3 initiated cooperation with the other pilots (ECHO, SPARTA, CyberSec4Europe) and H2020 projects (THREAT-ARREST) in the area of cyber range platforms and CR-based trainings. With ECHO, SPARTA, and THREAT-ARREST, points of contact were established. With CyberSec4Europe, joint collaboration is already underway in the form of summer schools (executed and planned). Also, panel discussion Cyber Ranges in H2020 Pilots at IEEE NOMS 2020 conference was proposed to foster the idea of cooperation.

² https://www.concordia-h2020.eu/map-courses-cyber-professionals/
³ https://www.concordia-h2020.eu/cybersecurityevents/
⁴ https://www.concordia-h2020.eu/concordia-service-cybersecurity-tools/
4.4 Outlook Y2

Our plans for T3.3 in Y2 are:

Virtual Lab
• Collaborate with tasks T3.1 and T3.2 in terms of testing IT infrastructure.
• Gather more information in the context of existing cybersecurity labs.

Services
• Include more specific tools and training offerings into the CONCORDIA portfolio.
• Incorporate more Training events in CONCORDIA calendar.
• Provide a more fine-grained mechanism of filtering and search in the available CONCORDIA items.

Training
• Continue to work on a minimal network topology description format. Further pursue the idea of scenario exchange.
• If legally and technically possible, release KYPO Cyber Range Platform as open source.
• Participation in “IFIP summer school on Privacy and Identity Management” in collaboration with CyberSec4Europe.
5 Establishing a European education ecosystem for cybersecurity (T3.4)
5.1 Task objective

This task will contribute to the development of a European Education Ecosystem for Cybersecurity through a number of targeted actions addressing mainly the cybersecurity industry and its professionals (technicians, mid-level management, executives) and teachers.
5.2 Status

Task 3.4 is progressing as planned. The work performed in the first year on pooling, assessing and disseminating existing courses in the CONCORDIA consortium, and the communication activities around them, set solid grounds for developing a European Education Ecosystem for Cybersecurity. The findings of the feasibility study for a Cybersecurity Skills Certification Scheme will help further in closing the work on developing the framework for a CONCORDIA certificate and on the methodology for the creation of new courses already started in year 2019.
5.3 Key achievements Y1

In year 1, under task T3.4 we started working on four of the six task actions listed in the project plan, namely Action 1. Pooling, assessing and disseminating existing courses, Action 2. Design and develop a Cybersecurity specific Methodology for the creation of new courses and/or teaching materials, Action 4. Develop a framework for a CONCORDIA certificate to be attached to the courses produced by the consortium and Action 6. Contribute to building a European Education Ecosystem for Cybersecurity (Figure 5. Structure of the T3.4 actions and progress).
Figure 5. Structure of the T3.4 actions and progress.
Overview of cybersecurity courses offered by CONCORDIA partners

Action 1’s initial effort was allocated to collecting information on the existing courses offered by the CONCORDIA consortium to different categories of industry professionals in Cybersecurity within Europe such as technologists, mid-level managers, executives. The partners were invited to provide details via the EUSurvey platform on the content of the course, target audience, delivery format, language, certification, alumni, but also on the linkage of the course to the five pillars of the data-centric approach to Cybersecurity advocated by CONCORDIA, and on their association to the five core industrial pilots that CONCORDIA is focusing on, namely Telecom, Finance, Transport e-mobility, e-Health and Defense sectors.

In view of disseminating the CONCORDIA courses, we have plotted them on a dynamic map¹ on the project website. We also made available different filters which can be used to help professionals identify the trainings which best suit their needs for upskilling, reskilling or simply learning about cybersecurity. We also used the events calendar² as an additional channel for dissemination of the CONCORDIA courses by providing concrete dates where available (see Figure 6. CONCORDIA dynamic map of courses and excerpt from the calendar).
¹ https://www.concordia-h2020.eu/map-courses-cyber-professionals/
² https://www.concordia-h2020.eu/cybersecurityevents/
Figure 6. CONCORDIA dynamic map of courses and excerpt from the calendar.
By November 2019, no less than 33 courses organised by the CONCORDIA partners were plotted on the map. To these, a number of 27 external courses were added as we opened the map for external submissions. This endeavour is part of the task Action 6 as it helps contribute to building the European Education Ecosystem for Cybersecurity. The map will be updated on a continuous basis and aims at becoming the main source of information on available courses for cybersecurity professionals and for professionals interested in cybersecurity.

The courses were disseminated online via the CONCORDIA website (the courses map and the calendar), social media posts, and offline during events (Brussels – ECSO meetings; Rome – Women in cyber; Heraklion – ENISA summer school; Luxembourg - CONCORDIA Open Door 2019) – the links are:
• Launch the dynamic map on courses (during the GA 5/06):
  o https://www.concordia-h2020.eu/map-courses-cyber-professionals/
  o https://www.concordia-h2020.eu/news/towards-a-european-education-ecosystem-for-cybersecurity/
• Promote the dynamic map on social media:
  o https://twitter.com/FLCutas/status/1138378020094402560
• News item (calendar of courses) created on CONCORDIA website:
  o https://www.concordia-h2020.eu/news/concordia-calendar-courses/
• Dissemination activities on social media:
  o https://twitter.com/FLCutas/status/1166285862381989890
  o https://twitter.com/FLCutas/status/1159012919230849024
  o https://twitter.com/concordiah2020/status/1158762987454377984
  o https://twitter.com/BCarminati/status/1154070421379190784
  o https://twitter.com/FI_CODE/status/1158998271651713024
  o https://twitter.com/FLCutas/status/1154000779906150400
  o https://twitter.com/FLCutas/status/1151404667332694016
  o https://twitter.com/concordiah2020/status/1151396260793987072
  o https://twitter.com/EIT_Digital/status/1166247733780471808
  o https://www.linkedin.com/posts/felicia-cutas-18212332_concordia-calendar-for-cybersecurity-courses-activity-6564787038250377216-04jB
  o https://www.linkedin.com/posts/felicia-cutas-18212332_we-are-part-of-concordia-ecosystem-h2020-activity-6559706731482497024-LcQe
  o https://www.linkedin.com/posts/concordia-h2020_concordia-calendar-for-cybersecurity-courses-activity-6564528922619334656-AcEG
  o https://www.linkedin.com/posts/concordia-h2020_cybersecurity-skills-europe-activity-6557161779615539200-kUCt
  o https://www.linkedin.com/posts/eit-digital_cybersecurity-incidents-cost-businesses-40b-activity-6572017256409112576-Lfng
• News item to promote the updates linked to the courses
  o https://www.concordia-h2020.eu/news/concordia-map-60-cybersecurity-courses-collected-in-6-months/
• Promotion of the calendar and courses on Twitter:
  o https://twitter.com/FLCutas/status/1202154413940494336
  o https://twitter.com/FLCutas/status/1191642813647278080
  o https://twitter.com/FLCutas/status/1204348141052538880
Assessment of CONCORDIA courses

A significant part of the work on Action 1. Pooling, assessing and disseminating existing courses was devoted to assessing the existing CONCORDIA courses (Annex A: Assessing the courses for Cybersecurity professionals already developed by CONCORDIA partners (T3.4)). In view of doing so, we first outlined the key Cybersecurity needs and challenge areas, looked into the different Cybersecurity competencies needed and some of the relevant course offerings, explored the market needs in terms of cybersecurity skills and presented existing models in support of matching the companies’ needs with the skills offers.

We then asked the CONCORDIA industry partners about their needs in terms of skills and technical people and checked to which extent they are addressed by the actual CONCORDIA professional education offer. The conclusions were captured in Annex A: Assessing the courses for Cybersecurity professionals already developed by CONCORDIA partners (T3.4) and were/will be further used in developing the methodology for the creation of new courses and in feeding the CONCORDIA cybersecurity roadmap Education chapter. Content wise, the courses are various but not necessarily industry specific, especially the ones addressed to middle managers and executives. Besides, they cover mainly academic and technical knowledge and to a lesser extent business aspects and hands-on components, which part of the industry partners are looking for.

Methodology for the creation of new courses

Based on the observations drawn in Annex A: Assessing the courses for Cybersecurity professionals already developed by CONCORDIA partners (T3.4) assessing the existing CONCORDIA courses and the education environment for professionals, we have started developing, as part of the task Action 2, a methodology for the creation of new courses and teaching materials. The proposed methodology will have a business approach in the sense that it will start from the industry needs in terms of upskilling their personnel and/or hiring skilled workers. The document is structured in ten chapters as depicted in Figure 7. We plan to build it as a practical guide by providing under each chapter a checklist and referring to some best practice cases. The structure was validated internally with the partners contributing to the development of this action and is in the process of being developed. The methodology paper will be made available to the consortium partners at the beginning of year 2020.
Figure 7. CONCORDIA structure of the Methodology for creation of courses.
Towards a Cybersecurity Skills Certification Scheme

Progress has been made also in the task Action 4. Develop a framework for a CONCORDIA certificate to be attached to the courses produced by the consortium linked to the development of a framework for a CONCORDIA Certificate. We are currently finalizing the Feasibility study for a Cybersecurity Skills Certification Scheme assessing the need for the creation of such a certification scheme, and identifying specific profiles not currently covered by any certification scheme. The study looks mainly into the existing initiatives for cybersecurity careers and studies, cybersecurity body of knowledge, existing Cybersecurity skills certification schemes, and mapping existing certification schemes to competencies and levels. Based on the conclusions of the Feasibility study we will develop a Certification framework to provide the necessary information regarding the process of the skills certification specific to certain profiles - from the submission of the application to the achievement and the preservation of their certification, to describe the examination mechanisms proposed by CONCORDIA for the certification of knowledge, skills and other competences of the related professionals, and to look into the type of supporting technology to be used in the implementation of the framework.
5.4 Outlook Y2

In Year 2 we will continue updating the information on the cybersecurity courses for professionals with respect to the dates and new content and will promote them online and offline. The methodology for the development of new cybersecurity courses for professionals will be finalized and made available to the consortium in Q1-2020. The methodology will be afterwards applied to the Action 3 of T3.4 by developing new courses targeting industry mid-level management and executives. We also plan to finalize the work on the Feasibility study for the Cybersecurity skills certification scheme and on the Framework for the Certificate. The intention would be to test the Framework for the Certificate by applying it to a specific profile identified via the Feasibility study.
6 Community building, support and incentive models (T3.5)

6.1 Task objective

Task 3.5 has two objectives. The first is related to early stage startups and services that CONCORDIA could deliver to these stakeholders, including creation of future startups (e.g. today’s CONCORDIA researchers) and definition of support services that they might need. The second objective of the task is to develop and evaluate incentive models for data sharing, which will start in Year 2. In both objectives, collection of best practices and drafting of guidelines are examples of activities to be executed.

