1,721,000 research outputs found
Securing the weak link of federated systems via trusted execution: A case study from the eHealth domain
No full textThe interconnection of organisations from distributed, heterogeneous, and autonomous domains having different regulations often requires a trusted third-party gateway to translate security means applied in one domain to those of a different domain. At that point, sensitive data is exposed unencrypted on the gateway host, thus vulnerable to attacks. In this paper, we provide a solution to this weakness of federated architectures by using hardware-assisted trusted computing (TC). We propose an approach where the new Intel's CPU extension, namely Software Guard eXtension (SGX), is exploited to guarantee the trustworthiness of the weakest link - i.e., the gateway - in spite of an aggressive attack model. The validation of our work was realised through the European eHealth infrastructure, namely OpenNCP, that enables cross-border health care and establishes shared practices to implement mechanisms and policies allowing patient data exchange between distinct national eHealth systems
A self-adaptation-based approach to resilience improvement of complex internets of utility systems
No full textA framework for Seveso-compliant cyber-physical security testing in sensitive industrial plants
No full textThe InfraStress-EU framework was defined in the context of the H2020 project InfraStress, to provide operators of sensitive industrial sites – i.e., industrial plants where dangerous substances are handled and are thus subject to the Seveso III Directive (2012/18/EU) – with a technically sound approach and an accompanying simulation tool for the prevention of accidents. The framework enables reliable and effective cybersecurity testing of industrial infrastructures, with the ultimate goal of improving the resilience of critical processes to cyber-physical attacks. It takes a cue from the TIBER-EU initiative, of which it extends the core penetration testing phases to “hybrid”–meaning consisting of a mix of real and simulated components–setups. By doing so, it relieves operators from their main concern, i.e., the risk of compromising the normal functioning of control systems when performing key security testing activities, such as gathering information on cyber-threats and/or trying out alternative response strategies. InfraStress-EU was implemented and evaluated in close cooperation with five operators, who contributed the requirements of real setups in their respective industrial sectors
Elliptic curve cryptography engineering
No full textIn recent years, elliptic curve cryptography (ECC) has gained widespread exposure and acceptance, and has already been included in many security standards. Engineering of ECC is a complex, interdisciplinary research field encompassing such fields as mathematics, computer science, and electrical engineering. In this paper, we survey ECC implementation issues as a prominent case study for the relatively new discipline of cryptographic engineering. In particular,we show that the requirements of efficiency and security considered at the implementation stage affect not only mere low-level, technological aspects but also, significantly, higher level choices, ranging from finite field arithmetic up to curve mathematics and protocols
Increasing the Cybersecurity of Smart Grids by Prosumer Monitoring
No full textThe evolution from traditional power grids to modern smart grids marks a significant advancement in energy management and efficiency. This transition - driven by the implementation of bidirectional energy and information flows - results in a dramatic increase in infrastructure vulnerability since new entry points are introduced on the attack surface. In particular, prosumers represent a brand new - and, thus, largely unexplored - attack vector, for which a thorough re-evaluation of the existing security measures is very much needed. This article proposes a novel approach to security monitoring, which exploits business process knowledge to effectively identify and mitigate prosumer-specific advanced persistent threats in smart grids. To validate the approach, an experimental campaign is done in a real setup, specifically the power grid of the Berchidda municipality, in Italy. Impact evaluation covers technical as well as business aspects since the analysis includes potential economic consequences of the attacks
Going Beyond Counting First Authors in Author Co-citation Analysis
Full text linkThe present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation
counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings
are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that
only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into
account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed
Facing the blockchain endpoint vulnerability, an SGX-based solution for secure eHealth auditing
Full text linkAccording to McAfee Labs, even in 2019, the eHealth sector is confirmed as one of the most critical in terms of cybersecurity incidents. It is estimated that more than 176 million patient records were target of attacks between 2009 and 2017, and with a single attack, in 2018, more than 1.4 million patient records were affected at UnityPoint Health. To cope with such a dramatic situation, one of the main strategic priority in the eHealth field is represented by the adoption of Blockchain. Specifically, according to a Deloittes survey, 55% of healthcare executives believe that blockchain technology will disrupt the healthcare industry. Unfortunately, while blockchain provides a valuable tool for enhancing the security of health applications and related data, it cannot be assumed as a panacea for data security. As an example, the so-called Endpoint Vulnerability issue is a well-known problem of Blockchain-based solutions: in such a case the attacker successful in gaining control of the end-point can tamper data off-chain during its generation and/or before it is sent to the chain. In this paper, we face such an issue by shielding the endpoint through the Intel Software Guard eXtension (SGX) technology. We demonstrate our solution for an auditing software belonging to the European eHealth management system (namely OpenNCP). We also discuss how our solution can be generalized to any other Blockchain-based solution. Finally, an experimental evaluation has been conducted to prove the actual feasibility of the proposed solution under the requirements of the real eHealth system
- …
