How to Protect Public Administration from Cybersecurity Threats: The COMPACT Project. L. Coppolino, S. D’Antonio, G. Mazzeo, L. Romano, L. Sgaglione. Article presented at EASyCoSe-2018 - WAINA-2018.
The advent of the Internet has been opening new opportunities for Local Public Administrations (LPAs) to improve their efficiency while providing better services to citizens via an ever larger set of specialized network applications, including e-government, e-health, and more. However, as a potential channel for accessing personal information, these specialized applications also expose the public sector to new risks. The cybersecurity landscape is changing, and Local Public Administrations are rapidly becoming an attractive target for cybercriminals, who might access sets of personal data or gain control over smartly operated city resources through LPAs' infrastructures. The consequences of cyber-threats have the potential to be considerable, causing business interruptions, data losses, and thefts of intellectual property, significantly impacting both individuals and organizations. This paper provides an overview of the EU H2020 COMPACT (Competitive Methods to protect local Public Administration from Cyber security Threats) project, which aims to increase LPAs' awareness, skills, and protection against cyber threats through risk assessment, game-based education, monitoring and knowledge sharing services that are highly usable, interoperable with major Commercial Off-The-Shelf (COTS) solutions, cloud-enabled and cloud-ready.
A GDPR-compliant approach to real-time processing of sensitive data. L. Sgaglione, G. Mazzeo. Article presented at KES-IIMSS-18.
Cyber-attacks represent a serious threat to public authorities, and their agencies are regularly targeted by hackers. The public sector as a whole collects a great deal of data on its citizens, but that data is often kept on vulnerable systems. Especially for Local Public Administrations (LPAs), protection against cyber-attacks is an issue due to outdated technologies and budget constraints. Furthermore, the General Data Protection Regulation (GDPR) poses many constraints/limitations on data usage when “special type of data” is processed. In this paper the approach of the EU project COMPACT (H2020) is presented, highlighting the solutions used to guarantee data privacy during the real-time monitoring performed by COMPACT’s security tools.
An Approach for Securing Cloud-based Wide Area Monitoring of Smart Grid Systems. G. Mazzeo, L. Coppolino, S. D'Antonio, L. Romano, L. Sgaglione. Article presented at NBiS-2018.
Computing power and flexibility provided by cloud technologies represent an opportunity for Smart Grid applications in general, and for Wide Area Monitoring Systems in particular. Even though the cloud model is considered efficient for Smart Grids, it has stringent constraints in terms of security and reliability. An attack on the integrity or confidentiality of data may have a devastating impact on the system itself and on the surrounding environment. The main security risk is represented by malicious insiders, i.e., malevolent employees having privileged access to the hosting machines. In this paper, we evaluate a powerful hardening approach that could be leveraged to protect synchrophasor data processed at cloud level. In particular, we propose the use of homomorphic encryption to address risks related to malicious insiders. Our goal is to estimate the feasibility of such a security solution by verifying its compliance with the frame rate requirements typical of synchrophasor standards.
It's all fun and games, and some legalese: data protection implications for increasing cyber-skills of employees through games. D. Fabcic Povse. Article presented at CECC 2018.
In order to combat cyberattacks, an organisation can decide to train its employees. Improving the cyber-skills of employees through educational games means their personal data will be processed, and therefore it falls under the scope of the General Data Protection Regulation (GDPR). The goal of this paper is to address challenges that organisations are likely to face in practice, such as invalidity of employees' consent and over-intrusive monitoring. It argues that, in order to approach training lawfully, organisations should (1) choose their external trainer with due diligence, (2) carry out a data protection impact assessment, and, under certain circumstances, (3) appoint a data protection officer.