Task 3.5 contributes to CONCORDIA overall project objective O2, which states that “CONCORDIA addresses this with a governance model that combines the agility of a startup with the sustainability of a large center”. Task T3.5 is closely related to task T5.1, which focuses on “startup incubators”. We therefore jointly carry out information gathering activities.
6.2 Status

We are on track for the first objective of task T3.5. In Y1, we developed a first description of the concept of a “startup factory” and shared our preliminary results within CONCORDIA and with the larger cybersecurity community in Europe. These results are based on a set of research questions we articulated, a literature study, and interviews of several startup cybersecurity companies and researcher-entrepreneurs.

We captured the results of Y1 in an internal deliverable (see Appendix B), which was distributed to the partners involved and to the management board, as well as external advisors. The feedback was collected and discussed at the CONCORDIA Open Door Event in Luxembourg, with several alternative options for the further development of services for CONCORDIA startup community.
We observe that getting a cybersecurity business off the ground is slightly different from starting other IT businesses, given the market specificities (for more details see deliverable D6.3). The services and business model may vary due to the location or physical presence, but in some cases not entirely. A cybersecurity startup that targets SME customers, for example, might choose a local go-to-market strategy, while a niche solution could only use online sales channels. There are some guidelines and best practices available on the Internet¹ and entrepreneurship has been added to certain curricula, such as EIT Digital Master School², but the difficulty lies in approaching the demand side customers, which are often reluctant to work with the freshly established companies.

The second part of task T3.5 on data sharing incentives will start in Y2 because it depends on other CONCORDIA activities, such as T3.1, T3.2, and the WP2 pilots.
6.3 Key achievements Y1

Research questions articulated

Our first work product consisted of a set of research questions, which we articulated based on a literature study that covered topics such as cybersecurity-specific contexts, different kinds of financing options for startups, stakeholder motivations, and success factors. The research questions we focus on are:
• What are the motives for different stakeholders in “startup factory” schemes and services?
• How is the performance measured and how does it relate to cybersecurity key performance indicators in general?
• What are the external factors that shape or influence “startup factory” landscape for cybersecurity entrepreneurs in Europe?

We also interviewed selected spin-offs and startups to gain insight into these questions from their experiences, as well as some investors and other stakeholders. In parallel, we have carried out a literature study on services for early stage startups in other IT sectors. Finally, collection and analysis of data included comparison of findings from literature and public sources, in order to find specific challenges and gaps in the cybersecurity startup situation in Europe.

Startup factory proposition

We developed a first description of the concept of a “startup factory”, for instance in terms of its service definition, value proposition, and positioning. This is the main result of phase 1 (see Figure 8) that is establishing vision and, after all feedback is gathered from the management board, it will be also reflected in the strategy.
¹ So You Want to Run a Cybersecurity Startup, available at https://static1.squarespace.com/static/551468e4e4b0bd427144c108/t/560af216e4b053ff51a6e0d6/1443557910287/FullSiteSol-article-V4.pdf/
² https://masterschool.eitdigital.eu/programmes/sap/
The concept is based on reconciliation of innovation push and pull paradigms in a cybersecurity ecosystem such as CONCORDIA. Demand side customers, as well as large system integrators or consultants already present on the market, are able to better identify real business needs and derive or connect to innovative ideas coming from supply side academia or startups. Inside CONCORDIA these ideas could be tested before or in parallel to the business modelling or start of startup revenues. The mechanism that could be used could be Open Call (already described in the description of work) or as a part of the WP2.
Figure 1. Implementation of early stage startup services in 3 phases
Our definition is based on interviews with researchers-entrepreneurs and early stage startups, which are the startup factory’s main target groups. We for instance discussed other similar services with them (e.g., in terms of their gaps), the specificities of cybersecurity markets, and the relationships between the target audience of the startup factory and other stakeholders.

We drew up a first set of conclusions, which we presented at several events, such as CONCORDIA Open Door event in Luxembourg or CyberSec4Europe concentration event in Toulouse. Some examples are:
• Community building through networking and brokerage is fine, but startups would not pay for it.
• Support for skills and education including mentoring is highly welcomed and some startups are willing to pay for it, if organised at the regional level
• The concept of cybersecurity-specific incubators received positive feedback and these could be pan-European
• Startup vouchers (e.g. for use of testing facilities, or certification) are also seen as a good idea.
• At the moment there is no problem with access to finance, but startups have difficulty reaching customers without partnerships with trusted and established large companies. Partner matchmaking could be a good idea.
• Business development support in CONCORDIA is welcomed and KPIs should be related to “access to final customer” instead of pure financing
Participation in other events (e.g., ECSO Cyber Investor days and South Summit) had the objective of gathering opinions from early stage startups, in order to understand their needs as well as further promote the CONCORDIA startup community.

Startup challenges

Based on our literature study and the interviews we conducted, we identified four key challenges for cybersecurity startups:

Access to early adopter customers, which is critical for any new company, but in the case of cybersecurity it is much more problematic, since the business is based on trust. Customers do not want to be the first client and they often prefer well-known providers or brands, even if these established players lack agility or innovative products. This is even more the case for operators providing essential services or operating specific market segments such as defence, which are experienced in working with startups, for instance in the form of subcontractors of large companies.

Access to funds and financing, which seems to be rather satisfactory because startups have several alternative funding mechanisms at their disposal (e.g. incubators, open challenges or hackathons, cyber investor events etc), which is unlike a few years ago when the set of options was more limited and bank credits or “friends and family” financing models were predominant. However, solving finance issues does not solve all the problems for the startup. Investments from seed funds, for example, do not bring references and are not a guarantee for the solution deployment. Customers do not trust some existing references that come from research or innovation projects, and often ask for references from the operational environment with customers that are similar to them in terms of size and market segment. Here again, financing that mixes partnership with larger companies, or some sort of vouchers or incentive for first time deployment, was mentioned as one of the possible solutions.

Keeping up with the quickly changing cybersecurity landscape, which forces all stakeholders to continuously monitor technology and markets, as well as to implement internal innovation processes to maintain appropriate level of security. While this is an important activity for any company, it is more complicated for early stage startups because they often do not have resources for this kind of tasks. Similar concerns were expressed for future certifications, labelling and compliance tasks.

Developing business support services for startups, which is important because cybersecurity companies will be collaborating with many parties in many different ways in the future, including jointly entering the market and subcontracting. This translates to specific business model challenges, including cybersecurity startup value networks. Knowledge sharing and best practice exchange is expected with similar companies operating in other regions, universities, corporates, startups and other Member States. Support services, such as mentoring or business partnership building, will thus play a vital role.
6.4 Outlook Y2

In Y2, we will be comparing regional differences, such as the investments in different Member States, the ratio of venture capital available, cultural and institutional factors, risk appetite.

We will also look to join parts of this task with those from T5.1, which deals with more mature startups. Based on best practices we plan to publish a “Guide for young cybersecurity entrepreneurs”.

The work on data sharing incentives will also start in year 2, with stronger collaboration between pilot activities and tasks T3.1 and T3.2.
7 Conclusions and outlook

As a community building and sustainability activity, WP3 has fully met its objectives for Year 1 and proactively explored enhancements beyond the baseline activities scoped in the DoA. All WP3 activities are currently on track and all tasks have outlined their Y2 work.
Annex A: Assessing the courses for Cybersecurity professionals already developed by CONCORDIA partners (T3.4)

Abstract: This document is part of the deliverable D3.1 and is providing insights on the courses for Cybersecurity professionals already developed by CONCORDIA partners while placing them in the larger landscape of cybersecurity. The findings reflect the period of assessment between January – October, 2019, and will be further used as a basis for establishing a European Education Ecosystem for Cybersecurity.
Editors: Felicia Cutas
Contributors:
EIT Digital – Felicia Cutas
UMIL – Claudio Ardagna
UOP – Kostas Lampropoulos
UT – Mattijs Jonker
TUDA – Neeraj Suri
A.1 Executive summary

Cybersecurity as a concept in industrial and business environment was considered in the past as an afterthought of the design and operation of Information Technology systems process. This had to do with the lack of proper training and security awareness of the business/industrial professionals involved in such environments. Under the light of many cybersecurity attacks that have caused havoc at European and International level and produced considerable risks and damages, this attitude has considerably changed. Thus, nowadays, there is a growing need by the industrial professional community for learning basic but also advanced cybersecurity concepts. This is reflected in the considerable amount of offered cybersecurity courses by various European and international organizations. However, despite the plethora of options to learn there is a profound lack of coherency and holistic planning in this training and awareness effort since each offered course (or series of courses) is designed with different criteria from other courses (by another organization). Hence, in several cases this approach is confusing the trainee on what and how he should perceive cybersecurity concepts, as well as how to use them to cover his professional needs.

