Chapter 17: RESISTO—RESIlience Enhancement and Risk Control Platform for Communication infraSTructure Operators
Published:2020
Alberto Neri, Alessandro Neri, 2020. "RESISTO—RESIlience Enhancement and Risk Control Platform for Communication infraSTructure Operators", Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures, John Soldatos, James Philpot, Gabriele Giunta
The current work has in parts been supported by the EU projects RESISTO (Grant No. 786409) on cyber-physical security of telecommunication critical infrastructure.
17.1 Introduction
Communications play a fundamental role in the economic and social well-being of citizens and in the operation of most Critical Infrastructures (CIs). They are therefore a primary target for criminals, since attacks on them have a multiplier effect and provide enormous resonance and gains. Extreme weather events and natural disasters also represent a challenge, as their increase in frequency and intensity requires smarter resilience of Communication CIs, which are extremely vulnerable given the ever-increasing complexity of their architecture, also in light of the evolution towards 5G, the extensive use of programmable platforms, and the exponential growth of connected devices. The fact that most enterprises still manage physical and cyber security independently is a further challenge. The RESISTO platform is an innovative solution for Communication CIs that increases situation awareness and enhances CI resilience. An integrated Risk and Resilience analysis, management, and improvement process is in charge of identifying threats and preventing impacts; in addition, RESISTO implements an innovative Decision Support System to protect communication infrastructures, able to detect negative events and to respond to and recover from physical, cyber, and combined cyber-physical threatening events. A suite of state-of-the-art cyber/physical threat detectors (Machine Learning based, IoT security, airborne threat detection, holistic audio-video analytics) completes the platform. Through RESISTO, Communications Operators will be able to implement a set of recovery actions and countermeasures that significantly reduce the impact of negative events in terms of performance losses, social consequences, and cascading effects, in particular by bouncing efficiently back to the original operational state or forward to a new one.
RESISTO adopts a unified approach to face physical as well as cyber threats, together with a double, integrated approach combining offline and run-time activities that is applicable to different kinds of CIs.
17.2 RESISTO Architecture
The logical architecture of RESISTO integrates two control loops both running on top of the Communication Infrastructure and interlinked with each other (Figure 17.1) that implement the five core security functionalities introduced by the USA National Institute of Standards and Technology (NIST) in the “Framework for Improving Critical Infrastructure Cybersecurity,” namely Identify, Protect, Detect, Respond, and Recover.
Figure 17.1: RESISTO logical architecture.
The Long-term Control Loop (LTCL) is an offline activity, following a well-defined methodology and supported by advanced tools, aimed at identifying infrastructure vulnerabilities and cyber and physical security threats and, consequently, at defining asset configurations and interventions that improve the CI's resilience and robustness. For each loop cycle, a set of Resilience Indicators (RIs), relevant to critical threat event typologies, is estimated and stored in a Knowledge Base (KB), as described in detail in Section 17.5. An LTCL cycle is performed on a periodic basis or when particular events take place (new threats or discovery of previously undetected vulnerabilities). It is typically conducted annually, quarterly, or even monthly.
The Short-term Control Loop (STCL) is the runtime component of the platform. It promptly responds to detected cyber/physical attacks and events that may impact the operational life of the system. It enhances situation awareness and provides operators with a Decision Support System cockpit able to implement the best response to an identified adverse event, with the aim of mitigating the event's effects and recovering standard operating conditions. While facing adverse cyber/physical events, the actual RI values are measured and stored in the KB (see Section 17.5).
Moreover, LTCL and STCL are strongly interlinked. In fact, the comparison between the target RIs estimated by the LTCL and their actual values measured by the STCL when facing run-time threat events establishes a higher-level global control loop able to continuously review and improve infrastructure resilience and methods.
17.3 The Long-term Control Loop
The RESISTO LTCL is in charge of configuring the Communication Critical Infrastructure according to the security assessment.
While the STCL provides tools for immediate reaction against attacks in real time, the LTCL leads to the identification of criticalities and the definition of long-term strategies. Therefore, it is conducted on a periodic basis as well as in case of specific events, e.g., detection of new types of vulnerabilities, expectation of new threats, or significant CI changes that may impact security.
The LTCL implementation is based on a sophisticated risk and resilience management process, aimed at identifying and evaluating risks and suggesting treatment and mitigation strategies, that extends the ISO 31000 standard.
Each cycle is structured into the following nine sequential steps (Figure 17.2):
1. Context analysis: devoted to the general description of the system, including the societal, economic, legal, and ethical context, and including the identification of key stakeholders, resilience objectives, restrictions, and evaluation criteria.
2. System analysis: aimed at the analysis of the system environment and interfaces, including boundary definitions, static and dynamic analysis, and (graphical) modeling/representation.
3. System performance function identification: targeted at the definition of the (non)performance (service) functions of the system, including qualitative and quantitative descriptions. The system (non)performance functions in combination should cover the expected system behavior and its assessment.
4. Disruptions identification: identifies threats, hazards, and disruptions (classical risk events) that might affect system (non)performance, as well as potentially affected system functions, system layers, and resilience capabilities.
5. Pre-assessment of combinations of functions and disruptions: analyses all combinations of system functions (step 3) and potential disruptions (step 4) in order to identify critical combinations which need to be further evaluated (in step 6). Step 5 is typically conducted analytically using a semi-quantitative approach. Steps 5 and 6 take account of all resilience cycle phases.
6. Overall resilience quantification: based on system modeling and simulation, aimed at determining resilience quantities, i.e., at quantifying the resilience of the system (non)performance functions with regard to the identified threats, starting from the criticalities identified in step 5. Step 6 covers advanced (overall) resilience quantification approaches.
7. Resilience and cost evaluation: devoted to the comparison of resilience performance, the illustration of the performance loss, and the evaluation of the acceptance level for all threats. Step 7 evaluates the results of steps 5 and 6.
8. Selection of options for modifying resilience: selects the best options for resilience improvement based on a preselected decision-making method. Step 8 includes the re-execution of all previous steps that affect the resilience (semi-)quantification, to assess the resilience gain obtained with the planned improvement methods.
9. Implementation of options for modifying resilience: development and implementation of the options for improving resilience selected in step 8, based on domain-specific standards as far as possible and on efficient methods corresponding to the resilience levels determined for all subsystems.
Figure 17.2: Risk and resilience management process.
In principle, the methodology employed in RESISTO is applicable to any kind of CI subjected to both physical and cyber threats. However, some elements and tools have been adapted or added in order to exploit specific aspects of the Communications domain.
Specific data concerning CI characteristics, potential threats, vulnerabilities and their exploitation, and the countermeasures required by the LTCL are stored in a dedicated Data and Knowledge Base. In addition, a web application has been realized that supports fast and easy browsing through its content and further inference of information, such as the critical combinations of system functions and threats and the threat ranking (step 5), which serve as additional input to other steps of the resilience management process. This application is based on the Shiny package of the free R language for statistical computing and allows a semi-quantitative assessment of critical risks. Tabular Excel templates for data import/export complement the tool.
Quantification of the resilience matrix of the critical risks based on CI simulations is further supported. At present, two simulation tools have been integrated in RESISTO: the platform-integrated CISIApro simulator, also employed in real time by the STCL, and the offline CaESAR simulator. CISIApro (Critical Infrastructure Simulation by Interdependent Agents) is a software engine, developed by the University of Roma Tre, able to calculate complex cascading effects, taking into account (inter)dependencies and fault propagation among the involved complex systems. CISIApro was developed in the framework of the H2020 ATENA project and in RESISTO has been updated to version 2.0, adding some important functionalities related to the modeling of telecommunication infrastructures.
In addition to the RI computation, the simulators allow assessing and ranking possible mitigation strategies. It should be noted that these simulations are not performed on an event basis, as a consequence of a detected attack as in the STCL, but rather on a periodic basis to identify weak points of the current setup of the infrastructure.
In Figure 17.2, the tools supporting the different steps of the risk and resilience management are indicated.
Among the methodologies and tools adopted in RESISTO in order to improve the knowledge about possible threats and their consequences (Figure 17.2, Step 4 from the Risk and resilience management process), we cite:
Attack Trees: attack trees are a way to describe an attack. In the LTCL, they can be used to identify situations for which the organization has no defense process in place. Each attack should have countermeasures in place.
Honeypots: a honeypot is a set of physical, HW, and/or SW modules simulating legitimate interactions with external users, while they are instead separate entities not performing any real operation and/or handling real data. Post-processing of honeypot logs is a long-established technique to detect and analyze sophisticated intrusions while keeping the real system safe. Moreover, it provides the possibility to observe an attack over time, thus enabling both learning about new threats and assessment of known ones. Since it collects detailed historical information, the technique is particularly useful for LTCL purposes.
Penetration tests: a penetration test (PENTEST) is a combination of techniques that considers various issues of the systems and tests, analyses, and gives solutions. It is based on a structured procedure that performs penetration testing step by step. Undertaking a series of penetration tests helps test security arrangements and identifies improvements. When carried out and reported properly, a penetration test can give knowledge of nearly all technical security weaknesses and provides the information and support required to remove or reduce those vulnerabilities.
MITRE ATT&CK: it consists in the constant monitoring of the information in the MITRE ATT&CK knowledge base on potential attacks, in order to develop and update threat models for the risk assessment of the operator's networks.
17.4 The Short-term Control Loop
The RESISTO Short-term Control Loop (STCL) is a typical run-time control loop. It is in charge of detecting potential physical, cyber, and combined physical/cyber threat events that may impact the operational life of the system, and of reacting promptly.
The STCL:
Monitors the physical and cybersecurity status of the infrastructures, correlating physical and cyber domain events, and monitoring communication infrastructure data in order to collect and/or detect anomalies and provide early warnings on security attacks or events adversely impacting security;
Evaluates the performance degradation causes related to detected anomalies and security attacks on the Communication CI and interlinked CIs, if known, based on the cascading effect;
Supports decision-making providing a qualitative and quantitative What-If analysis tool in order to evaluate the best mitigation strategy;
Drives response and recovery by means of action workflows (composed of directives to intervention teams, physical protection devices activation) and, mainly, of orchestrated Communication Network reconfiguration and protection function activation.
The STCL functional control flow is reported in Figure 17.3.
Figure 17.3: Short-term Control Loop functional flow.
Input data to the STCL can be grouped into the following categories:
Physical events related to attacks (e.g., intrusions, damage) or to potentially dangerous events (e.g., unauthorized UAV flights);
Cyberattacks;
Communication infrastructure physical layer/HW monitoring data (e.g., power and energy consumption and HW faults);
Communication network QoS monitoring data (e.g., offered traffic, throughput, latencies, error statistics, …).
The sources of such data and information could be:
Legacy Physical Security Information Management (PSIM) systems or other physical attack detectors made available by the telecommunication operator,
Legacy Security Operating Centers (SOCs) or other cyberattack detectors made available by the telecommunication operator,
RESISTO additional physical/cyber threat detectors [e.g., airborne threats detection systems, smart spectrum surveillance, OSINT (Open-Source Intelligence)-based] described in the following.
From a functional point of view, input data are collected by the Cyber/Physical Events Correlator. The Events Correlator not only propagates, as alarms, externally detected and collected attack/anomaly events, but it also generates alarms on its own from apparently harmless events and monitoring data. This latter action is performed by using several event correlation techniques, such as logical, causal, and temporal correlation based on event timing.
The Cyber/Physical Events Correlator is composed of the following main components, as depicted in Figure 17.4:
Correlator Engine: component correlating data source events and identifying potential threats based on a list of rules set by skilled operators;
Machine Learning (ML)-based module: a component based on the application of ML algorithms for the identification of standard/anomalous behavioral models for the traffic originating from network data sources.
Figure 17.4: Correlator architecture.
The Correlator Engine is mainly based on the Apache Storm and Esper technologies. Apache Storm is free, open-source software for distributed real-time computation. Esper is a Complex Event Processing (CEP) component able to perform Event Stream Processing. This feature allows real-time or quasi-real-time detection of the events that match the stored rules. In RESISTO, rules can be updated in real time without restarting the Correlator Engine.
The Esper engine operates in a different manner compared to a database management system. Instead of storing data and performing queries on the stored data, it allows applications to store their own queries and directly launch them on the data. The processing mode is continuous and a reply is in real-time whenever the conditions contained within the query are met.
Esper provides two principal methods for processing events:
Event pattern,
Event stream query.
The first method is based on a language allowing the specification of expression-based patterns for event matching. It analyses event sequences, or combinations of event sequences, based on timing factors. The second method, instead, offers the possibility to define queries allowing filtering, aggregation, and correlation (through join operators), as well as to analyze event streams. These queries follow the EPL (Event Processing Language) syntax. EPL is a declarative language implementing and extending the SQL standard, allowing rich expressions over events and time.
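As an added illustration of the temporal and logical correlation that the Correlator Engine performs on apparently harmless events, the following Python is example code written for this edit; it is not RESISTO code and not an Esper EPL statement. A small correlator keeps a sliding window of physical events per site and raises a combined alarm when a cyber event of a configured kind follows a physical event of a configured kind at the same site within the window. The event kind names, the `site` field assumed to be shared by the PSIM and SOC feeds, and the event stream are all constructed assumptions.

```python
# Added example, not RESISTO or Esper code: a minimal cyber/physical event
# correlator applying a temporal + logical rule in plain Python.
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime   # when the source reported the event
    domain: str    # "physical" (PSIM feed) or "cyber" (SOC feed)
    kind: str      # event type name as delivered by the source (assumed names)
    site: str      # site identifier shared by both domains (assumed field)


@dataclass(frozen=True)
class Alarm:
    rule: str
    site: str
    physical: Event
    cyber: Event


class Correlator:
    """Raises a combined alarm when a cyber event of kind `cyber_kind` follows a
    physical event of kind `physical_kind` at the same site within `window`."""

    def __init__(self, rules: List[Tuple[str, str, str]], window: timedelta):
        self.rules = rules          # (physical_kind, cyber_kind, rule_name)
        self.window = window
        self._recent: Dict[str, Deque[Event]] = {}   # per-site physical events

    def _expire(self, site: str, now: datetime) -> None:
        # Drop physical events that fell out of the correlation window.
        queue = self._recent.get(site)
        while queue and now - queue[0].ts > self.window:
            queue.popleft()

    def feed(self, event: Event) -> List[Alarm]:
        """Process one event in arrival order; returns the alarms it triggers."""
        self._expire(event.site, event.ts)
        if event.domain == "physical":
            self._recent.setdefault(event.site, deque()).append(event)
            return []
        alarms = []
        for phys in self._recent.get(event.site, ()):
            for physical_kind, cyber_kind, name in self.rules:
                if phys.kind == physical_kind and event.kind == cyber_kind:
                    alarms.append(Alarm(name, event.site, phys, event))
        return alarms


RULES = [   # constructed rule set, in the spirit of operator-defined rules
    ("door_forced", "config_change", "physical-access-then-reconfiguration"),
    ("door_forced", "console_login", "physical-access-then-console-login"),
]


def run_sample() -> List[str]:
    """Feed a constructed event stream; return the rule names of raised alarms."""
    t0 = datetime(2020, 1, 1, 9, 0, 0)
    stream = [  # constructed input, not captured data
        Event(t0, "physical", "door_forced", "site-A"),
        Event(t0 + timedelta(minutes=4), "cyber", "config_change", "site-A"),   # alarm
        Event(t0 + timedelta(minutes=30), "cyber", "config_change", "site-A"),  # window expired
        Event(t0 + timedelta(minutes=31), "physical", "door_forced", "site-B"),
        Event(t0 + timedelta(minutes=33), "cyber", "config_change", "site-A"),  # wrong site
        Event(t0 + timedelta(minutes=35), "cyber", "console_login", "site-B"),  # alarm
    ]
    correlator = Correlator(RULES, window=timedelta(minutes=10))
    raised: List[str] = []
    for ev in stream:
        raised.extend(alarm.rule for alarm in correlator.feed(ev))
    return raised
```

The window is applied per site, so a physical event at one site never explains a cyber event at another; in an Esper deployment the same logic would be one pattern statement with a time window and a join on the site field, and rule changes would be hot-loaded as the text describes rather than edited in code.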
The Machine Learning (ML)-based module allows the detection of anomalous traffic situations compared with the daily recorded ordinary traffic intensity. Control flow historical data retrieved from past records are used as first baseline for training the learning procedure. Historical data repository can be increased continuously in order to tune the machine learning-based detector with respect to evolving data traffic curves.
In more detail, the engine exploits a profile-based anomaly detection approach. This technique exploits the history of the normal network behavior to build a normal network profile. Following this principle, an "anomaly" is defined as a network behavior that is significantly different from the modeled one. One of the main advantages of profile-based approaches is that they do not require a model of the anomalous behaviors, thus allowing the detection of new and unforeseen anomalies. Moreover, the approach aims at designing an anomaly detection method which takes as input only control-flow quantitative indicators, such as the number of packets and bits. Note that this restriction on the kind of attributes exploited by the anomaly detection method is needed to fulfill the privacy-preserving requirements.
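The profile-based detector described above, as an added example written for this edit (not RESISTO's ML module): a normal profile is built per hour of day from historical packet and bit counters only, and a new sample is scored by its distance from that profile, so nothing about payloads or addresses is needed. The traffic history and the live samples are constructed and deterministic, and the z-score rule with a fixed threshold is an assumption standing in for the project's learning procedure.

```python
# Added example, not RESISTO code: a profile-based anomaly detector that uses
# only control-flow counters (packets and bits), as the text requires.
import statistics
from typing import Dict, List, Tuple

Sample = Tuple[int, int, int]   # (hour of day, packets, bits)


def diurnal_packets(hour: int) -> int:
    # Assumed traffic shape: a busier daytime plateau on top of a night floor.
    return 1800 if 8 <= hour < 20 else 1000


def build_history(days: int = 14) -> List[Sample]:
    """Constructed history of hourly counters standing in for past records."""
    history: List[Sample] = []
    for day in range(days):
        for hour in range(24):
            jitter = ((day * 7 + hour * 3) % 11) - 5        # deterministic -5..5
            packets = diurnal_packets(hour) + 10 * jitter
            history.append((hour, packets, packets * 1200))   # ~1200 bits/packet
    return history


def build_profile(history: List[Sample]) -> Dict[int, Tuple[float, float, float, float]]:
    """Normal profile: per hour-of-day mean and std of packets and of bits."""
    by_hour: Dict[int, Tuple[List[int], List[int]]] = {}
    for hour, packets, bits in history:
        pk, bt = by_hour.setdefault(hour, ([], []))
        pk.append(packets)
        bt.append(bits)
    profile = {}
    for hour, (pk, bt) in by_hour.items():
        profile[hour] = (
            statistics.mean(pk), statistics.pstdev(pk) or 1.0,   # avoid division by zero
            statistics.mean(bt), statistics.pstdev(bt) or 1.0,
        )
    return profile


def anomaly_score(profile, sample: Sample) -> float:
    """Largest absolute z-score of the sample's counters against its hour's profile."""
    hour, packets, bits = sample
    mean_pk, std_pk, mean_bt, std_bt = profile[hour]
    return max(abs(packets - mean_pk) / std_pk, abs(bits - mean_bt) / std_bt)


def detect(profile, samples: List[Sample], threshold: float = 4.0) -> List[int]:
    """Indices of the samples whose score exceeds the threshold."""
    return [i for i, s in enumerate(samples) if anomaly_score(profile, s) > threshold]


LIVE_SAMPLES: List[Sample] = [       # constructed, not captured traffic
    (10, 1790, 1790 * 1200),   # ordinary daytime hour
    (3, 1020, 1020 * 1200),    # ordinary night hour
    (14, 6000, 6000 * 1200),   # volumetric spike during the day
    (22, 990, 990 * 1200),     # ordinary evening hour
    (3, 1800, 1800 * 1200),    # daytime-level volume at 03:00
]


def run_sample() -> List[int]:
    profile = build_profile(build_history())
    return detect(profile, LIVE_SAMPLES)
```

Appending new, operator-confirmed normal samples to the history and rebuilding the profile is the continuous tuning step the text mentions; the last live sample shows why the hour-of-day key matters, since 1800 packets is normal at 14:00 and anomalous at 03:00 even though no attack signature is involved.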
Anomalies detected by the Events Correlator trigger the Risk (Impact) Predictor. The Risk Predictor evaluates and highlights the impacts of the potential exploit detected by the Correlator on the communication infrastructure and, mainly, on the services provided by the infrastructure. The Risk Predictor Engine is based on CISIApro 2.0 and acts at run-time on a CI model built according to different offline interlacing points of view:
Under a reductionist perspective, each infrastructure is decomposed into a network of interconnected physical elementary entities and their behavior depends on the (mutual or not) interactions with the other reductionist elements;
Applying a holistic approach, each infrastructure is modeled as a (logical) reality with its own identity, functional properties, and recognizable boundaries. It interacts with other similar entities according to reduced identifiable set of relationships. With such a perspective, it is easy to identify the roles that each infrastructure plays in a specific context;
From a Service point of view, a Service Entity represents a logical element, conceptual or real, that provides an aggregate resource such as a QoS (Quality of Service) level.
Moreover, the Risk Predictor supports the decision-making process allowing a “What-If analysis” and thus simulating the application of countermeasures and reconfiguration and their impact on system resilience.
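To make the cascading-effect and "What-If" idea concrete, here is an added toy interdependency model written for this edit; it is not CISIApro and not RESISTO code. Physical elements (reductionist layer) feed service entities, an element's operative level is reduced by its degraded suppliers according to an assumed coupling rule, and candidate countermeasures are ranked by re-evaluating the model on a copy. The topology, the coupling weights, the propagation rule, and the countermeasures are all constructed assumptions.

```python
# Added example, not CISIApro or RESISTO code: a toy interdependency model that
# propagates a failure up to service entities and ranks countermeasures by
# what-if evaluation.
import copy
from typing import Callable, Dict, List, Optional, Tuple


class InterdependencyModel:
    def __init__(self) -> None:
        self.health: Dict[str, float] = {}                      # intrinsic state in [0, 1]
        self.deps: Dict[str, List[Tuple[str, float]]] = {}      # (supplier, coupling weight)

    def add(self, name: str, deps: List[Tuple[str, float]] = (), health: float = 1.0) -> None:
        self.health[name] = health
        self.deps[name] = list(deps)

    def level(self, name: str, memo: Optional[Dict[str, float]] = None) -> float:
        """Operative level: intrinsic health reduced by each degraded supplier in
        proportion to the coupling weight (assumed propagation rule)."""
        if memo is None:
            memo = {}
        if name not in memo:
            lvl = self.health[name]
            for supplier, weight in self.deps[name]:
                lvl *= 1.0 - weight * (1.0 - self.level(supplier, memo))
            memo[name] = round(lvl, 4)
        return memo[name]

    def service_levels(self) -> Dict[str, float]:
        memo: Dict[str, float] = {}
        return {n: self.level(n, memo) for n in self.health if n.endswith("_service")}


def build_model() -> InterdependencyModel:
    """Constructed model: two powered sites feeding two service entities."""
    m = InterdependencyModel()
    m.add("power_A")
    m.add("power_B")
    m.add("router_A", [("power_A", 1.0)])
    m.add("router_B", [("power_B", 1.0)])
    m.add("core_switch", [("power_B", 1.0)])
    m.add("voice_service", [("router_A", 0.7), ("core_switch", 1.0)])
    m.add("emergency_service", [("router_A", 1.0), ("core_switch", 1.0)])
    return m


Countermeasure = Callable[[InterdependencyModel], None]


def reroute_emergency(m: InterdependencyModel) -> None:
    # What-if: move the emergency service onto router_B (network reconfiguration).
    m.deps["emergency_service"] = [("router_B", 1.0), ("core_switch", 1.0)]


def backup_power_a(m: InterdependencyModel) -> None:
    # What-if: restore site A power with a backup generator (physical action).
    m.health["power_A"] = 1.0


def what_if(m: InterdependencyModel, action: Countermeasure) -> Dict[str, float]:
    trial = copy.deepcopy(m)   # never mutate the live model during analysis
    action(trial)
    return trial.service_levels()


def rank_countermeasures(m: InterdependencyModel,
                         options: Dict[str, Countermeasure]) -> List[Tuple[str, float]]:
    """Sort options by the total service level they leave, best first."""
    scored = [(name, round(sum(what_if(m, act).values()), 4)) for name, act in options.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def run_sample():
    m = build_model()
    nominal = m.service_levels()
    m.health["power_A"] = 0.0          # detected event: power loss at site A (constructed)
    degraded = m.service_levels()
    ranking = rank_countermeasures(m, {
        "none": lambda _: None,
        "reroute_emergency": reroute_emergency,
        "backup_power_A": backup_power_a,
    })
    return nominal, degraded, ranking
```

The ranking uses a plain sum of service levels; a real Risk Predictor would weight services by their SLA and add the cost of each action, but the shape of the analysis (propagate, copy, apply, re-propagate, compare) is the same.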
In parallel with the Risk (Impact) Predictor, the Correlator also triggers the Workflow Manager software engine, in charge of guiding the operator during the reaction and recovery phases. On the basis of the alarm type, the most appropriate workflow is selected and executed. A workflow is a conditional sequence of steps. Each step can specify a procedural action such as:
Alert a security or technical team with an emergency message sent through the EWCF,
Drive one or more physical actuators (e.g., lock physical gate),
Carry out a complex O&M action on the Communication Network (e.g., activate a Virtual Network Security Function, isolate a faulty or attacked component, reconfigure a part of the network, disable a 5G slice, etc.).
The Workflow Manager inside RESISTO platform is an extremely effective tool for managing critical infrastructure security. It is based on a Business Process Model (BPM) engine for the configuration and execution of automatic or semi-automatic processes, consisting of sequences of actions and reactions, which can be triggered by a defined event. Given a certain alarm/event, it allows selecting and executing the most appropriate workflow, i.e., a conditional sequence of tasks.
The workflow execution is carried out via Activiti, an open-source workflow engine written in Java that can execute business processes described in the standard BPMN (Business Process Model and Notation) 2.0. The workflow is represented by an XML file, which is managed by the Activiti engine through its deployment in a dedicated database.
Complex actions on the Communication Infrastructure are performed by the Orchestration Controller. The Orchestration Controller is built around the concept of Software Defined Security (SDS) taking advantage of the Network Function Virtualization (NFV) and Software Defined Networking (SDN) paradigms of the underlying communication network. The Orchestrator Controller implements complex security functions and services composing less complex/primitive security mechanisms/functions acting on physical resources (i.e., network physical equipment) as well as on Virtual Network Functions in a NFV/5G perspective. The Orchestration Controller operates on a communication infrastructure already controlled by a telecommunication operator, so it works on top of a simple SDN Controller, on the northbound side, or on top of a more complex network Operational Support System (OSS).
The Emergency Warning Communication (EWC) function is activated when it is needed to send instant messages, targeted alerts, and operating instructions to specific categories of users present in a certain area where events such as natural disasters, physical attacks, or cyberattacks are occurring. In particular, rescue teams called to execute actions on the infrastructure can rely on the received information. The EWC module includes a server application and an Android application. The server exposes an interface towards the other modules of the RESISTO framework that need to communicate information concerning a physical/cyber attack to the intervention team operating where the telecom infrastructure is located. The rescue team relies on the application information, both textual and visual. In particular, the positions of points of interest and of the other team members are collected and visualized. The app is available on Android devices, including smartphones.
The EWCF service is implemented in a microservice architecture using Docker containers. The service has its own persistent storage and database, where information regarding teams, users, and events is registered. The server is connected with an Android app installed on the user terminals of the team members. The same app can be connected to an IoT platform and relays sensor values to it. In particular, the GPS position of the terminal is collected in the IoT platform and in this way shared among the team members. A messaging platform is used instead to connect the terminals among themselves and with the main service, which in turn receives specific messages from the Workflow Manager.
Nevertheless, the architecture is modular and can be adapted to use other external platforms.
As already explained, the RESISTO platform also includes some state-of-the-art physical/cyber threat detectors.
Considering the emerging use of unmanned devices, UAVs (Unmanned Aerial Vehicles) or drones are nowadays increasingly regarded as potential, human-driven, physical threats. Within RESISTO, mixed techniques involving low-cost radars combined with acoustic sensors are implemented to detect small airborne objects and moving targets. The specific airborne threat detection system consists of a set of tools designed and developed to detect the presence of small UAVs that may constitute airborne threats and to provide alarm signals. The system can also be deployed in small unprotected areas, such as antenna telecom parks, providing additional situational awareness and perimeter defense against low-flying aircraft.
The radar sensor currently adopted in RESISTO is a Doppler radar able to detect and track fast moving, small targets even in harsh conditions (dusk, rain or snow) at a range of several kilometers.
Detection based on the acoustic signal emitted by the UAV is based on a low cost, low power array of high sensitivity dynamic microphones. Acoustic sensors have many advantages that include non-line-of-sight, omni-directionality, passiveness, low-cost, and low-power, and play a potential key role in situational awareness. Moreover, while the equivalent radar cross section of UAVs can be rather small, due to both their small size and the electromagnetic properties of their constituent materials, their acoustic signature is directly related to the acoustic wave originating from both the engine and the propeller rotation. The acoustic microphone arrays are used as a second sensor modality to detect broadband acoustic emissions from approaching targets. In particular, rotary wing UAVs can be detected by exploiting the tonal components of the spectrum of the incoming acoustic wave related to the propellers’ rotations (in the 20 Hz-2 kHz range).
Target’s detection and angle of arrival estimation adopt advanced signal processing and machine learning techniques making use of radar and acoustic signal features in both the time-domain and the frequency-domain. The above sensors and tools can be either used separately or in combination, through a multiplexing console and a computer, physically connected to the sensors, that performs signal and data processing.
Video and audio sensors are widely used in surveillance operations and in the protection of critical infrastructures. Intelligent algorithms are applied to audio and video streams for the real-time detection of events, allowing the early identification of illicit activity. Pattern recognition and machine learning techniques are used to extract acoustic events (e.g., gunshots, screaming, glass breaking) or to classify persons, vehicles, and other objects moving within the surveilled area. Together, the audio and video analytics modules form an intelligent surveillance system in which the security operator is notified with an alert about the suspicious activity, accompanied by important information such as the location (source) and type of the event, the detected objects, etc. This intelligent process reduces the effort of the operator by monitoring a huge number of sensors on a 24/7 basis.
The Intelligent Audio Analytics Component (AAC) allows the detection of abnormal behavior regardless of the field of view, while also allowing the triggering of the system with the occurrence of predefined keywords. The solution implements well-established methods from the fields of audio coding, machine learning, and speech recognition and allows efficient operation on low-cost power-limited devices (or embedded systems) for the detection of screaming, glass breaking, and gunshots within the environment. The Video Analytics Component (VAC) provides the necessary functionalities for visual surveillance analytics, aiming to identify and provide methods that abstract the information of interest contained in video surveillance streams.
The design of the Intelligent Surveillance System, including both the AAC and the VAC, is based on two different processing levels: one with reduced processing capability (infrastructure based on an embedded system, i.e., Raspberry Pi 3) and one with enhanced processing capability (i.e., GPU-enabled computers or servers). Depending on the application, audio or video, several components are deployed on each processing level.
Additionally, within RESISTO project, audio and video analytics modules are enhanced with some other components in order to support the smooth operation, logging, and correlation of the events.
Smart Spectrum Surveillance is a set of tools, such as RADIOFILTER and RAN (Radio Access Network) MONITOR, being developed in the context of the RESISTO project, which makes use of IoT Radio Frequency (RF) sensors for the detection of physical events/threats in telecom critical infrastructures.
RADIOFILTER is a stand-alone system used for the detection of non-authorized Access Points (AP), Bluetooth, and WiFi devices as well as connections in manned facilities as well as intrusion detection in unmanned facilities.
RANMONITOR is a stand-alone system used for the detection of IMSI-catchers/rogue base stations, misconfigured small cells, and interferences to the cellular network (intentional and non-intentional).
IoT sensor networks may gather sensitive data or be used by a malicious adversary to conduct attacks. Therefore, security is a key concern for such networks and, for that reason, particular attention is paid to securing the sensors themselves. In RESISTO, the solution proposed for securing sensors is based on the premise of having a secure boot and up-to-date software in the hardware platform of each sensor used, through secure periodic firmware updates. In order to secure an IoT sensor network, the sensors periodically poll a Firmware Update Server to query whether secure firmware updates are available. If there are, after mutual authentication (involving an Auxiliary Authentication Server), a digitally signed firmware image is downloaded from the Firmware Update Server and its integrity and authenticity are verified. To strengthen integrity verification, blockchain technology is applied. If the integrity and authenticity tests pass, the sensor can install the new firmware version. The sensor-server connection is further secured through the use of two-factor authentication.
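The following is an added example written for this edit, not RESISTO code, of the sensor-side part of that update check: released image digests are appended to a hash-chained ledger, and the sensor accepts a downloaded image only if the ledger is internally consistent, the offered version is newer than the installed one, and the image digest matches the ledger entry. The signature verification and the mutual/two-factor authentication the text mentions are outside this block. The ledger format, the version scheme, the image bytes, and the release history are constructed assumptions.

```python
# Added example, not RESISTO code: ledger-backed integrity and anti-rollback
# checks for a firmware update. Signature verification and authentication are
# not shown here.
import hashlib
from dataclasses import dataclass, replace
from typing import List, Tuple

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class LedgerEntry:
    index: int
    version: str
    image_sha256: str
    prev_hash: str
    entry_hash: str


def _entry_hash(index: int, version: str, image_sha256: str, prev_hash: str) -> str:
    payload = f"{index}|{version}|{image_sha256}|{prev_hash}".encode()
    return hashlib.sha256(payload).hexdigest()


def publish(ledger: List[LedgerEntry], version: str, image: bytes) -> List[LedgerEntry]:
    """Update Server side: append the digest of a newly released image."""
    prev = ledger[-1].entry_hash if ledger else GENESIS_HASH
    digest = hashlib.sha256(image).hexdigest()
    index = len(ledger)
    entry = LedgerEntry(index, version, digest, prev, _entry_hash(index, version, digest, prev))
    return ledger + [entry]


def ledger_is_consistent(ledger: List[LedgerEntry]) -> bool:
    """Each entry commits to its predecessor, so editing an old entry breaks the chain."""
    prev = GENESIS_HASH
    for i, e in enumerate(ledger):
        if e.index != i or e.prev_hash != prev:
            return False
        if _entry_hash(i, e.version, e.image_sha256, prev) != e.entry_hash:
            return False
        prev = e.entry_hash
    return True


def _version_key(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def verify_update(ledger: List[LedgerEntry], installed: str, offered: str,
                  image: bytes) -> Tuple[bool, str]:
    """Sensor side: accept the downloaded image only if every check passes."""
    if not ledger_is_consistent(ledger):
        return False, "ledger inconsistent"
    if _version_key(offered) <= _version_key(installed):
        return False, "rollback refused"          # never downgrade to a known-bad image
    entry = next((e for e in ledger if e.version == offered), None)
    if entry is None:
        return False, "version not in ledger"
    if hashlib.sha256(image).hexdigest() != entry.image_sha256:
        return False, "image digest mismatch"
    return True, "ok"


# Constructed release history and images (placeholders, not real firmware).
IMAGE_V1 = b"sensor-firmware-1.0.0-placeholder"
IMAGE_V2 = b"sensor-firmware-1.1.0-placeholder"
LEDGER = publish(publish([], "1.0.0", IMAGE_V1), "1.1.0", IMAGE_V2)


def run_checks():
    genuine = verify_update(LEDGER, "1.0.0", "1.1.0", IMAGE_V2)
    tampered_image = verify_update(LEDGER, "1.0.0", "1.1.0", IMAGE_V2 + b"x")
    rollback = verify_update(LEDGER, "1.1.0", "1.0.0", IMAGE_V1)
    # An edited historical entry, even re-hashed to look valid on its own,
    # no longer matches the commitment held by the entry that follows it.
    forged = replace(LEDGER[0], image_sha256="f" * 64)
    forged = replace(forged, entry_hash=_entry_hash(0, forged.version,
                                                    forged.image_sha256, forged.prev_hash))
    tampered_ledger = verify_update([forged, LEDGER[1]], "0.9.0", "1.0.0", IMAGE_V1)
    return genuine, tampered_image, rollback, tampered_ledger
```

A single copy of such a chain only protects past entries: whoever can rewrite the newest entry and its hash would not be caught by `ledger_is_consistent`. That is why the text pairs the ledger with signed images and why a blockchain keeps replicated copies that must agree; the sensor should compare the head hash it receives against one obtained from an independent source before trusting a new entry.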
The use of Open Source INTelligence (OSINT) techniques can help better understand potential threats surrounding a telecom organization or a specific sector, by crawling and learning from publicly available sources. The main features of the crawler are:
Identification of Common Vulnerabilities and Exposures (CVE) that could be found on devices that can be exposed on the operator network;
Detection of potential misconfigurations and known vulnerabilities.
The crawler stores the information concerning the type of device, the software running on it, the potential misconfigurations/vulnerabilities based on the knowledge of the operator network.
Within RESISTO, several threat intelligence sources and OSINT platforms are considered and crawled:
The Computer Incident Response Center Luxembourg (CIRCL), a Malware Information Sharing Platform framework-based OSINT that collects threat intelligence events;
The Instrument de Veille sur les Réseaux Extérieurs (IVRE), also known as Dynamic Recon of UNKnown networks (DRUNK), an open-source framework for network recon;
Other sources of data about vulnerabilities that can be found on Twitter;
A machine learning platform to process the events collected by the crawlers.
17.5 Long- and Short-term Control Loops Interaction
Long- and Short-term Control Loops interact with each other by means of Resilience Indicators (RIs). The RIs have been selected to describe the main features of the typical resilience curve (Figure 17.5), which describes the evolution of a system function's performance (or provided service) vs. time when facing a specific event type. The selected RIs are:
RI1: maximum function performance loss, expressed in percentage;
RI2: elapsed time between the event occurring and the recovery action beginning;
RI3: elapsed time between the recovery action beginning and the complete performance recovery;
RI4: total performance loss from event to complete recovery (colored area in Figure 17.5).
Figure 17.5: Resilience curve and Resilience Indicators.
The interaction between Long- and Short-term Control Loops can be explained in four steps, as shown in Figure 17.6.
Figure 17.6: Long- and Short-term Control Loops interaction.
Step 1: RIs estimation
During the last LTCL steps, the process:
Characterizes (quantifies) CI «as is» resilience (step 6);
Identifies the most critical couples [function; (threatening) event] showing RIs not in line with required Service Level Agreement (step 7);
Selects interventions on CI in order to improve resilience for most critical couples (function; event) estimating RIs in the new «to be» configuration (step 8);
Implements interventions (step 9).
So, at the end of each LTCL cycle, Estimated RIs are stored in a Knowledge Base (KB).
Step 2: RIs measurement
STCL operators, when facing that event type, measure the actual RIs and store them in the KB.
Step 3: Estimated vs. Measured RIs comparison
Estimated and Measured RIs are compared to verify if the expected resilience is actually in place (no significant deviations) or not.
Step 4: Estimated vs. Measured RIs comparison
Detected significant deviations provide feedback for the next LTCL cycle, to improve Critical Infrastructure resilience or the estimation methods if needed.
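As an added example covering both the RI definitions of this section and the four-step comparison just described (example code written for this edit, not RESISTO code): the four indicators are computed from a sampled performance curve of one function as measured by the STCL, then compared with the estimates the LTCL stored for that event type, and the indicators that deviate beyond a tolerance are flagged for the next LTCL cycle. The Knowledge Base is a plain dict, the curve, event time, estimates, and tolerance are constructed, and inferring the recovery start from the curve when the operator did not log it is an assumption.

```python
# Added example, not RESISTO code: computing RI1..RI4 from a performance curve
# and comparing them with the LTCL estimates held in the Knowledge Base.
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]   # (time in minutes, performance in % of nominal)


def compute_ris(curve: List[Point], event_time: float,
                recovery_start: Optional[float] = None,
                nominal: float = 100.0) -> Dict[str, Optional[float]]:
    """RI1: maximum loss (%); RI2: event -> recovery action start; RI3: recovery
    start -> full recovery; RI4: loss integrated over time (% x min, trapezoids,
    the colored area of the resilience curve). If the recovery start was not
    logged, it is inferred as the last sample before performance rises again."""
    after = [(t, p) for t, p in curve if t >= event_time]
    if not after:
        raise ValueError("event_time lies outside the sampled curve")
    ri1 = nominal - min(p for _, p in after)
    if recovery_start is None:
        for (t_prev, p_prev), (_, p) in zip(after, after[1:]):
            if p > p_prev:
                recovery_start = t_prev
                break
    full_recovery = None
    if recovery_start is not None:
        full_recovery = next((t for t, p in after
                              if t > recovery_start and p >= nominal), None)
    ri4 = 0.0
    for (t0, p0), (t1, p1) in zip(curve, curve[1:]):
        loss0, loss1 = max(0.0, nominal - p0), max(0.0, nominal - p1)
        ri4 += (loss0 + loss1) / 2.0 * (t1 - t0)
    return {
        "RI1": ri1,
        "RI2": None if recovery_start is None else recovery_start - event_time,
        "RI3": None if full_recovery is None else full_recovery - recovery_start,
        "RI4": ri4,
    }


def compare_ris(estimated: Dict[str, float], measured: Dict[str, Optional[float]],
                tolerance: float = 0.15) -> Dict[str, Tuple[str, Optional[float]]]:
    """Relative deviation of each measured RI from its estimate. All four RIs are
    lower-is-better; a deviation beyond the tolerance in either direction is
    worth feeding back (a better-than-estimated value means the estimate was
    pessimistic, which is also an estimation-method finding)."""
    report: Dict[str, Tuple[str, Optional[float]]] = {}
    for name, est in estimated.items():
        meas = measured.get(name)
        if meas is None:
            report[name] = ("unmeasured", None)          # e.g. no full recovery yet
            continue
        dev = (meas - est) / est if est else float("inf")
        if abs(dev) <= tolerance:
            status = "within tolerance"
        else:
            status = "worse than estimated" if dev > 0 else "better than estimated"
        report[name] = (status, round(dev, 3))
    return report


def flagged(report: Dict[str, Tuple[str, Optional[float]]]) -> List[str]:
    return [name for name, (status, _) in report.items() if status != "within tolerance"]


# Constructed resilience curve: nominal until t=10, at 40 % from t=20,
# recovery starting at t=40 and completed at t=60.
CURVE: List[Point] = [(0.0, 100.0), (10.0, 100.0), (20.0, 40.0), (30.0, 40.0),
                      (40.0, 40.0), (50.0, 70.0), (60.0, 100.0), (70.0, 100.0)]
EVENT_TIME = 10.0
ESTIMATED_RIS = {"RI1": 55.0, "RI2": 30.0, "RI3": 15.0, "RI4": 1500.0}   # KB entry (constructed)


def run_sample() -> Tuple[Dict[str, Optional[float]], List[str]]:
    measured = compute_ris(CURVE, EVENT_TIME)
    return measured, flagged(compare_ris(ESTIMATED_RIS, measured))
```

On the constructed curve RI1 and RI2 fall within tolerance while RI3 and RI4 come out worse than estimated, which is exactly the kind of deviation step 4 hands back to the LTCL: either the recovery procedure is slower than planned or the step 6 model underestimated the loss.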
17.6 Conclusions
RESISTO proposes a complete and integrated framework covering offline Identification and Prevention activities as well as on-line Detection, Response, and Recovery activities. RESISTO promotes a unified approach to face physical, cyber, and combined physical/cyber threats to Communication CIs, in order to provide complete situation awareness and impact evaluation, allowing resource optimization and improving the efficiency of recovery actions.
RESISTO encompasses security analysis in a wider Risk and Resilience analysis and management process, integrating both physical and cyber aspects.
The RESISTO approach is scalable: developed in the context of Communications, it is easily applicable to different kinds of CIs.
The proposed framework is modular and based on very versatile technologies, so it is easily adaptable to face the continuous evolution of physical and cyber threats and to continuously improve CI resilience.
RESISTO also includes a wide set of detectors of physical and cyber threatening events based on state-of-the-art technologies (Machine Learning, blockchain, etc.); they can be employed in different contexts, as stand-alone components as well as in integrated configurations.