Cybersecurity Lab

The laboratory explores and analyzes ahead of time the vulnerabilities of the “systems of the future” and the cyber aspects of the ever-growing digital dependence, with priorities related to public sector development plans (e-government, critical infrastructure) and specialization in the private sector, both nationally and at the international level.

The scientific and applied results achieved within the activities of the laboratory are used for the development of modern training programs through simulations, practical classes, and exercises, as well as services in the field of cyber-resilience for the public and private sector.

Currently, among the main research and applied tasks performed by the Lab are:

Long-term research activities, related to cybersecurity and resilience of Systems of Systems (SoS) and cyber-physical systems: models, vulnerabilities, risks, and more specifically:

• Systems of Systems – research and analysis of the cyber dependencies of different types of architectures, levels of interaction (interoperability), and vulnerability models of “aggregated” systems and processes
• Application of the research results for the development of architectures for simulation platforms of complex systems, with the core goal to study interconnected vulnerabilities and weaknesses and simulate interoperable critical infrastructures, with a strong focus on supply chains
• Application of Artificial Intelligence (AI) methods for cybersecurity and cyber-defense, as well as methods and research in the field of the defense of AI-based systems themselves

Operational applied and technical research activities

• Research in the field of contemporary cyber threats – analysis and classification of web threats, mobile application related threats, and IoT-related threats and attack vectors
• Development of means and methods for the provision of simulation installations (otherwise called Cyber Ranges) and polygons for cyber-hybrid exercising
• Development of a technological platform for the monitoring of availability and accessibility of web-based or internet-based services

Research on projects, related to applied information security

Development of means and methods for auditing and assessing the risk from cyber-incidents of various third-party systems (web or mobile)

Ongoing Projects

Currently, the team is working on activities, related to the key applied research areas of the lab, focusing on the following fields:

• Resilience − maintaining the main organizational functions in times of crisis
• Detection of incidents and incident recovery
• Consultations related to secure systems, products, and architectures design
• Advising the creation of secure systems and product architectures
• Secure coding
• Methods for ensuring the confidentiality, integrity, and availability of information
• Integration of security models and business processes improvement
• Penetration testing, testing, and cybersecurity audits of components, systems, and organizations
• Simulation of cyber attacks and methods for the prevention and protection in complex infrastructures and systems
• Training and educational programs, awareness, and simulation models, technical platforms

Currently, the team of the Cybersecurity Lab also performs activities, set out in the National Roadmap for Scientific Infrastructure (2017-2023).

Implemented Projects

Creation of an open platform for the development of Internet of Things applications – eTOP for IoT

The realization of the project “Creation of an open platform for the development of Internet of Things applications – eTOP for IoT” was initialized in May 2018 and implemented under the “Innovation and Competitiveness” 2014-2020 Operational Program, co-financed by the European Union through the European Regional Development Fund.

The main beneficiary of the project was APPlaDesign Ltd and a key partner – the Research and Development Consortium of Sofia Tech Park. On behalf of the Research and Development Consortium, the project was implemented by the team of the Cybersecurity Lab.

The main project goal was the creation of the open platform – eTOP, which is to serve for the development of user applications for the “Internet of Things” (IoT). The purpose of eTOP for IoT is to provide a working environment, which integrates different telecommunication standards and protocols for the communication between systems and allows the flexible, secure, and efficient creation of new applications for users in the field of IoT.

The role of the Cybersecurity Laboratory in the project was to consult, monitor, and manage the secure development and deployment of the platform, as well as to advise on the overall security of the architecture following the secure coding principles.

CyberMap Bulgaria (Models for early prevention against potential mass-cyber attacks towards economical and public organizations – Phase I: A pilot version of „CyberMap Bulgaria”)

In 2018, the team of the Cybersecurity Lab began working on the project Models for early prevention against potential mass-cyber attacks towards economical and public organizations – Phase I: A pilot version of „CyberMap Bulgaria“, financed under grant agreement № D-060-2018 / 20.06.2018 by Sofia Tech Park and the Research and Development Consortium. The activities under the project were carried out from July to November 2018 with the support of ESI CEE.

The project aimed to create an aggregate picture of the technical profile and the weaknesses of a large number of independent systems providing services within the Bulgarian Internet space.

The picture created as a result of the implementation of Phase I is fully operational and is in itself a product that can provide data for assessing the Bulgarian cyberspace with diverse goals such as to identify chronic vulnerabilities and weaknesses – for example, to identify critical points in the Bulgarian IT infrastructure (public and private).