In CONCORDIA, we acknowledge the problem and try to address it by developing a European Education Ecosystem for Cybersecurity that will include a broad range of courses presented in a consistent and coherent manner, that will take into account the actual needs of both the industry and the industry professionals, and that will indicate the roadmap on how to design new courses serving the professionals in the best possible manner.

This document presents the portfolio of courses offered by the CONCORDIA consortium to different categories of industry Cybersecurity professionals within Europe such as technologists, mid-level managers, executives. This endeavor, along with other actions to be developed under WP3, aims at contributing to the development of a European Education Ecosystem for Cybersecurity.
The findings presented in this paper will be further used in developing a Cybersecurity specific methodology for the creation of new courses and teaching materials for Cybersecurity professionals, and for potentially identifying unmet needs in terms of courses. It will also contribute to developing a Cybersecurity Roadmap for Europe as part of the WP4.

The document is organized as a progression of 3 chapters that cover the following:

Chapter A2: outlines the major educational/competence building challenges related to the Cybersecurity sector while also introducing a non-exhaustive collection of available Cybersecurity courses for professionals, both online and offline. The chapter overviews trends in needs of European companies in terms of cybersecurity types/profiles of jobs openings on LinkedIn over the period April – October 2019 and closes by pointing to different models aiming at helping (future) Cybersecurity professionals in developing the needed skills to build their career within the sector. The intent is to contribute, as viable, to match the “demand and supply” for talent in terms of skills development.

Chapter A3: presents the currently available pool of Cybersecurity relevant courses already developed by the CONCORDIA partners. The data on these courses was collected as to reflect their linkage to the five pillars of the data-centric approach to Cybersecurity advocated by CONCORDIA, and also their association to the five core industrial pilots that CONCORDIA is focusing on, namely Telecom, Finance, Transport e-mobility, e-Health and Defense sectors. Furthermore, the CONCORDIA industry partners were queried on their needs in terms of cybersecurity skills and people, in an attempt to get a better understanding of the general skills gap challenge.

Chapter A4: closes with some recommendations on the characteristics of courses needed to be offered on the Cybersecurity skills marketplace as to face the current challenges and to support the increasing demand for Cybersecurity professionals.
A.2 The Landscape

What are the key Cybersecurity needs and challenge areas?

The digitization of industries, the constant increase in number of interlinked IoT devices, the dramatic rise in the data volumes and the pervasive use of ICT technologies in all walks of life are expanding the list of Cybersecurity risks.

A survey conducted by TUV Rheinland¹ lists 8 main trends in Cybersecurity for 2019. Relevant to our assessment exercise it’s worth mentioning the following trends. Trend 1: Cybersecurity has become a board-level issue, Trend 5: The Cybersecurity skills shortage will distort the labor market, and Trend 8: Cybersecurity will define digital economy winners and losers.

Indeed, it is important to acknowledge that Cybersecurity is not strictly an “IT matter” any longer, but it impacts all levels of the businesses and turned into a business risk. Cybersecurity strategies should address horizontally all departments of an organization and would need to be allocated reasonable funding, both for investing in technologies and in people at different levels. Thus, it becomes paramount to increase the trained workforce pool and to upskill the existing one, both in general knowledge but also in very technical ones.

According to the Varonis’ infographics The future of Cybersecurity budgeting², most C-level executives (60%) interviewed consider that the current solutions they have implemented in their organizations keep them safe from cyber threats, thus do not prioritize investment in information security products and services. The disagreement over priorities between the senior management and the Cybersecurity experts contributed to exposing the companies to data breaches. Nevertheless, the importance of cyber protection is more and more acknowledged and 75% of the organizations studied have increased their Cybersecurity investments in the past 12 months. It is not clear though to which extent, part of this budget is allocated to skills development within the organization.

More than 40% of cyberattacks³ are targeting small businesses. Besides, to date, 60% of small companies go out of business within six months of a cyber-attack. The skills shortage estimated to reach 1.5 million globally by 2020 will lead to an increase in salaries, making it challenging for the small organizations to attract talent so as to protect their organization. Consequently, if little investment in developing Cybersecurity skills within the organization is made, the cyber risk will turn into the main business risk.
1 https://img06.en25.com/Web/TUVRheinlandAG/%7B72babaf7-4989-4086-a89b-2536d75429b5%7D_TÜV_Rheinland_Cybersecurity_Trends_2019_EN.pdf
2 https://techaeris.com/2019/05/11/infographic-the-future-of-cybersecurity-budgeting
3 https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html
The Cybersecurity sector has a strong annual growth rate, as the worldwide market for information security is expected to reach €145 billion by 2020. Part of this growth is generated by startups and young companies from the Network and Information Security sector, whose innovative and agile way of acting brings an added value to the sector. An ENISA analysis on Challenges and opportunities for EU Cybersecurity startups¹ confirmed that the start-ups are as well impacted by the skills shortage because of the scarcity of the appropriate profiles and the cost of sourcing, which reduce their chances to scale-up. The same analysis identifies that on top of the category of investment and funding channels for the NIS start-ups are the following: investors specialized in Cybersecurity (e.g. accelerators); investors non-specialized in Cybersecurity; private stakeholders that provide support other than funding to NIS start-ups, such as private incubators, private accelerators and corporate open innovation in large companies. Some of these categories could be also looking into developing knowledge and be kept updated in the Cybersecurity area for the benefit of the startups they are investing in, and of the European Cybersecurity industry as a whole.

But the investors are not the only “un-conventional” category of professionals whose activities would benefit from acquiring knowledge on cybersecurity. Following the trend of digitization, the cyberattacks are threatening an increased range of industries, thus forcing a shift in skills needed to perform traditional tasks. For instance, in the health sector, physicians would not only need to take care of the patients but also to protect their data. The cybersecurity threats and some of the associated vulnerabilities that currently affect the health sector are well described in the publication Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients² which also recommends cybersecurity practices for small organizations³ and for medium and large organizations⁴. Same goes in the legal area where the practitioners would not only need to understand cybersecurity field if interested to become a cybersecurity lawyer but also to protect the information they are working with as a significant amount of data is collected during the process. Universities are expanding their offers as to prepare the new generations, but the practitioners should also get an understanding of the cyber domain and develop basic security skills.

When it comes to the IT professionals, the Tripwire Skills gap survey 2019⁵ revealed not only that the skills gap is growing and it is getting harder for the companies to hire skilled security professionals, but also the fact that the skills required to be a great IT security professional are changing at a faster pace.
1 https://www.enisa.europa.eu/publications/challenges-and-opportunities-for-eu-cybersecurity-start-ups
2 https://healthsectorcouncil.org/wp-content/uploads/2018/12/HICP-Main-508.pdf
3 https://healthsectorcouncil.org/wp-content/uploads/2018/12/tech-vol1-508.pdf
4 https://healthsectorcouncil.org/wp-content/uploads/2018/12/tech-vol2-508.pdf
5 https://www.tripwire.com/misc/skills-gap-survey-2019/
Both higher education industry and the professional training providers are working to address the increased skills need. But, as reflected in the ECSO paper Gaps in European Cyber Education and Professional training¹ there is a need for a transformation in the area. Cybersecurity is to be viewed as an emerging meta-discipline and not just an academic discipline. The academic education system approaches Cybersecurity from a holistic perspective whereas the professional training is usually focused on specific skills. As they are addressing different learning needs, they should both be part of a career development path. Besides, they should not work in isolation but cooperate and exchange knowledge.

One of the challenges the organizations are facing today when looking for Cybersecurity specialists, is the difficulty in matching the recruitment criteria with the studies and the qualifications listed in the CVs of the applicants because of the use of non-standard terminology. The adoption of a standard lexicon, including cyber role responsibilities² will help on the one hand companies identifying the right talent for the job, and on the other hand the education providers better shape their curriculum to match the cyber workforce needs.

Finally, as the cyber threats an organization is facing are diverse and would require different type of skills and perspectives, a diverse team³ should be built. The diversity within the team would require different backgrounds and personalities (techies, creative people, problem solvers, communicators, …) but also different age and gender. It will bring the advantage of reaching better outcomes as will help assessing situations from different perspectives and providing different approaches to problem solving.

1 https://www.ecs-org.eu/documents/publications/5bf7e01bf3ed0.pdf
2 https://niccs.us-cert.gov/sites/default/files/documents/pdf/cybersecuritytalentidentificationandassessment.pdf?trackDocs=cybersecurity%20talent%20identification%20and%20assessment.pdf
3 https://www.forbes.com/sites/extrahop/2019/07/19/how-to-combat-the-security-skills-shortage/#27db2e464eae

What are the different Cybersecurity competencies needed?

