RAMP (Robotics and Automation MarketPlace)

Robotics and Automation MarketPlace is a marketplace bringing together suppliers and manufacturing SMEs, promoted by a network of 35 Digital Innovation Hubs; it also offers digital infrastructure and services for robotics and automation on top of FIWARE.

Qlack

Qlack is a dynamic environment that gathers common functionality for complex applications and operates as a web integration environment. It supports web integration of various applications and a single point of access.

SOFIA: Dynamic and reconfigurable visualisation environment

SOFIA implements dynamic presentations and dashboards customized to each specific need. This is enabled by designing database schemas dynamically, in parallel with the visualization and editing of data, and above all by combining Menus, Forms, Lists, Charts, Graphs, Access controls, Reports and Dashboards in a variety of ways, which opens up a myriad of data presentation possibilities. Access control configures the access to different resources per User Role, ensuring a high level of security and allowing requirement-oriented data presentation customized to any specific need.

A rich UI, specially designed for the mobile generation of users, provides a true mobile user experience and eases navigation and data exploration.

SOFIA comprises:

  1. Author Application, which dynamically configures the presentation of the data, the menus, graphs and user access, and
  2. Web Application, which visualizes the data in various configurations and graphics and also offers data editing on the fly.

Both applications are built on Java Spring Boot, Angular, Redis, MySQL databases and Docker technologies.

Author’s Application

The Author’s Application dynamically configures the entire application by logically separating the configuration functionalities into five layers, from the bottom layer (database schema design) to the top layer (users and roles).

Let’s have a look at a ‘hello world’ example application: Invoicing for a retail shop.

Layer 1: Table Designer. The first step is to create the data structures and their relations, for example the Product, Invoice and Customer database tables needed for the Invoicing component.

Layer 2: Component Designer. Part of the Author’s application, it helps design the Invoicing Component as a new logical structure composed of a group of Tables and Views, arranged to represent the business logic of the application. For example, the Invoicing Component includes the three tables Product, Invoice and Customer, linked together by their foreign keys Invoice ID and Customer ID.

Layer 3: Form Designer. Part of the Author’s application, it enables creating an Invoicing form using the invoicing service structure. The forms define how the data will be presented (for example in lists, graphs, charts, etc.), whether it may be modified, user rights, etc. Custom CSS and JavaScript scripts are applicable.

The Dashboard, Chart, Graph and List Designers define the data representations required to compose the presentation of the form. For example, a list of historical invoices is created using the List Designer. Dynamic filters, user rights, custom CSS and JavaScript scripts are applicable.

Layer 4: Menu Designer. In a similar way, menus are created with the Menu Designer of the Author’s application. A menu defines the sidebar and header menu buttons as well as the navigation of the Web Application.

The service supports multiple languages through a multilingual menu options tree with custom descriptions and icons, together with a robust navigation system that allows navigating to any part of the application. Finally, access polymorphism is possible by assigning different sidebar and header menus to each user, thus providing role-based visualisations.

SOFIA allows configuring a variety of analysis and visualization forms for statistics, charts and dashboards, configurable data imports from Excel files, dynamic reports exporting PDF, Word and HTML documents, and many more.

NFPMS (Network Forensic Process Management System)

Network Forensic Process Management System supports the forensic readiness of organisations by systematising the interactions of personnel for evidence acquisition, collecting evidence in anticipation of an incident, in a legally acceptable manner and before investigations begin.

Why is it needed?

Currently, the approach taken by organisations to cyber-incidents focuses on business continuity and disaster recovery. However, this approach often includes actions that contradict the principles of forensic investigations. Organizations tend to be reactive to cyber-incidents: only once a security incident or data breach occurs do they try to handle it and perform forensic investigations, followed by actual evidence[1] collection.

Evidence suggests that companies suffer significant financial losses due to cybercrime. For example, in the UK losses are reported at around 37 billion euro per year (27 billion pounds), in Italy at $875 million, and the recovery and opportunity costs reached $8.5 billion[2]. The “average cost of cybercrime in Europe has risen steeply to $57,000 (€50,000) per incident”, and recent figures show that the median cost jumped to €50,000 over the past 12 months (2019-2020), representing a near six-fold increase on the previous year’s €9,000[3].

Network Forensics

According to the Merriam-Webster dictionary forensics is: ‘the application of scientific knowledge to legal problems, especially scientific analysis of physical evidence, as from a crime scene’. The forensics process is dominated by ruling out potential explanations for the security events under investigation.

Network Forensics is defined as ‘The use of scientifically proved techniques to collect, fuse, identify, examine, correlate, analyse, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities.’[4]

Network forensics relates to the monitoring and analysis of network traffic for the purpose of gathering information, including legal evidence. It is the art of capturing, storing and analysing host- and network-based evidence, aiming to shed light on what has happened in the past and to identify the source of a network attack.

Network forensics is a complex task, made even more complex by the increasing complexity of ICT infrastructures. Network forensic processes therefore aim to uncover information in and about the network and the infrastructure that was not previously known. They are complex processes in which methodologies, tools and human intelligence combine for the purpose of an investigation.

Forensic Readiness

Forensic Readiness is defined as ‘…the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation’[5] and as ‘having an appropriate level of capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively: in any legal matters; in security investigations; in disciplinary proceeding; in an employment tribunal; or in a court of law.’[6]

During their operation, organisations generate a lot of digital data that can become central pieces of evidence during a security incident investigation. However, not all of this potential evidence is collected, because the data is generated for adjacent and seemingly unrelated purposes, such as internal communication, regulatory or legal requirements, or other external reasons. It is thus not easy to forecast when and what digital evidence will be necessary. To this end, a forensic readiness process aims to help organizations lay the groundwork for incident readiness, so that the retrieval of digital evidence is structured and documented and the evidence is appropriately collected and stored even “before an incident occurs”, without service interruption. Furthermore, a forensic readiness process ensures that when digital evidence is required, it will be made available in a legally accepted form.

Being forensic ready demonstrates that an organization has the initiative and ability to manage risks effectively.

ED’s Solution

To assist organisations in their forensic readiness journey, European Dynamics has developed a novel Network Forensics Process Management System (NFPMS) that systematizes the process of evidence acquisition and supports security personnel in interacting and exchanging knowledge and information online with forensic expert(s), adopting and implementing all the steps of the OSCAR[7] network forensics methodology.

OSCAR is a methodological framework used by forensic investigators to ensure that the results of a network forensic task are reproducible and accurate. Its step-by-step process stands for:

  • Obtain information about:
    • the incident itself, such as the date and time when the incident was discovered, persons and systems involved, what initially happened, actions taken since the discovery, who the incident manager is, etc. The time frame for investigation/recovery/resolution and the goals should be defined and written down.
    • the environment where it took place, including business model, legal issues, network topology (network map), available sources of network evidence, organizational structure (organizational chart), incident response management process/procedures, etc.
  • Strategy for planning the investigation and prioritising the acquisition of network-based evidence. For example, a company may define the collection of web proxy cache data or of the firewall logs as high priority.
  • Collection of evidence from each identified source, based on the plan defined in the previous step, considering:
    • Documentation (log file) of all systems accessed and all actions taken during evidence collection, stored safely, including time, source of the evidence, acquisition method and the investigator(s) involved.
    • Capturing of the evidence, where network packets are captured, system and application logs are copied, etc.
    • Storage/Transport of the collected evidence, demonstrating the Chain of Custody.
  • Analysis to recover evidence material using a number of different methodologies and tools, depending on the case and what leads are already present. According to Brian D. Carrier, “After the obvious evidence has been found, then more exhaustive searches are conducted to start filling in the holes”[8].
  • Report the results of the investigation to the client(s) in a manner fully understandable by non-technical persons, such as managers, judges, etc.
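The Collection step above asks for a safely stored record of every action (time, source of the evidence, acquisition method, investigator) that demonstrates the Chain of Custody; the same record is what the OSCAR execution workflow later on this page calls the Chain of Custody process. As an added illustration, not code from the NFPMS product, the following Python keeps such a record as a hash chain so that any later alteration of an entry is detectable; the host names, user names and evidence bytes are constructed.

```python
"""Tamper-evident chain-of-custody record for collected network evidence.

Added example, not part of European Dynamics' NFPMS. Each entry carries the
documentation fields named in the OSCAR Collection step and is linked to the
previous entry by a SHA-256 hash, so editing or reordering entries after the
fact breaks the chain. All names and data below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed stand-in for an exported log; a real case would hash the file.
SAMPLE_EVIDENCE = b"constructed sample: firewall log export, 2020-06-01"


@dataclass
class CustodyEntry:
    timestamp: str        # UTC time of the action, ISO 8601
    investigator: str     # who performed the action
    source: str           # system or device the evidence came from
    action: str           # e.g. "capture", "copy", "store"
    method: str           # acquisition method used
    evidence_sha256: str  # hash of the evidence as it was at this step
    prev_hash: str        # entry_hash of the previous entry ("" for the first)
    entry_hash: str = ""  # hash over all fields above


def _hash_fields(entry: CustodyEntry) -> str:
    """Hash every field except entry_hash itself, in canonical JSON form."""
    fields = asdict(entry)
    fields.pop("entry_hash")
    payload = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, investigator: str, source: str, action: str,
               method: str, evidence: bytes, when: datetime) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(when.isoformat(), investigator, source, action,
                             method, hashlib.sha256(evidence).hexdigest(), prev)
        entry.entry_hash = _hash_fields(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = ""
        for i, entry in enumerate(self.entries):
            if entry.prev_hash != prev or _hash_fields(entry) != entry.entry_hash:
                return i
            prev = entry.entry_hash
        return None

    def evidence_unchanged(self) -> bool:
        """Copy, transfer and storage steps must not alter the evidence hash."""
        return len({e.evidence_sha256 for e in self.entries}) <= 1


def build_sample_log() -> CustodyLog:
    """Three custody steps for one constructed piece of evidence."""
    log = CustodyLog()
    t0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
    log.record("forensic.expert", "fw-edge-01", "capture",
               "remote syslog export", SAMPLE_EVIDENCE, t0)
    log.record("forensic.expert", "fw-edge-01", "copy",
               "hash-verified copy to evidence share", SAMPLE_EVIDENCE,
               t0.replace(minute=5))
    log.record("sec.admin", "evidence-share", "store",
               "write-once storage", SAMPLE_EVIDENCE, t0.replace(minute=30))
    return log


def tamper_and_verify() -> Tuple[int, int]:
    """Both a plain edit and an edit with a recomputed entry hash are caught."""
    log = build_sample_log()
    log.entries[1].investigator = "someone.else"   # plain edit: hash mismatch
    plain_edit = log.verify()                       # -> 1
    log.entries[1].entry_hash = _hash_fields(log.entries[1])  # hash recomputed
    recomputed = log.verify()                       # -> 2: next prev_hash fails
    return plain_edit, recomputed
```

Storing each entry_hash off-system as it is written (for example in a notarised or write-once store) is what turns this detection into evidence that the record itself was not altered.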

This evidence is collected in anticipation of an incident in a legally acceptable manner and before investigations begin. As a result, time and money are saved.

The European Dynamics NFPMS fosters an organized approach as a key element of a successful forensic readiness plan, enabling organisations to organise their steps to:

  • determine the significant or relevant risks, types of incidents to be expected, and potential responses.
  • define the cyber incidents and scenarios that require digital evidence.
  • identify the capturing points for monitoring, select the monitoring targets, potential event sources, where they are stored, how they can be accessed, who should be contacted to get permission to access and collect them and how forensically sound they are.
  • identify the resources available for event log collection, aggregation and analysis including evidence storage space, available time, tools, systems, and staff for collection and analysis.
  • identify how the sources of evidence and the network itself might be impacted by evidence collection.
  • prioritize sources of evidence, by identifying those that are likely to be of the highest value to the investigation, while also considering the effort needed to obtain them.
  • plan evidence acquisition and identify relevant personnel that should be invited to provide access to the evidence and what kind of access should be given (physical or remote).
  • select the appropriate methodologies and tools for collecting, storing and recovering evidence material in a secure and forensically sound manner.

Workflows and Screenshots

NFPMS supports organisations in meeting the preconditions for network monitoring and forensics, by enabling:

  1. Security personnel to upload their organisation network architecture and topology including a detailed description;
  2. Forensic experts to indicate the capturing points for monitoring;
  3. Security personnel to select appropriate monitoring targets, focusing on and prioritizing the most critical systems, including the monitoring targets’ attack signatures where available;
  4. Security personnel to provide network related information, such as network behaviour, used protocols and connections and any communication patterns that will allow the forensic experts to define and decide upon the monitoring policy;
  5. Forensic experts to review, comment on and request an update for all uploaded material.

The following 9 steps illustrate this capacity.

Step 1: After the security personnel log in to the NFPMS, they navigate to the “Tasklist” application and follow the steps to start the process.

Step 2: The security personnel upload the network architecture, including a detailed description.

Figure 1. NFPMS – Network Forensic Readiness Process (Network Architecture Prerequisite)

Step 4: The NFPMS process allocates a new task to the security personnel to indicate the capturing points.

Figure 2. NFPMS – Network Forensic Readiness Process (Traffic Capturing Points)

Step 5: The security personnel select appropriate monitoring targets, focusing on and prioritizing the most critical systems, including the monitoring targets’ attack signatures if available, and information on the network behaviour, such as whether the network behaviour is known and whether the protocols and connections used can be kept down to the necessary minimum.

Figure 3. NFPMS – Network Forensic Readiness Process (monitoring targets and network behaviour)

Step 6: NFPMS invites the security personnel to select the monitoring policy and subsequently to define the monitoring targets, used protocols and connections.

Figure 4. NFPMS – Network Forensic Readiness Process (used protocols and connections and communication patterns)

The forensic expert reviews the uploaded information on monitoring targets, availability of attack signatures, network behaviour, used protocols and connections, as well as any uploaded communication patterns, and decides on the monitoring policy.

Figure 5. NFPMS – Network Forensic Readiness Process (final monitoring policy selection)

Execution of the OSCAR methodology

NFPMS allows security personnel to interact with forensic experts through all the steps of the OSCAR methodology, aiming to:

  1. Obtain information about the environment, identify the event logs sources, identify available resources for event log collection, analyze whether and how the sources of evidence and network itself will be impacted by evidence collection;
  2. Prioritize sources of network-based evidence, including their potential value to the investigation and the effort needed to obtain them;
  3. Initiate the Chain of Custody process, by documenting everything done by the security personnel and the forensic expert, including which systems were accessed and how, how collection of evidence from the network was achieved and all actions taken during collection of evidence from the central logging server;
  4. Detail the methodologies and tools used for recovering and analyzing evidence material from the forensic working/investigative image, which is a duplicate of the forensic disk image;
  5. Convey the results of the investigation to the security personnel.

The following steps illustrate this capacity.

Step 1: As soon as the forensic expert logs in to the NFPMS, he/she navigates to the “Tasklist” application, where he/she is presented with the tasks assigned to him/her.

Figure 6. NFPMS – Tasklist (Forensic expert)

He/she navigates to the relevant task and clicks on it. He/she is then presented with the 1st step of the OSCAR methodology namely the “Obtain Information” step.

During this step, the forensic expert obtains information about the incident itself and the environment by reviewing the information provided earlier regarding the network architecture and the relevant IT policies and procedures. After reviewing the network architecture and talking with the security personnel/administrator(s), the forensic expert is in a position to identify the sources of evidence (event log sources) that are likely to relate to the investigation, including the available resources and organisation personnel for collecting evidence (event log collection). At this step the forensic expert can also analyze whether and how the sources of evidence and the network itself will be impacted by evidence collection, and hence decide whether devices (sources of evidence) can be removed from the network, whether they can be powered off, whether they can be accessed remotely (active acquisition) and, as a last resort, whether they can be accessed at specific times or a downtime can be scheduled, to minimise the impact.

Figure 7. NFPMS – Network Forensic Readiness Process (Forensic expert – Obtain Information Step)

Step 2: NFPMS informs via email the security personnel/administrator(s) that the forensic expert has provided information regarding the sources of evidence, the available resources for evidence collection and whether and how the sources of evidence and the network itself might be impacted by evidence collection.

The security personnel review the provided information and provide their comments.

Figure 8. NFPMS – Network Forensic Readiness Process (Security personnel – Obtain Information Step)

Step 3: NFPMS informs the forensic expert via email that the security personnel/administrator(s) have reviewed the Obtain Information details and requests to proceed with the Strategize step.

During this step, the forensic expert prioritizes sources of network-based evidence, including their potential value to the investigation and the effort needed to obtain them, including which organisation personnel (system and/or network administrators) will provide him/her access to the evidence as well as the acquisition method.

Step 4: NFPMS informs via email the security personnel/administrator(s) that the forensic expert has prioritized the sources of network-based evidence, including their potential value to the investigation and the effort needed to obtain them, including which organisation personnel (system and/or network administrators) will provide him/her access to the evidence as well as the acquisition method.

The security personnel review the provided information and provide their comments.

Figure 9. NFPMS – Network Forensic Readiness Process (Security personnel – Strategize Step)

Step 5: NFPMS informs the forensic expert via email that the security personnel/administrator(s) have reviewed the Strategize details and requests to proceed with the Collect Evidence step. At the last stage of Collecting Evidence, the forensic expert initiates the Chain of Custody process by documenting all the steps, the systems accessed and how.

Step 6: NFPMS informs the security personnel/administrator(s) via email that the forensic expert has initiated the Chain of Custody process. The security personnel review the uploaded information and provide any further feedback if needed. The forensic expert/investigator uses his/her querying and analytics tools to recover evidence material from the forensic working image, in line with the 4th (Analysis) step of the OSCAR methodology.

Figure 10. NFPMS – Network Forensic Readiness Process (Forensic expert – Analyse Step)

Step 7: The final step of the process invites the forensic expert/investigator to the final step of the OSCAR methodology, namely “Report”, to convey the results of the investigation in a detailed Forensics Technical Report.

Benefits

European Dynamics Network Forensics Process Management System benefits include:

  • Online collaboration and cooperation between security personnel/administrators and forensic experts.
  • Readiness to respond to the potential need for digital evidence. If an organization has to bring a matter to trial where digital evidence is required, digital forensics will be needed, which in turn requires electronic evidence to be provided quickly and in a forensically sound manner when requested. The OSCAR-based NFPMS ensures that appropriate procedures are established through all the steps, so that data related to a specific event are collected, stored and processed in an appropriate manner, making them readily available when requested;
  • Minimized cost of cyber investigations, since the evidence is gathered and acquired in anticipation of an incident. Costs, time to respond as well as the disruption of operations are reduced and investigations are efficient and rapidly completed;
  • Easier and faster detection and understanding of attack vector;
  • Reduced costs of regulatory or legal requirements for data disclosure, since evidence is collected and stored in a proper manner, enabling organisations to provide evidence, when requested by regulatory authorities or law enforcement agencies, in an appropriate and timely manner;
  • Complete and faster damage restoration and eradication, since post-incident activities are optimized, regarding cost, time and effort;
  • Reduced insurance premiums, since organisations can prove that they are ready to respond to cyber incidents;
  • Demonstrates due diligence and good corporate governance of the company’s information assets as well as regulatory compliance.

References

[1] We define “evidence” as any recordable event, or an artefact of an event, that can be used towards understanding the cause and nature of the observed incident/event.
[2] Net Losses: Estimating the Global Cost of Cybercrime Economic impact of cybercrime II
[3] Cost of cybercrime per incident jumps six-fold to €50,000, June 2020
[4] Sule, Dauda; “Digital Forensics 101: Case Study Using FTK Imager”
[5] Robert Rowlingson, “A Ten Step Process for Forensic Readiness”
[6] The National Archives; Digital Continuity to Support Forensic Readiness, 2011
[7] The OSCAR methodology is defined in “Network Forensics: Tracking Hackers through Cyberspace”, by Sherri Davidoff and Jonathan Ham, pages 17-22
[8] Brian D. Carrier, Digital Investigation and Digital Forensic Basics, 2006

CRM (Cybersecurity Risk Management)

Cybersecurity Risk Management allows dynamically building a risk model for the organisation based on the identification of: a) assets, their relationships to other assets and their exposure to threats (including threat likelihood and associated countermeasures), b) threats that can harm the system and their association with the assets, c) vulnerabilities and their association with the identified threats, and d) countermeasures and their association with the threats that they mitigate.

MPMS (Manufacturing Process Management System)

MPMS (Manufacturing Process Management System) builds complex and dynamic manufacturing processes and executes them by connecting to manufacturing shop-floor sensors and agents, monitoring the process execution in real time. It is built on the open source workflow tool Camunda.

Esthesis

Esthesis has enabled us to move into the IoT, and now the data sovereignty, domain: it is able to gather data from sensors through a gateway device (our own), store it in a backend and provide it to further applications. It has now been extended to support the concept of federated storage in health (very much required now by EC policies in all application domains).

SPIGA (System for Personalised Incentivisation with Gamified App)

A system for personalised incentivisation with a gamified app (developed in 2 projects and now being adopted in a third), originally targeting energy efficiency for residential consumers and public workers, but configurable to support any socio-economic-environmental objective; for example, we have proposed it for food waste management.

BENEFFICE person-centered incentivisation and engagement system for Energy Efficiency: The complete BENEFFICE system (integrated solution) brings together various technologies to provide the “person-centered, incentivisation and engagement system for Energy Efficiency addressed to residential consumers”. The BENEFFICE ecosystem leverages:

  1. hardware devices and software to capture consumption data and perform energy disaggregation;
  2. a mobile app, with analysis and triggers to engage households in energy-efficient behaviours, and a neobanking app, with monetary rewards for achieved savings and desired behaviours, thereby changing the landscape from top-down policies (with limited effect) to bottom-up initiatives (with potential for wide-scale take-up).


C2 (Command and Control System)

The Command and Control System (C2) collects sensor data, as well as the derived detections and alarms, in a software solution for common event visualization, following a user-centric human-machine interaction concept. This helps first responders (police officers, border guards, etc.) fill gaps in their day-to-day operations, where they have to monitor and use a large number of independent sensors, browse independent data streams from different sensors, and manage uncorrelated data while operating and executing a mission.

IEGSA (Interoperable European Grid Services Architecture)

The IEGSA (Interoperable European Grid Services Architecture) software suite addresses the requirement of electricity network operators to procure services (such as balancing, congestion management and ancillary services) from assets connected to the network, at both transmission and distribution level, in a coordinated way, enabling more efficient and effective network management and optimization for the benefit of increased demand response, greater capacity of renewable generation and secure supply of electricity. IEGSA has been designed taking standardization requirements into account, providing an interoperability layer that bridges the silos created by the different market platforms and network management digital tools currently used by the relevant stakeholders.