As a result of the project implementation, and to be able to check the validity of the working hypothesis, the team of the Cybersecurity Lab introduced metrics and reference for selected groups of domains. To be able to collect, analyze, and visualize these metrics, the pilot experimental system CyberMap Bulgaria was implemented, working with a test database of more than 55,000 Bulgarian domains.

This robust experimental database allowed for the extensive testing of the functionalities of the system with different domains and groups of domains. For this purpose a set of filtering mechanisms were implemented by different technical indicators, both for individual domains and for the following groups of domains:

• Banks
• Hospital and Dispensaries
• State Agencies
• IT Companies
• Insurance Companies
• Municipalities
• Pharmaceuticals

The added value of CyberMap Bulgaria, considering the already existing research, consists not only in the ways, in which data is collected and analyzed or in the parameters that are analyzed, but also in the possibility to further study and group websites and sector-based online services, including not only private companies and services, but also websites of government organizations, schools, municipalities, hospitals, and others.

The provision of aggregate information (a cyber “picture”) and its visualization based on different parameters, could serve as a key element for the study of the overall state and security of publicly available IT services in Bulgaria, per the guidelines of the national cybersecurity strategy “Cyber Resilient Bulgaria 2020”, as well as per the implementation of the Directive on security of network and information systems (the NIS Directive).

Last but not least, CyberMap Bulgaria allows the collection, storage, and historical retrospective based on various parameters. Thus it allows for the proposal and follow-up on corrective actions, both for a single web service and entire economical sectors as well.

CyResLab Monitor (Models for early prevention against potential mass-cyber attacks towards economical and public organizations – Phase II: A pilot version of “CyResLab Monitor”)

In 2019, the team of the Cybersecurity Lab began working on the project Models for early prevention against potential mass-cyber attacks towards economical and public organizations – Phase II: A pilot version of CyResLab Monitor, financed under grant agreement № D-094 / 27.09.2019 by Sofia Tech Park and the Research and Development Consortium and co-financed by Nemetschek Bulgaria. The activities under the project were carried out from October 2019 to March 2020 with the support of ESI CEE.

CyResLab Monitor aims is a functional module and a common platform for monitoring and early warning against potential mass cyber-attacks against economical and public organizations, in which the successfully implemented product, developed within the framework of Phase I: A pilot version of “CyberMap Bulgaria” will be integrated as well. CyResLab Monitor realizes tools, means, and methods for the dynamic monitoring and analysis of the behavior (availability) of the web systems of specific target groups, by adding mechanisms for monitoring, historical retrospective and identification of symptomatic behavior models, which allows for the early warning for mass cyber-attacks and crisis threats.

CyResLab Monitor allows the personalization of alerts and notifications via e-mail or SMS for certain preliminary defined events such as service failures or denial of service. The system also implements various functionalities for the dynamic monitoring of various technical metrics, related to the availability from multiple geographic regions.

The CyResLab Monitor aims to provide a flexible, robust, and scalable monitoring platform. Particular attention is paid to the processes of metric collection, processing, storage, and querying. The CyResLab Monitor is:

• Kubernetes powered – scalability and loose coupling
• Function-as-a-Service (FaaS) based – flexibility, adaptability, customizable

By utilizing the FaaS paradigm, the CyResLab Monitor can perform custom availability checks for different types of infrastructure, such as various black-box, grey-box, and white-box availability checks/metrics.

The flexibility and scalability, being the core advantages of the platform, would allow for applications in challenging areas, such as:

• Monitoring fleets of millions of IoT devices, in either push or pull mode
• Collecting data on availability and/or security for entire vertical or horizontal supply chain segments

To improve the available facilities for black-box testing, the team addressed some underlying technological limitations, such as the execution time for FaaS tests. The team also invested in the development of several black-box tests and test tools that can be leveraged to provide better insight into the availability of the respective services.

The following tests and test frameworks were implemented:

• In-Browser Black Box Testing Toolkit – based on Selenium (as a starting point), this framework allows for running user-provided functional tests on Web pages and applications. Support for other in-browser testing platforms, such as cypress.io and puppet, is possible, but not implemented at present
• WordPress – being among the most widely used platform for content-management and blogging (Built With 2020), WordPress has an abundant user-base that can benefit from improved availability data transparency

Currently, the team is experimenting with intelligent alerting by ML-based behavioral analysis, as well as with the exploitation of the platform’s scalability and elastic resources management for the on-demand rapid extension of testing services over thousands of devices (for example, numerous IoT and IIoT).

LABORATORY ENQUIRY FOR YOUR PROJECT: