
CADSP

Cyber Attack Decision and Support Platform

In recent years, large-scale cyber attacks have grown rapidly. These attacks exploit both known attack vectors, e.g. DDoS, and previously unknown security vulnerabilities used in the course of advanced APT attacks. They affect not only companies and private individuals, but now also state institutions. Due to its role in national defense, the BMLV is a particularly prestigious target for a wide variety of attacking groups. Therefore, it is the Federal Army's aim to maintain sovereignty over its mission-critical information, to make a significant contribution to national cyber defense, and to protect its infrastructures in the best possible way. The occurrence of a massive cyber incident caused by a cyberattack, massive misconfiguration, or unfavorable failure of core services is only a matter of time. Preparatory measures are therefore urgently needed in order to react appropriately in the event of an incident: (i) to detect an incident in due time (monitoring, sensor technology), (ii) to recognize correlations and draw the right conclusions (data analysis), (iii) to provide the relevant actors with specific information (information distribution), (iv) to assist the establishment of situational awareness (situation picture presentation), and (v) to initiate the correct countermeasures (cyber incident response).
While there are various efficient solutions in the SOC area for private companies, these are not directly applicable to the BMLV. On the one hand, its structure is fundamentally different; on the other hand, its objectives are diametrically opposed to those of industry. While private companies generally strive for profit maximization under cost pressure, the BMLV with its particularly sensitive data (up to the classification level "top secret") has higher protection goals. This also means that risks which would be accepted on purely economic grounds must be mitigated. As a result, monitoring and cyber incident response in the BMLV must also be set up differently, or follow much stricter requirements than in the private sector. Consequently, existing solutions can only be used in an adapted form, or new concepts, methods and solutions for cyber incident response in the military environment have to be developed in the first place.
The aim of CADSP is the scientifically founded conception and prototypical evaluation of a Cyber Attack Decision and Support Platform (CADSP) for selected BMLV (Federal Ministry of Defense) use cases and defined processes for cyber incident response, especially in the military environment. In doing so, CADSP investigated which data sources are suitable in the selected application scenario in order to provide sufficiently accurate information for assessing the current security status of an infrastructure and the cyber attacks taking place. Building on this, a suitable user interface and situation visualization were generated that optimally support the cyber incident response process. In particular, user interfaces can be adapted according to the need-to-know principle for individual stakeholders. It is thus possible to visualize a situation picture with selected information for different target groups and for a large number of applications and purposes. The prototype/demonstrator was developed in close coordination with the end-users using agile development methods. As soon as they were available, prototypes/demonstrators were provided to the end-users for feedback or discussed in regular coordination meetings and then refined for the intended use.
The knowledge gained in this research project supports the BMLV/OEBH in maintaining the ability to control its own cyber space / information space. The number of different events in cyberspace that directly or indirectly affect the information security of the BMLV/OEBH ICT infrastructure is enormous. In order to get a representative picture of these events, it was absolutely necessary to automate as many steps in the process of gathering and passing on information as possible. The tasks of the Military Cyber Situation Center are to collect the BMLV/OEBH internal cyber security situation (cyber security-relevant information) and to provide appropriate reports for tactical, operational (and strategic) military decisions at any time, in the desired form and at any required location. This was significantly supported by the CADSP research project. The findings were subsequently incorporated into the digitalization of the processes at the Military Cyber Situation Center. This development of automation took place in parallel to the supporting research project in order to make the best possible use of synergies.
In summary, it can be said that without this or other research projects and solely with the BMLV/OEBH's own resources, such an effective and efficient implementation of the capability development and maintenance of the Military Cyber Situation Center would not be possible. This is because there are still no commercial solutions that fulfill the requirements of military environments, and therefore research on new methods and concepts was the most effective way forward for the BMLV/OEBH.

 

  • Partners: AIT Austrian Institute of Technology (coordinator), Frequentis AG, Bundesministerium für Landesverteidigung (Federal Ministry of Defense)
  • Project duration: 11/2019 – 04/2022
  • Funding programme: FFG FORTE, 2018 call