In the context of the CONCORDIA project and for the purpose of this analysis we use the term “Cybersecurity professionals” as including academia though mostly the broad group of industry representatives such as IT technical team members and experts, middle managers leading IT or non-IT technical departments, and executives of the companies. Since Cybersecurity is a horizontal issue impacting all digitized industries, the needs in terms of competencies might differ but the following elements could be considered generally valid:

• IT Technical team members – are looking for acquiring new knowledge, developing new skills, and to upskill the existing ones. This category could incorporate also the recent graduates and the students coming back to the universities to follow only specific Cybersecurity related modules.
• IT Technical experts and freelancers – are looking for expanding their Cybersecurity knowledge, or to test their skills in different scenarios.
• Middle-managers leading IT departments – are looking into learning about new techniques and/or solutions to identify, protect, detect, react fast and recover from a cyberattack.
• Middle-managers leading non-IT departments – are looking into understanding the general cyber related risks, and into practical techniques to be implemented as to avoid a cyberattack, and to recognize and know how to react in case such an event occurs. This category could include also non-traditional categories such as physicians, lawyers.
• Executives – are looking into having a general understanding of the Cybersecurity area and its impact on the business, investment and insurance wise included, as Cybersecurity is becoming a business risk. Cybersecurity Auditors within companies are also part of this group. This category incorporates also the startups and scaleups which do not afford having a specialized IT department to protect their business thus need to cover all the aspects of the business.
• Investors – are looking into developing knowledge and be kept updated in the Cybersecurity area, in view of placing funding in different cyber or non-cyber related businesses.
• Academia – are looking for enriching their theoretical knowledge with information on new protocols, techniques, products, services developed by the industry
• Non-IT employees – not necessarily actively looking into developing Cybersecurity skills but being asked by the company procedures to have a basic knowledge in the field in order to prevent and/or react properly in case of a possible cyber-attack. This category could include also the users in general.
Besides, in order to build a career in Cybersecurity one should be aware that apart from technical skills, soft skills such as analytical-, communication-, writing-, leadership skills should ideally be developed.

These needs are backed by the findings of the International Information System Security Certification Consortium (ISC)² in their 2018 (ISC)² Cybersecurity workforce study¹ in which Cybersecurity experts identified common challenges that could be addressed at the company level such as: the lack of security awareness among end-users; a lack of funding; not enough skilled staff available; a general lack of support/awareness from management about the urgency of Cybersecurity initiatives overall.

Furthermore, the (ISC)² study also depicts different skills areas identified by Cybersecurity professionals as important to be improved or enhanced in the future.
Figure A1. Credits: (ISC)²
1 https://www.isc2.org/-/media/ISC2/Research/2018-ISC2-Cybersecurity-Workforce-Study.ashx?la=en&hash=4E09681D0FB51698D9BA6BF13EEABFA48BD17DB0

It is important to note that, in today's data-driven environment and data-driven economy, a cyber-security professional must have competences in the area of data analysis. The latter in fact is of paramount importance for guaranteeing and verifying cybersecurity in modern architectures. Even more, the role of the data scientist is fundamental to get rid of novel threats and attacks. In fact, security is moving from application security to data security, meaning that cybersecurity depends on data security and the capabilities of correctly interpreting the data at our disposal. Today, many Artificial Intelligence approaches are applied for guaranteeing cybersecurity, while, in turn, cybersecurity techniques are applied to artificial intelligence to prove some security properties on them. The need of data analysis for cybersecurity is clear in all above boxes in Figure A1, and especially in the dark blue box – “top areas for improvement”, where a huge amount of data is collected every day (e.g., Cloud) and the ability of correctly analyzing them becomes fundamental (e.g., forensics). This is also true in the orange box – “areas to enhance and growth” pointing to the new effort supported by the European Commission in the definition of the EU Cybersecurity Certification Framework¹.

A look into the available course offerings

In the context of CONCORDIA, we consider the courses/trainings for Cybersecurity professionals as the courses to which a Cybersecurity professional can have direct access without being constrained to be enrolled in a full programme. These could be organized online, face-to-face, or could be blended.

A search on the Internet reveals that there is a plethora of courses addressing Cybersecurity professionals. The online courses are convenient to professionals as they offer full control on organizing people's time for studying thus helping them to cope both with the professional business life and the needs for upskilling or reskilling. These could be doubled by face-to-face courses for middle and senior managers or executives, or by specific competitions such as cyber-ranges for technical experts.

When it comes to the online courses, we identified the main platforms from the viewpoint of the users and of the Cybersecurity related content as being the following:
- Coursera² – has 33 million users and it has in its portfolio about 50 courses on Cybersecurity, most of them addressing introductory topics.
- edX³ platform – has 14 million users to which it offers only around 30 Cybersecurity related courses
- LinkedIn Learning⁴ - a learning platform with 9.5 million users, hosts around 120 courses on Cybersecurity, half of them addressing intermediate skill level, closely followed by courses aimed at developing basic skills levels
- Cybrary platform⁵ offers to its 2 million users about 500 cyber specific video courses for professionals as to develop their careers, but also for businesses in view of workforce development.
- ISACA⁶ (Information Systems Audit and Control Association) provides online, offline and mixed courses of different levels (foundation, practitioner) both for information security and Cybersecurity, including courses for Cybersecurity auditors. The courses are sanctioned by certifications. ISACA is a nonprofit global association that serves 140,000 professionals in 180 countries
- Udacity platform⁷ – has 8 million users but has only a small (9) number of security/Cybersecurity courses
1 https://www.enisa.europa.eu/news/enisa-news/the-european-union-agency-for-cybersecurity-a-new-chapter-for-enisa
2 https://www.coursera.org/
3 http://www.edx.org/
4 https://www.lynda.com/
5 https://www.cybrary.it/
6 https://www.isaca.org/pages/default.aspx
7 https://www.udacity.com/

Although they are addressing the same market, each platform is structuring the information based on its own model, and without making a reference to any common competence framework. Thus, it makes it difficult to compare the different offers and their attractiveness.

In an attempt to measure the reaction of the market to the risks the cyberattacks are bringing within the different industries, we used the public statistics offered by LinkedIn Learning platform over a period of 6 months and monitored the number of “views” of different Cybersecurity related courses. The figures confirmed for instance a reaction to the increased Cybersecurity risk for the business by registering a raise in number of “views” from one month to another (between 7-15%) on courses for managers such as “Reasonable Cybersecurity for business leaders”, “Cybersecurity for executives”, “Microsoft Cybersecurity: shutting down shadow IT”, “Cybersecurity for SMEs: essential training”, all launched in late 2018 or early 2019. The biggest increase in views (19-20%) is registered for the course “Transitioning to a career in Cybersecurity”, and the newly launched (June 2019) “Cybersecurity for IT professionals” and “The Cybersecurity threat landscape”.

With respect to the cyber-ranges, information is very scarce thus difficult to assess at this stage.

cyberwiser.eu¹ – the “Civil Cyber Range Platform for a novel approach to Cybersecurity threats simulation and professional training” newly launched end of 2018 and benefiting from H2020 funding, aims at providing a set of innovative tools to generate highly detailed exercise scenarios simulating ICT infrastructures to be used for Cybersecurity professional training, together with tools and solutions to simulate cyberattacks and defensive countermeasures. Cyberwiser.eu offers a “Behind the scenes: an in-depth look at the technology behind the CYBERWISER.eu Platform”²

The European Union Agency for Network and Information Security³ (ENISA) put at the disposal of interested professionals a comprehensive set of training materials in support of developing skills in the Incident Response and in the field of Operational Security. In May 2019, the ENISA CSIRT training material⁴ list was comprised of 42 titles, covering four main areas: Technical, Operational, Setting up a CSIRT and Legal and Cooperation. The offer for training courses for Cybersecurity specialists is, on the contrary, very limited. The trainings are available upon request by, for example, the National or Governmental CERT of the Member State, and must follow the EU regulation 526/2013.

ENISA and the Network and Information Security (NIS) education partners put together a NIS universities map⁵ under which there are grouped together courses and certification programmes linked to Network and Information Security, most of them for undergraduates, postgraduates or at master level. Out of the 551 courses spread around the EU28, 538 are offline courses (data valid in May 2019). Most of the courses are requiring registration in a full curriculum thus they are not specifically addressing the Cybersecurity professionals and their needs as defined in this paper. Nevertheless, the map provides valuable content mainly to technical people interested in developing a career in Cybersecurity industry, not necessarily engaged in a business activity and with no time restrictions.

1 file://cyberwiser.eu
2 https://www.cyberwiser.eu/news/behind-scenes-depth-look-technology-behind-cyberwisereu-platform
3 https://www.enisa.europa.eu/
4 https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material
5 https://www.enisa.europa.eu/topics/cybersecurity-education/nis-in-education/universities

Different international consulting companies and organizations include in their offers courses covering Cybersecurity topics:

Deloitte EMEA Cyber Academy¹ – offers online trainings, awareness programs, onsite trainings and a Hackazone Zone, an online learning platform containing over 125 challenges for performing hands-on exercises related to various Cybersecurity topics. They are targeting highly-qualified technical people but also executives and directive boards, technical and non-technical managers and executives and other employee grades.
The Deloitte Academy area of expertise covers Ethical Hacking, Secure Software Development, Reverse Engineering, Monitoring and correlation, DDoS, Advanced persistent threats, Forensic Analysis, Cyber Intelligence, Cybersecurity and Mobile Device Security.

PwC’s Academy² is offering specialized courses to professionals, companies, industries and government bodies in trending domains, between them the face-to-face course “Cybersecurity for Non-Cybersecurity Professionals” during which the participants will be getting involved in a proprietary virtual game – Game of Threats³.

EY Certifypoint⁴ – is offering courses for certifying auditors on different standards such as ISO/IEC 27001:2013 - Information Security Management System, or SS 584:2015 - Specification for multi-tiered cloud computing security, commonly known as MTCS

KPMG Cyber Academy⁵ offers a blended framework of e-learning, virtual classrooms and workshop-based face to face training. Their offer ranges from penetration testing and security architecture to identity access management and cyber maturity assessment.

