Final Program
Conference program as PDF.
Papers presented at the conference will be made available through LNCS. As a service to the attendants at CRITIS, pre-proceedings versions of these papers are available (protected with a password provided at the registration desk) here.
Keynote speakers
Ainara Casajus Valles |
Prof. David M. Nicol |
Prof. Awais Rashid |
Yves Rougier |
Dr. Marianthi Theocharidou |
Sessions are held in room Ada Lovelace and coffee breaks in room Ljusgården, see this page for directions.
Monday September 23
For transport to and from the conference venue, see the bus information.
08.00-09.00 | Registration |
09.00-09.15 | Welcome (conference Chair: Simin Nadjm-Tehrani) |
09.15-10.15 | Keynote: Prof. Awais Rashid (session chair: Simin Nadjm-Tehrani) Everything is Awesome! Or is it? Cyber Security Risks in Critical Infrastructure, slides |
10.15-10.45 | Coffee break |
10.45-12.15 | Technical session: Risk management (session chair: Mikael Asplund) |
12.15-13.45 | Lunch at Mjellerumsgården |
13.45-14.45 | Keynote: Dr. Marianthi Theocharidou (session chair: Roberto Setola) NIS Directive and the role of ENISA |
14.45-15.15 | Short papers (session chair: Roberto Setola) |
15.15-15.45 | Coffee break |
15.45-17.45 | Industrial & Practical experience reports (session chair: Francesco Flammini) |
17.45 | Bus transport to Vricon |
18.15-20.00 | Reception at Vricon |
Note: you need to have a valid ID when you arrive at Vricon!
Tuesday September 24
8.00-9.00 | Registration |
9:00-10:00 | Keynote: Prof. David Nicol (session chair: Göran Ericsson) Challenges in Quantifying An Adversary's Cyber Access to Critical Infrastructures, slides |
10:00-10:30 | Coffee Break |
10:30-11:30 | Technical session: Vulnerability assessment (session chair: Anne Remke) |
11:30-12:00 | Short papers (session chair: Anne Remke) |
12:00-13:30 | Lunch at Universitetsklubben |
13:30-15:00 | Technical session: Resilience and Mitigation (session chair: Gregorio D'Agostino) |
15:00-15:30 | Coffee break |
15.30-16.00 | Keynote: Ainara Casajus Valles (session chair: Simin Nadjm-Tehrani) National Risk Assessments and EU/JRC guidelines, slides |
16:00-17:00 | Special session on cyber ranges and testbeds (session chair: Simin Nadjm-Tehrani) |
19:00-23:00 | Conference banquet and tour of Swedish Air Force Museum |
Wednesday September 25
8.00-9.00 | Registration |
9:00-10:00 | Keynote: Mr. Yves Rougier (session chair: Robert Ernst Kooij) Hybrid Threats Impact on Crisis Management |
10:00-10:30 | Technical session: Transport (session chair: Bernhard Hämmerli) |
10:30-11:00 | Coffee break |
11:00-11:30 | Technical session: Finance (session chair: Bernhard Hämmerli) |
11:30-11:45 | Young CRITIS Award (chair: Marco Santarelli, Scientific director ReS On Network) |
11:45-12:00 | Next CRITIS! |
12:00-13:30 | Lunch at Universitetsklubben |
13:30-15:00 | Breakout sessions |
Keynote speaker presentations
Ainara Casajus Valles, Project Officer, Directorate for Space, Security and Migration - JRC.E.1, Disaster Risk Management Unit, European Commission |
How science can help in the preparation of National Risk Assessments
The Union Civil Protection Mechanism (Decision No 1313/2013/EU) calls on Participant States to develop risk assessments periodically and make the summary of those available to the European Commission, with the aim of promoting an effective and coherent approach to prevention of and preparedness for disasters. The different summaries reported have revealed how challenging it can be for Member States to develop National Risk Assessments (NRAs) due to the diversity of disaster risk management governances in place around Europe, the different levels of information available about risk and their past experiences in carrying out that exercise.
The Report "Recommendations for National Risk Assessment for Disaster Risk Management in the EU" (version 0) attempts to answer the questions of "why" and "how" to do a risk assessment, paying special attention to how science can help in that exercise. The Report is the result of a collaborative effort of the Disaster Risk Management Knowledge Centre team (DRMKC) and nine expert groups from the Joint Research Centre (JRC) to cover various hazards and assets.
