Summary

The National Cyber Security Centre (NCSC), working in collaboration with the Research Institute for the Trustworthy Inter-connected Cyber-physical Systems (RITICS), is inviting proposals from academic researchers for research into the topics relevant to the Research Challenges described below.

The successful projects will join the RITICS portfolio, with all project staff becoming community members (see Joining RITICS section).

Total funding available: £400,000

Duration of funding: 16 months

Submission deadline: 31 August 2018, 16:00

Eligibility: Applicants need to be based in institutions eligible to apply for EPSRC funding

Research Challenges

This call concerns a number of research challenges that have been identified and refined through discussion with the Community of Interest (CoI), created by NCSC working in a public/private partnership with Industry, Lead Government Department (LGDs) and Academia. This community is open to all UK based ICS Asset Owners, ICS Security Researchers, ICS Vendors, and interested parties from HMG and Academia.

  • The ICS sectors, particularly the Transport and Civil Nuclear sectors, have a major concern with safety and security of ICS. Research is required into integrated safety and security systems. The safety regime is well understood, but safety in these industries has the upper-hand, and it is often to the detriment of the security. Why would you do an update to protect the security of a system, if it means you are unable to operate the system because the ‘safety case’ is no longer valid? Research is required into the assessment/assurance process used within the safety world, to see if there are any best practices or lessons learnt that could be used for the cyber security world. The aim being to provide those responsible with a level of assurance of the safety and security capability of that system.
  • How safe is a secure system? Research is require to understand the trade-offs that may have to be made when the security of the system is put before safety, and when the safety of a system is put before security.
  • Research is also required to understand and optimise decision-making when a practitioner is faced with competing safety and security concerns. What knowledge and information do they turn to? What information is available and what is missing? What decision-making processes are employed by individuals, groups and organisations? How can the balance of objective and subjective decisions be optimised? What incentives and influences dictate these trade-offs?

  • Research is required to understand the breadth of autonomous systems, and autonomy within the CNI and NI, not just vehicles but robots in factories, the commercial and consumer worlds. The research should also focus on the risks of these devices and platforms and how they could be assured.
  • Research is required to understand what assurance/assessment process can be used with systems that autonomously continue to learn, changing from their starting state. Can they be assessed? At what stage of ‘learning and changing’ should they be assessed? What level of assurance can be provided? How do you define the boundary of such a system? How do you know when it is secure, when it is safe?

  • Research is required in how to integrate Incident Response into the normal Business Process. Would this be done undertaking training, awareness, business process, ensuring there is ownership, or by other processes or procedures? The research should look at all aspects with the overall aim of being able to react and recover from a cyber incident. Could the same approach be used for the whole organisation, or would there be additional things to consider for control systems, cyber physical systems and critical systems.
  • Research is required into ICS Forensics. Is it different to Enterprise IT Forensics? If so, why and how? How to determine when to replace versus when to investigate? Can you gather evidence, if so, how?
  • Research is required to understand how and if you can detect an incident on an ICS/Cyber Physical system. How to detect, respond, analyse, and recover? How to get the information from the low level network, the end device, without affecting the system, collect and collate and inform a SOC. Research is also required to understand what actions a SOC should take.

  • Research is required on the ‘trade off’ of using encryption (‘to protect a network’) against not using encryption. Research into the ability to monitor and maintain real time equipment when using and not using encryption. Does using encryption cause real-time issues, or is there insufficient latency to raise concerns. What are the risks of not using encryption?
  • Research is required to understand how to do configuration management and unplanned change detection across ICS/cyber-physical systems? Research is required into how enumeration and identification of ICS/cyber-physical system assets, can be undertaken in a safe and secure way, ensuring the system is not broken or compromised? Research into how to manage ICS/cyber-physical system kit across multiple sites in a cost effective manner, which is safe and secure, without increasing the cost with operating additional network.
  • Research into understanding the commonalities and differences between planning and implementation of security for personnel and physical protection in relation to planning and implementations for the cyber security of Enterprise systems, ICS and cyber-physcial systems? What is the impact of those differences and how can strength in one area be leveraged for the others?
  • Research is required to understand what is the best balance of redundancy, diversity, system protection and false targets (or other methodologies) to build an optimal defence strategy for all cyber systems, but, focussing on ICS and cyber-physical systems?
    Interconnected Systems
  • Research is required into the effective modelling of the critical national infrastructure (CNI) as a system of systems. The CNI consists of many systems of different types, spread across 13 sectors. Many CNI systems depend on other CNI systems, whether in the same or different sectors. Current mappings are, at best, informal and, in many cases, non-existent, nor is there consistency of approach across different sectors. Research is required into how a CNI sector or sub-sector can be most effectively modelled. Can a CNI sector be modelled to a level that is practical whilst providing insight into these dependencies and inter-dependencies? Can these sector models be combined into a single, system of systems view of the whole CNI? Research is required into the balance between detail, accuracy and practicality. Research is also required into how models of the CNI can be used to support analysis, including identification of systemic vulnerabilities and points of low resilience.

  • Research is required to map and articulate the Supply Relationships from owner to supplier, whether this is a component of a service. How is the ownership of security and risk articulated to all those within the Supply Chain.

