The notion of cyber resilience signifies an extended ambition of cyber security in Critical Sectors (CrSec). The rationale for employing the concept of resilience is not confined to recovery from disruption, but to maintain integrity and functioning when being exposed to both expected and unexpected disturbance and variability, including genuine surprise. This challenge is not only technological, but also human and organizational. Dealing with complexity, irregular and surprising events demands a different mindset and different skills than anticipating their occurrence. The notion of resilience has gathered many meanings through recent years but is inextricably linked to the challenge of combining and bridging these mindsets in a holistic manner. CrSec will always include a mix of old (legacies) and new technologies and paradigms. Operating this mix implies sociotechnical drift, which is driven by successful adaptation as much as recovering from failure. Rudimentary resilience exists because practitioners need to create practical solutions under varying conditions, in which successful adaptation to a large extent is an emergent property that cannot be achieved solely by technical or planned means. A CrSec secured without paying attention to practical drift, operated solely on the basis of past failures and successes, is at risk of becoming "robust yet fragile". Such a "resilience as imagined" will inherently increase risk rather than mitigate it. A living digital ecosystem is necessary for both recognizing complex, emerging threat landscapes, as well as facilitating a polycentric resilience landscape of diverse, but reciprocally collaborating entities. A digital ecosystem comprises technologies, actors (vendors/integrators/asset owners/operators), management processes and governance/regulatory structures associated with the IT/OT systems constituting CrSec at the cyber-physical and service level. This ecosystem creates or inhibits the premises for cyber resilience to emerge/manifest. Their joint understanding, interactions and reciprocity in strategizing and decision-making is crucial

Objective: 

• Develop a joint framework for understanding and describing cyber resilience in CrSec, combining
  enhanced preparedness and risk management processes, sociotechnical interaction in complex
  systems combining IT and OT, management and governance processes.
•  Initiate a community of practitioners that can represent key actors of a digital ecosystem for
  electricity supply through collaboration with T4.1.
• Develop a generic recommendation for collaboration in a digital ecosystem enabling polycentric
  cyber resilience in CrSec, e.g., in electricity, the oil/gas industry and smart cities.
•  Identify target aspects for influence and corresponding success criteria.
•  Describe possible discursive frameworks for resolving conflicting objectives on the path towards
  resilience.

Contact:

Task Leader T3.2, Tor Olav Grøtan (tor.o.grotan@sintef.no)

Dorthea Mathilde Kristin Vatn SINTEF Digital;

Vahiny Gnanasekaran SINTEF Digital;

Tom Ivar Pedersen SINTEF Energi;

Partners: 

• NTNU
• SINTEF Digital
• SINTEF Energi
• ELVIA
• Aiba
• Mnemonic
• Diri

Cyber Physical Systems (CPS) constitute the core of Critical Infrastructure (CI), yet their architectural and operational characteristics are not thoroughly captured by contemporary cyber ranges, which are commonly narrow in scope or purposefully aligned with subsections of specific target systems. The anticipated use of the physical reference environments investigated, modelled, and integrated is twofold, namely as demonstrators for education and dissemination, but also as testbeds for activities related to research and training.

Objectives:

Establish a configurable and expandable cyber-physical range that uses real, simulated and emulated components of CI CPS, integrating both IT and OT infrastructure, along with the development of suitable educational and training material.

Contact:

Task Leader T3.3, Vasileios Gkioulos

PhD, Vyron Kampourakis

Partners involved:

• NTNU
• SINTEF Digital
• SINTEF Energi
• NR
• SINTEF Manufacturing
• Norsk Hydro
• NC- Spectrum
• Sykehuset Innlandet
• Lyse Elnett
• Helgeland Kraft
• Siemens
• Elvia AS
• Kongsberg Gruppen
• EQUINOR AS

In the IPN project “Semi-automated cyber threat intelligence”1 funded by the Research Council of Norway mnemonic created an open-source Cyber Threat Intelligence platform with a graph database with granular access control as the back end2. This graph database was used as input to the SOCCRATES project3 funded through the Horizon 2020 program where mnemonic used it for modelling infrastructure4. We now see the possibility to use this back end for two new use cases: asset modelling and extended infrastructure modelling. These two use cases are related as assets are part of an infrastructure. Both use cases give a user the opportunity to do analysis on the context of alerted security events, enabling automation and effectiveness of analyst operations.

