The CIPSEC Project comes to an end: final recap and concluding thoughts

Antonio Álvarez Romero, CIPSEC Project Coordinator

Do you remember those old times, some decades ago, when computers could take a whole room? Do you remember how big they were? Despite being so big, their computation power was neglectable in comparison to how it is today. However, this limited performance was enough to control critical infrastructures like telephone networks, nuclear plants or electricity grids, and they were very secure, as their security basically relied on that of the premises.

The evolution of computers brought a clear upgrade in terms of computation capabilities and also they became smaller and much easier to handle. This optimized the daily operation of critical infrastructures and security was not a big concern yet.

With the new century and the major breakthrough Internet was, everything speeded up, maybe too fast… The Internet allowed a distributed operation of the facilities, an optimized sharing and balance of resources among the network elements, eased the prompt notification and reaction in case of emergency scenarios, and in parallel elemental devices like sensors, actuators, engines and some others became more and more intelligent thanks to the Internet of Things paradigm. The borders between industrial and IT networks blurred.

Unfortunately, this progress was too fast and security was not set as a major requirement during the thinking and design process. The Internet allowed remote control of critical infrastructures but also opened a door to be within reach of evil cyber criminals, capable of carrying out a wide plethora of attacks with devastating effects.

In this eerie landscape of increasing threats, three years ago a group of passionate people joined forces to propose a solution to the increasing weakness of critical infrastructures against cyber attacks. They brought a set of heterogeneous security solutions and they envisioned a project to integrate them into a single, unique product, capable of providing strong protection to critical infrastructures belonging to a wide range of verticals. This is how CIPSEC was born, a Consortium was formed and our story began.

Upon project kick-off, our Consortium started working to achieve the ambitious goals set for the project. The first step was to identify a series of requirements that are common to most critical infrastructures regardless of the vertical they belong to, and then we moved to find those that are dependent on a specific vertical, involving from the very beginning the three CIPSEC pilots, chosen as use cases to validate the solution.

Figure 1. CIPSEC Reference Architecture

With these requirements elicited, we derived a design of the CIPSEC Framework, with a reference architecture for critical infrastructure protection against cyber incidents. We could find in this architecture the right place for each product and service to be part of CIPSEC. All the pieces fit and the puzzle was assembled. Then it was time to make it real.

We followed a continuous integration approach with a distributed environment in which the interfaces among the different products where studied, designed and implemented. This demanded an intense work and strong cohesion across the partners in the Consortium, as integrating such different products was really challenging. But it was achieved, and by the mid-term review we had an initial proof-of-concept. Then we worked on providing CIPSEC with an appealing and harmonized user interface, intuitive and easy to use. In parallel, we continued to integrate the rest of pieces of the puzzle.

Figure 2. CIPSEC Dashboard

A thorough work was carried out to deploy CIPSEC on the three pilot sites. This allowed us to confirm that each critical infrastructure is unique and there will not be two identical deployments. The optimal approaches were found for an effective operation of CIPSEC in each of the pilot sites.

Once the deployments were working correctly, a thorough testing process was carried out to check that CIPSEC behaves as expected in a wide range of attack scenarios. Also, several tests were made to assess the performance measured from different angles. A total cost ownership (TCO) analysis was conducted to demonstrate that the investment is worthwhile if it mitigates the effects of a major attack or several minor ones.

CIPSEC, as an integrated solution, is a product whose value is much higher than the sum of that of the individual products and services included. It is a leap forward in comparison to traditional cybersecurity solutions, being capable of grouping under the same package heterogeneous yet paramount features that contribute to bridge existing security gaps. CIPSEC can be applied to critical infrastructures in different verticals, and is flexible enough to be adapted to the needs of the client. It can be deployed fully-on-premises, but also admits deployments using a public cloud with the very minimum installed on the premise of the client, and finally a hybrid approach which is amid the two other approaches. The client can select the products and services of their interest, therefore being able to customize CIPSEC to their specific case. Finally, CIPSEC foresees the chance to extend the framework adding new services and products that may enrich the already existing framework.

On balance, participating in the CIPSEC project has been an enlightening experience for us. We have learnt much about critical infrastructures, how crucial they are for the welfare of the population and the devastating effects that malfunctions could imply. Thanks to our three pilots we have first-hand knowledge of what their needs are, what they worry about, what they care about, what their most important assets are and what they prioritize in terms of protection. We have obtained a good overview of different security products and services and have found the way to make them work together. Also, thanks to our dissemination activities we have been contact with the world outside the Consortium and have obtained very valuable information that has been used to make CIPSEC better. This helped us to be aligned with industry needs.

From the human perspective, it has been a great experience to work with such a skilled team, getting together diverse profiles coming from industry, academia and public institutions, people with long experience and people who are starting their careers, managers and technicians, with different cultural backgrounds. Everyone has learnt a lot from the others and very likely we are now better than before the project. To me, as coordinator, it was a honor and a pleasure to coordinate the team and work with this excellent group of people. I definitely hope for new opportunities to collaborate in the future.

I cannot finish without showing gratitude to the European Commission for giving us the opportunity to carry out this project, for trusting this Consortium and for their support in the management of the project during this time.