KIRAS Security Research

2013

ITsec.at

Cyber-attacks are among today’s greatest threats to both the private and public sectors. Attacks that reduce the resilience of a product by purposefully introducing a flaw during design or production are especially problematic. Project ITsec.at aims at identifying and counteracting such “by design” threats: proposed research efforts include the development of an IT procurement strategy, a comprehensive decision support system, a number of security tests as well as requirement catalogues for hardware and software components relevant to the task of protecting Austria’s IT landscape against attacks from cyberspace.

Cyber-attacks are among today’s greatest threats to both the private and public sectors. The resistance against such attacks varies from component to component, rendering different technologies or products more or less vulnerable to attack. One special kind of early-life attack purposefully reduces the resilience of a product by introducing flaws during design or production through, e.g., a faulty implementation of a cryptographic component, which might later enable certain side-channel attacks.

Since most of the country’s IT infrastructure is manufactured abroad, our dependence on foreign, potentially untrustworthy suppliers is particularly high. Unfortunately, complete independence is difficult to achieve due to financial considerations and because of Austria’s (but also the EU’s) minor role on the global IT market. The situation can be remedied, however: instead of costly and time-consuming attempts to develop competitive products or even entire industries, the focus of this project lies on the development of affordable and effective solutions in the form of a secure procurement strategy, a comprehensive decision support system and a number of tailored security tests for both hard- and software (IT components). The presented approach aims to be organizationally, technologically, and financially feasible for domestic implementation with or without the cooperation of select international partners.

The proposed project – ITsec.at – initially evaluates threats to the Austrian IT landscape, focusing on product origin and the aforementioned “by design” threats. Subsequent project stages focus on researching strategies, procedure recommendations and specific security tests for IT components and systems. In addition, requirement catalogues as well as hardware and software security specifications are to be developed in order to harden the national infrastructure against cyber-attacks.

Strategies revolve around an Austrian strategy for the procurement of secure and trustworthy hardware and software components as well as telecommunications technology. Requirement catalogues and security specifications solely include technologies and components that are feasible to develop or finance in a domestic context or in cooperation with select international partners. Every component has to be relevant for defending national interests against attacks from cyberspace and will be prioritized accordingly. All project results as well as additional recommendations for a general course of action are to become part of a comprehensive decision support system which is to be implemented as part of a proof of concept prototype.

A concluding management report summarizes all recommendations developed in the course of project ITsec.at.

Project leader:
Institut für IT Sicherheitsforschung, FH St. Pölten

Project partners:
SEC Consult Unternehmensberatung GmbH
Bundeskanzleramt
BM.I (Bundesministerium für Inneres)
BMLVS (Bundesministerium für Landesverteidigung und Sport)
Magistrat der Stadt Wien (MA14, Informations- und Telekommunikationssysteme)

Contact:
Univ.-Doz. Dipl.-Ing. Dr. Ernst Piller
Institut für IT Sicherheitsforschung, FH St. Pölten
Matthias Corvinus-Straße 15, 3100 St. Pölten
Phone: +43 2742 313 228 – 636
Email: ernst.piller@fhstp.ac.at
Web: https://ifs.fhstp.ac.at
