Know our PhDs/PostDocs/Researchers
Get to know the NORCICS PhDs, PostDocs and Researchers
Name: Gizem Erceylan (Ph.D)
Email: Gizem.erceylan@ntnu.no
Task 2.10 Digital Twin and AI/ML supported modeling framework for cyber-attack prediction and projection
Overview of work:
Recently, there has been an observable increase in cyberattacks targeting the manufacturing sector, a trend that continues to escalate. Investigations attribute this rise primarily to the integration of Industry 4.0 technologies. The emergence of Industry 4.0, with technologies like IoT, cloud computing and digital twins, has led to improved communication among components of Industrial Control Systems (ICS). Due to the expanding attack surface, conventional security measures used in the manufacturing sector are no longer sufficient and the lack of security protocols for ICS networks makes them more vulnerable to attacks. Therefore, it is crucial to address potential threats and attacks with new techniques for secure Industrial Cyber-Physical Systems (ICPS). Furthermore, Production continuity is a critical requirement in manufacturing. Security measures should prioritize safeguarding this continuity.
Given these requirements, threat modeling emerges as an effective cybersecurity technique suitable for application in manufacturing. This proactive technique is typically employed in the design phase of secure system development. In this technique, potential threats are determined, and appropriate mitigation mechanisms are determined. Threat modeling is an iterative process; although tailored to specific systems, all stages of threat modeling should be implemented to ensure a comprehensive approach. However, it is seen that the examples in the literature cover only certain stages of threat modeling. Another prominent deficiency is that the threat model is mostly applied manually. This manually applied process depends on the knowledge of the cyber security specialist and is a time-consuming process. For this reason, the application of this technique is ignored.
In our study, we propose the use of Digital Twin technology to overcome this problem and enhance threat modeling. Digital twin is basically a technology that allows us to create a virtual representation of a physical asset or system. Digital twin allows us to establish a bidirectional real-time connection with the physical system. At this point, the digital twin has the potential to serve as a valuable cyber-security tool with its various capabilities such as testing, analysis, and prediction without disrupting ongoing production or using physical components. It is common to use this technology in the manufacturing sector for maintenance or production improvement. In the last few years, it has been seen that it has been used in areas such as attack detection, cyber ranges, security testing in the field of cyber security. In our study, we work on the stages of threat modeling where the data collection, monitoring, replication, analysis and simulation capabilities provided by the Digital Twin can be used effectively. We also recommend using machine learning prediction algorithms as a basic technique to convert the data collected during the identification of possible threats into meaningful data.
Based on this approach, our goal is to develop an optimized threat modeling framework with enhanced situational awareness and predictive capabilities, achieved by integrating digital twin technology with machine learning algorithms.
Name: Trond Vatten (Ph.D)
Email: trond.vatten@ntnu.no
Task 3.18 5G and beyond as an element of critical services
Overview of work:
Our digitized, modern society relies on data communication in almost every aspect of daily life. Even critical infrastructures such as hospitals, emergency services, energy systems, and financial institutions depend on communication networks. Network failures happen frequently and often disrupt communication between critical sectors such as hospitals and first responders, which can lead to severe consequences. How can we ensure that these networks function seamlessly under all circumstances? The new network era not only increases speed and capacity but also introduces highly dynamic and flexible networks powered by virtualization and softwarization. Softwarization allows tailoring networks to the specific needs of individual sectors. For instance, stakeholders can have their own optimized and specialized network rather than sharing the same capacity with all other users. However, this added flexibility also brings complexity and new vulnerabilities, requiring innovative solutions to ensure continuous operation. My research tackles these challenges from two angles: 1. Assess the threats introduced by softwarized flexible networks. 2. Leverage this softwarization to create resilient network solutions. On the one hand, we want to harness the positive potential of softwarization. On the other hand, we must be mindful of the added threat surface it introduces. In more detail, I utilize virtual network functions (VNFs) to optimize resource efficiency (reducing costs for operators) while still meeting the stakeholders’ demands and maintaining availability and performance, even during outages. We have already started a fruitful discussion on the topics with NC-Spectrum. If you are interested in something similar or have suggestions or questions about the work, I would be happy to connect!
Name: Camille Sivelle (Ph.D)
Email: camille.sivelle@ntnu.no
Task 3.13, Secure, human-centered XR experiences in critical sectors
Overview of work:
Extended Reality (XR) is increasingly used in Norwegian critical sectors. Virtual Reality (VR) can provide safer and cheaper training opportunities before performing critical operations in various sectors (healthcare, energy production, emergency response…). Augmented reality (AR) is also adopted, for example through hologram-like technology to help visualize data in 3-D (for industrial installations like pipelines or for anatomical data).