Objectives:

• Automatic population of an infrastructure model for both normal office environments, cloud environments and ICS environments based on available data in security monitoring solutions. 
• Automatic population of a model of all relevant data on and around an asset/server/host in an environment. Examples of information which would be relevant are IP, OS, applications, users(s), organization(s), known vulnerabilities (with EPSS5 and relevant CVSS6 from different sources), connections in/out and placement in infrastructure. 
• Predefined analysis capabilities for security analysts 
• Automation of knowledge extraction from the graphs
• Master student(s) 
• Identification of related research challenges and application for new research projects with partners in NORCICS

Contact:

Task leader T3.11, Siri Bromander

Martin Eian mnemonic;

Geir Skjøtskift mnemonic;

Philip Christian Scheel mnemonic;

Konstantin Müller mnemonic;

Partners involved:

• Mnemonic
• UiO
• NTNU

As industrial systems become increasingly network-connected, the energy industry is waking up to the emerging cyber threat. Long supply chains with components from different manufacturers require a new approach and methods to ensure the necessary security in critical infrastructure. ENISA defines Supply Chain as the ecosystem of processes, people, organizations, and distributors creating and delivering a final solution or product. The security of the supply chain is an area of increasing concern. If a malicious actor can introduce spyware or a backdoor into the supply chain, then every customer downstream is at risk. There is growing evidence that service providers such as accountancy firms, legal firms, cloud providers, outsourced IT providers, and security and SOC providers, among others, are at equal risk of being used by bad actors to gain a foothold into the grid and deliver exploits that can turn out the lights and do severe damage to our economy. Despite the growing concern and the acknowledgement that addressing cybersecurity risks in the digital supply chain is a complex problem, few research works have handled it. This is even more so when managing supply chain cybersecurity risks in digitally transformed industrial settings, particularly critical infrastructures.

Resilience is the ability to recover from or easily adjust to shocks and stresses. Resilience refers to a system’s ability to heal or regenerate its performance after an unexpected impact produces a degradation. Resilience is “the ability to withstand and reduce the magnitude and duration of disruptive events, which includes the capability to anticipate, absorb, adapt to, and rapidly recover from such an event.” Importantly, we regard this “ability” as technical, organizational, and human properties and resources. A resilient digital infrastructure is necessary to support the platforms of a digital economy and society. The digital infrastructure is the physical hardware and related software that enables end-to-end information and communications systems to operate. At the same time, critical infrastructures are becoming digitalized and made “smart” through the rollout of the smart grid, smart city, and intelligent transportation system projects, which further increase our reliance on resilient digital infrastructure. At the organizational level, organizations need to invest sufficiently in cybersecurity and cybersecurity plans, build a security culture among employees, and adopt securityby- design and privacy-by-design principles.

The human factor is critical in preventing and addressing incidents, with people at the core of adequate OT cyber security. Tighter regulation is on the way, with the EU NIS2 directive, for example, introducing numerous mandates related to behavioral aspects, including cyber security training. Capacity building on Education and Training will help critical infrastructures meet regulatory and compliance requirements, empower teams to safeguard organizations from harm and support compliance efforts by ensuring a consistently high level of OT security awareness. Risk awareness initiatives and training are among the most cited countermeasures in the literature to foster the employees' capabilities and prepare them for the new challenges of cyber-physical supply chains. The rationale is to ensure all stakeholders in the digital supply chain in critical infrastructures understand the importance of protecting Cyber-Physical Systems and OT environments and how they can play an active role in preventing incidents.

Objectives: 

• Seek to understand the impact of the NIS2 regulation on CPS and OT systems and create new knowledge to improve our understanding of the dynamics in the regulation and consequences for critical infrastructure in Norway. 
• Develop, test, validate, and demonstrate novel, advanced, innovative methods according to NIS2 for preventing supply-chain-induced cyberattacks against industrial control systems in Critical Sectors.
• Develop methods and tools for training and awareness improvement on the security of the digital supply chain. 
• Transfer the knowledge created within NORCICS among its user partners, other Norwegian businesses, and stakeholders.

Contact:

Task leader T3.12, Arne Roar Nygård

Sokratis Katsikas NTNU

Partners involved:

• Elvia
• NTNU

Efforts to strengthen cybersecurity and resilience of critical sectors such as healthcare, smart districts, or manufacturing go hand in hand with technological innovations, novel approaches and measures. For instance, the advanced use of artificial intelligence (AI) and big data analytics can foster increased situational awareness and intelligence capabilities in the context of smart districts (e.g., for videobased or digital traces-based surveillance, remote monitoring). Further, technologies enabling remote presence like Extended Reality (XR), encompassing the whole spectrum of immersive technologies, are seen as a key enabler allowing to reduce physical human involvement, for instance in dangerous or life-threatening environments. XR is also expected to support new ways of professional collaboration and communication or to create new opportunities for training and education, e.g., increase preparedness through virtual reality trainings to a much larger extent than is the case today.