1 https://www2.deloitte.com/bd/en/pages/risk/solutions/deloitte-emea-cyber-academy.html
2 https://www.pwc.com/sg/en/academy.html
3 https://www.pwc.co.uk/issues/cyber-security-data-privacy/services/game-of-threats.html
4 https://www.ey.com/gl/en/services/specialty-services/certifypoint/certifypoint---training-courses
5 https://home.kpmg/md/en/home/services/advisory/consulting/cyber-security/cyber-academy.html

What are the companies looking for?

Despite the large offer for free courses, companies are facing difficulties for filling up their Cybersecurity related positions. According to the job openings published on LinkedIn and monitored for 6 months between April-September 2019, the total number at the level of EU28 remains pretty much stable from one month to another and it is around 3500 ± 5%. In general, the average period for a position opened on LinkedIn is one month. The fact that the total number remains almost the same is a proof of the continuous need for professionals in the area. UK counts for one third of the positions opened followed in top 10 by The Netherlands, Germany, Portugal, France, Poland, Spain, Italy, Ireland and Belgium. (See Figure A2)
Figure A2: Cybersecurity jobs: positions opened – top 10 EU countries

When it comes to the experience required by the employer, the “Associate” level is most in demand, closely followed by the “entry level” positions. The most in demand job category in the cyber-domain is the IT, followed by far by the engineers. (Figure A3)

Figure A3: Cybersecurity positions opened per Experience level
If we contrast these data with the offer of courses displayed on the ENISA map with no pretention of an exhaustive analysis and aware about the limitations given by the subjectivity of the data, it can be observed that, countries with a big offer of courses, thus with presumably more entry level Cybersecurity skilled people, are not necessarily the ones also looking for hiring them and the other way around. For instance, Poland has 145 jobs opened in the Cybersecurity industry, but no course was reported on the NIS map. On the other hand, Slovenia encoded information about 12 courses on the NIS map, but the Slovenian companies have no positions open for entry and associate levels. (Annex A.5.5.)

How to match the companies needs with the skills offers?

Companies are usually looking for hiring already skilled IT technical people. Yet, in their absence, the companies try to re-skill and/or up-skill existing employees. This trend is confirmed also by the CONCORDIA industry partners questioned on the matter and described in the next chapter. But the process of developing, displaying, searching for specific skills should be based on a generally agreed structure as to ensure a common language on the skills market.

In support of this endeavor one can get inspired from the US National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework which depicts for different Cybersecurity workforce categories the necessary associated knowledge & skills and the list of tasks to be performed: NIST Special Publication 800-181¹. This framework document is of use for different workforce development, education, or training purposes. At the European level, as already mentioned, ECSO is calling for a specific framework for professional development in Cybersecurity, to be jointly developed with the relevant actors in the field.

The Cybersecurity Career Pathway² proposes an interactive structure by listing the core Cybersecurity roles at entry-, mid- and advanced-level and details the top skills and the top certifications requested for each position. As there is no clear and generally agreed taxonomy on the job titles in the industry, useful information is also provided on the common job titles employers list in job openings for each role while also positioning the individual roles in the most common NICE Cybersecurity workforce framework categories. An example for an entry level role is depicted in Annex A.5.1.

The tool is mainly designed for the use of those interested to start and develop a career in Cybersecurity. Nevertheless, the structure could be used also by the companies when deciding to open a new position on the job market, not only by benchmarking the salary expectations with respect to the competition and the demand but also using similar keywords when describing the tasks as to ease the match between their needs and the skills and qualifications listed by the applicants in their CVs.

A Cybersecurity Competency Model Clearinghouse³ was developed few years ago in the US in view of promoting skill sets and competencies essential to educate and train the workforce. The model is structured on 5 tiers: Personal Effectiveness Competencies, Academic competencies, Workplace Competencies, Industry-Wide Technical Competencies, Industry-Sector Functional Areas.
1 https://www.nist.gov/file/372581
2 https://www.cyberseek.org/pathway.html
3 https://www.slideshare.net/colleenlarose7/competency-model-clearinghouse
Annex A.5.2. includes more details linked to the different areas from Tiers 4 and 5 depicted in Figure A4: Cybersecurity Competency Model.

Figure A4: Cybersecurity Competency Model
At the European level, a concerted work on defining what are the competences needed to be owned/developed by different European actors playing a role in the Cybersecurity market or impacted by it, is currently pursued by ECSO in collaboration with their members, and the 4 Cybersecurity pilot projects. It will be based on existing competences frameworks such as European e-Competence Framework (e-CF)¹, NICE.

The work will build, between others, on the ECSO Information and Cybersecurity Professional Certification² paper which looked into the professional security certification schemes and frameworks in Europe as well as internationally. The main findings are around the fact that the industry is still very dependent on US-centric certificates which are not based on formal training. And, even if in some European countries first steps have been taken to set up a certification scheme, the uptake of these schemes is very limited. The authors of the paper recommend the establishment of an EU-wide certification and accreditation scheme as well as a European framework for professional development in Cybersecurity.

Also, the ECHO pilot project is looking for developing a Cyber-skills framework (E-CSF) as to address the needs and skills gap of cybersecurity professionals based on a mapping of the cybersecurity multi-sector assessment framework. It is intended that the E-CSF will be made up of learning outcomes, competence model and generic curriculum in order to establish a mechanism to improve the human capacity of cybersecurity across Europe. In view of achieving this goal, the ECHO pilot will leverage a common cyber-skills reference, derived and refined from ongoing and related work in the field (e.g., ECSO, e-Competence Framework, European Qualification Framework).

1 https://www.ecompetences.eu/
2 https://ecs-org.eu/documents/publications/5bf7e0d81b347.pdf
A.3 CONCORDIA ecosystem

We asked our CONCORDIA industry about their needs in terms of skills and technical people

In view of capturing the data, we invited the CONCORDIA industry partners to fill in a survey organized around two topics: Topic A - their practice in hiring cybersecurity related professionals, and Topic B - their needs in terms of developing cybersecurity skills within their organization.

The CONCORDIA industry partners are mainly representatives of the national and international corporate segment, and to a lesser extent the SMEs one. Less than 30% of the respondents are covering through their activities one or two of the Cybersecurity domains (see list and descriptions in Annex A.5.3.), while most of them develop activities touching 3-5 domains, with the Network-, Data/Application-Centric Security domains profiling on the top. When it comes to the industries they are active on, apart from the five CONCORDIA focus areas (telecom, finance, transportation, e-health and defence) some of the industry partners are also covering areas like semiconductor industry, energy, automation, IT, law, services.
The outcome of the survey can be summarized as follows:

Topic A. What are the organization’s needs in terms of NEW employee categories & the associated skills?

- When looking for hiring new employees, the level of cybersecurity skills requested with respect to the open position is depicted in the figure below. As expected, the IT related jobs require medium and high level of cybersecurity skills. Nevertheless, it can be observed that there is not yet a priority in asking non-technical people and executives to have basic skills in the area.

Figure A5. Job profiles vs. Cybersecurity skills level required when hired
- When asked about the relevance of the possession of a CERTIFICATE related to the cybersecurity skills in the process of recruitment, the answers are almost equally spread between Very relevant for IT positions - Relevant for IT positions – Relevant for all the positions – Not necessarily relevant – Not relevant. It is worth mentioning that the Not necessarily relevant – Not relevant options were selected mainly by the SME partners.
- 80% of the companies agree that an EU harmonized taxonomy related to the cybersecurity skills linked to different job positions would be useful in the process of recruitment
- In view of addressing cybersecurity needs within their organization, more than half of the organizations would rather prefer to hire an already skilled person than to re-skill or up-skill an existing employee. Nevertheless, in case they decide to invest in personal development of the employees, the in-house courses are preferred to external courses; yet, sometimes both options are approached in parallel: train and grow internally as well as hire from the outside.
- Additional practices in recruiting new employees were reported such as: hiring young people from academics as part time, and up-skill them via training-on-the-job; hiring from outside EU due to the lack of skilled personnel.
Topic B. What are your company needs in terms of cybersecurity skills development for EXISTING employees?

- When asked about what type of content for the courses the organizations are looking for for their employees the vast majority of them pointed towards a mix of technical, hands-on and cyber-business-oriented topics. The weight of the type of knowledge within a course varies though depending on the role the employee is playing in the organization.

Figure A6. Type of course content - overall
Figure A7. Type of course content per job