While XR has the potential to make critical sectors safer and more efficient, it also raises novel cybersecurity and privacy risks: just to function, XR devices rely on sensors collecting large amounts of data about the user, their movement, and their surroundings. Researchers have shown that by analyzing just a few minutes of movement data from a VR headset and the associated hand controllers, they were able to accurately identify its user. Moreover, many of the XR devices used in critical sectors are provided by companies with a history of data breaches. The security mechanisms we use on our phones and computers are not always as usable and secure in XR. For example, passwords typed on a virtual keyboard in VR can easily be inferred through side-channel attacks or from observing the user’s movement. Moreover, new types of attacks exploiting the immersive nature of XR put the user’s physical safety at risk.
How can we mitigate these risks while maintaining a high level of immersivity? After analyzing the different use cases for XR in the Norwegian critical sectors and the associated security and privacy requirements, we will study new ways to make these XR experiences more secure. We will also empirically evaluate their efficiency and their impact on the overall user experience.
Name: Ming-Chang Lee (Researcher)
Email: ming-chang.lee@ntnu
Task 3.19 Sustainable collective time series anomaly detection for critical cyber-physical systems
Overview of work:
A real-time collective anomaly detection approach in critical Cyber-Physical Systems (CPSs) has become more important than ever since this approach can promptly detect anomalies (including unexpected events, system malfunction, and malicious attacks) within collective time series and allow CPS personnel to take necessary countermeasures for minimizing the potential damage. Collective anomaly detection refers to the process of identifying anomalous data points across a group or collection of time series, rather than examining each time series in isolation. Such a detection system should consider the global context of all time series. However, the challenges include how to capture the dynamic correlation between different time series over time to facilitate effective anomaly detection, and how to ensure sustainable anomaly detection without consuming extensive computing resources or require human intervention. In this project, we would like to address the above challenges by proposing a real-time sustainable collective anomaly detection system for critical CPSs based on a divide-and-conquer strategy, parallel processing, and the majority rule.
Name: Vahiny Gnanasekaran (Ph.D)
Email: vahiny.gnanasekaran@ntnu.no
Ikke-teknisk aspekter (menneskelige og organisatoriske) i industrielle kontrollsystemer innen cybersikkerhet
Overview of work:
Cyberattacks have caused multiple security incidents within the industrial sector in recent years. However, in recent years, Operational Technology (OT) systems have benefited from digitization, but this increases the likelihood of security incidents disrupting the operation or production of industrial facilities. In other words, a cyber-attack might cause physical harm or damage. Such severe security incidents demand cooperation between cybersecurity and safety employees to secure production safety during incident response.
The PhD work investigates the interactions between different emergency and incident response roles in security-safety incident response. It further addresses particular roles, such as Security Operations Centre monitoring IT and OT systems, Computer Security Incident Response Teams, and emergency teams, using the Norwegian oil and gas industry as an empirical foundation. The work is part of the project Cybersecurity Barrier Management funded by the Norwegian Research Council, collaborating closely with the Norwegian oil and gas industry and SINTEF. Vahiny also has a 25% position at SINTEF Digital besides her PhD research, working on related research projects.
Name: Kristian Kannelønning (Industrial Ph.D)
Email: Kristian.kannelonning@ntnu.no
Improving Cybersecurity for Industry
Overview of work:
The research focuses on improving cybersecurity for the industry, also known as Operational Technology, OT. The objective of the PhD is to provide results that could benefit academia but also be of practical use for OT professionals and practitioners. The work thus far has included discovering how cybersecurity behavior is assessed, with the most prominent finding being that subjective measurements are often used in research. This measurement method has some weaknesses regarding biased responses, and it is essential to include some objective measurements when assessing human behavior in a cybersecurity context. This finding was tested in a survey of 113 respondents who were all affiliated with the Norwegian industry. The results are favorable compared to similar studies, showing that personnel employed in the Norwegian Industry act according to their self-assessments. The good results are attributed to the high level of training received by the participants within their respective organizations. However, for organizations to become more cybersecure, more tangible results should be provided to practitioners. Therefore, a quantitative study measuring the use of cybersecurity controls and mitigating actions used by organizations to avoid cyber threats has been conducted. The results show that the Norwegian Industry should increase specific cybersecurity training for OT employees. What to improve and focus on is challenging, especially since OT cybersecurity is still in its infancy for many organizations. Using international cybersecurity standards could be a source of knowledge for organizations. The research does, however, show that international standards are not used to an extensive degree within the Norwegian Industry. The voluminous size and lack of practical advice have been identified as barriers to usage. Through qualitative research, findings show that areas for improvement for OT organizations are the setup of how cybersecurity is governed. Cybersecurity should include both IT and OT personnel, a change that should lead to improved communications internally. With gains in internal communications employees should have an improved understanding of why selected security controls is implemented and rules enforced, something that should reduce the number of workarounds present in today’s OT cybersecurity landscape.