While the above mentioned innovations and technologies (e.g., AI, XR, …) create new opportunities in the context of a secure and sustainable digitalization within critical sectors, they also often have an invisible flip side: their ethical implications, e.g., related to trust, agency, privacy, digital inequality, or bias are often under-addressed and still poorly understood due to fragmented approaches and lacking incentives to tackle them more holistically, among other things. Further, there is a lack of concrete tools and methodologies to have these ethical concerns continuously on the agenda, despite a growing policy focus on their importance.

In the context of XR, as one particular focus area in this task, the huge potential to transform existing practices and enable new ones, goes hand in hand with arising ethical challenges and potential vulnerabilities, for example linked to the protection and (mis)use of personal information and digital identities. These vulnerabilities, as well as solutions to address them, are to date still poorly understood and at risk of being insufficiently accounted for in real-world scenarios and to be considered only ex post. To drive forward the potential and adoption of secure, ethical and humancentered XR experiences in the broader context of critical services, these experiences need to be wellaligned with the expectations of diverse human users and need to incorporate human capabilities, human behavior and ethical considerations in a meaningful way. This requires a thorough understanding of needs and requirements in different use cases, but also a critical framework to capture, anticipate and evaluate potential unintended consequences and ethical implications as an integral part of a human-centered process.

Objectives:

• To identify, classify and perform an in-depth study of key ethical concerns and implications linked to technological innovations and novel approaches used to strengthen the resilience and cybersecurity of critical services and sectors. This will be done by means of a critical analysis of the state of the art and a series of empirical case studies, which will result in the design of an integrated and holistic ethical framework that can be used in practice, seeking to integrate ethical considerations systematically into human-centered design and evaluation.
• To study the most salient privacy concerns and security vulnerabilities in this context and to investigate how they influence user experience and user practices, in order to map and model potential security – privacy – user experience trade-offs and derive best practices for reconciling them.
• To raise more awareness around existing barriers and challenges in the context of secure, ethical and human-centered technology experiences in critical sectors and to provide concrete tools and approaches to consider these more systematically in practice, and in various use cases.

Contact:

Task leader T3.13, Katrien De Moor;

Kaja Ystgaard NTNU;

David Palma NTNU;

Ph.D Camille Seville

Partners involved:
NTNU

This task is the extension of T3.6 (Task 3.6: Autonomous Adaptive Security for 5G-enabled IoT). In this task, adaptive cybersecurity solutions for 5G-IoT in critical sectors will be developed to reduce security threats and risks. 5G-IoT has several applications, including remote surgery, industry 4.0, smart energy, smart city etc. [1]. In a 5G-IoT communication environment, devices and users communicate through the Internet which faces different dynamic cybersecurity issues, including DDoS, malware, man-in-the-middle, etc. Consequently, adaptive cybersecurity solutions need to be developed for 5G-IoT applications to protect them against evolving cyber-attacks [2]. Several innovative adaptive cybersecurity security solutions for securing 5G-IoT communication are required [3], such as intrusion detection, root cause analysis, device /user authentication, access control, etc. Although there exist several anomaly detection techniques [4] and security assurance [5], but they do not consider varying and dynamic nature of 5G-IoT for improving adaptive anomaly detection and prediction, and dynamic security assurance.

[1] Jiang, Chengzhi, Hao Xu, Chuanfeng Huang, and Qiwei Huang. "An adaptive information security system for 5G-enabled smart grid based on artificial neural network and case-based learning algorithms." Frontiers in Computational Neuroscience 16 (2022): 872978.

[2] Wazid, Mohammad, et al. "Security in 5G-enabled internet of things communication: issues, challenges, and future research roadmap." IEEE Access 9 (2020): 4466- 4489

[3] Kalaivaani, P. T., Raja Krishnamoorthy, A. Srinivasula Reddy, and Anand Deva Durai Chelladurai. "Adaptive Multimode Decision Tree Classification Model Using Effective System Analysis in IDS for 5G and IoT Security Issues." Secure Communication for 5G and IoT Networks (2022): 141-158.

[4] Jan Vávra, Martin Hromada, Luděk Lukáš, Jacek Dworzecki, Adaptive anomaly detection system based on machine learning algorithms in an industrial control environment, International Journal of Critical Infrastructure Protection, Volume 34, 2021, 100446, ISSN 1874-5482, https://doi.org/10.1016/j.ijcip.2021.100446

[5] Bena, Nicola, Ruslan Bondaruc, and Antongiacomo Polimeno. "Security Assurance in Modern IoT Systems." In 2022 IEEE 95th Vehicular Technology Conference:(VTC2022-Spring), pp. 1-5. IEEE, 2022.

Objectives:

• Enhance the security of 5G-IoT systems.