This first version of the Report proved that science can already provide advice for risk in a single-hazard framework, in most of the cases. As one of the objectives of NRA is to find a common ground of understanding of the risks faced and their relative priority, the first step towards a multi-hazard assessment is actually harmonising and standardising the assessment as well as the risk metrics among different hazards. At the same time, a better knowledge base of risk, availability of data and the development of risk analysis methodologies would help disaster risk managers to recognise the risk drivers that lead to risk and to plan more effectively which capacities are needed.
Version 1 of the mentioned Report is under development, trying to include other risks such as forest fires and cyber security risk.
Prof. David M. Nicol, Director, Information Trust Institute; Franklin W. Woeltge Professor of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign |
Challenges in Quantifying An Adversary's Cyber Access to Critical Infrastructures
Critical infrastructures such as the power grid, upstream and downstream components of oil and gas production, communication networks, transportation networks and so on are now all controlled by devices with CPUs and memory that communicate over both wireline and wireless channels. Quantitative assessment of risk to the controlled infrastructure depends both on models and analysis of the infrastructure under attack, and of the adversary's ability to mount those attacks. To quantitatively assess the risk to the critical infrastructure of cyber-mischief we have to be able to quantitatively assess that component of the risk which depends on the adversary's cyber access to devices which measure and manipulate the physical system. There are myriad challenges in this subproblem, which derive from the adversary's learning by moving laterally through the network, from the state of knowledge and lack of knowledge about the means by which the adversary can make those movements, and from quantifying the difficulty of exploiting vulnerabilities as that lateral movement is made. This talk highlights the challenges as we see them after working on this and related problems for several years.
Prof. Awais Rashid, Professor of Cyber Security, University of Bristol |
Everything is Awesome! Or is it? Cyber Security Risks in Critical Infrastructure
Industrial Control Systems play an important role in the monitoring, control, and automation of critical infrastructure such as water, gas, oil, and electricity. Recent years have seen a number of high profile cyber attacks on such infrastructure exemplified by Stuxnet and the Ukrainian Power Grid attacks. This naturally begs the question: how should we manage cyber security risks in such infrastructure on which the day-to-day functioning of our society relies? What are the complexities of managing security in a landscape shaped by the often competing demands of a variety of stakeholders, e.g., managers, control engineers, enterprise IT personnel and field site operators? What are the challenges posed by the convergence of IoT and critical infrastructure through the so-called Industrial Internet of Things? And will frameworks such as the EU NIS directive help mitigate the cyber security risks to critical infrastructure? This talk will discuss insights from a multi-year programme of research investigating these issues and the challenges to addressing them.
Yves Rougier, Head of planning and crisis management at the ministry for the ecological and inclusive transition, France |
Hybrid Threats Impact on Crisis Management
Historically, terrorist threats were mainly constituted of physical actions. They took different forms which evolved during the twentieth century in a continuous way with increasing consequences and effects. The eleventh of September 2001 attacks were a real strategic surprise but only involved "classical" operational means. Then the cyber threats were considered and they introduced a new dimension of complexity and capacities for the terrorists. Since 2001 everything can be considered as possible; with the cyber threats this means that attacks can be controlled from far away, and the systemic dimension of cyber also changes the nature of the threats from a physically limited act to a systemic act which can reach simultaneously every point connected with the system. Recently, a new dimension appeared, linked to the social networks and to the flow of news which is not checked before being published by the media, both of them opening the door to the proliferation of fake news. This new dimension has already been used in France by the "Yellow Jackets" in order to win the battle for public opinion. The hybrid threat is in fact nothing more than a cocktail of a physical event potentially combined with a cyber-attack and a fake news flow on social networks based on a deformed reality. If the previous situations were handled by security and cyber-security specialists using professional tools, this new type of threat requires a global involvement of the whole company and even of its partners and customers. This means that new skills and a globalizing approach must be developed based on human sciences more than on tools. This is the condition to be able to set up the barriers to prevent, deter, identify, delay, react to and recover from these new kinds of actions.
Dr. Marianthi Theocharidou, Network and Information Security officer, at ENISA, the EU Agency for Cybersecurity |
NIS Directive and the role of ENISA
Marianthi Theocharidou works at ENISA, the EU agency for Cybersecurity. Until recently she had been employed in the European Commission’s Joint Research Centre. She has experience in critical infrastructure protection and resilience, risk management and dependency modelling. Marianthi will provide an update on the progress of the implementation of the NIS directive. She will explain the role of ENISA to assist Member States in the consistent implementation of the NIS Directive (NISD) and to support public and private stakeholders to enhance the security and resilience of their smart infrastructures and services. She will also discuss the new breach reporting under the NIS Directive and discuss some of the opportunities and challenges here.