Name: Konstantinos Kampourakis (Ph.D)
Email: konstantinos.kampourakis@ntnu.no
Task 2.7 Digital twin for incident detection and response
Overview of work:
Digital Twin technology is revolutionizing critical infrastructure sectors by enabling real-time monitoring, predictive analytics, and dynamic decision-making. However, this increased interconnectivity and complexity also introduces significant cybersecurity challenges. The aim of my research is to investigate the potential of digital twins to enhance cybersecurity incident detection and response mechanisms for critical infrastructure systems. This investigation endeavors to explore how digital twins, by leveraging machine learning and real-time data analysis, can identify cyber-specific anomalies, predict potential cyber threats, and simulate cyberattack scenarios to evaluate and optimize cybersecurity response strategies. Specifically, my research emphasizes the development of a comprehensive understanding of the role of digital twins in enhancing system security and operational continuity, addressing evolving cyber threats with adaptive and proactive measures. Overall, the key objective is to demonstrate the potential of digital twins to build more resilient and secure infrastructures, safeguarding their reliability in a rapidly advancing digital landscape.
Name: Sahana Sridhar (Ph.D)
Email: sahana.sridhar@ntnu.no
Task 3.5 Codes for sub-millisecond latencies in 5G and beyond
Overview of work:
With the evolution of telecom networks, 5G, 6G and their successors offer significant value, supporting future industries and addressing societal challenges. These successive wireless communication networks are expected to handle high capacity, low latency transmissions, and reliable control signaling. Moreover, due to the proliferation of IoT devices, which will ubiquitously integrate into the network, new markets and applications are emerging, exemplified by the Industry-4.0 paradigm. This paradigm involves the integration of IoT, cloud computing, and AI/ML technologies to develop smart factories. Accordingly, 6G networks are projected to achieve at least 100-fold improvements in both throughput and latency over the capabilities expected of 5G.
However, a significant impediment to realizing the ambitious visions and promises of 5G and beyond, such as telepresence, holographic transmissions, telemedicine, and remote operations, lies in the network latencies within the control layer, which have thus far not been reduced below 1ms, even in optimally controlled experimental settings. The 5G control layer requires short codes (about 40 to 128 bits) to minimize encoding and decoding times and reduce response latency. While the latency for 4G networks falls within the range of 50ms, 5G is anticipated to exhibit latency around 10ms, potentially being up to five times faster than 4G. Ongoing efforts, such as those by Nokia and other companies, aim to further reduce latency to the range of 1 - 2ms.
The transition to 6G networks is predicted to necessitate a 100-fold increase in data throughput compared to 5G. This will lead to an extensive expansion of edge cloud deployments, potentially encompassing ’hundreds of thousands to millions of access points,’ effectively ensuring wide-reaching coverage. Such a transformation is crucial to facilitate sub-millisecond latency for emerging applications and to align computational, storage, and AI functionalities with evolving user demands. This projected development path for 6G wireless networks highlights the research areas we are currently focusing on: i⟩ Coding theory, focusing on the development of short codes that can provide improved (i.e. lower) latency than the Polar codes currently utilized in 5G. ii⟩ Exploration within coding theory to address edge computing challenges, with an emphasis on designing locally repairable codes.
Name: Arnstein Vestad (Ph.D)
Email: arnstein.vestad@ntnu.no
Task 4.3, Cybersecurity models for remote medical and care services delivery
Overview of work:
My research centers on understanding and improving cybersecurity practices in municipalities. Municipalities face unique challenges in securing their diverse and interconnected ICT infrastructures. These challenges arise from the broad range of public services they offer, such as water supply, healthcare, education, and child protective services, each with vastly different security requirements. My work focuses on identifying and describing sustainable municipal cybersecurity capabilities. This concept shifts the perspective from simply adhering to security frameworks to understanding the municipality's capacity to execute essential cybersecurity tasks.
Through a multi-method approach, combining document analysis of relevant cybersecurity frameworks like ISO 27001, NSM ICT Security Principles and Normen, with qualitative research involving active municipal cybersecurity practitioners and experts, I aim to uncover the key capability structures that enable sustainable cybersecurity practices in municipalities. These studies explore the barriers and opportunities municipalities encounter as they strive to build and maintain robust cybersecurity posture. A key perspective is the importance of a socio-technical approach, integrating technological, strategic, and human aspects to understand and improve municipal cybersecurity practices. This approach recognizes the interdependence between tasks, structures, actors, and technology when addressing cybersecurity challenges. For example, the research highlights that simply introducing new technology is not sufficient without addressing the skills and education of the workforce, the "fit" of the technology for specific tasks, and the potential impact of technology on organizational structures and roles.