- Most of the companies surveyed are offering or would like to offer cybersecurity related courses to the different categories of their employees. Not surprisingly, the most targeted ones are the IT technical team seniors and juniors, but also the IT middle managers. The online format for courses is preferred by far while the blended format has the least traction.
- When it comes to the company normal practice with respect to the courses offered to their employees, apart from two companies declaring that they are offering the employees only courses developed in-house, all the others are offering a mix of the following options: Develop and run in-house; Contract a course provider to tailor the content for the specific needs; Allow employees to find an online course that fits their needs; Buy off-the-shelf courses.
- The employees are offered the possibility to attend a course for updating their cyber related knowledge with different frequencies which vary from “as frequent as needed” listed by most of the companies to “once every 2 years”, with a preferred length of 2-3 days in case of a Face-to-Face format.
- How important is the Certification option when buying a course for your employees? The in-house courses or baseline security courses offered to the employees are not necessarily selected because of the certification options. Yet the employer is interested in more than a certificate of attendance but of a Certificate issued by the training provider following a test/exam passed and/or Certificate offered by MOOC platforms as proof of the knowledge acquired. When it comes to the certifications based on standards, the following have been listed: CSX, CSX(P), OSCP, CEH, Cyber Essentials.
The CONCORDIA industry partners were also asked to list their top 3 immediate needs in terms of skills, considering the cybersecurity threats their organization is facing. The answers pointed mainly to traditional courses and varied from Security awareness and Security fundamentals to Solid understanding of mobile network security or Use of AI/Machine Learning; from Threat Intelligence analysis, Penetration testing and intrusion detection and Malware analysis, to Secure chip-design, Secure software-design and secure hardware-software co-design. Specific mentions were included on the importance of a hands-on, exercise-based approach including for the online format of delivery which should be as interactive and real life as possible.
Finally, thepartnerswere asked to addanyother comments linked todevelopingskillsforcybersecurityprofessionalsandwhichwerenotaddressedbythepreviousquestions. The most relevant of them are listed below and will be used in thedevelopment of the cybersecurity specific methodology for the creation of newcoursesandteachingmaterials.
“Need to easy to access and register courses, that are online, that are mobile device friendly, that cover concepts intuitively, and can provide links to more hands-on courses, if follow-ups are needed”
“We have a number of internal online courses which are obligatory for each employee and others that are obligatory for certain roles.”
“Coaching is an important part during the learning process. Could be on-line.”
“Cybersecurity professionals would benefit from the development of soft skills that could further support them to work in a collaborative manner.”
“Academic degrees, although interesting, appear to lack basic skills for the cybersecurity practitioners. When hiring a person with a degree in the subject, usually that only means that she/he has the potential to understand the subject provided specific theoretical and on the job training is provided. But even so, in some countries it is difficult to find even that. (e.g. Germany, Austria, ...)”
“the semiconductor industry takes a special place in the cyber security market; semiconductor companies stay at the beginning of the value chain for the security industry, which are focused on prevention of cyber attacks; secure microcontroller, means develop, qualify and certify products along ISO 15408, EAL 4+, 5+ or 6+”
CONCORDIA professional education landscape
CONCORDIA aims at establishing a European Education Ecosystem for Cybersecurity. The first step in this endeavor is to start collecting information on what the CONCORDIA consortium offers in terms of skills development (university and industry partners). This data will be contrasted with the needs in terms of skills of different CONCORDIA partners (mainly the industry partners) and of the market as to identify the potential unmet needs in terms of skills development. To this end we invited all the CONCORDIA partners to provide structured information on the courses/trainings they are organizing for Cybersecurity professionals. Apart from a general description of the course, its location and the language taught, the following information aligned to the CONCORDIA scope and objectives was also collected:
- Cybersecurity pillars addressed – Device-centric // Network-centric // System/Software-centric // Application/Data-centric // User-centric security – see description of the pillars in Annex A.5.3.
- Industry field addressed - with a focus on CONCORDIA sector-specific pilots: Telecommunication // Finance // Transportation/e-Mobility // eHealth // Defence
- Main target audience – different categories of industry professionals
- Type of course (face-to-face, online, blended)
- Entry requirements
- Type of Certification offered
By end of year 2019, the CONCORDIA partners both from industry and academia, provided information on a total of 33 courses (Annex A.5.4.). The data is displayed on a dynamic map [1] on the CONCORDIA website for the use of the community at large. The map provides different filters as to help match easier the specific need for skills development with the offer.
Over the course of the CONCORDIA project, the map will be periodically updated with the new courses/trainings developed by the different university and industry partners. Besides, in our effort for establishing a European Education Ecosystem for Cybersecurity, the map is open for submission of courses/trainings for Cybersecurity professionals organized by other European organizations. To date the map displays already 27 courses organized in Europe by different organizations outside the Concordia consortium. The map will thus have the potential to become a marketplace for Cybersecurity skills for professionals.
General considerations
Most of the CONCORDIA courses were launched in 2018 or 2019. They are usually running once or twice a year with few exceptions such as the Cyber Incident Game planned for 4 sessions over a year, and SINA basic scheduled twice a month, with 15 sessions in total over a year. The short courses are between one day and one week long and are addressing groups of 10 to 20 people. The longer courses of the equivalent of one university semester (12-14 weeks) are bringing together larger groups of participants, namely between 80-120. Most of the courses are offered against a fee.
Cybersecurity pillars
A close look into the data collected with respect of the five CONCORDIA Cybersecurity pillars (Annex A.5.3.) addressed reveals the fact that almost 40% of the courses are specifically targeting one cybersecurity pillar, while another 40% are offering content valid for two or three pillars. Nevertheless, some courses are tailored to develop more general skills relevant for all the five pillars.
The most addressed pillars are the Network-centric, followed closely by the Data/Application-centric security and the Software/System-centric pillars.
[1] https://www.concordia-h2020.eu/map-courses-cyber-professionals/
Interestingly, the least covered skills are in the area of Device-centric security which deals with data acquisition and the devices producing raw data such as embedded systems, sensors, IoT devices. The User-centric security pillar is also less addressed in the courses curricula although it deals with issues like privacy, social networks, fake news and identity management. This could be explained by the fact that CONCORDIA partners are mainly acting in the areas linked to the transportation and usage of data, and less in those dealing with data acquisition and devices producing raw data.
Figure A8: CONCORDIA courses – content vs. the cybersecurity pillars addressed
Industry fields
The five CONCORDIA sectors (Telecom, Finance, eHealth, Defence, Transportation/e-Mobility) are almost equally covered by the to-date CONCORDIA training portfolio with Telecom sector being the most addressed. The majority of the courses help develop skills applicable to at least 4 CONCORDIA industry sectors. Nevertheless, a number of other courses are targeting different other industries such as cloud, IoT, critical information infrastructure or operating systems, while almost a quarter of the courses are not related to any industry in particular.
Figure A9: CONCORDIA courses – content vs. industries relevance
Target audience
The existing CONCORDIA courses are mainly addressing the technical people, and to a lesser extent the middle managers of non-IT departments and the executives of big and small companies.
Figure A10: CONCORDIA courses – distribution of the target audience
Delivery method - F2F, online or blended?
According to the (ISC)2 Cybersecurity Workforce Study 2018, the employers’ main choice in offering skilling opportunities to employees is the online version as this is the most cost effective one from the management perspective. The face-to-face option ranks 5 in the list of options for professional development in the workplace, after conference attendance, personal study review and on the job with peers’ alternatives. On the other hand, the same study reveals that the employees are more prone to attend the face-to-face (F2F) courses as these give them more opportunities to interact and network, to exchange experiences, and it is closely followed by the internet-based training.
When it comes to the CONCORDIA courses, the vast majority of them is offered exclusively in a face-to-face format while only two are fully online and three others are blended. Thus, they are very much aligned to the employees’ appetite to consume this type of service.
Language taught
18 out of the 33 CONCORDIA courses are taught in English or offer this option as alternative to German or French. This already proves an openness to the European Cybersecurity skills market as language is not, in this case, a barrier. Nevertheless, 20% of the courses are exclusively taught in less common languages such as Czech, Dutch, Slovene or Italian.
Content
Content wise, the CONCORDIA courses are focusing on developing specific technical skills. This is reflected in the target audience whose main group is the technical team, followed by academia and students’ group. Nevertheless, some other courses take a broader approach to the topic and have low or no entry requirements thus are more accessible to a larger audience such as senior managers, managers of non-IT departments, startups.
Certification
To date, none of the courses organized by CONCORDIA partners are offering industry recognized certifications. Nevertheless, some of them are preparing the participants in view of applying for ISACA and (ISC)2 certifications. The vast majority of course providers are issuing certificates of participation, sometimes signed by a Cybersecurity expert. Others offer certificates of completion issued by a well-established online training platform such as Coursera.
Alumni
Although no consistent data was collected with respect to the participants to the courses organized by the CONCORDIA partners, the following information was considered to be a good estimate on the graduates so far:
- Total number of participants over the whole period the courses run: 5900+
- Gender distribution: 91% males and 9% females
- Age distribution: the majority of the attendees are in their early stages of their careers or in the growing stage as 62% of them are between 25-34 years old. 35% of the participants are between 35-54 years old and only 3% are between 55-64 years old
- Country of origin – most of the participants come from the countries in which the course is hosted (in case of the face-to-face courses). In case of longer duration courses (the equivalent of one university semester) the participants group is multinational like in case of a course organized in Germany which, apart from other EU participants, attracts people from China and India; or the case of the courses in Slovenia attracting also participants from Croatia, Spain, Portugal and Turkey.