Sub objectives: 

• Develop adaptive anomaly/intrusion detection and prediction techniques for 5G-IoT solutions using closed feedback loop. 
• Perform validation in the defined Cybersecurity for 5G-IoT Smart Grids use case with the two scenarios from T4.1 a) detection of radio access network Denial of Service attack against the 5G Gateway terminal, and b) detection and prediction of SYNC flooding attacks in 5G enabled Smart Grid. 
• Build fuzzy based dynamic security assurance methodology for 5G-IoT

Contact:

Task leaders T3.14, Habtamu Abie, Sandeep Pirbhulal 

Partners involved:

• NR
• SINTEF Digital
• Norsk Hydro
• Siemens
• Kongsberg
• Sykehuspartner

This task is the extension of T3.7 (Task 3.7 Reverse Engineering Lab)

Hardware components are crucial for ensuring the security, integrity, and reliability of computing systems, especially in the context of Internet of Things (IoT) devices. These IoT devices play a pivotal role in daily life and critical infrastructures, transmitting vital information for decision-making processes. To enhance security at the hardware level, it's essential to understand device vulnerabilities and potential attack vectors. Hardware reverse engineering (HRE) is a method used to gain insights into the inner workings of man-made devices. However, there's a noticeable gap in educational resources related to hardware security and HRE, including courses, labs, and best practices.

The reverse engineering lab at NTNU Gjovik is being established under NORCICS to address future hardware security challenges through developing innovative methods, tools, and techniques in collaboration with industries, government and international research institutions. The lab is equipped with essential testing tools and is in the process of creating a master-level course on hardware security for embedded systems, set to launch in Autumn 2024. Currently, two master projects are underway focusing on different hardware security topics. The lab has been actively exploring hardware security vulnerabilities within intelligent electronic devices (IEDs) utilized in smart grids and will engage PhD/Postdoc to continue these activities.

Objectives:

The objective is to establish a reverse engineering lab at NTNU as a national arena for knowledge development, research, innovation and education. This will contribute towards improving the cybersecurity and resilience of the entire value chain in our digital society. The Reverse Engineering lab will serve as a hub and will in collaboration with partners and national/international experts to facilitate activities such as: 

• Establishing Test Bench for Carrying out Research and Experimental work on hardware security under Reverse Engineering Laboratory 
• Develop Test Case Scenarios for Carrying out hardware security research in Coordination with Industry Partners 
• Proposal development for establishing hardware reverse engineering lab in cooperation with industry partners

Contact:

Task leader T3.15, Arvind Sharma;

Arne Roar Nygård NTNU and Elvia;

Geir Olav Dyrkolbotn NTNU;

Lasse Øverlier NTNU;

Jens-Petter Sandvik NTNU;

Andre Jung Waltoft-Olsen Statnett and NTNU;

Partners involved:

• NTNU
• Elvia
• SINTEF Energy
• SINTEF Manufacturing
• Norsk Hydro
• Mnemonic
• Yara
• Equinor
• Helgeland Kraft
• Siemens
• NC-Spectrum
• Kongsberg
• Sykehuset Innlandet
• Oslo Politidistrikt

This task is the extension of T3.8 (Task 3.8 Secure broadcasting in wireless in critical systems)

Digital transformation of industries and the shift towards wireless communication offer great benefits to society, but these changes also come with some risks. Within critical sectors, special security measures will often be needed, such as fine-grained access control in order to handle multiple levels of protection. In most wireless and broadcast-oriented settings, including IoT, 5G, and advanced metering systems (AMS), communication is peer-to-peer-based (or server-to-peer-based) even when used for group communication and collaboration or in content protection systems. Security properties that will be considered in this task include confidentiality and integrity protection, and also untraceable communication.

Objectives:

The main objective is to investigate and define the challenges and potential solutions for wireless manufacturing involving different levels of classified information. Any proposed solution must comply with NSM requirements. Secondary goals include:

• Innovate cybersecurity and protection mechanisms for preventing configuration leakage and data leakage for equipment testing in a novel cyber range test facility.
• Examine existing and/or innovate new cryptographic protocols, methods, and a prototype for secure industrial data communication networks (wifi, mobile, hybrid, and other) that can be used for classified information.
• Conduct research into new and efficient methods for secure untraceable wireless communication.
• Identify and evaluate the most promising options for handling multiple protection levels within one private 5G network and a unified manufacturing system, possibly exploiting database level security features and network slicing.
• Identify and evaluate the most effective and user-friendly authentication options for work environments requiring mandatory protective gear. For instance, biometric systems that rely on facial recognition or fingerprint scanning may not be effective in this setting.

