18 research outputs found

    A Dynamic Cyber Security Situational Awareness Framework for Healthcare ICT Infrastructures

    The healthcare sector has experienced a massive technical evolution over the past decade through the integration of medical devices with IT at both the physical and cyber level, forming a critical Health Care Information Infrastructure (HCII). HCII provides huge benefits for health care service delivery, but the evolving digital interconnectivity among medical and IT devices has also changed the threat landscape. In particular, systems are now more exposed to cyber-attacks due to the sensitivity and criticality of patient health care information and the accessibility of medical devices, and this poses a potential disruption of healthcare service delivery. There is a need to enhance the security and resilience of HCII. In this paper, we present a Cyber Security Situational Awareness Framework that aims to improve the security and resilience of the overall HCII. The framework aims to develop a novel dynamic Situational Awareness approach for the health care ecosystem. We consider bio-inspired Swarm Intelligence and its inherent features together with the main principles of Risk and Privacy assessment and management and Incident handling to ensure the security and resilience of healthcare service delivery.

    Handling of advanced persistent threats and complex incidents in healthcare, transportation and energy ICT infrastructures

    In recent years, the use of information technologies in Critical Infrastructures has been gradually increasing. Although this brings benefits, it also increases the possibility of security attacks. Despite the availability of various advanced incident handling techniques and tools, there is still no easy, structured, standardized and trusted way to manage and forecast interrelated cybersecurity incidents. This paper introduces CyberSANE, a novel dynamic and collaborative warning and response system, which supports security officers and operators in recognizing, identifying, dynamically analysing, forecasting, treating and responding to security threats and risks, and guides them in handling cyber incidents effectively. The components of CyberSANE are described along with a description of the CyberSANE data flow. The main novelty of the CyberSANE system is that it enables the combination of active incident handling approaches with reactive approaches to support incidents in compound, highly dependent Critical Information Infrastructures. The benefits and added value of using CyberSANE are described with the aid of a set of cyber-attack scenarios.

    Cyberattack Path Generation and Prioritisation for Securing Healthcare Systems

    Cyberattacks in the healthcare sector are constantly increasing due to the increased usage of information technology in modern healthcare and the benefits of acquiring a patient healthcare record. Attack path discovery provides useful information to identify the possible paths that potential attackers might follow for a successful attack. By identifying the necessary paths, the mitigation of potential attacks becomes more effective in a proactive manner. Recently, there have been several works that focus on cyberattack path discovery in various sectors, mainly in critical infrastructure. However, there is a lack of focus on the vulnerability, exploitability and target user profile for the attack path generation. This is important for healthcare systems, where users commonly lack awareness and knowledge of the overall IT infrastructure. This paper presents a novel methodology for cyberattack path discovery that is used to identify and analyse the possible attack paths and prioritise the ones that require immediate attention to ensure security within the healthcare ecosystem. The proposed methodology follows the existing published vulnerabilities from Common Vulnerabilities and Exposures. It adopts the Common Vulnerability Scoring System so that base metrics and exploitability features can be used to determine and prioritise the possible attack paths based on the threat actor capability, asset dependency, target user profile and evidence of indicators of compromise. The work includes a real example from the healthcare use case to demonstrate the methodology used for the attack path generation. The result from the studied context, which processes big data from healthcare applications, shows that the use of various parameters such as CVSS metrics, threat actor profile and Indicators of Compromise allows us to generate realistic attack paths. This certainly supports healthcare practitioners in identifying the controls that are required to secure the overall healthcare ecosystem.