Figure A11: CONCORDIA courses – past participants distribution per gender and age
The external courses plotted on the CONCORDIA map
The CONCORDIA map was open for external submissions starting mid-July 2019. Over a period of 2 months, 27 courses were submitted via the Register your Course [1] form. This pool of external courses follows to a certain extent the characteristics of the CONCORDIA courses and could be described as follows:
- Pillars: most of the courses address the Software/System-centric, Network-centric and Application/Data-centric pillars while the less targeted one is the User-centric pillar
- Industry: the vast majority of the courses are developing skills fit for the Telecom industry, followed by the Transport industry; some of the course providers reported also other areas of use of the skills acquired via their courses such as Energy.
- Target audience: most of the courses are targeting the corporate audience, mainly the technical team members but also the managers of the non-IT departments and the senior management group. Some of them are targeting the users - individuals using 5G technology or those interested to learn the approaches used by hackers, while one is specifically addressing the public administration
- Delivery method: face-to-face is the model used by 70% of the courses while only 4 are run online and only 1 is offered in a blended format.
- Language: the language used is, generally, country specific. Nevertheless, some of the course providers offer the course (also) in English, or provide the documentation in English
[1] https://docs.google.com/forms/d/e/1FAIpQLScg5QrSQEOikUAJguXL3OrBhIPh3FzZzSvBk2RhGmh6ZRIMtQ/viewform
- Content: only 20% of the courses do not have any entry requirements as the content provided is considered introductory or close to introductory to the specific topic. All the other courses require basic to medium skills in the technical domains addressed by the course.
- Certification: 2 of the courses are offering official certificates recognized by the national authorities while the others are offering certificates of attendance.
A.4 Conclusions
The findings so far proved heterogeneity both of the cybersecurity jobs market and of the cybersecurity courses offer. Besides, the lack of an agreed terminology cross domains and industries related to competencies needed for a specific job makes it difficult for the companies to fill in the open positions, but also for course providers to design their curricula as to answer to the market needs, and for the individuals to identify the skills they need to possess or develop as to match the job opened on the market.
Pillars
In an attempt to create a high-level structure of the courses offered in Europe, we used the data driven approach and its five pillars advocated by CONCORDIA. We thus invited the course providers to register their courses on the CONCORDIA map by mentioning, between other elements, the cybersecurity pillars for which the skills developed under the specific course could be used. The findings gathered from 60 courses (33 from CONCORDIA partners and 27 from external course providers) show that the least covered pillars in CONCORDIA are the Device-centric security pillar dealing with data acquisition and the devices producing raw data such as embedded systems, sensors, IoT devices, and the User-centric security pillar dealing with issues like privacy, social networks, fake news and identity management. These findings, although not necessarily representative for the whole European market, match the threats identified in the first chapter, especially those linked to the user-centric security pillar.
Target
More general cybersecurity awareness needs to be offered across different industries, not necessarily technical ones, thus targeting non-traditional cyber audience. Although there are quite a few online courses addressing this general need, there is little or none tailored to some specific non-technical audience yet targeted and impacted by cyberattacks. In this respect the following topics could be envisaged: Economics of Cybersecurity within an organization, Cybersecurity for lawyers, Cybersecurity for physicians, Cybersecurity for investors. The Cybersecurity for Investors course for instance, could answer to problems identified in the ENISA analysis on Challenges and opportunities for EU Cybersecurity startups [1] and could be co-organized in collaboration with Invest Europe [2]. The knowledge acquired by the investors will help them not only when looking for investing in Cybersecurity companies but also when assessing the viability of any of the companies as cybersecurity should be treated as a business risk.
[1] https://www.enisa.europa.eu/publications/challenges-and-opportunities-for-eu-cybersecurity-start-ups
[2] https://www.investeurope.eu/
The industry survey reveals an increased interest in Cybersecurity awareness courses as untrained staff is the greatest cyber risk to the business.
When it comes to the technical area, in a data-driven environment and data-driven economy, a Cybersecurity professional must have competences in the area of data analysis. Thus, a specific curriculum for data scientist positions would be beneficial to be developed.
Some other topics could be further identified based on the analysis to be done in the Deliverables linked to the Threat landscape, legal environment and economic perspectives.
Content
Content wise, the courses would need to be developed in relation with an agreed EU competence framework. They should not stay at a general level as to ensure their relevance for a broad cross industry audience, but should be industry specific and built starting from clear learning objectives defined in direct collaboration with the targeted industry representatives. No matter the target audience, a broad approach to the topic would be advisable, as to cover both technical knowledge and soft skills, but also some managerial skills [1]. The weights of the different subjects should be balanced though, according to the profile of the target audience. The hands-on approach and real case scenarios adapted to the specific audience should be favored.
Language
EU is a multi-cultural continent and local language skills are important to communicate. Yet, the free movement of people comes with free movement of skills and the language should not be a barrier. Thus, in an attempt to build an international network of Cybersecurity experts looking into exchanging information in support of better protecting Europe against cyberattacks, the trainings should, at least partially, be taught in English, the language of the computer (most programming languages use English language keywords). Choosing English as a main language would increase also the participation in the different MOOCs which are in their vast majority taught in English, still a barrier for non-English speakers [2]. It will also support the mobility of the Cybersecurity professionals from countries with a big offer of courses, thus presumably more Cybersecurity skilled people to countries with big demand on job market.
[1] https://insights.dice.com/cybersecurity-skills/
[2] https://www.academia.edu/23952938/Planning_to_Design_MOOC_Think_First_?email_work_card=title
Certification
Undoubtedly, certifications are important in the process of recruitment of the cyber professionals. And at the international level there are quite a few very specific certifications for the IT professionals. In Europe though, as revealed in the ECSO study, the industry is still very dependent on US-centric certificates which are not based on formal training. And, even if in some European countries first steps have been taken to set up a certification scheme, the uptake of these schemes is very limited. There is thus room and a need for a European Cybersecurity certification scheme. During the duration of the project we will be looking into developing a framework of a certificate.
The analysis helped identifying some topics and some good-to-have courses’ characteristics. These findings will be further considered when developing the cybersecurity specific methodology for the creation of new content and teaching materials. Besides, the course content development and deployment are intended to be designed in such a way as to be aligned to the CONCORDIA certification framework.
The paper will be periodically updated as to capture the new trends, challenges and offers in the cybersecurity education and will contribute to the definition of the education pillar of the Cybersecurity Roadmap for Europe.
A.5 Annexes
A.5.1. Cybersecurity Career Pathway - example
Source: https://www.cyberseek.org/pathway.html (data collected from September 2017 through August 2018)
Figure A12. Cybersecurity Career Pathway – example for Cybersecurity Specialist/Technician
A.5.2. Cybersecurity competencies
Source: https://www.slideshare.net/colleenlarose7/competency-model-clearinghouse
Figure A13: Cybersecurity Competencies – Tiers 4 and 5
A.5.3. The 5 pillars of the research and technology
Figure A14: CONCORDIA - The five pillars of the research and technology
CONCORDIA has a data-driven approach to security and addresses it via the five pillars of research and technology as illustrated in the figure above. The individual pillars are described as follows:
• Device-centric Security: DCS addresses the data acquisition and the devices that produce raw data, such as embedded systems, sensors, IoT devices, drones, and the associated security-centric issues, such as IoT security.
• Network-centric Security: NCS refers to the transportation of data as well as to the networking and the security issues associated with this. Topics range from DDoS protection, Software-Defined Networking (SDN) to encrypted traffic analysis.
• Software/System-centric Security: SSCS centers around topics such as middleware, secure OS, and security by design. Malware analysis, systems security validation, detection of Zero-days, and recognizing service dependencies are specifically addressed.
• Data/Application-centric Security: DACS addresses issues such as data visualization and the security of applications like cloud services.
• User-centric Security: UCS addresses issues like privacy, social networks, fake news and identity management.
A.5.4. The CONCORDIA courses
Title | WHO | WHAT
CyberRange: IT Ethical Hacking | Airbus Cybersecurity | Hands-on Labs on different topics and countermeasures in a simulated network.
ICS - Ethical Hacking | Airbus Cybersecurity | Hands-on Labs on different topics of threats scenarios and countermeasures in a simulated industrial environment.
Cyber Incident Handling Workshop | Airbus Cybersecurity | Table-top game to learn how to deal with cyber incidents from different perspectives.
CyberRange: Advanced Persistent Threats and Targeted Attacks | Airbus Cybersecurity | Hands-on labs to learn current techniques of APTs and Targeted Attacks.
Cyber Incident Game | Airbus Cybersecurity | Play the hacker role: plan a cyber-attack on a classical network or an industrial network infrastructure.
Cybersecurity for business | EIT Digital | An innovative training to empower and train in improving and championing Cybersecurity for the future
Security and Privacy for Big Data | EIT Digital | Learn how to identify key security and data protection issues and how to apply privacy preserving methodologies in compliance with the current regulations
ENISA Summer School (assisting the organization) | FORTH | Network and Information security: policy, economic, legal and research matters
CSIRT Cyber Training | Masaryk University | Hands-on tailor-made Cybersecurity training for IT administrators and CSIRT/CERT members. Everything from servers hardening to network monitoring & analysis
Capture the Flag by Team Localos | Research Institute CODE | Learn and evolve your Cybersecurity capabilities. And have fun at our Cybersecurity competition!
IT Competence Education and Training | Research Institute CODE | In our flexible Cyber Range, participants are provided with self-learning modules, individual exercises as well as defensive/offensive hands-on scenarios.
SINA Basics | Secunet | Basics and functions of the Secure Inter-Network Architecture (SINA)