Contact:

Task leaders T3.16, Svetlana Boudko , Ivar Rummelhoff

Partners involved:

• NR
• Kongsberg Gruppen
• Siemens

This task is the extension of T3.9 (Task 3.9 Assurance aware ontology-based scenario management framework for cyber range)

System security has evolved into a critical line of defense for our socioeconomic web in today's digital age. Because cybersecurity is a dynamic and multifaceted field, System Security Assurance (SSA) faces a bewildering array of challenges. Large Language Models (LLM), a powerful tool with capabilities such as anomaly detection, predictive analytics, and adaptive learning, provide a sophisticated technique for assessing and combating the rapidly evolving complex system environment. Despite LLMs' enormous promise in the field of cybersecurity, it is clear that more study has to be done before these models can be tailored and optimized for certain real-world cybersecurity applications. There are several obstacles that must be addressed and overcome on the way to successfully integrating Large Language Models (LLM) into SSA. These include issues with model interpretability, adversarial robustness, model validation and reliability, scalability and efficiency, and real-time response and analysis.

Objectives:

With the purpose of applying AI in studying system security, this project seeks to develop a framework that properly combines AI's analytical and adaptive capabilities into the SSA evaluation process. The defined sub-objectives to realize this aim are:

•  AI-Driven Customization and Compliance for System Security To employ advanced AI technologies to tailor security measures precisely to the diverse needs of system security. By dynamically adjusting requirements based on specific operational conditions, this approach ensures that security practices are both technically effective and practically feasible. Furthermore, the system automatically adjusts policies in response to regulatory changes and emerging security insights, ensuring that the system remains resilient, compliant, and responsive to evolving challenges. 
• Data-Driven Approach to Enhancing System Security and Compliance It focuses on using data and metrics to strengthen system security. By developing interoperability security metrics, it assesses risks associated with the integration of diverse system components. A dynamic risk scoring system evaluates and prioritizes security measures based on component vulnerabilities and potential impact, ensuring system resilience.
• Advanced AI Capabilities for Proactive System Security Management: To leverage AI to enhance security insights, integrate data sources, and generate adaptive recommendations tailored to the today’s system evolving landscape. By analyzing data within its context, AI improves the accuracy of security event interpretations and ensures relevant insights. Additionally, AI translates complex technical metrics into actionable insights,empowering decision-makers to implement effective security strategies

Contact:

Task leader T3.17, Basel Katt

Shao-Fang Wen NTNU

Partners involved:

• NTNU

5G networks, both the access and the core part are considered to become the uniform service providing infrastructure of the future – also for critical infrastructure sectors like power provisioning, manufacturing, health, smart cities, etc. Hence it will become a critical hub for all critical sectors. Each service or sub service should be handled by its own slice, including VNF-based service chains, to meet security and dependability requirements. The 5G technology to provide this is still immature. Nevertheless, work has started on the generations beyond, and in the perspective of NORCICS, these developments should be considered. This task addresses these challenges from three perspectives, aiming to (i) holistically model 5G to understand the impact of immature systems on non-functional characteristics like dependability or performance, (ii) design> mechanisms to identify inconsistencies and misconfigurations including non-functional characteristics, and (iii) conduct service integration and experiments to assess non-functional characteristics in real-world settings.

Subtask 1: Survivability modeling in 5G network slicing (starting 04.2021)
Digitalized cyber physical systems should resist and handle massive outages caused by various cyber incidents and natural disasters. Cyber incidents include incidents and accidents which cause outages with significant or catastrophic consequences of communication systems and services, and consequently for critical infrastructures that are digitalized and that depend on communication services. The root causes range from human made malicious cyberattacks, sabotage, misconfiguration and mis-operation, system design flaws w.r.t. software and hardware, random technical failures, to natural disasters. Even with very different root causes, the consequences for the system operation may be the same, but the mitigation and protection might be very different. This task has a specific focus on how to assess the recovery of a system after a massive outage. A framework for quantifying survivability is developed and will be extended. A holistic approach is taken to study (critical) cyber physical infrastructures with 5G/6G networks as a core element in a system-of-systems “digital ecosystem”. The framework can model various use cases that are relevant for the NORCICS partners, and we may for instance investigate and compare alternative recovery and mitigation strategies.

Subtask 2: Secure and reliable softwarization in the context of 5G and beyond (starting 01.2022)
Network softwarization is one of the key paradigms for 5G and beyond, changing the way networks are built, managed, and operated. It follows IT world paradigms like cloud native or DevOps to enable highly scalable, resilient, and manageable applications, which at the same time require customization to networking scenarios. Those paradigms accept the occurrence of failures, bugs, and misconfigurations, and aim at rapidly rolling out updates in live systems reducing down and repair times. Applying those IT concepts to networking results in increased complexity and thus increases the risk and impact of failures. To overcome these drawbacks, mechanisms to proactively identify and assess their impact are required, thus assuring secure and reliable system operation.

