Worldwide there is a lack of well-educated and experienced information security specialists. The first step to address this issue is ensuring that enough people have a well-known and acceptable basic level of information security competences. However, although there is a lot of information security education and training, there is anything but a well-defined outflow level with a known and acceptable basic level of information security competences. The qualification of information security professionals is in a chaotic state, with the emergence of a large number of certificates and job titles that are difficult to compare. Apparently the information security field requires uniform qualifications that are internationally recognized. Such qualifications could be an excellent way of unambiguously clarifying the knowledge and skills of information security professionals. Furthermore, they give educational institutions a framework that facilitates the development of appropriate information security education and training.
In May 2018, the new Dutch Intelligence and Security Services Act 2017 (Wet op de Inlichtingen- en veiligheidsdiensten, Wiv) will enter into force. It replaces the previous 2002 Act and incorporates many reforms to the information gathering powers of the two intelligence and security services as well as to the accountability and oversight mechanisms. Due to the technology-neutral approach, both the civil and the military intelligence services are now authorized to, for example, intercept communications in bulk, hack third parties, decrypt files, store DNA or use any other future innovative technology. Also, the national security legislation extends the possibilities for the indiscriminate collection of data, and for the processing, storage and analysis thereof. The process leading to the law included substantial criticism from the various stakeholders involved. Upon publication of this report, an official consultative referendum is being organized on the new act. The aim of this policy brief is to provide an international audience with a comprehensive overview of the most relevant aspects of the act and its context. In addition, there is considerable focus on the checks and balances as well as the bottlenecks of the Dutch intelligence gathering reform. The selection of topics is based on the core issues addressed during the parliamentary debate and on the authors’ insights.
‘Connected Learning’ Research Platform: For over fifteen years, The Hague University of Applied Sciences has been carrying out research as part of its mission. While education is often rooted in monodisciplinary subject areas, research allows for a broader look at areas of society (care, security, entrepreneurship etc.), where complex problems more often than not require a multidisciplinary approach. Today, barely anyone works on problems or challenges alone or solely with colleagues from within the same subject area. Universities of applied sciences are uniquely placed to deal with these changes in professional practices; after all, we train the professionals who will one day enter that field. Researching and experimenting with new challenges in professional practice allows us to connect more strongly with society, enables us to be innovative in our professional training and gives lecturers, researchers and students the opportunity to develop themselves by cooperating on the challenges and issues that will shape the future of that professional practice. Most research is carried out under the guidance of professors who cooperate with lecturers/researchers, students and the professional field, mainly on long-term research agendas that provide an outline for various sub-activities. One of the ways in which research is organised at The Hague University of Applied Sciences is in the form of research platforms that focus on various areas of society.
We are ‘Connected Learning’, a research platform focusing on learning in the network society — in that society as such, but also in professional practice and our education. Nice to meet you! So, what do we do? That’s what this book is about, so we’re not going to give anything away just yet. Just thinking about our name, what do you expect we do? Any ideas? Or not a clue at all? If you’d like to find out, keep reading to find out what inspires us, what challenges we face and what drives our curiosity. Some of our ideas are well-established because we’ve been researching them for years, while other, newer ideas are more challenging to grasp. This book provides an overview of where we stand in 2018. You could see it as an initial introduction, with the emphasis on “initial”; we work with many different partners, and we enjoy doing so. Alternatively, you could see it as a calling card for our research agenda. We sincerely hope that, as a reader, you feel encouraged to join us in our quest — possibly towards a joint future.
The integration of renewable energy resources, controllable devices and energy storage into electricity distribution grids requires Decentralized Energy Management to ensure a stable distribution process. This demands the full integration of information and communication technology into the control of distribution grids. Supervisory Control and Data Acquisition (SCADA) is used to communicate measurements and commands between individual components and the control server. In the future this control will be needed especially at medium voltage and probably also at low voltage. This leads to increased connectivity and thereby makes the system more vulnerable to cyber-attacks. According to the research agenda NCSRA III, the energy domain is becoming a prime target for cyber-attacks, e.g., abusing control protocol vulnerabilities. Detection of such attacks in SCADA networks is challenging when relying only on existing network Intrusion Detection Systems (IDSs). Although these systems were designed specifically for SCADA, they do not necessarily detect malicious control commands sent in legitimate format. However, analyzing each command in the context of the physical system has the potential to reveal certain inconsistencies. We propose to use dedicated intrusion detection mechanisms, which are fundamentally different from existing techniques used in the Internet. Up to now, distribution grids have been monitored and controlled centrally, whereby measurements are taken at field stations and sent to the control room, which then issues commands back to actuators. In future smart grids, communication with and remote control of field stations is required. Attackers who gain access to the corresponding communication links to substations can intercept and even exchange commands, which would not be detected by central security mechanisms. We argue that centralized SCADA systems should be enhanced by a distributed intrusion-detection approach to meet the new security challenges.
