Underwater monitoring and surveillance (UMS) for a country surrounded by sea is an exceptionally important task. Important applications include port/harbour security, pollution monitoring, people trafficking, smuggling, maintaining integrity and detecting attacks on underwater infrastructure. The purpose of such systems is to detect, localise and classify underwater targets, and communicate this information to the authorities. The targets can be manned or unmanned underwater and surface vehicles, sources of pollution, mines, pipelines, cables, divers, swimmers, animals, etc. Surveillance has been traditionally based on using surface ships and manned submarines, which are very costly to operate. Due to the physical properties of water, UMS systems, in the majority of cases, exploit acoustic waves. Sound navigation and ranging (SONAR) is a key technology for underwater imaging and target detection, and is an equivalent technology to radio detection and ranging (RADAR) which is widely used in above water environments. Recent developments in underwater acoustic (UWA) communication networks, underwater robotics and vehicles make it timely to consider the development of cooperative UWA networks based on the use of low-cost static and moving sensor (including SONAR) nodes. Our hypothesis is that such networks can significantly enhance performance and reduce the cost of surveillance operations, and that UMS sonar, communication and navigation systems must be jointly designed and optimised to achieve the greatest performance. Given recent developments in radio systems for surveillance, it is clear that significant advances can be similarly achieved in UMS systems. Our aim in this project is to investigate and practically demonstrate (at sea) novel joint designs of low-cost UWA networks for enhanced UMS. This will build upon our experience and recent collaborative success in the theoretical research and practical design of UWA sensor networks at the respective universities.

The ultimate goal of the project is to improve CNI resilience in the UK by enabling timely and efficient incident response. To achieve this, this project will deliver a Framework for creating Risk-Informed Metrics-enriched Playbooks for Critical National Infrastructure (FRIMP4CNI). We propose to approach incident response playbooks in a fundamentally different way. First, playbooks in this project are integrated into core CNI processes affected by an incident, showing how enacting a particular response affects core processes as well as interdependent processes. Second, our playbooks address more than technical actions, they look at aspects beyond technology, e.g. operational response, issues related to staff availability and costs, reporting process, political and communication response. Third, playbooks are risk-informed because each playbook has an associated risk model; and fourth, they are enriched with business-driven multifaceted metrics which reflect the changes that an incident inflicts on a core process. Fifth feature is that our playbooks are optimal: an optimisation algorithm is applied to a set of alternative response strategies to identify the optimal response playbook for each case. A combination of the features listed above makes our approach unique and allows our playbooks to serve both as an action guide enabling improved cybersecurity incident response and as a decision support tool at the Board level. The project has three key objectives: 1. Create an empirically-grounded tool-supported actionable framework for developing bespoke risk-informed metrics-enriched cybersecurity playbooks tailored to the challenges of enhancing resilience in CNI by adopting and modelling incident response best practices in a format of integrated playbooks. 2. Design, implement and test software tools supporting the aspects of the framework related to process modelling, risk assessment and response strategy optimisation, and to integrate them into a comprehensive CNI Playbook Design Toolset. The project will deliver the full technology stack required to develop optimal risk-informed and metric-driven playbooks. Tool-support will increase the intention to use and facilitate faster adoption of the framework in practice. 3. Evaluate the framework using existing testbeds at the participating universities and industry partners, and via focus groups and workshops with industry partners and individual domain experts with a broad range of backgrounds and in varying roles from network engineers to ICS operators to Board members to policy makers. It is essential to conduct extensive evaluation with practitioners to ensure that the framework and tools are effective, accessible and fulfil the intended purposes for each group of stakeholders.

Trusted Execution Environments (TEEs) shield computations using security-sensitive data (e.g. personal data, banking information, or encryption keys) inside a secure "enclave" from the rest of the untrusted operating system. A TEE protects its data and code even if an attacker has gained full root access to the untrusted parts of the system. Today, TEEs like ARM Trustzone and Intel SGX are therefore widely used in general-purposes devices, including most laptops and smartphones. But with increasingly wide-spread use, TEEs have proven vulnerable to a number of hardware and software-based attacks, often leading to the complete compromise of the protected data. In this project, we will use capability architectures (as e.g. developed by the CHERI project) to protect TEEs against such state-of-the-art attacks. We address a wide range of threats from software vulnerabilities such as buffer overflows to sophisticated hardware attacks like fault injection. CAP-TEE will provide a strong, open-source basis for the future generation of more secure TEEs. When developing such disruptive technologies, it is key to minimise the efforts for porting existing codebases to the new system to facilitate adoption in practice. In CAP-TEE, we therefore focus on techniques to ease the transition to our capability-enabled TEE. In industrial cases studies for the automotive and rail sector, we will demonstrate how complex code written in a memory-unsafe language like C(++) can be seamlessly moved to our platform to benefit from increased security without a full redesign.

