Proposals are invited against at least one of the following three subtopics:
a) Cybersecurity/privacy audit, certification and standardisation
Innovative approaches to (i) design and develop automated security validation and testing, exploiting the knowledge of architecture, code, and development environments (e.g. white box) (ii) design and develop automated security verification at code level, focusing on scalable taint analysis, information-flow analysis, control-flow integrity, security policy, and considering the relation to secure development lifecycles, (iii) develop mechanisms, key performance indicators and measures that ease the process of certification at the level of services and (iv) develop mechanisms to better audit and analyse open source and/or open license software, and ICT systems with respect to cybersecurity and digital privacy. These approaches may be accompanied by creating information bases to measure and assess the security of digital assets. Proposals should make use of existing standards to the extent possible, and should strive to contribute to relevant standardisation efforts.
b) Trusted supply chains of ICT systems
Innovative approaches to (i) develop advanced, evidence based, dynamic methods and tools for better forecasting, detecting and preventing propagated vulnerabilities, (ii) estimate both dynamically and accurately supply chain cyber security and privacy risks, (iii) design and develop security, privacy and accountability measures and mitigation strategies for all entities involved in the supply chain, (iv) design and develop techniques, methods and tools to better audit complex algorithms (e.g. search engines), interconnected ICT components/systems (v) devise methods to develop resilient systems out of potentially insecure components and (vi) devise security assurance methodologies and metrics to define security claims for composed systems and certification methods, allowing harmonisation and mutual recognition based primarily on evidence and not only on trust.
The trusted supply chain for ICT systems/components should be considered by proposals in its entirety, in particular by addressing the IoT ecosystems/devices that are part of the supply chain.
c) Designing and developing privacy-friendly and secure software and hardware
Innovative approaches to establish methods and tools for (i) security and privacy requirements engineering (including dynamic threat modelling, dynamic attack trees, attack ontologies, dynamic taxonomies and dynamic, evidence based risk analysis), (ii) embedded algorithmic accountability (in order to monitor the security, privacy and transparency of the algorithms/software/systems/services), (iii) system-wide consistency including connection between models, security/privacy/accountability objectives, policies, and functional implementations, (iv) metrics to assess a secure, reliable and privacy-friendly development, (v) secure, privacy-friendly and accountability-enabled programming languages (including machine languages), hardware design languages, development frameworks, as well as secure compilation and execution, (vi) novel, secure and privacy-friendly IoT architectures enabling consistent trustworthy and accountable authentication, authorization and accounting services across IoT devices/ecosystems with enhancement of Public Key Infrastructures (PKIs) aiming to support PKI services (e.g. registration, revocation) for IoT devices.
For each of the sub-topics above, the outcome of the proposals is expected to lead to development up to Technology Readiness level (TRL) 5.
For grants awarded under this topic for Research and Innovation Action the Commission or Agency may object to a transfer of ownership or the exclusive licensing of results to a third party established in a third country not associated to Horizon 2020. The respective option of Article 30.3 of the Model Grant Agreement will be applied.