TRANSITS I/II | SURFnet | Training for new and experienced computer security incident response team (CSIRT) personnel, and individuals interested in establishing a CSIRT.
Reliable Software and Operating Systems | Technical University Darmstadt | Dependability and Security Issues for SW systems
Security and the Cloud: The Issue of Metrics | Technical University Darmstadt | SW and Distributed Systems Security
ICT Security | University of Mariboru | Basics; Physical security and biometrics; Cryptography basics; Secure e-commerce; Protection of communication technologies; Standards, security policies and security planning; Software security; User aspects of security and privacy
Data protection | University of Mariboru | Introduction to the topic; Advanced cryptography; Usability and related standards; Practical aspects of data protection
ADVANCED INFORMATION SECURITY | University of Mariboru | Provide in-depth knowledge on techniques for securing and protecting information, computer systems and computer networks
Data security and privacy | University of Insubria | Models, tools and languages for managing access control and privacy policies/preferences in a data management system
DATA SECURITY FUNDAMENTALS | University of Insubria | Basic knowledge for the design and verification of mechanisms for data protection in information systems and networks
Internet Security Protocols | University of Twente | MOOC to discuss the details of Internet security protocols, such as HTTPS, SSH, DNSSEC, IPSec and WPA
Internet attacks and defence | University of Twente | MOOC to discuss how to detect and mitigate Internet attacks. Topics include DDoS, IDS and Firewalls
Certified Information Systems Auditor CISA - certification and exam preparation | SBA Research | The course helps in preparing for the exam in view of CISA certification. The Certified Information Systems Auditor (CISA) is a globally recognized certification for professionals in the areas of auditing, control and information security.
Certified Information Security Manager CISM - certification and exam preparation | SBA Research | The course helps in preparing for the exam in view of CISM certification. The Certified Information Security Manager (CISM) is a globally recognized certification for experts in the field of information security management in companies.
Certified Information Systems Security Professional CISSP - certification and exam preparation | SBA Research | The course helps in preparing for the exam in view of CISSP certification. The CISSP examination covers 8 areas of security which are necessary for the essential protection of information systems, companies and national infrastructures.
Certified Secure Software Lifecycle Professional CSSLP - certification and exam preparation | SBA Research | The course helps in preparing for the exam in view of CSSLP certification. The CSSLP certification guarantees that you have comprehensive knowledge in all areas of the secure development lifecycle.
Cyber Security Essentials | SBA Research | The aim of the course is to provide participants with an introduction to the topics of cyber security as well as IT and information security. The course provides participants with sound basic knowledge and essential threat scenarios as well as modern solutions and methods for coping with cyber risks.
Incident Response | SBA Research | The aim is to learn tools and techniques for clarifying an APT incident. The course participants will also have the practical opportunity to investigate a simulated APT attack using hard disks and memory images.
Windows Hacking | SBA Research | The aim is to convey the most frequent and dangerous gaps in Windows networks and thus provide the necessary knowledge for securing security-relevant networks and servers.
Secure Coding in C/C++ | SBA Research | This training is especially designed for C/C++ developers. It covers secure software development practices and attacks.
Web Application Security | SBA Research | The course teaches developers the most common and dangerous bugs in web application development. Testers learn how to test security aspects.
IoT Security Essentials | SBA Research | The course teaches the typical and dangerous security vulnerabilities of Internet-enabled hardware, including the OWASP Internet of Things Top 10.
A.5.5. Courses offer on NIS map vs. Jobs opened on LinkedIn
EU Country | Academic Courses offer ENISA map | Jobs opened - Entry & Associate levels - Oct'19 | Jobs opened - Total - Oct'19
Germany | 148 | 511 | 762
United Kingdom | 97 | 1,068 | 1,459
Czech Republic | 46 | 18 | 30
France | 33 | 150 | 229
Belgium | 31 | 54 | 98
Netherlands | 22 | 375 | 559
Spain | 22 | 63 | 124
Finland | 18 | 9 | 18
Portugal | 16 | 313 | 347
Italy | 15 | 134 | 192
Cyprus | 12 | 0 | 1
Slovenia | 12 | 0 | 0
Sweden | 10 | 24 | 68
Ireland | 7 | 58 | 120
Austria | 6 | 15 | 29
Greece | 5 | 4 | 7
Romania | 4 | 35 | 78
Estonia | 3 | 5 | 11
Latvia | 2 | 3 | 5
Denmark | 1 | 20 | 41
Hungary | 1 | 9 | 21
Luxembourg | 1 | 19 | 31
Bulgaria | 1 | 15 | 27
Croatia | 1 | 0 | 0
Malta | 1 | 0 | 0
Poland | 0 | 96 | 145
Lithuania | 0 | 5 | 8
Slovak Republic | 0 | 5 | 11
Annex B: Startup scene (T3.5)
Much innovation in the cybersecurity sector has been driven in the start-up world and task T3.5 was also trying to assess trends and to map stakeholders in EU. Buying or investing in cybersecurity start-ups has been more frequent than in other IT areas, creating therefore a strong exit market for cyber-security-focused start-ups.
In this overview we present several initiatives that target cybersecurity start-ups, including corporate-led incubators (Google and Thales Station F), public sector initiatives (Ciberemprende), and pan-European services provided by public-private partnership companies (ECSO Cyberinvestor matchmaking and EIT Digital services for start-ups).
We spoke, for example, to some start-ups from Google Startups Accelerator [1] that kicked off in October 2019 in Malaga, Spain. With a focus on cybersecurity startups, it includes companies like Koodous (collaborative antivirus, it is a spin-off from Hispasec), SecureKids (targeting protection of minors, owners of IS4K), TechHeroX (focused on online education for cybersec), Keynetic (with SDN security solution), CyberSmart (digital compliance), Keystroke DNA (authentication), CyberBlue or ironChip. Google for Startups initiative was already present in Spain and in 2018 it made an important impact (see figure below), including startup ecosystem diversity (especially targeting women entrepreneurs).
Figure B1. Impact of Google for Startup initiative in Spain for 2018 (source: Google)
In Concordia consortia we have one start-up Cyber-detect that received support from Station F, cybersecurity startup incubator in France managed by Thales. In 2019 many other start-ups were selected by this incubator to access services such as visibility boost or support for fundraising. The figure below shows start-ups that have been selected with their area of focus or solution description.
[1] https://www.blog.google/outreach-initiatives/entrepreneurs/google-startups-accelerator-empowers-ai-startups-europe/
Figure B2: start-ups selected by Station F incubator in 2018 and 2019
Another initiative, this time with public funding, that targets cybersecurity start-ups is Ciberemprende in Spain, managed by National Institute for Cybersecurity (INCIBE). In 2019 they awarded 34.000 to DirectDump (DFTools), forensic monitoring software, while the other winners were ClickDefense (24.000€) for their solution for detection of illegitimate clicks in online advertising, AuthUSB (20.000€) for solution related to secure access to USB storage. Other start-ups mentioned in their report (and some of them interviewed for Concordia) were Acerodocs, document protection and usage control; CriptoCert, certification software; CyberBlue, decision support and cybercrime detection through emotion analysis; TechHeroX, cybersecurity awareness; Eurocybcar, vehicle cybersecurity; InprOTech (Inprosec Auto), cybersecurity in converged IT (Information Technology) and OT (Operation Technology); and finally RKL Integral, that targets risk assessment for converged safety and security.
On pan-EU level we had several meetings with cybersecurity startups during two ECSO Cyberinvestor events, discussing what we can offer from Concordia. These events (May 14th in Madrid and Oct 15th in Luxembourg) revealed that ECSO is doing already great work for creating a vibrant cybersecurity ecosystem and all start-ups interviewed were satisfied with the support. ECSO is usually collaborating with local organizers (e.g. INCIBE, EEN and Fundacion Conocimientos Madrid, in the case of Madrid event), and is open for the collaboration with Concordia.
For the event in Luxembourg, Concordia was included as a strategic partner (see figure below) and we plan to continue this collaboration with ECSO in 2020.
Figure B3: strategic partners of ECSO Cyberinvestor days
If we look at start-ups that have been selected for Cyberinvestor days by ECSO, we observed that there is a predominance of local start-ups (Spanish in Madrid event, and Benelux in Luxembourg event) and that some start-ups repeat the experience.
The ECSO Cyber Investor Days in Luxembourg received support by the government and were kicked off with a press conference by Étienne Schneider, Minister of the Economy of Luxembourg. Pascal Steichen, CEO of the SECURITYMADEIN.LU, presented the local cybersecurity ecosystem. Final report for these events is still not available, but the report for the previous events can be found at https://www.thehaguesecuritydelta.com/media/com_hsd/report/224/document/Final-ECSO-Report.pdf
Figure B4: Startups selected by ECSO for the Cyberinvestor days in Madrid
Figure B5: Startups selected by ECSO for Cyberinvestor days in Luxembourg
Finally, EIT Digital, which is a Concordia partner, was also interviewed on several occasions. More specifically, opportunities for collaboration were mentioned, such as EIT Venture program in RIS countries, support for summer course (not linked to credits of master study), or Cybersecurity 360 program for Professionals. However, EIT Digital has no effort in task T3.5 and the collaboration in the area of services for startups in 2019 was not considered. EIT Digital regional nodes (e.g. Madrid), however, are organizing events that can also be of interest for Concordia. One of the regions that would be especially interesting for Concordia, as it was expressed by the advisory board feedback received during the Concordia Open Doors event, is the Eastern Europe (in EIT Digital this region is covered by regional innovation scheme – RIS [1]).
[1] https://eit.europa.eu/our-activities/eit-regional-innovation-scheme-ris
In collaboration with Startup Wise Guys accelerator, cybersecurity focused program CyberNorth was started to receive investment and take part in a 3 month long acceleration in Tallinn, Estonia. In 2019 selected teams are autom8 (Turkey, NLP frameworks to automate the detection of security and other flaws in source code), Odin Vision (Ukraine, biometric identification), Cyber Struggle (Turkey, cyber security certifications), Cyex.io (Hungary, AI-based cybersecurity exercise generator), Fakeskiller (Ukraine, detection of fake identification), Hive.id (Ukraine, digital identity verification), Scoriff (Estonia, identifying high risk companies), Webtotem (Kazakhstan, SaaS for securing and monitoring website). Outside of EIT Digital, we have established contacts with Oxolabs cybersecurity incubator from Hungary that started its work in 2019 [1]. Again, the follow-up and further collaboration will depend on resources available for startup factory and incubator (tasks T3.5 and T5.1) and related services.
As an additional idea for startup factory concept, technology transfer funding was also considered. Academic research is often considered high-risk by the traditional investors, so more recently TT funds are enabled by InnovFin Equity – managed by EIF. They form part of “InnovFin – EU Finance for Innovators”, an initiative launched by the European Commission and the EIB Group in the framework of Horizon 2020. Some examples of European investors in TT funds include K.U. Leuven/CD3 (Belgium), IP Group (UK), Chalmers Innovation Seed Fund (Göteborg, Sweden), the UMIP Premier Fund (Manchester, UK) and Karolinska Development (Sweden).
[1] https://cybersecurity.oxolabs.eu/