Name: Shao-Fang Wen (Postdoc)
Email: shao-fang.wen@ntnu.no
Task 3.9 Cybersecurity assurance frameworks
Overview of work:
Ensuring system security has never been more critical, especially with the rise of interconnected devices, global supply chains, and evolving regulatory demands. Our AI-Driven System Security Assurance Framework addresses these challenges head-on by providing a cutting-edge approach to security assurance. This innovative framework leverages artificial intelligence (AI) and ontology-based knowledge systems to dynamically tailor security requirements, automate compliance, and proactively manage risk. It enables organizations to adapt quickly to new threats, ensures end-to-end system protection, and reduces manual effort through automation.
Key Benefits and Unique Features
- Supply Chain Security: Gain full visibility into supply chain dependencies and prevent risks from embedded vulnerabilities or counterfeit components.
- IT/OT Convergence: Seamlessly integrate IT and OT systems while ensuring unified security across diverse technologies and third-party components.
- Regulatory Compliance: Keep pace with global and regional regulations through AI-driven automation of compliance tasks.
- Dynamic Risk Assessment: Use AI to calculate real-time risk scores, offering proactive threat detection and mitigation.
- Lifecycle Security: Protect systems from design and manufacturing to deployment and daily operation.
Name: Touseef Sadiq (Ph.D)
Email: touseef.sadiq@uia.no
Task 3.23 Humanized deep Learning & Big-data Analytics
Overview of work:
The rapid digitization of urban environments has led to vast, diverse data generation from sources such as traffic cameras, sensors, and digital communication systems. Smart cities increasingly rely on these sources to monitor and manage urban infrastructure, ensure security, and improve emergency response. However, this data, often vast and unstructured, poses significant challenges for information retrieval and analysis, especially when modalities such as language and vision must be aligned for accurate data interpretation and response.
For instance, retrieving specific traffic events—like accidents, congestion, or road closures—through text-based queries requires accurately linking natural language to visual content within video streams. This alignment challenge is compounded by differences in data structure, semantic gaps between modalities, and real-time processing needs, which together demand robust computational methods to translate human language into machine-interpretable formats for cross-modal retrieval tasks.
Existing tools for multimodal processing often fall short of supporting scalable, accurate data retrieval across such varied inputs. Advanced machine learning models that enable real-time alignment and data fusion are essential to bridge these gaps, ensuring that traffic management systems can dynamically identify, retrieve, and present relevant data for effective decision-making. This project addresses these needs through the development of novel vision and language integration models tailored to traffic event retrieval in smart cities, enabling more responsive, scalable, and context-aware applications in urban traffic management.
Name: Odin Heitmann (Public Ph.D)
Email: odinhei@stud.ntnu.no
Digital forensic readiness framework for cybercrime investigation: a law enforcement perspective
Overview of work:
Organized criminals are among the actors who engage in cybercrime, and this form of crime has become a widespread problem that can affect virtually any business. A cyberattack can have catastrophic consequences for the targeted company, and from a societal perspective, it is crucial to stop such crimes. For traditional crime, it is a given that the police apprehend the perpetrators to stop the criminal activity. If someone breaks into a business and steals computers, it is reported with the expectation that the perpetrators will be caught and punished. But how does this work with cybercrime?
After a cyberattack, or "incident," most businesses prioritize restoring systems and returning to normal operations. To restore the systems, it is necessary to map and understand as much as possible about what has happened. Answering these questions involves addressing the same issues as in an investigation, which can lead to discovering potential digital traces. For the police, these traces are crucial for identifying and prosecuting those responsible for cybercrime. However, law enforcement is often not involved at all, or at best, only at a very late stage.
The starting point for the PhD project is the observation that companies and key frameworks focus on preparing for incident management and recovery to a normal state rather than the subsequent investigation. This gap is at the very core of the PhD project. The project will research the Norwegian police as well as relevant high-profile organizations.
About Odin:
Odin has a background in digital forensics and has worked as a digital forensics investigator in the East police district in Norway. Since 2018, he has worked at the Hi-Tech Crime Unit at the National Cybercrime Centre (NC3), a National Criminal Investigation Service (Kripos) department in Norway. At Kripos, he has primarily worked with management and disciplinary development of digital forensics, and from 2022, he has been an Expertise Steward for digital forensics and internet-related investigations. From 2022, he has been a Ph.D. student at NTNU through a public Ph.D. program where Kripos and NTNU collaborate.