European Conference on Cyber Warfare and Security <p>The European Conference on Cyber Warfare and Security has been run on an annual basis since 2002. Conference Proceedings have been published each year and authors have been encouraged to upload their papers to university repositories. In addition the proceedings are indexed by a number of indexing bodies.</p> <p>From 2022 the publishers have decided to make all conference proceedings fully open access. Individual papers and full proceedings can be accessed via this system.</p> Academic Conferences International en-US European Conference on Cyber Warfare and Security 2048-8602 Reith, Russell, and the Robots: AI, Warfare, and Shaping the Debate <p>On December 8th, 2021, Professor Stuart Russell delivered the second of that year’s Reith Lectures, presented under the banner title ‘Living With Artificial Intelligence’. This specific talk dealt with ‘The Future Role of AI in Warfare’, and in this paper I propose a reading of Russell’s address which both summarises and critiques his argument and stance, to determine what, if anything, can be taken from his position as effectively a public philosopher and applied in the realm of modern warfare, where ethical questions are taken from the seminar room and enacted in battlespace. The Reith lectures occupy a unique place in public discourse; given each year by a leading figure in the field under discussion, they help to shape opinion and debate. In considering the role of AI, and in particular its deployment in combat, there is undoubtedly a need for multi- and transdisciplinary thought, but the choice of Russell as the lecturer is not unproblematic. He is undoubtedly an expert in the field of AI, but he has no direct experience of working with the military, and is clearly not a neutral witness. 
He has been a leading figure in the campaign to ban research into autonomous weapon systems, and was closely involved in the production of Slaughterbots, a short film which presents a nightmare vision of swarming drones as agents of political repression. There are deep and serious questions to be asked about the role of AI in warfare, but Russell’s position that we must stop all research in the field is arguably naïve. Our adversaries will surely not be as punctilious. At the heart of the debate lie complex issues concerning human agency and control (and ‘control’ lies at the etymological root of ‘cyber’); this paper will use Russell’s lecture as a starting point for the consideration of how we might develop an ethical doctrine for the use of AI, resting on the idea of human-machine teaming. It will, in short, argue for a cybernetic solution to the problems of cyber warfare.</p> Keith Scott Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-10 2022-06-10 21 1 443 449 10.34190/eccws.21.1.510 Desired cybersecurity skills and skills acquisition methods in the organizations <p><strong><em>Abstract</em></strong><em>:</em><em>Key personnel and their competences play important roles in continuity management and improving resilience of cybersecurity in organizations. Researchers have addressed many topics and studies in the cybersecurity domain. However, relevant cybersecurity skills and acquisition of them in expertise development, have only been partially touched. If designed systematically and properly, cybersecurity training can improve cybersecurity expertise to ensure better performance in complex cybersecurity situations. More through study on the acquisition of cybersecurity skills, and work-life needs are needed. The research three questions of this study are: How do work-life representatives see cybersecurity? How do work-life representatives see cybersecurity related skills? 
How do work-life representatives see methods for skills acquisition in the organizations? The work is multi-method, as it builds on both a literature review on skills acquisition in cybersecurity, and on empirical findings of a questionnaire study on cybersecurity skills desired by the work-life representatives. The findings show that cybersecurity is seen important in the organizations. The demanded skills from the employees focus especially on communication and situational awareness. There is a specific need for training with Cyber Ranges (CR) to ensure skills acquisition on cybersecurity. These results can be used to plan and design training and education for future professionals. This study aims to promote constructive discussion on skills and their acquisition in the cybersecurity domain.</em></p> Kirsi Aaltola Harri Ruoslahti Jarmo Heinonen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 1 9 10.34190/eccws.21.1.293 Identification of Violence in Twitter Using a Custom Lexicon and NLP <p>Information warfare is no longer a denizen purely of the political domain. It is a phenomenon that permeates other domains, especially those of mass communications and cybersecurity. Deepfakes, sock puppets, and microtargeted political advertising on social media are some examples of techniques that have been employed by threat actors to exert influence over consumers of mass media. Social Network Analysis (SNA) is an aggregation of tools and techniques used to research and analyze the nature of relationships between entities. SNA makes use of such tools as text mining, sentiment analysis, and machine learning algorithms to identify and measure aspects of human behavior in certain defined conditions. One area of interest in SNA is the ability to identify and measure levels of strong emotions in groups of people. 
In particular, we have developed a technique in which the potential for increased violence within a community can be identified and measured using a combination of text mining, sentiment analysis, and graph theory. We have compiled a custom lexicon of terms used commonly in discussions relating to acts of violence. Each term in the lexicon has a numerical weight associated with it, indicating how violent the term is. We will take samples of online community discussions from Twitter and use the R and Python programming languages to cross-reference the samples with our lexicon. The results will be displayed in a Twitter discussion graph where the user nodes are color-coded according to the overall level of violence that is inherent in the Tweet. This methodology will demonstrate which communities within an online social network discussion are more at risk for potentially violent behavior. We assert that when this approach is used in association with other NLP techniques such as word embeddings and sentiment analysis, it will provide cybersecurity and homeland security analysts with actionable threat intelligence.</p> Jonathan Adkins Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 10 17 10.34190/eccws.21.1.340 The U.S. Cyber Threat Landscape <p>Cybersecurity is concerned with protecting information, hardware, and software on the internet from unauthorized use, intrusions, sabotage, and natural disasters. It is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage, or unauthorized access. The numerous ways in which computer systems and data can be compromised and the dramatic increase in cybercrimes have made cybersecurity a growing field. One of the most problematic elements of cybersecurity is the quick and constant evolving nature of security risks in critical infrastructure and major businesses all around the world. 
In this paper, we sketch a general frame for the cyber threat landscape in the United States of America by focusing on five major categories: ransomware, social engineering, third party software, deep fakes, and insider threats. We elaborate on each of these pillars by providing case studies from the past decade, as well as discussing ways to move forward.</p> Elie Alhajjar Kevin Lee Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 18 24 10.34190/eccws.21.1.197 Impact of Moral Disengagement on Counterproductive work behaviours in IT Sector, Pakistan <p>This research examines the role of moral disengagement towards counterproductive work behaviour in the information technology sector of Pakistan. Furthermore, research is also focused on the mediating effect of information security awareness (Attitude &amp; knowledge) and information security awareness behaviours. The target population consisted of public sector I.T. departments of Punjab, Pakistan. A convenience sampling technique is utilized. Data collection has been done through a survey questionnaire from technical and non-technical staff currently employed in the Public sector I.T. departments of province Punjab. Statistical software PLS-SEM is used for analysis. This study highlights the role of the information technology sector staffing level of engagement that affects the employee’s counterproductive work behaviour and information security awareness behaviour. 
Moreover, the study proposes that management should take the initiative for the implementation of strategies that may be helpful to get awareness about information security amongst employees.</p> Qazi Muhammad Ali Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 25 36 10.34190/eccws.21.1.198 Supporting Situational Awareness in VANET Attack Scenarios <p>The integration of sensors and communication technologies is enabling vehicles to become increasingly intelligent and autonomous. The Internet of Vehicles (IoVs) is built from intelligent vehicles that work collaboratively and interact with the surrounding environment in real time. The underlying communications infrastructure is provided by Vehicular Ad-hoc Networks (VANETs), for vehicle to infrastructure (V2I) and vehicle to vehicle (V2V) communications. &nbsp;The volume of autonomous vehicles (AVs) increases, as well as the level of automation for vehicles. The potential for related incidents and attacks increases as a result. A particular concern is the ability to disseminate alerts and emergency messages effectively and securely via the V2V/V2I nodes, given the diminishing involvement of autonomous vehicle users with the operation of the autonomous vehicles.</p> <p>&nbsp;</p> <p>With this challenge in mind, this paper investigates the issue of situational awareness for occupants in autonomous vehicles.&nbsp; Building from the concept of VANETs and recognised classification of automation levels, the discussion considers a range of related attack scenarios that could be encountered, each of which illustrates also contexts in which occupants may need to be made aware and take decisions in response.&nbsp;Consideration is then given to resulting support for situational awareness that would be required, particularly highlighting the associated requirements for user responsibility at different levels of automation. 
&nbsp;The resulting discussion serves to articulate the challenge and serves as a basis for further research to inform the mechanisms to address the resulting requirements.</p> Dimah Almani Steven Furnell Tim Muller Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 37 45 10.34190/eccws.21.1.215 The Emergence of IIoT and its Cyber Security Issues in Critical Information Infrastructure <p>The emergence of the Industrial Internet of Things (IIoT) can transform and improve industrial domain processes. This is achieved by IIoT’s ability to collect and process vast amounts of data using technology such as sensors. IIoT capabilities can improve the manufacturing processes of these sectors and contribute to the improved functioning of critical information infrastructure. In addition, current trends - such as the Fourth Industrial Revolution (4IR) - use IIoT to realise specific goals. While the emergence of IIoT systems does introduce many benefits, such as improved efficiency and sustainability, it can also introduce security concerns. These security concerns pose a significant threat to the industrial domain, including critical information infrastructures. The resulting threats emphasise the need to implement solutions to secure IIoT systems. The paper aims to discuss the emergence of IIoT and its cyber security issues within the context of critical information infrastructure. The research paper follows a theoretical research methodology to provide an improved understanding of the emergence of IIoT and its cyber security issues in critical information infrastructure. The paper contains an exhaustive discussion of what is IIoT. A discussion on where IIoT fits within the context of critical information infrastructure and its impact on 4IR is also highlighted in the paper. Due to the many vulnerabilities that IIoT systems can contain, the paper also discusses security concerns surrounding the emergence of IIoT. 
The security concerns make IIoT systems attractive targets for cyberattacks. Therefore, different approaches that can be applied to secure IIoT systems is also provided. Since IIoT capabilities can impact the critical information infrastructure of businesses and nations, the authors’ stance on how IIoT systems could transform the current understanding of critical information infrastructure is also discussed.</p> Humairaa Bhaiyat Siphesihle Sithungu Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 46 51 10.34190/eccws.21.1.248 Including Human Behaviors into IA Training Assessment: A Better Way Forward! <p>Few can argue against the reality that humans are the weakest link in cybersecurity, and Social Engineers work very hard to take advantage of this human weakness. Many cybersecurity practitioners believe the only way to solve this problem is through a technical solution; however, this solution is elusive because humans are still in control and can circumvent these technical measures. In cybersecurity, the human is the critical component of the human firewall, and it is going to take a multi-disciplinary approach to solve the human problem. The human firewall is the first line of defense for cybersecurity. Historically, the primary solution to the human problem has been the Information Awareness training program, designed to teach the end-user about the risks and assess their risk. The biggest problem with the information awareness training program is that it does not modify behavior. Cybersecurity practitioners need to understand better the human firewall and how it can be strengthened. It is necessary to understand how the human makes security-minded decisions, how these decisions affect the cybersecurity decision-making process, and if there is a way to assess a person's susceptibility level more precisely when working to strengthen the human firewall. 
Humans are multifaceted, complex beings influenced by both internal and external factors. The most significant internal factor that affects a person's decision-making process is behavior, while Social Media is one of the most significant external factors that impact a person's decision-making capacity. This study presents a new method of assessing a person's susceptibility to cybercrime by including behavioral and social media usage factors into a Dynamic/Adaptable information awareness training assessment tool. This study shows that including human behaviors and social media usage behaviors into an Information Awareness (IA) training assessment tool produces a more precise measure of a person's accurate susceptibility level.</p> Henry Collier Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 52 59 10.34190/eccws.21.1.225 Automatic Construction of Hardware Traffic Validators <div><span lang="EN-GB">This paper describes a fully automated process that creates a custom hardware traffic validator directly from a formal grammar and deploys it within a specialized network security appliance. The appliance appears as a hidden, all-hardware “bump-in-the-wire” that can be inserted within any network segment; it stores and validates messages on-the-fly, and either forwards or drops individual packets in real-time. Consequently, it serves to disrupt and mitigate stealthy remote attacks that leverage zero-day exploits and persistent implants. Allowed traffic, files, and mission payload formats are specified formally using a standard Look-Ahead, Left-to-Right (LALR) grammar that operates on ASCII and/or binary data. The grammars can be expressed either in Backus-Naur Form (BNF), used by industry standard tools such as Bison, or through state-of-the-art combinators, such as Hammer, under development within the DARPA SafeDocs program. Bison and Hammer compiler tools are used to generate standard shift/reduce parsing tables. 
These tables are post-processed to improve their compactness and practical viability. The optimized tables are then combined with a generic push-down automaton to form a complete parser. The parser is then automatically transformed into a hardware circuit using High-Level Synthesis (HLS). The result is a composable block of circuitry that can be directly inserted into a generic communications harness embedded within a Field Programmable Gate Array (FPGA) on the network appliance. </span></div> Stephen Taylor Jason Dahlstrom Ellie Baker Brandon Guzman Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 60 69 10.34190/eccws.21.1.200 Developing Mandatory Reporting for Cyber-Attacks on U.S. Businesses <p>The goal of this paper is to argue for the mandatory reporting of cyber-attacks on critical U.S. infrastructure, industries, and companies to the Department of Defense (DoD) for the DoD to improve national security through a clearer understanding of the threats and how to position the U.S. for better defense. The paper will first discuss who will be subject to mandatory reporting and propose a template for the requirements of reporting such as the turnaround time to report and the details needed from the attack. The paper will provide an argument showing the benefit to the DoD requiring reporting and why it should be concerned about external cyber-attacks on non-DoD systems. The paper will then look on the private sector viewpoints to discuss the benefits of mandatory reporting such as the bottom line and brand awareness. Additionally, the paper will also discuss how the consumer will benefit from mandatory reporting with a focus on both financial and privacy issues. Lastly, the paper will address some key points of dissent on the topic of mandatory reporting as well some evidence to push back or show how the negatives of not reporting outweighs the negative of reporting. 
After reading the paper, the reader will have a better picture of the current status of cyber-attacks on the private sector, how these attacks effect the DoD’s mission, and why mandatory reporting can help enhance private sector cybersecurity. More research is needed to better understand the legal argument for requiring reporting on cyber-attacks as well as economic incentives for compliance, however this paper is not intending to answer that argument given the authors do not come from the legal or economic disciplines.</p> Baylor Franck Mark Reith Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 70 77 10.34190/eccws.21.1.308 Obstacles on the Path to the Internet of Things: The Digital Divide <p>The Internet of Things holds has the potential to provide an array of technological benefits and online resources to individual users and society in general. However, the Digital Divide, the gap between information computing technology (ICT) and those who can effectively take advantage of it, presents challenges to the global implementation of the Internet of Things. Factors contributing to the Digital Divide include lack of broadband access, cost of ICT, user socioeconomic challenges, user security concerns, and political or governmental restrictions.</p> John Gray Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 78 85 10.34190/eccws.21.1.237 Societal Impacts of Cyber Security in Academic Literature – Systematic Literature Review <p>The 2020 Allianz Risk Barometer, with 39% of responses, ranked cyber incidents as the number one risk threatening business continuity. Any organisation may face a number of challenges e.g. costly data breaches, ransomware incidents, and even litigation after an event. The Internet has, in many ways, changed society, transformed businesses, organisational communication and learning. People can now interact through social networking platforms. 
Modern society has become very technology driven, as ICT is now an integral component in peoples’ lives. However, besides the many benefits that the Internet and other ICT technology bring, there are also threats, such as cyber-attacks looking to exploit vulnerabilities in ICT applications and systems. This study is a systematic literature review that explores how societal impacts of cyber security in modern society are discussed in academic literature. The Introduction discusses the overall importance of cyber security in today’s society. The body of this paper presents the method in which the literature review was conducted, and a concise summary of the findings that answer the research question: How are societal impacts of cyber security discussed in academic literature? Six categories of investigation of societal impacts of cyber security are identified: 1) Impacts on Social and Societal Levels, 2) Detection of cyber-crime and incidents, 3) Critical infrastructures and services, 4) Impacts of incidents and individual technology, 5) Cybersecurity awareness, and 6) Cybersecurity and collaboration. Lastly, the conclusions, based on the research findings, address the feasibility, impact, strengths, weaknesses and possible ethical concerns of cybersecurity. This paper contributes to the overall understanding of current societal impacts of cyber security, and this understanding benefits the development of methods that assess societal impacts, as well as provides focus for future training and development of cyber and e-skills needed for better awareness of cyber threats, and to better address possible cyber incidents.</p> Eveliina Hytönen Amir Trent Harri Ruoslahti Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 86 93 10.34190/eccws.21.1.288 Planning the building a SOC - A Conceptual Process Model <p>There are few frameworks available to consult when building Security Operation Centers (SOCs). (P. Jacobs, 2015). 
Jacobs proposed such a framework, and this paper builds on the “Planning” part of that framework. The authors could not find any existing conceptual process models where it comes to the planning phase when building SOCs. We propose a conceptual process model to follow during the planning phase of the SOC. Conceptual models are used to represent systems typically made up of the composition of concepts (Robinson; Arbez; Birta; Tolk; Wagner, 2015). The aim of our conceptual process model is to help SOC builders understand the proposed process to be followed during the SOC planning phase and is meant to guide the SOC builder's thinking during the planning phase.</p> <p>&nbsp;</p> <p>The conceptual process model will start by determining the services that the SOC in development will be offering, followed by deciding on a SOC model. After the determination of the SOC services and model we will identify the technologies and tools to facilitate the services, keeping in consideration the influence the SOC model has on the service. For each of the steps in our conceptual model we have identified existing, public frameworks, standards or best practices. Our conceptual process model will be mapped to these frameworks, standards or best practices with the intention to be used to augment our model.</p> Pierre Jacobs Sebastiaan von Solms Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 94 104 10.34190/eccws.21.1.247 Pedagogical and self-reflecting approach to improving the learning within a cyber exercise <p><strong>: </strong>In the digitalized world, there is a growing need not only to improve one’s cybersecurity skills and knowledge, but also to find ways to optimize the learning process, for example by motivating the learners or optimising the learning facilities, material and the learners for the process. 
Cyber exercises ran within cyber ranges/arenas (CR) are an efficient way for the exercise participants to improve their cybersecurity skills and knowledge level. The pedagogical way of orienteering the participant to a learning situation is to have a preliminary survey, which prepares the participant for the upcoming event, adds self-reflection, and may even provide feedback and background information for the educator about the upcoming event. The objective of the survey is to improve the quality of the exercise by knowing the interest areas, preferences and other useful information about the participants that is then be used optimise the exercise accordingly.&nbsp;&nbsp;</p> <p>&nbsp;This study analyses the structure of one preliminary survey targeted for the cyber exercise event to be held in January 2022. The questions are justified according to existing frameworks. We have collected a set of structured questions presenting different topics related to the participants’ professional background and expectations towards the exercise. In addition to the short-term goal of analysing the survey for one cyber exercise, this work benefits the long-term goal for improving the skills of cybersecurity professionals. Our further work will validate the results of our preliminary analysis and analyse its correspondence with the survey results, and the final analysis constructed after the cyber exercise.</p> Anni Karinsalo Karo Saharinen Jani Päijänen Jarno Salonen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 105 114 10.34190/eccws.21.1.221 Strategies for Internet of Things data privacy and security using systematic review <p>The Internet of Things (IoT) now referend to as the Internet of Everything (IoE) has been in existence long before it was identified as a concept. 
It was introduced with the emergence of the Fourth Industrial Revolution and was aimed at improving people’s lives and economies across the globe by connecting physical items to the internet so they can be able to deliver specific services implicitly. The nature of IoT requires that all the systems ensure data privacy and security because much of data that is uploaded into and used by the system is personal and private. Thus, the aim of this research was to identify the tools and strategies that can be used for IoT data privacy and security while also providing a brief but intensive understanding of the concept of IoT and data privacy and security challenges faced by IoT systems. This qualitative research study utilised a pragmatic paradigm and data was collected and analysed using text-based secondary data sources and a PRISMA protocol through systematic review. A PRISMA flow diagram was utilised to assess the eligibility of the sources used for this research. The findings showed that hacking is a major challenge that affects IoT systems and that there are strategies that can be used to protect data such as authentication, encryption technology, and anonymisation amongst many. Additional findings found that the strategies have not yet been found effective, but standards have been set upon the results expected from them. The conclusion is that for the identified strategies to be proven effective, they must be implemented and tested in IoT systems, so further investigation can be conducted if they prove to be ineffective.</p> Sithembiso Sithembiso Teballo, A. Kekana Amanda Sibiya Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 115 122 10.34190/eccws.21.1.194 Public Authorities as a Target of Disinformation <p>Disinformation is a part of a modern digitalised society and thus affects public authorities´ daily work. Through disinformation, malicious actors can often erode the fundamentals of democratic societies. 
In practice, this can be achieved by influencing authorities’ decision-making processes and creating distrust towards public organisations which can weaken authorities’ ability to function. In Finland, public authorities have relatively transparent and open decision-making processes and communication practices compared to other democratic societies. This transparency and openness can be seen as a vulnerability, increasing the opportunities for malicious actors to use disinformation. The authorities of public services are also seen as producers of evidence-based official information. In general, Finns have very high trust in public authorities. Trust has a major impact on societies’ psychological resilience and susceptibility to disinformation. The results of this article strengthen the idea that disinformation weakens authorities’ ability to function. The producers of disinformation, aided by citizens’ high confidence of public authorities, aim to utilise authorities’ communication by misrepresenting the content according to their own agenda. In this study, our purpose is to describe public authorities’ experiences relating to disinformation in their own organisation. This study follows a qualitative design framework by analysing data collected in September 2021 using inductive content analysis. The empirical data includes 16 government officials’ interviews with themes exploring how disinformation affects their daily activities and why they are targets of disinformation. This article is part of a larger project relating to counterforces and detection of disinformation. 
The results contribute towards a broader understanding on how different types of public authorities, ranging from health to security organisations, communicate in complex social media environments.</p> Pekka Koistinen Milla Alaraatikka Teija Sederholm Dominic Savolainen Aki-Mauri Huhtinen Miina Kaarkoski Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 123 129 10.34190/eccws.21.1.371 An Ontological Model for a National Cyber-attack Response in South Africa <p>South Africa is increasingly targeted by cyber criminals and is often ranked under the top five countries suffering the most cyber-attacks. In an initiative to counter these attacks, the South African government has initiated various measures such as a National Cybersecurity Policy Framework Policy (NCPF) and a Cybercrimes Act. However, the structures and policies that follow from these measures have not been fully implemented yet. Although the government published the NCPF in 2015 and enacted the Cybercrimes Act in May 2021, there is still a gap in terms of interoperability and shared understanding within the environment. In addition, numerous new structures have been established and others are still being planned. One example of a new structure is the Cybersecurity Hub, the national CSIRT, which is mandated to co-ordinate attack information and provide support for cyber incidents. In addition, the Hub must also implement a national Cybersecurity Awareness program.</p> <p>This paper presents a model for the Cybersecurity Hub in the event of a cyber incident in South Africa. The model is based on different attack scenarios and depicts the complex interoperability problem of the various roles, responsibilities, and interactions of role players when there is a cyber incident. One of the scenarios is an attack on critical infrastructure. The model is a prototype of a semantic knowledge base (an ontology) that will help with planning and decision making. 
Core queries that should be answered concern the critical role players during and after a cyber event; the communication activities that have to take place; and the response actions and the skills required to handle the event.</p> Aphile Kondlo Louise Leenen Joey Jansen van Vuuren Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 130 149 10.34190/eccws.21.1.213 Combining System Integrity Verification with Identity and Access Management <p class="western" lang="en-GB"><span style="font-size: small;">Digital transformation and the utilization of the Industrial IoT (IIoT) introduce numerous interconnected devices to factories, which among other things increases the challenge of managing their software versions and gives attackers new possibilities to exploit software vulnerabilities.</span></p> <p class="western" lang="en-GB"><span style="font-size: small;">Factory networks used to be isolated from the Internet. This separation no longer holds, and there can be connections that allow intruders to penetrate the information systems of factories. Another issue is that although factories are typically physically isolated, it is not necessarily safe to assume that physical security is in good shape, as modern supply networks comprise subcontracted activities and a temporary workforce. A further threat can arise from unauthorized monitoring of devices and the unauthorized replacement of existing ones.</span></p> <p class="western" lang="en-GB"><span style="font-size: small;">Based on the above, it is crucial that IIoT security is built into factories of the future (FoF) right from the design phase, and even low-end devices need to be supported. The trusted computing concept of remote attestation should be used. Remote attestation allows remote parties to verify the integrity of each system component. System components should include trusted hardware components that can be used to measure executable software. 
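The measure, log, extend, sign and verify cycle that this abstract describes, as an added example in Python (not code from the paper or from any TPM stack). It assumes three constructed boot-stage binaries, a SHA-256 register that is extended PCR-style so the measurement list cannot be silently edited, an HMAC under a hypothetical device key standing in for a TPM quote signature, and a verifier whose reference integrity metrics are computed from the known-good binaries.

```python
"""Measured boot plus remote attestation, simulated end to end (added example).

Not code from the paper. Each stage hashes the next binary before handing over
control; the measurement is appended to a log and folded into a tamper-evident
register (a PCR-style extend); the register is signed with a device key; a
verifier holding reference values checks the result. All components, keys and
nonces below are constructed for the demonstration.
"""
import hashlib
import hmac

# Constructed "firmware" stages a factory device would load in order.
BOOT_CHAIN = [
    ("bootloader", b"BOOTLOADER v2.1"),
    ("kernel", b"KERNEL 5.10 industrial"),
    ("plc-runtime", b"PLC runtime 1.4"),
]

# Assumed device attestation key. A real device keeps this in a TPM or secure
# element and signs the quote with an asymmetric key instead of an HMAC.
DEVICE_KEY = b"device-attestation-key-00"


def measure(blob: bytes) -> str:
    """Measurement: cryptographic hash of the binary taken before control passes to it."""
    return hashlib.sha256(blob).hexdigest()


def extend(register: str, measurement: str) -> str:
    """PCR-style extend: register = H(register || measurement).
    Order matters and nothing can be removed, so the register protects the
    integrity of the measurement list."""
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(measurement)).hexdigest()


def boot_and_attest(chain, nonce: bytes, key: bytes = DEVICE_KEY):
    """Device side: measure each component, log it, extend the register, then
    sign (register || nonce) as the integrity assertion (the 'quote')."""
    register = "00" * 32
    log = []
    for name, blob in chain:
        m = measure(blob)
        log.append((name, m))
        register = extend(register, m)
        # control would now be passed to the component
    signature = hmac.new(key, bytes.fromhex(register) + nonce, hashlib.sha256).hexdigest()
    return {"log": log, "register": register, "nonce": nonce, "signature": signature}


def build_reference_db(chain):
    """Verifier side: reference integrity metrics, i.e. the expected measurement per component."""
    return {name: measure(blob) for name, blob in chain}


def verify(quote, reference_db, nonce: bytes, key: bytes = DEVICE_KEY):
    """Verifier checks (1) freshness, (2) the signature, (3) that the log replays
    to the signed register, (4) that every logged measurement equals its
    reference value. Returns (ok, reason)."""
    if quote["nonce"] != nonce:
        return False, "stale quote (nonce mismatch)"
    expected = hmac.new(key, bytes.fromhex(quote["register"]) + nonce, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["signature"]):
        return False, "bad signature on register"
    replayed = "00" * 32
    for _, m in quote["log"]:
        replayed = extend(replayed, m)
    if replayed != quote["register"]:
        return False, "measurement log does not match signed register"
    for name, m in quote["log"]:
        if reference_db.get(name) != m:
            return False, f"unexpected measurement for {name}"
    return True, "ok"


if __name__ == "__main__":
    ref = build_reference_db(BOOT_CHAIN)
    nonce = b"verifier-nonce-1"
    print(verify(boot_and_attest(BOOT_CHAIN, nonce), ref, nonce))
    tampered = [(n, b"KERNEL 5.10 industrial + implant" if n == "kernel" else b)
                for n, b in BOOT_CHAIN]
    print(verify(boot_and_attest(tampered, nonce), ref, nonce))
```

The nonce is what makes the quote fresh: without it a recorded good quote could be replayed after the device is compromised. The replay check is what ties the readable log to the signed register, so an attacker who patches a log entry after the fact is caught even though the register itself is signed.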
The term measurement means calculating the cryptographic hash of a binary component before passing control to it. Trusted hardware components should also have a mechanism to protect the integrity of the measurement list, and cryptographic keys that can be used to sign integrity assertions. The verifier should store reference integrity metrics that identify the expected values of these measurements.</span></p> <p class="western" lang="en-GB"><span style="font-size: small;">Deploying trusted computing and remote attestation concepts in industrial automation is not straightforward. Even if it is possible to use remote attestation with suitable hardware components, it is not clear how remote attestation should be integrated with the various operational technology (OT) industrial automation protocols. Approaches to using remote attestation with existing industrial automation protocols (e.g., OPC UA) are discussed. Advanced identity and access management (e.g., OAuth2, OpenID Connect) can be used to combine integrity measurements with device identity information so that the remote attestation process is triggered by authentication during the first transaction. The focus is on machine-to-machine (M2M) communications with immutable device identities and integrity evidence transfer.</span></p> Markku Kylänpää Jarno Salonen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 140 149 10.34190/eccws.21.1.202 SIEM4GS: Security Information and Event Management for a Virtual Ground Station Testbed <p>As the space sector continues to grow, so do the cybersecurity risks. As large as the attack surface of a space system is, the ground segment remains an attractive source of intrusion points, not only because of its relative accessibility but also because the ground system is often viewed as little more than a conventional IT system. 
Thus, a representative security assessment of a space system cannot avoid addressing the vulnerabilities of the associated ground system and the relevant threats. This motivates the construction of a virtual ground station testbed, as part of a larger reference platform, to support our ongoing research on the cybersecurity of space systems. Presented here is a discussion of the preliminary work being undertaken at the University of South Australia node of the SmartSat Cooperative Research Centre on such a testbed. A distinguishing feature of the testbed is the integration of a security information and event management (SIEM) system, justifying the name of the testbed, “SIEM4GS”. Based on the latest literature on ground stations, a logical architecture and an implementation plan for SIEM4GS involving only open-source software building blocks are proposed. Features of the ground station and SIEM services are discussed. A plan is provided for extending the SIEM system from a primarily “detect” role in the NIST Cybersecurity Framework to a “detect and respond” role.</p> Yee Wei Law Jill Slay Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 150 159 10.34190/eccws.21.1.228 Physical Layer Security: About Humans, Machines and the Transmission Channel <p>In an increasingly interconnected and globalized world, in which the volume but also the confidentiality of transmitted content is becoming ever more important, trust, confidence and trustworthiness are of fundamental importance. Particularly in human societies, this trust is established, sustained and strengthened by personal relationships and experiences. But in a globally connected world with Cyber-Physical Production Systems (CPPS), the Industrial Internet of Things (IIoT) and Digital Twins (DTs), these personal relationships no longer exist. (Remote) access to systems is possible from anywhere on the globe. 
However, this implies that there have to be technical solutions to detect, identify and acknowledge entities (people and machines) in the networks and thus to establish an initial level of trust.</p> <p>Especially since the proliferation of appropriate use-cases, Physical Layer Security (PhySec) has become increasingly popular in the scientific community. Using systems' intrinsic information for security applications provides a lightweight but secure alternative to traditional computationally intensive and complex cryptography. PhySec is therefore not only suitable for the IIoT and its multitude of resource-limited devices and sensors; it also opens up alternatives in terms of scalability and efficiency. Moreover, it provides security properties regarding the entropy H and Perfect Forward Secrecy (PFS).</p> <p>Therefore, this work provides insight into three major branches of PhySec: i) <em>Human</em> Physically Unclonable Functions (PUFs), ii) <em>silicon/electrical PUFs</em>, and iii) <em>Channel-PUFs</em>. Based on the PUF operating principle, the silicon derivatives consider the electrical properties of semiconductors. Individual and uninfluenceable deviations during the manufacturing process result in component-specific behavior, which is described in particular for Static and Dynamic Random Access Memory (S-/DRAM). Following this PUF principle, human characteristics (biological, physiological and behavioral features) are used to recognize and authenticate people. 
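The Channel-PUF branch listed above, as an added example in Python (not code from the paper): two radios that probe the same wireless channel within its coherence time observe nearly the same fading and can each quantise it into the same key bits without ever transmitting them, while an eavesdropper a few wavelengths away observes a different channel. The RSSI samples, the 1 dB guard band, the mean-threshold quantiser and the SHA-256 key confirmation are all assumptions of this illustration; a deployable scheme would add error-correcting reconciliation and privacy amplification.

```python
"""Key agreement from reciprocal channel measurements (added example, not from the paper).

Alice and Bob quantise their own channel samples into bits. The only data sent in
clear are the indices of unreliable samples and a hash used for key confirmation.
All samples below are constructed, not measured.
"""
import hashlib
import statistics

# Constructed received-signal-strength samples (dB) over 16 probes.
# Bob's values are Alice's plus small measurement noise (channel reciprocity);
# Eve's come from an uncorrelated channel at a different location.
ALICE = [-61.2, -58.7, -70.4, -65.1, -55.9, -68.8, -60.3, -57.5,
         -72.0, -63.4, -59.1, -66.7, -54.8, -69.5, -62.6, -56.2]
BOB = [-61.5, -58.4, -70.1, -65.6, -56.3, -68.5, -60.0, -57.9,
       -71.6, -63.0, -59.4, -66.3, -55.1, -69.9, -62.2, -56.6]
EVE = [-64.0, -66.3, -59.8, -71.2, -62.5, -57.1, -68.9, -60.7,
       -55.4, -70.8, -63.9, -58.2, -67.6, -61.3, -69.0, -56.9]


def unreliable_indices(samples, guard_db):
    """Indices whose sample lies within +/- guard_db of the mean. These are
    the ones likely to quantise differently at the two ends, so they are
    announced publicly and dropped by both sides."""
    mean = statistics.mean(samples)
    return {i for i, s in enumerate(samples) if abs(s - mean) < guard_db}


def quantise(samples, drop):
    """One bit per kept sample: 1 above the sample mean, 0 below."""
    mean = statistics.mean(samples)
    return "".join("1" if s > mean else "0"
                   for i, s in enumerate(samples) if i not in drop)


def derive_key(bits: str) -> str:
    return hashlib.sha256(bits.encode()).hexdigest()


def key_agreement(a_samples, b_samples, guard_db=1.0):
    """Protocol between two parties: each announces its unreliable indices,
    both drop the union, quantise, hash. Returns (key_a, key_b, confirmed, n_bits)."""
    drop = unreliable_indices(a_samples, guard_db) | unreliable_indices(b_samples, guard_db)
    bits_a = quantise(a_samples, drop)
    bits_b = quantise(b_samples, drop)
    key_a, key_b = derive_key(bits_a), derive_key(bits_b)
    # Key confirmation: compare a hash of the key, never the key or the raw bits.
    conf_a = hashlib.sha256(b"confirm" + key_a.encode()).hexdigest()
    conf_b = hashlib.sha256(b"confirm" + key_b.encode()).hexdigest()
    return key_a, key_b, conf_a == conf_b, len(bits_a)


if __name__ == "__main__":
    ka, kb, ok, n = key_agreement(ALICE, BOB)
    print(f"Alice/Bob: {n} bits, confirmed={ok}")
    ka2, ke, ok2, _ = key_agreement(ALICE, EVE)
    print(f"Alice/Eve: confirmed={ok2}")
```

The guard band trades key length for agreement probability: with these samples two of sixteen probes fall inside it and are dropped, the remaining fourteen bits agree, and Eve's independent fading yields a different bit string. The confirmation exchange reveals only whether the keys match, which is why it hashes the derived key rather than the bits.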
With respect to the wireless channel, the characteristic properties of electromagnetic wave propagation and the influences on the wireless channel (diffraction, reflection, refraction and scattering) are used to achieve symmetric encryption of the channel.</p> <p>In addition to "conventional" wireless PhySec, the development of Sixth Generation (6G) Wireless Systems in particular opens up a wide range of possibilities in terms of PhySec, for example in relation to Visible Light Communication (VLC), Reconfigurable Intelligent Surfaces (RIS) and in general the use of frequencies in the (sub-)THz range.</p> <p>Thus, the work provides an overview of PhySec fields of application in all areas of the IIoT: in terms of humans, machines, and the transmission channel.</p> Christoph Lipps Hans Dieter Schotten Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 160 169 10.34190/eccws.21.1.403 On the Road to Designing Responsible AI Systems in Military Cyber Operations <p>Military cyber operations increasingly integrate, or rely to some degree on, AI-based systems at one or more points in their phases where stakeholders are involved. Although the planning and execution of such operations are complex and well-thought-out processes that take place in silence and with high velocity, their implications and consequences can be experienced not only by their targeted entities but also by other collateral friendly, non-friendly or neutral ones. This calls for a broader military-technical and socio-ethical approach when building, conducting and assessing military cyber operations, to make sure that the aspects and factors considered and the choices and decisions made in these phases are fair, transparent and accountable for the stakeholders involved in these processes, for those impacted by their actions and, more broadly, for society. 
This resonates with issues currently tackled in the area of Responsible AI, an emerging and critical research area in the AI field that is scarcely present in the ongoing discourse, research and applications in the military cyber domain. On this matter, this research aims to define and analyse Responsible AI in the context of military cyber operations, with the intention of bringing important aspects to both the academic and practitioner communities involved in building and/or conducting such operations. It does so by taking a transdisciplinary approach and using concrete examples captured in different phases of their life cycle. Accordingly, a definition is advanced, the components and entities involved in building responsible intelligent systems are analysed, and further challenges, solutions and future research lines are discussed. This should allow the agents involved to understand what should be done and what they are allowed to do, and further to propose and build corresponding strategies, programs and solutions (e.g., education, modelling and simulation) for properly tackling, building and applying responsible intelligent systems in the military cyber domain.</p> Clara Maathuis Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 170 177 10.34190/eccws.21.1.204 Responsible Digital Security Behaviour: Definition and Assessment Model <p>The digital landscape is transforming remarkably and growing exponentially, tackling important societal challenges and needs. In the modern age, futuristic digital concepts are ideated and developed. These digital developments create a diverse palette of opportunities for organizations and their members, such as decision makers and financial personnel. Simultaneously, they also introduce different factors that influence users’ behaviour related to digital security. 
However, no method exists to determine whether users’ behaviour can be considered responsible or not and, in case this behaviour is irresponsible, how it can be managed effectively to avoid negative consequences. To the best of our knowledge, no attempt has yet been made to investigate this. This research therefore aims to: (i) introduce the notion of ‘responsible digital security behaviour’, (ii) identify different factors influencing this behaviour, (iii) design a Bayesian Network model that classifies responsible/irresponsible digital security behaviour considering these factors, and (iv) draw recommendations for improving users’ responsible digital security behaviour. To address these, an extensive literature review is conducted through technical, ethical and social lenses in a Design Science Research approach for defining, building and exemplifying the model. The results contribute to increasing digital security awareness and to empowering, in a responsible way, users’ behaviours and decision processes involved in developing and adopting new standards, methodologies and tools in the modern digital era.</p> Clara Maathuis Sabarathinam Chockalingam Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 10.34190/eccws.21.1.203 A Model for State Cyber Power: Case Study of Russian Behaviour <p>The emerging cyber environment with new information channels provides a novel avenue for states to project their power to govern their residents and fulfil their international ambitions. The recent manipulation of elections, coercion of companies, blackmailing of citizens and suppression of essential infrastructure services reflect increased activity and development by both state and non-state entities in the cyber environment. Several models for inter-state power projection have been created in studies of international relations, military strategy and, recently, hybrid warfare. 
Do these models recognise the foundational transformation in international power projection? Do they explain the current national cyber strategies? Can they help foresee the possible developments of power projection in international confrontations?</p> <p>The paper seeks a bigger picture from other power strategies in fulfilling the state’s political ambitions. Furthermore, the paper explores the evolution of the cyber environment and its possible emerging features for international power projection. A constructive research method builds a multiple-domain power projection model by combining systems thinking with various models from international relations, military strategy and business strategy to classical decision making. Finally, the feasibility of the model is tested in a case study of Russian cyber strategies and actions between 2007 and 2020 from a positivistic approach. <br />As a result, the model seems to help explain past cyber power-wielding and provide insights into current national cyber policies. Further testing is required to evaluate the model’s feasibility in producing foresight. Nevertheless, the proposed state-level cyber power projection model extends the existing models with a system dynamics viewpoint. Additionally, it adds the dimension of evolution to consider future changes in international power projection in the information realm. 
Hence, the model improves the ability of national defence planners to study cyber strategies and to estimate the lines of operation and impact of cyber operations.</p> JUHA KAI MATTILA Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 188 197 10.34190/eccws.21.1.207 Building Software Applications Securely with DevSecOps: A Socio-Technical Perspective <p>While the continuous real-time software delivery practices induced by agile software development approaches create new business opportunities for organizations, these practices also present new security challenges in the DevOps environment. DevSecOps attempts to incorporate advanced automated security practices for agility in the DevOps environment. Mainstream perspectives on DevSecOps tend to overlook the collaborative role played by social actors and their relations with technologies in securing software applications in organizations. The first perspective emphasises the use of technologies such as containers, microservices, cryptographic protocols and origin authentication to secure the continuous deployment pipeline. The other dominant perspective focuses almost exclusively on social aspects such as organizational silos, culture and team collaboration. Such one-sided perspectives neglect the socio-technical argument that secure software applications from continuous deployment emerge when developers, quality assurers, operators and security experts combine their collective expertise with DevSecOps technologies. The article presents a socio-technical framework of DevSecOps based on a systematic literature review. The review focused primarily, but not exclusively, on the computing and information systems literature and identified 26 peer-reviewed articles from 2016 to 2020 which met the quality criteria and contributed to the analysis. The authors used a critical appraisal checklist and member checking to assess the quality of the articles. 
The authors then used thematic analysis to develop a comprehensive framework for DevSecOps based on the insights from these articles and a socio-technical lens. The socio-technical framework can be used by practitioners to perform a more holistic analysis of their DevSecOps practices. It highlights the key social and technical themes that underpin the effectiveness of DevSecOps and how insights about these themes can be used by practitioners to improve the instrumental and humanistic goals of DevSecOps. An interdisciplinary approach is proposed to adequately address challenging socio-technical relationships in DevSecOps. Future research can empirically test the importance of the interplay between technology and human activities to improve the overall performance of DevSecOps and other domains in cyber warfare and security.</p> Rennie Naidoo Nicolaas Möller Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 198 205 10.34190/eccws.21.1.295 Effective Cyber Threat Hunting: Where and how does it fit? <p>Traditionally, threat detection in organisations is reactive, relying on pre-defined and preconfigured rules embedded in automated tools such as firewalls, anti-virus software, security information and event management (SIEM) systems and intrusion detection/prevention systems (IDS/IPS). As the fourth industrial revolution (4IR) brings with it an exponential increase in technological advances and global interconnectivity, cyberspace presents security risks and threats on an unprecedented scale. These security risks and threats have the potential to expose confidential information, damage the reputation of credible organisations and/or inflict harm. The regular occurrence and complexity of cyber intrusions make guarding enterprise and government networks a daunting task. 
Nation states and businesses need to be ingenious and consider innovative and proactive means of safeguarding their valuable assets. The growth of the technological, physical and biological worlds necessitates the adoption of a proactive approach towards safeguarding cyberspace.</p> <p>This paper centers on cyber threat hunting (CTH) as one such proactive and important measure that can be adopted. The paper’s central contention is that effective CTH cannot be an autonomous ‘plug-in’ or a standalone intervention. To be effective, CTH has to be synergistically integrated with relevant existing fields and practices. Academic work on such conceptual integration, on where CTH fits, is scarce. Within the confines of the paper we do not attempt to integrate CTH with the many relevant fields and practices. Instead, we limit the scope to postulations on CTH’s interface with two fields of central importance in cyber security, namely Cyber Counterintelligence (CCI) and Cyber Threat Monitoring and Analysis (CTMA). The paper’s corresponding two primary objectives are to position CTH within the broader field of CCI and to further contextualise CTH within the CTMA domain. The postulations we advance are qualified as tentative, exploratory work to be expanded on. The paper concludes with observations on further research.</p> Nombeko Ntingi Petrus Duvenage Jaco du Toit Sebastian von Solms Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 206 213 10.34190/eccws.21.1.240 Two novel use-cases for non-fungible tokens (NFTs). <p>Non-Fungible Tokens (NFTs) can either represent an original digital artwork or act as a digital reference to the actual work. In both cases the record in the distributed ledger, mostly a blockchain-based database, is intended to serve as proof of ownership or of a transfer of rights. 
NFTs might also serve a further purpose, which in blockchain terms is referred to as “a utility”, such as access to special websites, chats or clubs in emerging metaverse platforms. This use-case paper presents a first introduction to two early-stage demonstrators, set outside the common use of art images or images of historical events as NFTs. The first case shows how educational credentials can be created in which different teachers contribute to assessment achievements. We elaborate how these partial achievements are verified separately within the actual credentials. In the second case study, we build on previous research on NFTs in the music industry and show the combination of physical vinyl record special editions, in our case vinyls signed by the band, with the ownership certificate as an NFT. For both demonstrators we used, in different settings, the crypto art platform NFTmagic and the blockchain-token wallet Sigbro. We developed and tested the results within the setting of a group roleplay and show how blockchain technologies, and especially NFTs, can be made useful in new ways, inspired by the ongoing process of discovering risks and opportunities in ‘crypto art’, thus initiating discussion on the topic and effectively bridging the cybersecurity and (digital) art communities.</p> Alexander Pfeiffer Natalie Denk Thomas Wernbacher Stephen Bezzina Vince Vella Alexiei Dingli Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 214 221 10.34190/eccws.21.1.141 Cybersecurity risk assessment subjects in information flows <p>A modern society includes several critical infrastructures in which digitalization can have positive impacts on the levels of autonomy and efficiency in the use of infrastructure systems. Maritime transportation is an example of an infrastructure that currently needs development in the digitalization of its operations and processes. 
At the same time, maritime processes represent a large-scale cyber environment, so trustworthy information distribution between the system elements of the processes is needed. Since 2020, the Sea4Value / Fairway (S4VF) research program in Finland has been working to develop maritime digitalization, which can lead to autonomous processes in the future. The first stage of the program has led to a demonstration phase of remote fairway piloting. This remote fairway piloting process, “ePilotage,” is a complex system-of-systems entity. In this entity, fairway systems, ship systems and control center systems are the main processes from the operational point of view. Remote pilotage operations need support processes such as vessel traffic services (VTS) and weather forecast services. Situation awareness from other vessels and the stakeholders’ processes is also essential information for the entire piloting operation. In this context, a new concept of information flows at the technical level will be based partly on cloud servers. In this paper, a cybersecurity risk assessment has been carried out at the technical level of information and communication technologies (ICT), concerning information transmission between a ship and a cloud server. It describes the most important topics for a comprehensive risk assessment of a specific ship-to-cloud information flow of the fairway process. The findings of the study can be considered good examples of the management of cybersecurity risks in critical information flows between all the main system blocks of the fairway process. The research question is as follows: “How can the cybersecurity risks of information flows in a system-of-systems entity be described and evaluated?” The main findings relate to the risks of transmitting information from a ship to a cloud server. The methodology used is based on analyzing the probabilities of cyberattacks occurring in relation to the probabilities of defending against these actions. 
The main risk assessment topics have been listed.</p> Jouni Pöyhönen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 222 230 10.34190/eccws.21.1.263 Exploring care robots' cybersecurity threats from care robotics specialists’ point of view <p>Care robots can perform tasks related to physical or mental care, assisting in daily tasks or rehabilitation, independently or semi-automatically. Care robots can be used in home care, nursing homes or other care facilities. Care robots have the potential to solve several challenges related to aging people. However, care robots suffer from cybersecurity problems similar to those of other information and communication technology (ICT) devices. In addition, the cybersecurity threats of care robots have been studied less than those of industrial robots. This study’s purpose is to map cybersecurity threats related to care robots from the perspective of care robotics specialists. The study consists of thematic interviews with six purposively selected specialists in care robotics. A semi-structured thematic interview guide, based on a literature review of previous studies, facilitated the conversations in the interviews. All interviews were transcribed verbatim and analyzed by deductive content analysis, and the remaining material was analyzed by inductive content analysis. According to the interviewed specialists, care robots’ cybersecurity threats are associated with the same risks and threats as the use of other ICT devices or robots. The most prominent potential threats are considered to be remote access to care robots, spying and eavesdropping. Network connectivity is seen as the main interface through which cybersecurity threats in care robotics are realized. New features such as artificial intelligence and machine learning are considered to create more opportunities for new threats. The experts also highlight the human factors underlying cybercrime. 
According to the results, more studies exploring the motives for cybercrime against care robots and the potential benefits derived from it are needed to determine the likelihood of threats to care robots being realized. Cybersecurity is a race against cybercrime and a matter of finding a balance between significant and acceptable risks. In the future, a service ecosystem should be developed which guarantees the safety of care robots throughout their life cycle: during the design and development phase, deployment and user guidance, maintenance, and reuse of the robot. Additionally, it is important to take into account how new robust operating models can withstand failures and how critical services can be secured in the event of a cybersecurity threat.</p> Jyri Rajamäki Marina Järvinen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 231 238 10.34190/eccws.21.1.275 Cyberterritory: An Exploration of the Concept <p>What does the future of cyberspace look like? The idealistic notion of cyberspace as a 'free' and 'open' global infrastructure is progressively challenged by the projection of territoriality and the transfer of traditional nation-state models of governance into cyberspace. The aim of this interdisciplinary paper is to examine the process of cyberspace territorialisation and to present a conceptual definition of a theoretical 'cyberterritory' as a bounded sovereign entity that operates under the jurisdiction of a certain nation-state. Firstly, we explain the different views on cyberspace governance and summarize the latest developments in the UN's efforts to bring order to cyberspace. Secondly, we analyse the different views on 'digital sovereignty' and show how several nations have felt the need to publicly express their views on sovereignty in cyberspace. 
Thirdly, we discuss the possibility of new techno-economic alliances, because only a few (if any) nation-states could have sufficient resources to be 'sovereign' in cyberspace. Finally, we present a conceptual definition of a theoretical 'cyberterritory' that encompasses political, legal and technical aspects. The significance of this paper lies in its contribution to the discussion of future cyberspace governance by presenting a definition of a theoretical 'cyberterritory' as an entity of its own: a new nation-state 'digital terrain' of the future.</p> Jori-Pekka Rautava Mari Ristolainen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 239 246 10.34190/eccws.21.1.229 Researching Graduated Cyber Security Students – Reflecting Employment and Job Responsibilities through NICE framework <p>Most research and development on Cyber Security education currently focuses on what should be taught, how much, and where within the degree programmes. Different Cyber Security frameworks are currently evolving to include Cyber Security education parallel to older paradigms of Computing Education, existing alongside fields such as “<em>Information Technology”</em> and “<em>Software Engineering”</em>. Different Cyber Security specialisations or even whole degree programmes have started within universities before the frameworks have been defined into standardised degree structures. This is mainly the result of a dire industry need for well-educated cyber security personnel, a phenomenon affecting the industry globally.</p> <p>Our research concentrates on Finnish alumni who have graduated from a bachelor’s degree programme in Information Technology with a specialisation in Cyber Security in Finland. Within our gathered research data, we analysed which industry sector their current job resides in, and what the cyber security responsibilities in their current work are. 
The questionnaire also contained an after-reflection section where the graduates could choose what they would study were they about to start and plan their studies again.</p> <p>The results verify that Cyber Security is still the most favoured specialisation among the former Cyber Security students. Slight variation is evident in the data, which in the authors’ perspective verifies the multifaceted nature of Cyber Security. When analysing alumni students’ job responsibilities, the main category of work resides in the “<em>Protect and Defend”</em> category of the NICE Framework, which in the terms of the conference relates to Critical Infrastructure Protection being the main subject of employment for fresh graduates.</p> <p>These results give insight to other educational organisations on how to develop their curricula to further support the employment of students or to offer modules which are of interest to newly employed Cyber Security professionals. In addition, they give an insight into industry demand for freshly graduated students within the target group.</p> Karo Saharinen Jarmo Viinikanoja Jouni Huotari Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 247 255 10.34190/eccws.21.1.201 ZTA: Never Trust, Always Verify <p>Zero Trust Architecture (ZTA) deployments are growing in popularity, widely viewed as a solution to the failings of historical enterprise security monitoring, which typically finds attackers months after they have gained system access. ZTA design incorporates multiple industry security advisories, including assuming network compromise, using robust identity management, encrypting all traffic, thwarting lateral movement, and other security best practices. Collectively, these features are designed to detect and prevent attackers from successfully persisting in the environment. These features each offer solutions to various ongoing security problems but individually are not comprehensive solutions. 
When designed for cloud services, ZTA holds the promise of outsourcing security monitoring. However, some observations about ZTA suggest that the component solutions themselves have flaws, potentially exposing systems to additional undetected vulnerabilities and providing a false sense of security. This paper addresses vulnerable paths using a bottom-to-top approach, listing problem areas and mapping them to the attacker goals of <em>deny, deceive, disrupt, deter, </em>and<em> destroy</em>. The paper then addresses residual risk in the architecture. Based on the findings, the paper suggests realistic countermeasures, offering insights into additional detection and mitigation techniques.</p> char sample Cragin Shelton Sin Ming Loo Connie Justice Lynette Hornung ian poynter Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 256 262 10.34190/eccws.21.1.309 A Collaborative Design Method for Safety and Security Engineers <p>The number of cyberattacks has been increasing, not only on information systems but also on physical systems. The influence of cyberattacks on safety must be considered. Vulnerabilities exploited in cyberattacks continue to appear day by day even if systems were developed securely. Security engineers must eliminate vulnerabilities even if the vulnerabilities appear after the developed systems are released. Vulnerabilities must be managed throughout the system life cycle. But applying a security patch takes time. Safety engineers are required to ensure safety even when vulnerabilities exist. Therefore, collaboration between safety and security (S&amp;S) engineers is necessary to manage S&amp;S during the operation process. S&amp;S should be considered simultaneously in the early stages of the development process. Collaborative discussion is useful for mitigating the risk of rework. 
An example of rework caused by inadequate S&amp;S discussion is a braking system that has to be redesigned to speed up its response in order to compensate for the delay caused by encryption. Therefore, this paper proposes common models effective for collaboration throughout the system life cycle. A management approach using the models is also proposed. The common model is represented by a data flow diagram (DFD), because a module under cyberattack can adversely affect other modules only through data flows. In the proposed method, three improvements contribute to supporting management throughout the system life cycle. Firstly, the models are applied to both safety analysis and security analysis. Secondly, vulnerability occurrence is managed at the level of modules. System structures are designed based on modules. Module abnormalities caused by cyberattacks on the vulnerabilities are managed as causes of safety corruption. To indicate the critical points of the system to be considered, the points from a safety perspective must be identified. Processes and information are traced from those points in the DFD. Finally, a module, which performs a set of functions, is outsourced. For each module, it must be considered who will manage its vulnerabilities. The proposed method is illustrated using the development of a self-driving wheelchair as an example. In this paper, the collaborative design method for S&amp;S engineers of products and their management based on modules are described to ensure safety even when unexpected vulnerabilities exist.</p> Taito Sasaki Takashi Hamaguchi Yoshihiro Hashimoto Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 263 270 10.34190/eccws.21.1.317 Siamese Neural Network and Machine Learning for DGA Classification <p>Domain Generation Algorithms (DGA) are systems used to create multiple, varying domain names on demand.
Such “artificial” domains can then be used to host command and control servers, which in turn oversee recruiting/infecting devices and finally turning them into new resources to be exploited. In this sense, identifying DGA domain names can be crucial to avoid cyberattacks such as phishing, spam sending, Bitcoin mining, and many others. Usually, domain names generated by DGAs consist of illegible character strings, but new “intelligent” DGAs tend to generate names using combinations of dictionary words, making their detection a challenging task. For this reason, in this work we propose to address this problem using a combination of Machine Learning algorithms to improve the classification of DGA domains. In particular, we propose to combine Siamese Neural Networks and traditional supervised Machine Learning algorithms in order to expand the input domain into separable n-dimensional data points and then achieve the domain classification. The proposed approach can be separated into 3 phases. In the first phase, domain names are encoded by a one-hot encoder and by a variation of it, named the probabilistic one-hot encoder, which are implemented separately. Then, in the second phase, Long Short-Term Memory and Convolutional Siamese embedders are tested and compared. In particular, the first one is combined with the one-hot encoded data, while the Convolutional one is applied to the probabilistic one-hot encoded data. In the final step, five Machine Learning algorithms are tested using the data embedded in the two ways. Both embedder approaches reach very high results in terms of F1-score and Accuracy (about 91%) depending on the implemented classifier.
The promising results obtained by the application of the proposed method show that it is possible to perform DGA domain classification solely over the domain names, without considering external information such as DNS packet features.</p> Lander Segurola Telmo Egüés Francesco Zola Raúl Orduna Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 271 279 10.34190/eccws.21.1.205 Probability of Data Leakage and Its Impacts on Confidentiality <p>A multi-channel communication architecture featuring distributed fragments of data is presented as a method for improving the security available in a communication architecture. However, measuring security remains challenging. The Quality of Secure Service (QoSS) model defines a manner by which the probability of data leakage and the probability of data corruption may be used to estimate security properties for a given communication network. These two probabilities reflect two of the three aspects of the IT security triad, specifically confidentiality and integrity. The probability of data leakage is directly related to the probability of confidentiality and may be estimated based on the probabilities of data interception, decryption, and decoding. The number of listeners who have access to the communication channels influences these probabilities, as does, uniquely to the QoSS model, the ability to fragment and distribute data messages across multiple channels between sender and receiver. To simulate the behaviours of various communication architectures and the possibility of malicious interference, the probability of data leakage and its constituent metrics require a thorough analysis. Even if a listener is aware that multiple channels exist, each intermediate node (if any) simply appears to have one input and one output. There may be one or more listeners, and they may or may not be working cooperatively.
Even if the listener(s) gain access to more than one channel, there is still the challenge of decrypting, decoding, or reassembling the fragmented data. The analysis presented herein will explore the probability of confidentiality from both the authorized user’s and the adversary’s perspective.</p> Paul Simon Scott Graham Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 280 288 10.34190/eccws.21.1.472 An Analysis of the Prevalence of Game Consoles in Criminal Investigations in the United Kingdom <p>There is a body of current research on the technical analysis of computer games consoles to determine if information present might be of value in a criminal investigation. This research has highlighted the potential forensic value of the various consoles depending on the type of crime and the capabilities of the console. There is also anecdotal information, presented in the media, on various crimes that have been prosecuted using evidence obtained from games consoles. However, there appears to be no recent study examining the degree of involvement of games consoles in actual criminal activity, cases being investigated or their use in court cases. This paper presents the results of a Freedom of Information request made under the UK Freedom of Information Act (2000) and the Freedom of Information (Scotland) Act 2002. The Freedom of Information Act request was aimed at obtaining an overview of the criminal misuse of game consoles during 2020. This request was sent to the 49 police forces that cover England, Scotland, Wales and Northern Ireland, seeking details on games consoles included in cases that they have investigated. Current results provide limited information on the involvement of game consoles in cybercrime in the United Kingdom.
In examining the prevalence of different types of games consoles in police investigations, the potential need for further work on game console forensics is discussed, along with possible factors affecting both the data collection and the patterns observed in the study.</p> Iain Sutherland Huw Read Konstantinos Xynos Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 289 295 10.34190/eccws.21.1.497 How are Hybrid Terms Discussed in the Recent Scholarly Literature? <p>Hybrid threats range from cyber-attacks on critical systems to disruption of critical services (such as energy and financial services), influencing public confidence, and polarization within society. Awareness, resilience, and response to threats are central to countering hybrid threats. Hybrid warfare is not a new phenomenon; it has existed throughout the history of warfare. However, hybrid threat and hybrid warfare were re-defined as a Western concept, as discussed in this paper, in 2014. Securing the vital functions of society, i.e., managing overall security, includes preparing for threats, and managing and recovering from disruptions and emergencies. Energy policy, which relies on cross-border energy transmission infrastructures (e.g., Russian gas line imports to Europe), can be a tool to influence foreign policy (geo-economics). Trolls and cyber weapons can be used to impact information and elections, and their activity is based on supranational Information Technology (IT) infrastructure. The vital functions of society are prime targets for political, economic, and military pressure from external actors. Hybrid warfare deliberately blurs the boundaries between peacetime and wartime, which makes it difficult for targeted organizations and countries to plan appropriate and timely countermeasures. The threat of hybrid disruptions can be addressed with resilience.
Multifaceted hybrid threats require planning and testing one’s defensive possibilities, so that the various actors of society will be able to respond to possible hybrid attacks and commit all areas of society to an effective defence. Identifying and understanding hybrid warfare is challenging. Situation awareness is a prerequisite, so that societies and their organizations can meet these challenges.</p> Ilkka Tikanmäki Harri Ruoslahti Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 296 304 10.34190/eccws.21.1.457 Application of Geospatial Data in Cyber security <p>Geospatial data is often perceived as only being related to maps, compasses and locations. However, the application areas of geospatial data are far wider and even extend to the field of cybersecurity. Not only is there an ability to show points of interest and emerging network traffic conditions, geospatial data also has the ability to model cyber crime growth patterns and indicate affected areas as well as the emergence of certain types of cyber threats.</p> <p>Geospatial data can feed into intelligence systems, help with analysis and information sharing, and help create situational awareness. This is particularly useful in the area of cyber security. Geospatial data is very powerful and can help to prioritise cyber threats and identify critical areas of concern.</p> <p>Previously, geospatial data was primarily used by militaries, intelligence agencies, weather services or traffic control. Currently, the application of geospatial data has multiplied, and it spans many more industries and sectors. So too for cyber security, geospatial data has a wide number of uses. It may be difficult to find patterns or trends in large data sets. However, the graphic capabilities of geo mapping help present data in a more digestible manner. This may help analysts identify emerging issues, threats and target areas.
In this paper, the usefulness of geospatial data for cyber security is explored. The paper will cover a framework of the key application areas that geospatial data can serve in the field of cyber security. The ten application areas covered in the paper are: tracking, data analysis, visualisation, situational awareness, cyber intelligence, collaboration, improved response to cyber threats, decision-making, cyber threat prioritisation and protection of cyber infrastructure. The aim is that, through this paper, the application areas of geospatial data can be more widely adopted.</p> Namosha Veerasamy Yaseen Moolla Zubeida Dawood Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 305 313 10.34190/eccws.21.1.447 Layer 8 Tarpits: <p>This paper presents a concept for utilising falsified documents and disinformation as a security measure by diminishing the utility of stolen information for the attacker. The classical definition of tarpitting honeypots is to create virtual servers attractive to worms and other malware that answer their connection attempts in such a way that the machine on the other end becomes stuck. A common extension to the OSI model is to refer to the user as layer 8, on top of the application layer. By generating attractive-looking but falsified documents and datasets within our secured network along with the real information, we may be able to force the malicious user on the other end similarly to be 'stuck', as they need to dig through and verify all the information they have managed to steal. This in effect slows down the opponent's decision making, can make their activity in the network more visible and may possibly even mislead them. The concept has similarities to the Canary trap or Barium Meal types of test, and to using honey tokens to help identify who might be the leaker or from which database the data was stolen.
However, the amount of falsified data or fake entries in databases in our concept is significantly larger, and the main purpose is to diminish the utility of the stolen data or otherwise leaked information. The requirement to verify the information and scan through piles of documents trying to find the real information among them can give the defender more time to react if the attack was noticed. It will also reduce the value of the information if it is just dumped in the open, as its contents and authenticity can be more easily questioned. AI-powered methods such as GPT-3, which can generate massive amounts of very realistic-looking text that is hard to differentiate from human-generated text, could make this type of concept more feasible for the defender to utilise. The shortcoming of this concept is the risk that legitimate end-users could also confuse the real and falsified information if that is not somehow prevented.</p> Toni Virtanen Petteri Simola Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 314 318 10.34190/eccws.21.1.252 Cybersecurity Threats to and Cyberattacks on Critical Infrastructure: a Legal Perspective <p>Over the years cybersecurity threats to and cyberattacks on critical infrastructure by state and non-state actors have escalated in intensity and sophistication. Cyberattacks such as the 2017 NotPetya ransomware attack, the 2020 SolarWinds software supply chain attack and the 2021 Colonial Pipeline ransomware attack illustrate the vulnerability of critical infrastructure to cyberattacks.</p> <p>Most cyberattacks are committed across borders, involving criminal hackers or state-supported hackers. Furthermore, critical infrastructure is increasingly interconnected and interdependent. Connectivity brings about the risk of a cyberattack, as demonstrated by the 2021 Colonial Pipeline ransomware attack.
Interconnectedness also means that the compromise of one critical infrastructure asset can have a domino effect that degrades or disrupts others and results in cascading consequences across the economy and national security. Operational continuity is essential, and this may have been one of the reasons why Colonial Pipeline paid a ransom to the cyber-attackers.</p> <p>A cyberattack on the critical infrastructure of a state cannot be seen in isolation, as the consequences of the attack may impact other states; this was illustrated by the 2017 WannaCry and NotPetya ransomware attacks. The level of sophistication of cyberattacks has increased over the years, as shown by the 2020 SolarWinds software supply chain attack. The escalation of attacks has served as a catalyst for governments to address the risk to critical infrastructure. Countries need to have strong government bodies which supervise cybersecurity in their country and work together with their counterparts in other countries by sharing information regarding threats and attacks against critical infrastructure.</p> <p>The discussion focuses on the challenges that threats to and attacks on critical infrastructure present, the possible solutions a government may implement in addressing cyberattacks on critical infrastructure, and the accountability of state and non-state actors for cyberattacks on critical infrastructure. The issues are discussed from a legal perspective.</p> Murdoch Watney Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 319 327 10.34190/eccws.21.1.196 Cyber Security Norms: Trust and Cooperation <p>As cyber crime becomes ever more sophisticated and a significant asymmetric threat, the need for effective cyber security is of vital importance. One important cyber security response is through cyber norms. At the same time, calls for multi-sector and multi-domain trust and cooperation are widespread.
Yet research on the nature of trust and cooperation in cyber security norms appears to be underdeveloped. Key questions remain concerning the emergence and nature of trust and cooperation in norms. In addressing this gap, the article first considers how we can understand trust and cooperation in cyber norms by leveraging well-established theory from management research on trust building. Next, the paper examines the SolarWinds breach, as an example, to evaluate norms, trust and cooperation. The paper then applies principles from prominent trust-building theory to examine the antecedents, processes and outputs involved in building trust and cooperation. The contribution of this work is a foundational conceptual framework that allows the dynamics of norms, trust, and cooperation in managing cyber crime incidents to be studied. In doing so, the literature examining trust and cooperation in norms is extended. Other researchers’ interest is encouraged, as is an agenda for further research on norms, trust, and cooperation to support cyber security management. The implications may help the cyber security community as they construct and manage norms, trust, and cooperation.</p> Allison Wylde Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 328 335 10.34190/eccws.21.1.498 A Managerial Review and Guidelines for Industry 4.0 Factories on Cybersecurity <p>The Fourth Industrial Revolution (Industry 4.0) has created a revolution in traditional factories by introducing the Internet of Things (IoT) and Cyber-Physical Systems (CPS). This revolution has caused increased automation and customized production, which has occurred through a synergy between customer demands, stocks, and supply chains. This synergy has also exposed factories to potential cyber-attack threats. Although there is extensive literature available on the topic of cyber security, business owners still treat cyber security merely as business preservation.
This study sheds light on a step-by-step cyber security approach for manufacturing factories with Industry 4.0. The study presents possible vulnerabilities and threats to the networks and devices used in a factory by dividing them into various common parameters. We reviewed the proposed literature and provided solutions for Industry 4.0 factories regarding cybersecurity challenges. The reviewed articles are divided into four segments, starting from the purpose of the proposal, the adopted methodology, the proposed cyber security solution, and finally the authors’ evaluation. The study reports on state-of-the-art cyber security solutions for Industry 4.0 factories. A characterization of cybersecurity is also proposed with respect to management aspects, showing that every level of the organization has its role. The study also highlights that cybersecurity could play a crucial role in the creation of value for businesses. It is suggested that, in addition to adopting an expert system paradigm for cyber security solutions, factories should also adopt new innovative approaches, such as machine learning, digital twins, and honeypots. This review highlights that cyber security is not only a technical concern: it also needs support from multiple actors in the organization to be added to the comprehensive strategy of an Industry 4.0 factory, and every user must be trained and aware of the cybersecurity risks.</p> Najam Ul Zia Ladislav Burita Aydan Huseynova Victor Kwarteng Owusu Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 336 340 10.34190/eccws.21.1.499 A Cyber-Diplomacy and Cybersecurity Awareness Framework (CDAF) for Developing Countries <p>Cybersecurity is high on the agenda of national and international security policy discussions – mostly led by diplomats. The practice of diplomacy has evolved since the Internet became the backbone of society as we know it.
Technological evolution has resulted in a significantly bigger and more accessible cyberspace, but the ability of governments and institutions to respond to and function in an expanding cyberspace seems to be lagging behind. The practice of diplomacy has similarly changed fundamentally and created a cyber-diplomacy environment in which there is increased utilization of, inter alia, social media platforms to achieve foreign policy goals. Not enough attention is given to practical processes to guide the new breed of diplomats in the evolving world of cyber-diplomacy, and there is a need to improve the cybersecurity awareness of diplomats in all countries, although this article focuses primarily on developing countries. To mitigate potential cyber threats to diplomacy, diplomats need to undergo cyber-diplomacy orientation as well as functional cyber awareness training. Preliminary research suggests that there is a gap between the existing and required cyber-diplomacy and cybersecurity awareness levels of diplomats from developing countries. The purpose of the article is to present a cyber-diplomacy and cybersecurity awareness framework (CDAF) that can be used by developing countries to equip their diplomats to play a more constructive role within the international cyber-diplomacy domain. The CDAF comprises two distinct components, namely cyber-diplomacy and cybersecurity awareness, but this article focuses primarily on the cyber-diplomacy capacity building aspect of the CDAF. The CDAF was developed by following a design science research approach, where a real-world problem was identified, followed by an in-depth literature review to identify objectives and possible solutions to the problem. The subsequent outcomes were used to design and develop the CDAF.
The article concludes with a critical evaluation of the proposed framework as well as how it can be incorporated into the developing cybersecurity knowledge modules of the Global Forum on Cyber Expertise (GFCE).</p> Hendrik Zwarts Jaco Du Toit Basie Von Solms Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 341 349 10.34190/eccws.21.1.226 Assessing Information Security Continuous Monitoring in the Federal Government <p>To confront the relentless and increasingly sophisticated cyber assaults from cybercriminals, nation-state actors, and other adversaries, the U.S. Federal Government must have mechanisms to reduce or eliminate compromise and its debilitating consequences. Information Security Continuous Monitoring (ISCM) leverages technology to rapidly detect, analyze, and prioritize vulnerabilities and threats and deliver a data-driven, risk-based approach to cybersecurity. Although monitoring information system security became a requirement for government agencies over 20 years ago and billions of dollars are being spent annually on cybersecurity, ISCM remains at a low maturity level across the Federal Government. The research framework presented is part of ongoing doctoral research. The research seeks to identify the challenges in achieving an effective ISCM program and inform the measures needed to optimize ISCM. The research involves conducting an ISCM Program Assessment in a Department of Defense (DoD) organization using the recently published National Institute of Standards and Technology (NIST) ISCM Assessment (ISCMA) methodology and the companion assessment tool ISCMAx. An ISCM doctrine placement is presented, derived from the NIST ISCM assessment elements, to more clearly articulate and visualize the doctrine of a well-designed and well-implemented ISCM program. This research will also contribute to the knowledge base for assessing ISCM in the Federal government and the 
functionality of the ISCMAx tool.</p> Tina AlSadhan Joon Park Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 351 359 10.34190/eccws.21.1.281 Expectations And Mindsets Related To GDPR <p>The aim of this qualitative case study is to examine the initial expectations and assumptions related to the General Data Protection Regulation (GDPR) of the European Union from the perspectives of selected Finnish organizations: what were the initial expectations of GDPR, how were they adapted/refined over time, and what was the impact on organizational planning and resourcing. There are no precise earlier studies on the subject. The research question was: What were the organizations’ initial expectations of GDPR, and how have they affected the efforts made? GDPR can be described as an input that forms images, preconceptions and views, among other things, through various active and passive communication flows. As the empirical results indicate, GDPR has been a legal issue, mainly due to the inadequate and unspecific active, official communication flows. As a result, organizations have experienced difficulties in scaling the necessary GDPR efforts. The results of this research can benefit both privacy and information security managers and personnel responsible for aligning policies and practices, and help them evaluate organization-specific actions on GDPR compliance. The results can support regulators and authorities in future GDPR and other policy work and provide ideas for service providers.</p> Pauliina Hirvonen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 360 367 10.34190/eccws.21.1.238 A Cyber Counterintelligence Competence Framework <p style="font-weight: 400;">The increased use of cyberspace and technological advancement are fundamentally changing the cyber threat landscape.
Cyberattacks are becoming more sophisticated, frequent, and destructive. Internationally, there is a growing acceptance that Cyber Counterintelligence (CCI) is essential to counter cyber-attacks optimally. Therefore, in addition to government intelligence and security agencies, more companies are incorporating a CCI approach as a critical element of their posture for engaging cyber threats. However, the successful adoption of a CCI approach depends on the availability of skilled CCI professionals equipped with the requisite competences. The creation of such CCI professionals, in turn, requires a framework for developing the necessary CCI competences. At least as far as the reviewed academic literature is concerned, there is no existing postulation of a framework to develop CCI competences, specifically for developing countries. Given the complexity and multi-disciplinary nature of the emerging CCI field, such a framework needs to provide two distinctive skillsets linked to CCI’s two distinct areas of expertise, namely cyber (security) and counterintelligence. The paper presents a high-level Cyber Counterintelligence Competence Framework (CCIC Framework) that outlines the dimensions of CCI, functional areas, job roles and requisite competences (knowledge, skills, and abilities), and tasks for each CCI job role. The CCIC Framework also outlines five levels of proficiency expected for each job role. The identification of competences and levels of proficiency is integral to the successful implementation of the framework and to workforce development. The CCIC Framework is intended to be used as a tool to retain, assess, and monitor knowledge, skills, and abilities for CCI workforce development. In addition, the CCIC Framework can be used to assist in providing the basis for individual performance management, education, training, and development pathways, as well as career progression.
Therefore, this paper presents a CCIC Framework which is an overarching, integrative construct that synergistically combines the different components required to develop a competent workforce for the emerging field of CCI.</p> Thenjiwe Sithole Jaco Du Toit Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 368 377 10.34190/eccws.21.1.255 The Cyber Era’s Character of War <p class="western" lang="en-GB"><span style="color: #000000;"><span style="font-size: small;">The nature of war is often considered unchanged, although in the cyber era the concepts of war, weapon, and fighter have become blurred. The character of war, by contrast, is constantly changing and is always unique. The character of war is not the same across different battle domains or levels of warfare, which complicates the course of war. A serious deviation of the strategic-level perception of the character of war from the operational- or tactical-level perception can result in defeat.</span></span></p> <p class="western" lang="en-GB"><span style="color: #000000;"><span style="font-size: small;">The fog of war has intensified, although the situational awareness of conventional battlefields has improved due to advances in technology. Technology is a key factor in shaping the character of war in the cyber era, in what is, depending on the point of view, 4th or 5th generation warfare. The nature of next-generation warfare and the formation of the character of war may be determined by Artificial Intelligence or other Emerging and Disruptive Technologies, which themselves develop and use technology, or by some other technology not yet known to us.</span></span></p> <p class="western" lang="en-GB"><span style="color: #000000;"><span style="font-size: small;">This paper seeks to find the factors that influence the formation of the cyber era’s character of war and its transformation in Western and Russian military thinking.
The aim is to describe the opportunities and challenges associated with the use of advanced technology for military purposes. This review is based on NATO’s and Russia’s strategy papers. Theoretically, this paper draws on the theory of the character of war, which is applied to the question under study through the theory of strategic culture. An integrative literature analysis has been used as the research method.</span></span></p> <p class="western" lang="en-GB"><span style="color: #000000;"><span style="font-size: small;">The key findings of the paper are that Russia and the West share the view that a war-like battle is already under way in cyberspace. That requires a faster and better capacity to utilize advanced technologies as part of, or in support of, weapons systems. Russia and the West are struggling with the moral, legal, and technical problems associated with the use of advanced technology, but are aware of its necessity in cyber warfare.</span></span></p> Maija Turunen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 378 384 10.34190/eccws.21.1.216 Enhancing the STIX Representation of MITRE ATT&CK for Group Filtering and Technique Prioritization <p>In this paper, we enhance the machine-readable representation of the ATT&amp;CK Groups knowledge base provided by MITRE in STIX 2.1 format to make additional types of contextual information available and queryable. Such information includes the motivations of activity groups, the countries they have originated from, and the sectors and countries they have targeted.
We demonstrate how to utilize the enhanced model to construct intelligible queries to filter activity groups of interest and retrieve relevant tactical intelligence.</p> Mateusz Zych Vasileios Mavroeidis Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 385 391 10.34190/eccws.21.1.349 Editorial, Biographies and Review Committee <p>Edited by Dr Thaddeus Eze</p> Thaddeus Eze Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 DRAM-based Physically Unclonable Functions and the Need for Proper Evaluation <p>Dynamic Random-Access Memory (DRAM)-based Physically Unclonable Functions (PUFs) are a part of the Physical Layer Security (PhySec) domain. These electrical PUFs are memory-based and exhibit high availability, high Shannon entropy, low energy consumption and a large number of Challenge Response Pairs (CRPs). Because of these properties, the DRAM PUF is a promising approach for security applications in the Industrial Internet of Things (IIoT) context as well as for securing Sixth-Generation (6G) Wireless Systems and edge computing.</p> <p>DRAM, with its most common one-Transistor one-Capacitor (1T1C) architecture, is a volatile memory embedded in almost every modern computing unit. Regarding PUF security applications, four main types of DRAM PUF are currently distinguished in the scientific community: <em>Retention Error</em>, <em>Row Hammer</em>, <em>Startup</em> and <em>Latency</em> PUFs. These differ in the procedure by which responses are generated as well as in the underlying physical mechanisms, and each has different properties in terms of availability, reliability, uniqueness and uniformity.</p> <p>To examine this, and to obtain comparable results, this work proposes to compare the four different DRAM-PUF types i) with the same evaluation metrics and ii) implemented on the same DRAM cells. 
This is both what distinguishes this work from the existing literature and its added value. As far as is known, no work to date performs the intended evaluations on the same evaluation platform under identical conditions, although this is required for comparable results.</p> <p>This consistent comparison is ensured by a self-developed and implemented evaluation platform equipped with a significant number of DRAMs. An appropriately high volume of measurements provides the corresponding resolution. Monitoring the environmental conditions prevents misinterpretations caused by environmental influences and also provides useful context information. Furthermore, a detailed technical and physical background is described. The results of this approach will assist in deciding which DRAM-PUF is appropriate under which (environmental) conditions and thereby provide a guideline for practitioners.</p> Christoph Lipps Pascal Ahr Hans Dieter Schotten Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 430 433 10.34190/eccws.21.1.404 ECHO Cyber-Skills Framework as a Cyber-Skills Education and Training Tool in Health and Medical Tourism <p>The ECHO Horizon 2020 Project develops a European cybersecurity ecosystem. One of its assets is the ECHO Cyber-Skills Framework (ECSF). This work-in-progress paper aims to improve cybersecurity education and training in the healthcare industry, including health and medical tourism. First, this paper finds out how ECSF will benefit the healthcare sector regarding cyber-skills and awareness in order to create a more secure information technology (IT) environment in healthcare. Based on these findings, the paper proposes a strategy to adopt ECSF in order to improve the existing state of IT security and increase worker and management awareness and understanding. 
Finally, the paper looks at ECSF’s possibilities as a tool for education and training in health and medical tourism.</p> Jyri Rajamäki Eleonora Beltempo Jussi Karvonen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 434 437 10.34190/eccws.21.1.274 How to Utilize E-EWS as a Tool in Healthcare <p>ECHO (the European network of Cybersecurity centres and competence Hub for innovation and Operations) is one of the four pilot projects under the European Commission’s H2020 Program. This work-in-progress paper relates to the project’s task “ECHO Early-Warning Systems (E-EWS) / ECHO Federated Cyber Range (E-FCR) Demonstration Workshops”, which will be implemented during 2021 and 2022. As the healthcare industry becomes more connected to the Internet, the possibilities for disastrous cyber-attacks rise accordingly. Well-performing warning systems and robust information sharing between different parties are essential tools to help prevent these attacks. The aim of this paper is to find out how to utilize E-EWS as a tool in the healthcare sector. We started by mapping out the existing Early Warning Systems related to healthcare. At the same time, we researched the different implementations of E-EWS into already existing national systems and how information sharing could be done. As a result, we found that there do not seem to be any widely used international Early Warning Systems in the healthcare field, and we conclude that implementing E-EWS could have significant benefits for the whole industry. A working Early Warning System can help to prevent cyber threats and save lives. However, there are many challenges involved in the implementation. First, the healthcare field is very fragmented, with many different private and national actors, and second, the structural differences between EU countries bring their own problems. 
Thus, the successful implementation of E-EWS in healthcare depends mainly on how well all the different actors can cooperate.</p> Janne Lahdenperä Joonas Muhonen Jyri Rajamäki Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 438 441 10.34190/eccws.21.1.401 Cyber Concerns With Cloud Computing <p>The last two decades have seen a paradigm shift towards cloud-based services, cloud-central storage, and cloud computing. The benefits of this shift have been undeniable, including the minimal user infrastructure needed to achieve what appears to be limitless data storage, powerful processing capabilities, and services that scale according to demand. However, where there is an upside there usually exists a downside. Cloud computing brings many security and cyber concerns that stem from the inherent insecurity of having large concentrations of data and assets in the cloud, making it a priority target for malicious actors. This survey paper provides a review of the existing cyber concerns with cloud computing from a military perspective and points out future cyber concerns that may arise from emerging technological advancements on the horizon.</p> Jacob Chan Mark Reith Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 393 400 10.34190/eccws.21.1.429 Impact of information security threats on small businesses during the Covid-19 pandemic <p>Information is a significant asset of any organization. The increased demand for information by all parties has gained attention and raised security concerns – especially in this digital era where everyone depends heavily on the Internet. The Internet and online platforms expose valuable information to various information threats. These pervasive threats compromise information privacy, safety, and security. Legitimate people and criminals compete to access information. 
Criminals use innovative ways to gradually increase information security threats, especially in the small business sector, which has only a minimal budget for proactive security measures. Due to the scarcity of academic research on information security threats for small businesses, this study presents the impact of security threats on businesses during the global Covid-19 pandemic.</p> <p>A qualitative survey within the interpretive approach was used to gather data from 20 small businesses in the Western Cape, South Africa, to fill this gap. The study used judgmental sampling to select research participants who are business owners. Data were analyzed using thematic analysis. The results indicated a knowledge gap relating to information threats, even though most businesses are familiar with the costly and negative impact of threats on business operations, resulting in business discontinuity. However, some small business sectors showed minimal awareness and understanding of information security threats, their impact, and proactive mitigation strategies. The study concludes with recommendations to protect against information security threats.</p> Tabisa Ncubukezi Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 401 410 10.34190/eccws.21.1.453 Analysis of sexual abuse of children online and CAM investigations in Europe <p>Child sexual abuse or child exploitation online, as sexual violence including Child Abuse Material (CAM/CSAM), is a global phenomenon. This case study aims to gather information on the current nature of these crimes, as an international and cross-border cybercrime in Europe, from surveys, reports, articles, and documents published online. To understand the phenomenon, children's own experiences in some European countries, how they react to sexual messages or sexual harassment online, and how they recognize the threat of becoming a victim of sexual abuse online are important aspects. 
Sexually motivated offenders and their behavior in online conversations are also important to recognize in order to gain more information on this criminal activity. If the sexual abuse has taken place only online, knowledge of current events helps law enforcement authorities (LEAs) to understand how they can reliably find the digital evidence needed for pre-trial investigations and judicial processes. The authorities’ workload can be high in CAM/CSAM cases, first because of the enormous volumes of digital data to be handled, but also because of the nature of the cases, which has widely been seen to cause different forms of stress to professionals as well. From this point of view, this study also aims to describe how different forensic tools and technological solutions could help LEAs with their work, for example by classifying materials into different categories, better recognizing victims and suspects, or freeing up time to investigate other crimes.</p> Jyri Rajamäki Johanna Parviainen Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 411 418 10.34190/eccws.21.1.276 Forensic Trails Obfuscation and Preservation via Hard Drive Firmware <p>The hard disk drive stores the data the user is creating, modifying, and deleting, while firmware facilitates communication between the drive and the operating system. The firmware tells the device and machine how to communicate with each other and shares useful information such as disk size and information on any bad sectors. Current research shows that exploits exist that can manipulate these outputs. An attacker can change the size of the disk reported to the operating system in order to hide data, or likewise mark an area of the disk as bad. Users may not be aware of these changes, as the operating system will accept the readings from the firmware. 
Although the hidden data is not reachable via the operating system, this paper looks at the traceability of manipulated data using the data recovery software FTK Imager, Recuva, EaseUS and FEX Imager.</p> <p>This report examines the use of malicious techniques to thwart digital forensic procedures by manipulating the firmware. It is shown how this is possible and that current forensic techniques and software do not easily detect a change within the firmware. However, with the use of various forensic tools, obfuscated trails are detectable. This report follows a black box testing methodology to show the validation of forensic tools and software against anti-forensic techniques. The analysis of the results showed that most tools can find the firmware changes; however, it requires an analyst to spot the subtle differences between standard and manipulated devices. The use of multiple software tools can help an analyst spot the inconsistencies.</p> Paul Underhill Toyosi Oyinloye Lee Speakman Thaddeus Eze Copyright (c) 2022 European Conference on Cyber Warfare and Security 2022-06-08 2022-06-08 21 1 419 428 10.34190/eccws.21.1.188
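The firmware abstract above ("Forensic Trails Obfuscation and Preservation via Hard Drive Firmware") describes a disk whose reported size has been reduced so that the operating system never sees part of it, and notes that cross-checking several sources exposes the inconsistency. The following is an added example, not code from that paper: it assumes the size change is implemented as a lowered maximum reported address (the host-protected-area style of manipulation, which is one mechanism and not necessarily the one the paper used), parses the `max sectors = current/native` line printed by `hdparm -N` on Linux, and compares both figures with what the OS believes the disk holds (e.g. from `blockdev --getsz`). The sample outputs are constructed, not real captures.

```python
import re

# `hdparm -N /dev/sdX` prints "max sectors = <current>/<native>, HPA is enabled|disabled".
# The regex relies only on the two numbers, not on the trailing wording.
MAX_SECTORS_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_hdparm_n(output: str) -> tuple[int, int]:
    """Return (current_max_sectors, native_max_sectors) from `hdparm -N` output."""
    match = MAX_SECTORS_RE.search(output)
    if match is None:
        raise ValueError("no 'max sectors = current/native' line in hdparm output")
    return int(match.group(1)), int(match.group(2))


def check_capacity(hdparm_output: str, os_sectors: int, sector_size: int = 512) -> dict:
    """Compare firmware-reported current vs native capacity, and the OS view against them.

    os_sectors is the size the OS reports in 512-byte sectors (e.g. `blockdev --getsz`).
    A native capacity above the current one means the drive is physically larger than
    it admits; an OS figure that differs from the firmware's current figure means the
    two views of the disk disagree. Either case warrants a closer look by the analyst.
    """
    current, native = parse_hdparm_n(hdparm_output)
    hidden = native - current
    return {
        "current_max_sectors": current,
        "native_max_sectors": native,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * sector_size,
        "os_matches_firmware": os_sectors == current,
        "suspicious": hidden > 0 or os_sectors != current,
    }


# Constructed sample outputs (not real captures): an untouched disk and one whose
# reported maximum address has been lowered by 10,000,000 sectors (about 5.1 GB).
CLEAN_OUTPUT = "/dev/sda:\n max sectors   = 976773168/976773168, HPA is disabled\n"
REDUCED_OUTPUT = "/dev/sdb:\n max sectors   = 966773168/976773168, HPA is enabled\n"


if __name__ == "__main__":
    print(check_capacity(CLEAN_OUTPUT, 976773168))
    print(check_capacity(REDUCED_OUTPUT, 966773168))
```

On a live system the two inputs come from `hdparm -N /dev/sdX` and `blockdev --getsz /dev/sdX`; the point of the check is that neither figure is trusted on its own, which is the same multi-source approach the abstract recommends for the imaging tools.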
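The DRAM-PUF abstract above ("DRAM-based Physically Unclonable Functions and the Need for Proper Evaluation") argues that the four PUF types can only be compared when the same metrics are applied to responses from the same cells. As an added example that is not code or data from that paper, the following applies one metric set (uniformity, reliability, uniqueness, each in its usual Hamming-distance form) to constructed 16-bit responses for two hypothetical PUF types and two hypothetical DRAM modules; the response strings are invented to illustrate the metrics, and real evaluations would use far longer responses and many more devices and repeats.

```python
from itertools import combinations


def hamming_distance(a: str, b: str) -> int:
    """Number of bit positions in which two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("responses must have equal length")
    return sum(x != y for x, y in zip(a, b))


def uniformity(response: str) -> float:
    """Fraction of ones in one response; the ideal is 0.5 (no bias towards 0 or 1)."""
    return response.count("1") / len(response)


def reliability(reference: str, repeats: list[str]) -> float:
    """1 minus the mean normalised intra-device Hamming distance between the enrolment
    response and later re-measurements of the same cells; the ideal is 1.0."""
    if not repeats:
        raise ValueError("need at least one re-measurement")
    mean_hd = sum(hamming_distance(reference, r) for r in repeats) / len(repeats)
    return 1.0 - mean_hd / len(reference)


def uniqueness(responses: list[str]) -> float:
    """Mean normalised inter-device Hamming distance over all device pairs; the ideal
    is 0.5 (two chips' responses look like independent random strings)."""
    if len(responses) < 2:
        raise ValueError("need responses from at least two devices")
    pairs = list(combinations(responses, 2))
    total = sum(hamming_distance(a, b) for a, b in pairs)
    return total / (len(pairs) * len(responses[0]))


def evaluate(puf_type: str, enrolment: dict[str, str], repeats: dict[str, list[str]]) -> dict:
    """Apply the same three metrics to one PUF type so that types can be compared."""
    devices = sorted(enrolment)
    return {
        "type": puf_type,
        "uniformity": {d: uniformity(enrolment[d]) for d in devices},
        "reliability": {d: reliability(enrolment[d], repeats[d]) for d in devices},
        "uniqueness": uniqueness([enrolment[d] for d in devices]),
    }


# Constructed 16-bit responses for two hypothetical DRAM modules and two PUF types
# (not measurement data from the paper). Each module is re-measured twice.
SAMPLE = {
    "startup": {
        "enrolment": {"dram_A": "1011001110100101", "dram_B": "1011001101011010"},
        "repeats": {
            "dram_A": ["1011001110100101", "1011001110100111"],
            "dram_B": ["1011001101011010", "1011001101011010"],
        },
    },
    "retention": {
        "enrolment": {"dram_A": "1111000011110000", "dram_B": "1111000011110001"},
        "repeats": {
            "dram_A": ["1111000011110000", "0111000011110000"],
            "dram_B": ["1111000011110001", "1111000011110001"],
        },
    },
}


def compare_types(sample: dict = SAMPLE) -> list[dict]:
    """Evaluate every PUF type in the sample with the identical metric set."""
    return [evaluate(name, data["enrolment"], data["repeats"])
            for name, data in sample.items()]


if __name__ == "__main__":
    for result in compare_types():
        print(result)
```

In the constructed data the "startup" responses of the two modules differ in half their bits (uniqueness 0.5, the ideal), while the "retention" responses differ in one bit (uniqueness 0.0625), so the second type would not distinguish the two modules even though both are equally reliable. That is the kind of conclusion the abstract says only holds when the metrics and the cells are the same across types.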
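The ATT&CK abstract above ("Enhancing the STIX Representation of MITRE ATT&CK for Group Filtering and Technique Prioritization") describes adding origin countries, targeted countries and sectors, and motivation to the STIX 2.1 intrusion-set objects so that groups can be filtered and their techniques prioritised. The following is an added example and not the paper's model or code: it uses plain dictionaries in STIX 2.1 JSON shape, custom property names of its own choosing (`x_origin_countries`, `x_target_countries`, `x_target_sectors`; STIX 2.1 requires custom properties to carry the `x_` prefix, and the paper's names may differ), the standard `primary_motivation` property, and a constructed bundle of three hypothetical groups linked by `uses` relationships to attack-patterns carrying real ATT&CK technique IDs.

```python
import json
from collections import Counter
from typing import Iterable

# Custom STIX 2.1 properties must start with "x_". These names are this example's own
# (hypothetical) choice, not the property names used in the paper.
ORIGIN = "x_origin_countries"
TARGET_COUNTRIES = "x_target_countries"
TARGET_SECTORS = "x_target_sectors"
MOTIVATION = "primary_motivation"  # standard intrusion-set property (attack-motivation-ov)


def enrich(intrusion_set: dict, *, origin=(), target_countries=(), target_sectors=(),
           motivation=None) -> dict:
    """Return a copy of an intrusion-set with the contextual properties merged in."""
    enriched = dict(intrusion_set)
    for key, values in ((ORIGIN, origin), (TARGET_COUNTRIES, target_countries),
                        (TARGET_SECTORS, target_sectors)):
        if values:
            enriched[key] = sorted(set(enriched.get(key, [])) | set(values))
    if motivation is not None:
        enriched[MOTIVATION] = motivation
    return enriched


def filter_groups(bundle: dict, *, sector=None, target_country=None, origin=None,
                  motivation=None) -> list[dict]:
    """Intrusion-sets matching every criterion given (AND); omitted criteria match all."""
    matches = []
    for obj in bundle["objects"]:
        if obj.get("type") != "intrusion-set":
            continue
        if sector and sector not in obj.get(TARGET_SECTORS, []):
            continue
        if target_country and target_country not in obj.get(TARGET_COUNTRIES, []):
            continue
        if origin and origin not in obj.get(ORIGIN, []):
            continue
        if motivation and obj.get(MOTIVATION) != motivation:
            continue
        matches.append(obj)
    return sorted(matches, key=lambda g: g["name"])


def prioritise_techniques(bundle: dict, groups: Iterable[dict]) -> list[tuple[str, int]]:
    """Rank ATT&CK technique IDs by how many of the selected groups 'use' them."""
    group_ids = {g["id"] for g in groups}
    patterns = {o["id"]: o for o in bundle["objects"] if o.get("type") == "attack-pattern"}
    counts = Counter()
    for rel in bundle["objects"]:
        if (rel.get("type") == "relationship" and rel.get("relationship_type") == "uses"
                and rel["source_ref"] in group_ids and rel["target_ref"] in patterns):
            pattern = patterns[rel["target_ref"]]
            ext_id = next((r["external_id"] for r in pattern.get("external_references", [])
                           if r.get("source_name") == "mitre-attack"), pattern["name"])
            counts[ext_id] += 1
    return counts.most_common()


def build_sample_bundle() -> dict:
    """Constructed STIX 2.1 bundle: three hypothetical groups, three real ATT&CK technique IDs."""
    def sid(kind: str, n: int) -> str:
        return f"{kind}--00000000-0000-4000-8000-{n:012d}"

    def group(n: int, name: str, **ctx) -> dict:
        return enrich({"type": "intrusion-set", "spec_version": "2.1",
                       "id": sid("intrusion-set", n), "name": name}, **ctx)

    def pattern(n: int, name: str, ext_id: str) -> dict:
        return {"type": "attack-pattern", "spec_version": "2.1", "id": sid("attack-pattern", n),
                "name": name,
                "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}

    def uses(n: int, g: dict, p: dict) -> dict:
        return {"type": "relationship", "spec_version": "2.1", "id": sid("relationship", n),
                "relationship_type": "uses", "source_ref": g["id"], "target_ref": p["id"]}

    groups = [
        group(1, "Group Alpha", origin=["Country X"], target_countries=["Country Y", "Country Z"],
              target_sectors=["healthcare", "government"], motivation="organizational-gain"),
        group(2, "Group Beta", origin=["Country X"], target_countries=["Country Y"],
              target_sectors=["healthcare"], motivation="personal-gain"),
        group(3, "Group Gamma", origin=["Country W"], target_countries=["Country Z"],
              target_sectors=["energy"], motivation="organizational-gain"),
    ]
    patterns = [pattern(1, "Phishing", "T1566"),
                pattern(2, "Command and Scripting Interpreter", "T1059"),
                pattern(3, "Valid Accounts", "T1078")]
    rels = [uses(1, groups[0], patterns[0]), uses(2, groups[0], patterns[1]),
            uses(3, groups[1], patterns[0]), uses(4, groups[1], patterns[2]),
            uses(5, groups[2], patterns[1])]
    return {"type": "bundle", "id": sid("bundle", 1), "objects": groups + patterns + rels}


if __name__ == "__main__":
    bundle = build_sample_bundle()
    selected = filter_groups(bundle, sector="healthcare", origin="Country X")
    print(json.dumps([g["name"] for g in selected]))
    print(prioritise_techniques(bundle, selected))
```

The query "groups from Country X that target healthcare" selects Alpha and Beta, and the ranking then puts T1566 first because both selected groups use it; the same two functions run unchanged over a real ATT&CK STIX 2.1 bundle once its intrusion-sets carry the contextual properties, whatever names are chosen for them.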