Subtask 3: Use-case integration in 5G infrastructure (starting 01.2024)
The limited access to 5G technology along with its complexity creates a lot of unclearness about the prospects and capabilities of the technology, different releases, and the characteristics of available commercial and non-commercial systems. At the same time, there is a strong push for industrial partners to use 5G technology in industrial settings (e.g., Norwegian 5G Industry Forum, Norwegian public safety network (DSB)), and potential adopters face challenges on (i) how to securely integrate application scenarios into a 5G network and (ii) if non-functional 5G properties like performance or dependability of 5G satisfy the application requirements. To address these challenges, applications need to be integrated in 5G systems and be assessed with respect to relevant KPIs.

Objectives:

Develop competence, i.e., extend the state of art, in using 5G and beyond technologies to build secure, resilient, and survivable critical infrastructures and provide critical services. Focus will be on interdependencies, slicing, multi-tenant and multi-operator challenges, and IT paradigms adapted to 5G, where solutions are immature, and innovation is potential largest. Additional objectives cover exploration of different 5G solutions, with emphasis on industrial scenarios and the public safety networks and means to assess exemplary non-functional characteristics in such solutions.

Contact:

Task leader T3.18, Stanislav Lange;

Thomas Zinner NTNU;

Poul Heegaard NTNU;

Ph.D, Trond Vatten;

Ph.D, Sebastian Gilje Grøsvik;

Suneet Kumar Singh NTNU.

Partners involved:

• NTNU,
• SINTEF Digital
• SINTEF Energi
• SINTEF Manufacturing
• Norsk Hydro
• Mnemonic
• Yara
• Equinor
• Siemens
• NC-Spectrum
• Kongsberg 
• Sykehuset Innlandet
• Oslo Politidistrikt

Anomaly detection is vital for securing critical cyber-physical systems (CPSs) by identifying deviations in real time, crucial for early detection of threats and preventing cyberattacks. It extends beyond cybersecurity, identifying faults in physical behavior, crucial for maintaining system integrity in critical contexts. Additionally, it enhances system resilience by facilitating issue identification and containment, aiding adaptation and recovery from unforeseen events.

Collective time series anomaly detection refers to the process of identifying anomalous patterns or behaviors in a large set of time series data. In this context, "collective" implies that anomaly detection is applied to a group or collection of time series rather than individual series in isolation. This approach is particularly relevant when the behavior of the entire system or a group of interconnected components needs to be considered to identify anomalies. Collective anomaly detection looks at the global context of the entire collection of time series data and considers how anomalies in one series may be correlated with or influenced by anomalies in others.

Due to the dynamic CPS environment where the relationships between different components or variables may change over time, the ability to adapt to evolving dependencies is crucial for effective anomaly detection. In addition, as the number of time series in a CPS increase, scalability becomes an important consideration. The challenge is, how can we provide sustainable collective anomaly detection that is scalable, capable of adapting to dynamic dependency changes, and environmentally friendly while guaranteeing effective detection accuracy?

Objectives:

This project aims to confront the above-mentioned challenges and develop practical and applicable solutions that can be applied to real-world critical cyber-physical systems. Detailed sub-objectives are as follows:

•  Develop a scalable and energy-saving mechanism that can learn the dynamic correlation between different time series and dynamically cluster these time series based on their varying correlations into different groups/levels. 
• Develop a scalable and lightweight approach that can collectively identify anomalies within a large set of time series based on their dynamic correlation. 
• Integrate the above approaches and mechanisms into a scalable anomaly detection system.
• Performance evaluation of the system by applying it to the CPSs provided by the project partners.

Contact:

Task leader T3.19, Jia-Chun Lin (Kelly);

Ming-Chang Lee NTNU;

Sokratis Katsikas NTNU.

Partners involved:

• NTNU
• Kongsberg
• SINTEF Energy
• Yara

A safety instrumented system (SIS) is an engineered set of hardware and software controls which provides a protection layer that shuts down a chemical, nuclear, electrical, or mechanical system, or part of it, if a hazardous condition is detected. SIS are composed of sensors, logic solvers, and final control elements (e.g., valves, relays, actuators) typically present in critical process systems within industrial processes. The purpose of SIS is to halt or shut down critical/dangerous industrial processes, as soon as they exceed pre-defined safety limits, typically when the underlying control system fails. Examples of SIS include Emergency Shutdown Systems, Emergency Venting systems, Safety Shutdown Systems and High-integrity Pressure Protection systems.

These systems, despite their importance, are not intrinsically secure and have flaws that are the result of poor testing, code quality, and engineering. Legacy insecure by design features or legacy patterns are still present, and likely to be present for the foreseeable future. While many in the industrial safety community have robust safety programs, the reality is that SIS are cyber-vulnerable. An attacker could infiltrate a SIS and:

•  put it into a state of ineffectiveness by a remote attack, e.g., by a (D)DOS attack causing CPU overload, so that it fails to fulfil its core safety function (i.e. controlled shutdown of a plant in due time); 
• trigger a SIS safety shutdown from a remote location, thus causing a costly reliability incident; 
• reprogram a SIS without authorization from a remote location and modify safety threshold values.