Recently, as a first step, a process-aware monitoring approach has been proposed as an additional layer that can be applied directly at Remote Terminal Units (RTUs). However, this allows purely local consistency checks. Instead, we propose a distributed and integrated approach for process-aware monitoring, which includes knowledge about the grid topology and measurements from neighboring RTUs to detect malicious incoming commands. The proposed approach requires a near real-time model of the relevant physical process, direct and secure communication between adjacent RTUs, and synchronized sensor measurements in trustable real-time, labeled with accurate global time-stamps. We investigate to what extent the grid topology can be integrated into the IDS while maintaining near real-time performance. Based on topology information and efficient solving of the power flow equations, we aim to detect, e.g., inconsistent voltage drops or the occurrence of over/under-voltage and -current. In this way, centrally requested switching commands and transformer tap change commands can be checked for consistency and safety based on the current state of the physical system. The developed concepts are not only relevant to increasing the security of distribution grids but are also crucial for dealing with future developments such as the safe integration of microgrids in the distribution networks or the operation of decentralized heat or biogas networks.
Despite its benefits, the widespread deployment of diverse Internet-enabled devices such as IP cameras and smart home appliances, the so-called Internet of Things (IoT), has amplified the attack surface that is being leveraged by cyber criminals. While manufacturers and vendors keep deploying new products, infected devices can be counted in the millions and are spreading at an alarming rate all over consumer and business networks. The objective of this project is twofold: (i) to explain the causes behind these infections and the inherent insecurity of the IoT paradigm by exploring innovative data analytics as applied to raw cyber security data; and (ii) to promote effective remediation mechanisms that mitigate the threat of the currently vulnerable and infected IoT devices. By performing large-scale passive and active measurements, this project will allow the characterization and attribution of compromised IoT devices. Understanding the type of devices that are getting compromised and the reasons behind the attacker’s intention is essential to design effective countermeasures. This project will build on the state of the art in information theoretic data mining (e.g., using the minimum description length and maximum entropy principles), statistical pattern mining, and interactive data exploration and analytics to create a causal model that allows explaining the attacker’s tactics and techniques. The project will research formal correlation methods rooted in stochastic data assemblies between IoT-relevant measurements and IoT malware binaries as captured by an IoT-specific honeypot to aid in the attribution and thus the remediation objective. Research outcomes of this project will benefit society in addressing important IoT security problems before manufacturers saturate the market with ostensibly useful and innovative gadgets that lack sufficient security features, thus being vulnerable to attacks and malware infestations, which can turn them into rogue agents.
However, the insights gained will not be limited to attacker behavior and attribution, but will also extend to the remediation of the infected devices. Based on a causal model and the output of the correlation analyses, this project will follow an innovative approach to understand the remediation impact of malware notifications by conducting a longitudinal quasi-experimental analysis. The quasi-experimental analyses will examine remediation rates of infected/vulnerable IoT devices in order to make better inferences about the impact of the characteristics of the notification and the infected user’s reaction. The research will provide new perspectives, information, insights, and approaches to vulnerability and malware notifications that differ from the previous reliance on models calibrated with cross-sectional analysis. This project will enable more robust use of longitudinal estimates based on documented remediation change. Project results and methods will enhance the capacity of Internet intermediaries (e.g., ISPs and hosting providers) to better handle abuse/vulnerability reporting, which in turn will serve as a preemptive countermeasure. The data and methods will make it possible to investigate the behavior of infected individuals and firms at a microscopic scale and reveal the causal relations among infections, the human factor and remediation.
Prompt and timely response to incoming cyber-attacks and incidents is a core requirement for business continuity and safe operations for organizations operating at all levels (commercial, governmental, military). The effectiveness of these measures is significantly limited (and oftentimes defeated altogether) by the inefficiency of the attack identification and response process which is, effectively, a show-stopper for all attack prevention and reaction activities. The cognitive-intensive, human-driven alarm analysis procedures currently employed by Security Operation Centres are made ineffective (as opposed to only inefficient) by the sheer amount of alarm data produced, and the lack of mechanisms to automatically and soundly evaluate the arriving evidence to build operable risk-based metrics for incident response. This project will build foundational technologies to achieve Security Response Centres (SRC) based on three key components: (1) risk-based systems for alarm prioritization, (2) real-time, human-centric procedures for alarm operationalization, and (3) technology integration in response operations. In doing so, SeReNity will develop new techniques, methods, and systems at the intersection of the Design and Defence domains to deliver operable and accurate procedures for efficient incident response. To achieve this, this project will develop semantically and contextually rich alarm data to inform risk-based metrics on the mounting evidence of incoming cyber-attacks (as opposed to firing an alarm for each match of an IDS signature). SeReNity will achieve this by means of advanced techniques from machine learning and information mining and extraction, to identify attack patterns in the network traffic, and automatically identify threat types. Importantly, SeReNity will develop new mechanisms and interfaces to present the gathered evidence to SRC operators dynamically, and based on the specific threat (type) identified by the underlying technology. 
To achieve this, this project unifies Dutch excellence in intrusion detection, threat intelligence, and human-computer interaction with an industry-leading partner operating in the market of tailored solutions for Security Monitoring.