
Activity title

Cyber Monitoring and Detection Capability for Military Systems

Activity Reference

IST-162 (IWA)


Information Systems Technology

Security Classification




Activity type


Start date


End date



Advanced Targeted Attack, Cyber security, Detection, Military systems, Monitoring, Security measures


Traditionally, military systems contain limited or no IT components, or the IT components could be seen as supporting components. Current military systems contain more and more (COTS) IT components, which fulfill a more decisive role in the overall functioning of the system. It is even foreseen that this will only increase in the future. Additionally, military systems are increasingly (externally) interconnected with other systems: not only with other military systems, but also with, e.g., military supporting systems such as maintenance systems and even publicly available/used communication networks such as commercially available mobile networks (GSM/LTE/etc.).

Combining both trends, it is assumed that for (future) military systems (1) the number of IT vulnerabilities increases (more IT components), (2) there will be an increase in attack vectors (more interconnections), and (3) possible adversaries may develop their cyber-weapons in their own representative environment because of the (increased) use of COTS hardware.

Within regular environments such as office automation, there is a lot of attention for (new) security measures. These include a wide variety of prevention, detection, repression and correction measures that could be implemented within the infrastructure to increase its resilience. Despite the relevance of all types of security measures, preventing all (advanced/targeted) cyber-attacks is assumed impossible. In case prevention fails, it becomes important to detect the cyber-attack as soon as possible. Within the cyber security research field, new methods of detection are developed, mainly for the traditional (e.g. office automation) environments. However, military systems have specific characteristics which make it hard to apply these measures without any modification.

One of these characteristics is the high availability requirements, which stem from the safety regulations of these systems; a second characteristic is the permissible delay that may be introduced by security measures; a third characteristic is the strict security certification processes that apply to military systems: each modification to a system (e.g. a security measure update) requires re-certifying the entire system.


1) Alignment of Monitoring and Detection views amongst the different NATO nations;
2) Validate and further develop the technical Monitoring and Detection capability;
3) Blueprint development of integration of Monitoring and Detection within military organization/operation.


To reach these objectives the following topics will be covered:

- Technical aspects of Monitoring and Detection will be addressed and further developed. Current detection techniques will be validated, and modifications to existing detection techniques or new detection techniques may be developed. Validation/development is based on a system to be selected, and on the available data of/in the system.
- Organizational aspects will be addressed to integrate the Monitoring and Detection capability within a military organization. In case a possible incident is detected, how can this be translated to 'operational impact', and which follow-up is possible given the current context of the military system? The organizational aspects include the definition/description of the incident flow that is appropriate for a military system, from first detection to the (operational) advice response strategy.

Topics to be covered include:

o Validate current detection techniques for military systems;
o Development of (new) detection algorithms based on system behavior;
o Technical infrastructure blueprint for integrating monitoring and detection within military systems;
o How to respond to possible incidents, taking the military context into account; this includes possible response strategies;
o How to determine the possible impact of a detected incident;
o How the monitoring and detection capability can be optimized by sharing information amongst (coalition) partners.
