CyberSANE's aim is to help Critical Infrastructure (CI) cyber-security officers detect and respond to numerous advanced persistent threats from multiple sources as part of their daily operations. However, to do so it is important to understand the various demands of these officers as well as the technical necessities of such infrastructures. These "Requirements" define the various needs and specifications of the different end-users, guiding the creation of the CyberSANE system. As such, they are paramount to the definition of the architecture itself and will become the system's backbone, on top of which the development of the various components will take place.
The first type of requirements revolves around the needs of the end-user. To identify such needs, a questionnaire was created and shared among multiple industries to gather broader input on specific user demands. Our goal was for respondents to provide insight into the various critical cyber-security issues in CI services, as well as the numerous practices and risk assessment techniques in use in these industries, before giving a glimpse of their systematic security management issues.
The second type of requirements concerns the various system needs, based upon the defined use case scenarios and the results of the user questionnaire. Since these requirements are more technical in nature, they specify the restrictions and obligations of CyberSANE, thus shaping the produced architecture within defined guidelines.
To adequately organise and structure the final requirements, it is necessary to establish an order of priority, thus separating important, necessary elements from those deemed unnecessary at the present time but which could be included at a later date. For this, the MoSCoW prioritisation technique was adopted, which separates the various needs into four distinct categories (Must have, Should have, Could have, Won't have).
A grand total of 48 questionnaires from both consortium members and external end-users were received, covering multiple types of organisations from universities to port transportation authorities. The results revealed that 85% of interviewees are interested in or related to cyber-attacks, with only 58% actually performing tasks related to cyber-security. Furthermore, 73% state that their organisation provides an effective security management plan, with 69% employing effective incident handling procedures. Finally, a 50-50 split was observed when respondents were asked whether they use a centralised solution for incident information recovery, meaning that the market is split evenly between centralised and decentralised approaches.
Thanks to the participation and extensive information provided through the various questionnaires, a significant list of both user and technical requirements was created. These requirements cater to specific requests and demands of the end-users at all levels of the CyberSANE architecture. However, some generic overall requirements, such as complying with numerous security standards as well as laws and regulations in various CI domains, were also defined.