    Vulnerability prediction for secure healthcare supply chain service delivery

    Healthcare organisations are constantly facing sophisticated cyberattacks due to the sensitivity and criticality of patient health care information and the wide connectivity of medical devices. Such attacks can pose potential disruptions to critical service delivery. There are a number of existing works that focus on using Machine Learning (ML) models for predicting vulnerability and exploitation, but most of these works focus on parameterized values to predict severity and exploitability. This paper proposes a novel method that uses ontology axioms to define essential concepts related to the overall healthcare ecosystem and to ensure semantic consistency checking among such concepts. The application of ontology enables the formal specification and description of the healthcare ecosystem and the key elements used in vulnerability assessment as a set of concepts. Such specification also strengthens the relationships that exist between healthcare-based and vulnerability assessment concepts, in addition to semantic definition and reasoning over the concepts. Our work also makes use of Machine Learning techniques to predict possible security vulnerabilities in health care supply chain services. The paper demonstrates the applicability of our work by using vulnerability datasets to predict exploitation. The results show that the conceptualization of healthcare sector cybersecurity using an ontological approach provides mechanisms to better understand the correlation between the healthcare sector and the security domain, while the ML algorithms increase the accuracy of the vulnerability exploitability prediction. Our results show that Linear Regression, Decision Tree and Random Forest provided reasonable results for predicting vulnerability exploitability.

    Cyber supply chain threat analysis and prediction using machine learning and ontology

    Cyber Supply Chain (CSC) security requires a secure integrated network among the sub-systems of the inbound and outbound chains. Adversaries are deploying various penetration and manipulation attacks on the nodes of a CSC integrated network. The different levels of integration and inherent system complexities pose potential vulnerabilities and attacks that may cascade to other parts of the supply chain system. Thus, it has become imperative to implement systematic threat analysis and prediction within the CSC domain to improve the overall security posture. This paper presents a unique approach that advances the current state of the art in CSC threat analysis and prediction by combining work from three areas: Cyber Threat Intelligence (CTI), Ontologies, and Machine Learning (ML). The outcome of our work shows that the conceptualization of cybersecurity using ontological theory provides clear mechanisms for understanding the correlations within the CSC security domain and enables the mapping of the ML prediction, with 80% accuracy, of potential cyberattacks and possible countermeasures.

    Interoperability and privacy practices and methodologies: implementation on advanced and secure electronic and mobile services

    The design, development and implementation of electronic and mobile (e/m-) services relying on XML and Web Service (WS)-based standards and technologies, which are the main components of Service Oriented Architectures (SOAs), is the current trend in the modern era. Due to the nature of these services, several issues pertaining to security, privacy, identity management and interoperability have been raised. Initially, the thesis identifies the need for targeted methodologies and frameworks that check and guarantee the end-to-end application interaction capabilities of common services. The thesis proposes a well-formed grey box testing methodology entitled ICoM, able to test whether various services achieve communication effectively based on the adopted standards. ICoM has been applied in order to evaluate the interoperability of the existing autonomous SELIS e-invoicing service and the SWEB e-invoicing service embedded in a SOA-based platform. In addition, the need for privacy-aware transactions raises specific problems that the aforementioned services need to solve, including the privacy-aware management of identities. The research in this thesis has identified several identity management solutions that implement complete identity handling frameworks. Given this diversity of solutions, a SOA designer faces the problem of identifying which framework or specific solution better suits the needs of the SOA he is building, without introducing additional complexity to the design on the one hand or leaving out important aspects of privacy management on the other. In this context, this thesis proposes a specific classification of SOA designs with respect to the way that the trust relationship among the involved entities, users and SOAs, is established, enabling the user to access the provided services. Although the provided e/m-services have increased over the last decade, the level of trust and confidence remains low, preventing their adoption and prevalence. Nowadays, despite the formation of Federations, where a trust relationship among the involved parties is established and monitored by an Identity Management System (IMS), being considered the most appropriate solution to build Trust, the notion of Trust is still very vague. The accumulation of the behavior (reputation) of the parties involved in an e/m-transaction has already been used as a quantitative measure of trust. In this context, this thesis includes an overview and an evaluation of existing reputation systems. The thesis, acknowledging the need for a more privacy-respecting design of reputation systems, contributes towards this direction by proposing an Identity Management Reputation Service (IMRS) which operates within IMSs in order to preserve and enhance trust. Finally, the PhD thesis, acknowledging the significance of connection anonymity, includes a review of the existing network-based approaches to anonymity and proposes an anonymity SOA framework built upon widely used standards and technologies such as WS-Addressing, which deploys the Tor anonymizing network, taking advantage of the benefits that it offers.

