A collaborative cyber incident management system for European interconnected critical infrastructures

Giuseppe Settanni, Florian Skopik, Yegor Shovgenya, Roman Fiedler, Mark Carolan, Damien Conroy, Konstantin Boettinger, Mark Gall, Gerd Brost, Christophe Ponchel, Mirko Haustein, Helmut Kaufmann, Klaus Theuerkauf, Pia Olli

    Research output: Contribution to journal › Article › Scientific › peer-review

    40 Citations (Scopus)


    Today's Industrial Control Systems (ICSs) operating in critical infrastructures (CIs) are becoming increasingly complex; moreover, they are extensively interconnected with corporate information systems for cost-efficient monitoring, management and maintenance. This exposes ICSs to modern advanced cyber threats. Existing security solutions try to prevent, detect, and react to cyber threats by employing security measures that typically do not cross the organization's boundaries. However, novel targeted multi-stage attacks such as Advanced Persistent Threats (APTs) take advantage of the interdependency between organizations. By exploiting vulnerabilities in various systems, APT campaigns intrude into several organizations, using them as stepping stones to reach the target infrastructure. A coordinated effort to reveal such attacks in a timely manner and promptly deploy mitigation measures is therefore required. Organizations need to cooperatively exchange security-relevant information to obtain broader knowledge of the current cyber threat landscape, and thereby gain new insight into their own infrastructures and react in time if necessary. Cyber security operation centers (SOCs), as proposed by the European NIS directive, are being established worldwide to achieve this goal. CI providers are asked to report to the responsible SOCs about security issues revealed in their networks. National SOCs correlate all the gathered data, analyze it and eventually provide support and mitigation strategies to the affiliated organizations. Although many of these tasks can be automated, human involvement is still necessary to enable SOCs to make adequate decisions on occurring incidents and quickly implement counteractions. In this paper we present a collaborative approach to cyber incident information management for gaining situational awareness on interconnected European CIs. We provide a scenario and an illustrative use-case for our approach; we propose a system architecture for a National SOC, defining the functional components and interfaces it comprises. We further describe the functionalities provided by the different system components to support SOC operators in performing incident management tasks.
    Original language: English
    Pages (from-to): 166-182
    Journal: Journal of Information Security and Applications
    Publication status: Published - 1 Jun 2017
    MoE publication type: A1 Journal article-refereed


    • Cyber incident handling
    • Cyber incident reporting
    • Cyber security
    • Information sharing
    • Security operation center