SIS controllers are designed to protect the most critical assets (e.g., refinery, power plant, chemical plant, offshore oil rig) from potentially catastrophic malfunctions. Taking out the SIS would remove well-engineered fail-safe safety measures operators rely on to prevent a significant, adverse event, such as a plant explosion. Similarly, tricking the SIS to invoke an unintended shut down when it would otherwise be unwarranted would take production off-line for months or longer, and have material operational and financial impacts.

Asset owners and system integrators employ various design approaches to connect their plant’s distributed control systems (DCSs) with the SIS. The traditional approach relies on the principles of segregation for both communication infrastructures and control strategies. The past decade has seen a trend toward integrating DCS and SIS designs for various reasons, including lower cost, ease of use, and benefits achieved from exchanging information between the DCS and SIS.

Until the 1980s, the codes of practice for designing and using trip and alarm systems were set down by major chemical and petrochemical companies. These codes established most of the ground rules used today. Over the past three decades, the International Electrotechnical Commission (IEC) and ISA can be credited with providing global leadership around the issues facing SIS by releasing standards. The current ones are ISA/IEC 61511-2018 and the technical report ISA-TR84.00.09-2017.
However, the costs of physically separating SIS and control systems can be very expensive involving new engineering, re-wiring, testing, and taking production off-line for a month or more. As such, the vast majority of SIS remain joined with the control system network. In fact, some manufacturers combine both safety and control into the same controller.

In the process safety pyramid, control, alarm, and safety are distinct layers of function. Integrated control & safety systems are at elevated risk to be compromised simultaneously, thus rendering the safety layer ineffective, easing major HES incidents by cyber-attack. Integrated control and safety systems, other than multi-vendor system configurations, can counter-intuitively be compromised by intrusion detection systems that are installed in ICS environments, also by standard IT services, e.g. remote access or network monitoring systems.

Objectives: 

• Investigate past and possible cyber-attacks on SIS, to provide a framework for security level in SIS.
• Assess cyber risks in SIS, to propose cybersecurity controls for preventing and detecting attacks against SIS. 
• Demonstrate the feasibility of selected cyber-attacks against SIS and assess the effectiveness of the proposed controls.

Contacts:

Task leader T3.20, Sokratis Katsikas;

Mary Ann Lundteigen NTNU;

Vasileios Gkioulos NTNU.

Partners involved:

• Yara
• Equinor
• Hydro
• NTNU

As the power industry increasingly relies on digital products and services to improve efficiency, availability, and overall performance, managing suppliers and their products has become crucial to ensure a reliable power supply to society. However, this growing dependence on digital technology also brings emerging cyber risks by introducing more digital products and services into the complex digital supply chain. In such an interconnected and complex critical infrastructure, where safety and reliability are essential, latent vulnerabilities in digital products can cause significant disruptions that impact both business and society.

To address these risks, the digital supply chain for these essential products and services needs to be mapped and understood. This project will use a combination of literature reviews and interviews with industry experts to identify potential gaps or weaknesses in cybersecurity practices. The literature review will gather insights into current best practices, regulatory requirements (such as NIS2), and known vulnerabilities in digital supply chains. Meanwhile, interviews with industry professionals will provide practical, real-world perspectives on emerging challenges and effective solutions in cybersecurity.

This task aims to develop a mapping tool to help the power industry identify and address cyber risks across its digital supply chain. The tool can contribute to the industry by assisting actors in making more informed decisions and implementing more robust security measures during procurement.

Objectives:

• Develop guidelines for mapping the digital supply chains of digital products and services.
• Mapping the digital supply chain for one software provider to critical infrastructure actors.

Contacts:

Task leader T3.21, Mari Aarland NC-Spectrum

Partners involved:

• NC-Spectrum
• Elvia
• NTNU

Cyber-Physical Systems (CPS) constitute the core of Critical Infrastructure (CI), yet their architectural and operational characteristics are not thoroughly captured by contemporary cyber ranges, which are commonly narrow in scope or purposefully aligned with subsections of specific target systems. The anticipated use of the physical reference environments investigated, modelled, and integrated is twofold, namely as demonstrators for education and dissemination, but also as testbeds for activities related to research and training.

Objectives:

The project will focus on developing a configurable and expandable service-oriented core architecture for a cyber-physical range that uses real, simulated and emulated components of critical infrastructures and cyber physical systems, integrating both IT and OT components, along with the development of suitable educational and training material. The work will also include the development of realistic attack scenarios and the relevant simulation mechanisms with a focus on selected critical infrastructure sectors, as well as relevant education and training material for the use of the proposed system within those scenarios, with the targeted audience being critical infrastructure operators.

