Projektbeschreibung / Project Summary

Cloud Computing is a style of computing where elastic IT-related capabilities are provided as optimized, cost-effective, and on-demand utility-like services to customers using Internet technologies. Being one of the major trends in the IT industry recently, it has gained tremendous momentum and started to revolutionize the way enterprises create and deliver IT solutions. As more sectors adopt cloud services in their computing environment, the trend will also reach ICT services operating critical infrastructures (CI), such as transportation systems or infrastructure surveillance.

Hosting CI services in the cloud brings with it security and resilience requirements that existing cloud offerings are not well placed to address. Due to the opacity and elasticity of cloud environ- ments, the risks of deploying CI services in the cloud are difficult to assess – specifically on the technical level, but also from legal or business perspectives. Traditional IT security measures cannot fully tackle the issues (e.g. risk, trust, and resilience) arising from this paradigm shift, especially for operators and manufacturers of critical infrastructure IT systems. Therefore, the mission of the SECCRIT project is to analyse and evaluate cloud computing technologies with respect to security risks in sensitive environments, and to develop methodologies, technologies, and best practices for creating a secure, trustworthy, and high assurance cloud computing environment for CI.

In order to accomplish this mission, the objectives of the SECCRIT project are: identification of the relevant legal framework and establishment of respective guidelines, provision of evidence and data protection for cloud services; understanding and managing risk associated with cloud environments; understanding cloud behaviour in the face of challenges; establishment of best practice for secure cloud service implementations; and the demonstration of SECCRIT research and development results in real-world application scenarios.

To reach these objectives, the SECCRIT consortium will take a user-driven and multi-disciplinary approach. Underpinning all the technical objectives of the project will be legal guidance, ensuring the compliance and applicability of our results. An outcome from the project will be a set of (legal) guidelines about the use of cloud services for CI providers. In addition, SECCRIT will develop risk assessment and management methodologies, and give broader insights into risk perception, transfer and migration, such that CI providers can make decisions about cloud computing adoption with a clear view on the potential risks. Critical infrastructure providers have stringent security assurance and resilience requirements that reflect business, regulatory and legal obligations. To ensure these are met when providers use the cloud, techniques for assurance evaluation will be produced. Furthermore, tools that support specifying policies and ensuring their enforcement will be created. Understanding the operational behaviour of cloud services, particularly when challenged, is a paramount concern for CI providers. Root cause analysis techniques that provide insights into the operational behaviour of clouds will be developed in order to address this important need. Critical infrastructure services provided in the cloud will surely be a prime target for attack. Furthermore, faults and human mistakes, for example, will challenge the operation of CI services, potentially with significant impact. Consequently, SECCRIT will develop a resilience management approach that allows the use of specific techniques, such as vendor diversity and controlled dynamic adaptation of networks and services, in cloud environments. Implementations of our project results and pro- cess-oriented guidelines will be developed. This will be done in close cooperation with project partners who are either users or providers of CI solutions and cloud computing. The research and development results will be rigorously evaluated and validated in two demonstration scenarios.

To ensure wide adoption and maximise the impact of SECCRIT results, the project solutions will be strongly end user-driven. A user group that spans through multiple application domains, e.g., energy, healthcare, industry automation, finance etc. has been formed to reinforce and complement the user organisations in the consortium in the requirements specification phase. Another specific purpose of this group is to enable effective dissemination of project results, ensure a strong link to industry and public authorities, and facilitate the building of a community in this important area.