    The thesis addresses a set of problems faced by services based on XML technologies and Web Service standards, and then proceeds to propose specific solutions that address them. To resolve these problems, the thesis followed two parallel but interrelated axes. Within the first axis, the interoperability of Web Services (WS) was placed at the centre of attention, noting the limited interaction capabilities of these services despite the fact that they use common technologies, and studying methods that can guarantee it. For this reason, an original, systematic and structured methodology for Web Service Interoperability and Conformance testing (ΔΣΥΙ) is specified. The correctness and applicability of the proposed testing methodology was verified by applying it to test the communication between two existing and fully operational Web Services for electronic invoicing, the autonomous SELIS e-invoicing service and the SWEB electronic and mobile invoicing service. The second axis of the thesis focuses on issues concerning identity and privacy management in secure and advanced mobile and electronic Web Services (WS). In a first phase, the existing privacy languages that can be used to express the privacy policies of the entities participating in a transaction were presented and categorised. Subsequently, through the study of existing identity management systems and a series of their categorisations, a classification of the design solutions of Service Oriented Architectures (SOAs) was proposed, providing specific identity management solutions and procedures that can be applied to each of the identified categories. During the research in the second axis, the importance of recording and capturing the behaviour exhibited by users in the transactions they perform with WS was also identified, together with the role it can play in enhancing privacy. For this reason, a Behaviour Recording Service (ΥΚΣ) was proposed, describing how it operates in combination with an identity management system. Finally, the third axis of the thesis focused on investigating mechanisms that can address the Anonymity of WS at the Connection Level. Within this study, a Holistic Anonymity Model for Web Services was proposed, which is applicable to e/m-Web Services that are tolerant of long time delays.

    Cyber Threat Analysis Using Natural Language Processing for a Secure Healthcare System

    Cyber threats in the healthcare sector have increased significantly in recent years. Attackers are now using sophisticated techniques to launch multi-phase cyber attacks to compromise the system and leak patient healthcare data. Healthcare organisations need to protect IT infrastructures and understand the threats and possible attack surface for secure healthcare service delivery. Hence, threat analysis is one of the key activities for tackling the potential risks and ensuring the security of a system context. This work presents a threat analysis approach that makes it possible to identify and assess the possible threats within a healthcare information infrastructure. The approach considers the existing threat data from widely used repositories and uses Natural Language Processing to identify threats in cyber security news, also evaluating their corresponding level. The preliminary experimental assessment shows promising results, providing a realistic manner of assessing the threats and allowing the proposed approach to be adopted in real-world contexts.

    An Attack Simulation and Evidence Chains Generation Model for Critical Information Infrastructures

    Recently, the rapid growth of technology and the increase in teleworking due to the COVID-19 outbreak have motivated cyber attackers to advance their skills and develop new sophisticated methods, e.g., Advanced Persistent Threat (APT) attacks, to leverage their cybercriminal capabilities. They compromise interconnected Critical Information Infrastructures (CIIs) (e.g., Supervisory Control and Data Acquisition (SCADA) systems) by exploiting a series of vulnerabilities and launching multiple attacks. In this context, industry players need to increase their knowledge of the security of the CIs they operate and further explore the technical aspects of cyber-attacks, e.g., the attack's course, vulnerability exploitability, and the attacker's behavior and location. Several research papers address vulnerability chain discovery techniques. Nevertheless, most of them do not focus on developing attack graphs based on incident analysis. This paper proposes an attack simulation and evidence chain generation model which computes all possible attack paths associated with specific, confirmed security events. The model considers various attack patterns through simulation experiments to estimate how an attacker has moved inside an organization to perform an intrusion. It analyzes artifacts, e.g., Indicators of Compromise (IoCs), and any other incident-related information from various sources, e.g., log files, which are evidence of cyber-attacks on a system or network.