Contacts:

Task leader T3.22, Vasileios Gkioulos 

Partners involved:

• NTNU
• SINTEF Energi
• NR
• Norsk Hydro
• NC- Spectrum
• Sykehuset Innlandet
• Siemens
• Elvia AS
• Kongsberg Gruppen
• EQUINOR AS

The rapid digitization of urban environments has led to vast, diverse data generation from sources such as traffic cameras, sensors, and digital communication systems. Smart cities increasingly rely on these sources to monitor and manage urban infrastructure, ensure security, and improve emergency response. However, this data, often vast and unstructured, poses significant challenges for information retrieval and analysis, especially when modalities such as language and vision must be aligned for accurate data interpretation and response.

For instance, retrieving specific traffic events—like accidents, congestion, or road closures—through text-based queries requires accurately linking natural language to visual content within video streams. This alignment challenge is compounded by differences in data structure, semantic gaps between modalities, and real-time processing needs, which together demand robust computational methods to translate human language into machine-interpretable formats for cross-modal retrieval tasks.

Existing tools for multimodal processing often fall short of supporting scalable, accurate data retrieval across such varied inputs. Advanced machine learning models that enable real-time alignment and data fusion are essential to bridge these gaps, ensuring that traffic management systems can dynamically identify, retrieve, and present relevant data for effective decision-making. This project addresses these needs through the development of novel vision and language integration models tailored to traffic event retrieval in smart cities, enabling more responsive, scalable, and context-aware applications in urban traffic management.

Objectives:

•  Develop a multimodal alignment pipeline for synchronizing language and vision data to improve the accuracy of traffic event retrieval, with a focus on vehicle-specific queries. 
• Enhance retrieval performance by designing methods that link textual descriptions with corresponding visual data, ensuring high precision in locating specific traffic events within largescale video datasets. 
• Optimize a multimodal framework that integrates text and video inputs, supporting downstream tasks such as vehicle identification and tracking within urban traffic footage.
• Evaluate the multimodal retrieval pipeline on real time dataset to measure improvements in retrieval speed, accuracy, and adaptability to varied traffic scenarios. 
• Advance real-time data fusion techniques to enable seamless interpretation of text-based queries for

Contacts:

Task leader T3.23,Christian Walter Peter Omlin UiA;

Svetlana Boudko NR;

Martin Eian mnemonic;

Katrin Franke Kongsberg Defence and Aerospace;

Bian Yang NTNU;

Ph.D Touseef Sadiq UiA.

Partners involved:

• NTNU
• UiA
• Mnemonic
• Sykehuset Innlandet
• Oslo Politidistrikt
• Aiba

The biggest obstacle for the big visions and promises by 5G (and beyond) networks, about telepresence, holographic transmissions, telemedicine and remote operations are the network latencies in the control layer, that so far cannot go below 1ms even within the most controlled experimental environments. 5G control layer use codes that need to be short (with codewords from 40 up to 128 bits), and their encoding and decoding times need to be short in order to reduce the network response latency. While 4G has latency in the range of 50ms, 5G is expected to have latency of around 10ms (up to 5 times faster than 4G). New efforts (by Nokia and other companies) push the latency further down to 1ms – 2ms. But for further developments, and wireless networks beyond 5G (6G for example), there is an open problem to invent new and even faster codes than Polar codes with sub-millisecond latencies. In a recent 6G symposium, an AT&T executive said that “6G networks will require 100-times the data throughput of 5G, adding edge cloud deployments will need to expand to cover ‘hundreds of thousands of millions of access points ‘basically everywhere’. Such a shift is necessary to enable sub-millisecond latency for future use cases and allow compute, storage and AI capabilities to keep pace with user requirements.” This scenario for the future 6G wireless networks includes two research areas:

•  Coding theory, with short codes that can offer better (shorter) latencies than the current standard used in 5G – the Polar codes.
• Coding theory that addresses the challenges of the edge computing, with design of locally reparable codes; where the proposed team of researchers have a proven record of research, publications, innovations and patents.

Objectives: 

• To develop, fine tune, implement, and test short error correcting codes that have better performances than Polar codes, and reduce latency in sub-millisecond ranges. 
• To develop, fine tune, implement, and test locally reparable codes suitable for the edgecomputing environments that will contribute for the increase of the data throughput and will reduce the latency in sub-millisecond ranges.

Contacts:

Task leader T3.24, Danilo Gligoroski;

Katina Kralevska NTNU;

Ph.D, Sahana Sridhar NTNU.

Partners involved:

• NTNU
• SINTEF Manufacturing
• Norsk Hydro
• Mnemonic
• Yara
• Equinor
• Siemens,
• NC-Spectrum
• Kongsberg
• Sykehuset Innlandet
• Oslo Politidistrikt