What to include in the proposal

Applications should be no more than eight sides of A4 and should include a breakdown of all costs involved, including equipment, travel & expenses etc. Proposals that attempt to engage with real-world partners are welcomed.

Each proposal must make it very clear how it addresses the challenge areas described above. Proposals should also include details of any planned engagement with ‘real world’ security.

The proposal should specifically address each of the following items:

  • Background: An outline of the context of the research.
  • Aim: A description of what understanding of the topic space the research is progressing and what potential impact it will have in practice.
  • Relevance to the call: A description of which challenges the research addresses, and how it addresses them.
  • Data: Whether the research is planning to create or make use of any specific datasets, and how they will be generated/handled.
  • Field work: Whether the research will be carried out in any ‘live’ environments as opposed to lab based work. Details of the trials environments should be provided and the degree to which access has been agreed.
  • Resources: An overview of the timescales, resources and structure of the research. A workplan should illustrate how these aspects combine to progress the research. The resources being used should be detailed, and CVs for named and visiting researchers included where these are known. Whether the research is planning to involve and draw on any expertise from within the security community should be described, including the nature and extent of the engagement and the degree to which it has been agreed with the appropriate people/organisations in the security community.
  • Method: An outline of how the research will be carried out, detailing techniques and approaches that intend to be used. An indication of the level of previous experience of these approaches should be included.
  • Potential impact in practice: How the outcomes of the research will make a difference in a real-world setting.

How to submit a proposal

Applications (see below for what to include) should be sent to Phil Bliss, Head of GCHQ Research & Innovation Office via email: ResearchCalls@GCHQ.GSI.GOV.UK.

We must receive your application by 1600 on Friday 31st August 2018.

How will proposals be assessed?

Following eligibility checks, research proposals will be reviewed by an expert Assessment Panel comprising representatives from academia, industry, and HMG. The panel will produce a ranked list of proposals based on consensus scores.

The Assessment Panel will consider the below criteria. All three criteria will be equally weighted. However, “Significance” will have a minimum threshold, below which proposals will be rejected.

  • Quality – this will consider the method & concept for the proposed research, and its ability to move forward fundamental understanding within the field.
  • Viability – this will assess how feasible the research is to carry out, eg whether the research concept is practicable to deliver. It will take into account the difficulty of the task, the logistical factors, and the track record of team.
  • Significance – this will consider the research’s potential impact on practice and its relevance to the Call. Note that the impact on practice does not have to be immediate. A long term, highly aspirational piece of research could produce a higher “Significance” score than a more tactical “applied” piece of work eg designed to produce an immediately usable tool. Neither does this preclude research which may have a ‘negative’ outcome, eg proving that a technique does not work. The proposal should outline the potential for transformative thought or progress within the cybersecurity profession, whether this be near or long term.

Funding

This topic will be funded by NCSC with an indicative budget of £0.4M over 16 months.

The funding and contract will be under the NCSC’s standard terms and conditions: a draft copy of the contract can be made available on request. The research will be funded at Full Economic Cost. Budgets for attendance at academic conferences to publicise and disseminate the work should be included within the research proposal. In addition to the travel budget for attending conferences, proposals should include adequate funding for travel between academic partners within the project, and to attend the quarterly Institute meetings.

The cross-disciplinary, exploratory and novel nature of the Institute is likely to require a significant commitment of time on the part of its permanent academic members.

The funders are committed to full and open publication of the research outputs of the Institute in line with normal academic practice.

Both NCSC and RITICS believe that this is a broad scale research call, with the potential to offer significant transformative value. We will be campaigning for more attention to be given to this topic at a national scale, and seeking additional sources of funding for further research from government and industry partners.

Key dates

  • Call for Proposals open: Friday 29 June 2018
  • Deadline for submission: Friday 31 August 2018
  • Announcement of results: w/c 24 September 2018
  • Research starts: December 2018
  • Research completed: 31 March 2020

Joining RITICS

The successful projects will join the RITICS portfolio, with all project staff becoming community members. Representatives from the projects will be expected to attend the majority of the regular RITICS community meetings, workshops and/or conferences. The projects will be asked to present their progress at some of these meetings.

There will be the opportunity to engage directly with the NCSC during the course of the projects, although the majority of the interaction is expected to be via RITICS.

The projects will also be expected to supply brief progress reports each quarter, and an annual progress summary, via RITICS.

About RITICS

RITICS was founded in 2014, as the third of the cyber security Institutes set up by the UK Government in conjunction with the Engineering and Physical Sciences Research Council (EPRSC). Its early focus was to improve Cyber Security of Industrial Control Systems. RITICS was renewed and relaunched in spring 2018, with funding for a further 5 years, now sponsored by the National Cyber Security Centre in partnership with EPSRC.

The vision is that RITICS will carry out high-quality research which advances knowledge in research areas identified as having the greatest potential to transform the academic state of the art and user practice. In addition, it is anticipated that RITICS will provide a focus for liaison with stakeholders from the NCSC and other parts of government and business.
EPSRC and the NCSC aspire to promote wide visibility of the outputs of RITICS in order to enable fast dissemination and, where appropriate, application of the research to improve Cyber Security of cyber-physical systems and critical infrastructure in the UK as a whole.