Attacks such as Stuxnet have shown that malware can cause widespread damage in critical devices, industrial control systems and national infrastructure. The 2019 global cost of cyber-crime is estimated to be over $500 billion; 30% of these are estimated to be malware-based attacks. As digital devices become more complex, connected and commonplace, the frequency and ferocity of such attacks is only likely to increase. What can be done to protect from such attacks? One solution is the use of attestation services, which provides a mechanism for establishing a trust relationship between a verifier and prover. Attestation is used in a wide range of commercial deployments (e.g., Android Key Attestation, Azure Cloud Attestation, Samsung Knox, Windows Server etc), where devices are required to authenticate their identity, ensure the integrity and trust of the system software, and certify that they are running a trusted code base. There are many forms of attestation providing services ranging from static (e.g., boot time) to dynamic (e.g., run-time) guarantees. We are interested in remote attestation, where a verifier checks the internal state of a prover on a different machine across a network. Remote attestation has many applications in future systems involving SMART, internet of things (IoT) and other embedded devices, however, also suffers from scalability issues. Therefore, researchers have developed swarm attestation services that are designed attest a large number of medium/low-end devices. Here, protocol designers must address issues such as device heterogeneity, allowing seamless integration and security across different types of hardware (e.g., smart sensors, car navigation systems, routers, etc). Given a particular implementation of a protocol, how can one ensure that the system is correct, i.e., works as intended by the protocol designer? Our work will consider formal verification of the attestation protocols, which allows one to prove correctness using formal logic and mathematically rigorous arguments. Formal verification will be applied to top-level swarm attestation protocols, and we use a correct-by-construction methodology to develop executable implementations. Then simulation will be used to show applicability of the swarm attestation protocols across real-world applications; our case studies include a vehicular simulation involving intelligent transport systems and a industrial control system developed in collaboration with our project partners.

Mobile autonomous robots offer huge potential to help humans and reduce risk to life in a variety of potentially dangerous defence and security (as well as civilian) applications. However, there is an acute lack of trust in robot autonomy in the real world - in terms of operational performance, adherence to the rules of law and safety, and human values. Furthermore, poor transparency and lack of explainability (particularly with popular deep learning methods) add to the mistrust when autonomous decisions do not align with human "common sense". All of these factors are preventing the adoption of autonomous robots and causing a barrier to the future vision of seamless human-robot cooperation. The crux of the problem is that autonomous robots do not perform well under the many types of ambiguity that arise commonly in the real world. These can be caused by inadequate sensing information or conflicting objectives of performance, safety, and legality. On the other hand, humans are very good at recognising and resolving these ambiguities. This project aims to imbue autonomous robots with a human-like ability to handle real-world ambiguities. This will be achieved through the logical and probabilistic machine learning approach of Bayesian meta-interpretive learning (BMIL). In simple terms, this approach uses a set of logical statements (i.e., propositions, connectives, etc.) that are akin to human language. In contrast, the popular approach of deep learning uses complex multi-layered neural networks with millions of numerical connections. It is through the logical reprsentation and human-like reasoning of BMIL that it will be possible to encode expert human knowledge into the perceptive "world model" and deliberative "planner" of the robot's "artificial brain". The human-like decision-making will be encoded in a variety of ways: A) By design from operational and legal experts in the form of initial logical rules; B) Through passive learning of new logical representations and rules during intervention by human overrides when the robot is not behaving as expected; and C) Through recognising ambiguities before they arise and active learning of rules to resolve them with human assistance. A general autonomy framework will be developed to incorporate the new approach. It is intended that this will be applicable to all forms of autonomous robots in all applications. However, as a credible and feasible case study, we are focusing our real-world experiments on aquatic applications using an uncrewed surface vehicle (USV) or "robot boat" with underwater acoustic sensors (sonar) for searching underwater spaces. This problem is relevant in several areas of defence and security, including water gap crossing, naval mine countermeasures, and anti-submarine warfare. Specifically, our application focus will be on the police underwater search problem, which has challenging operational goals (i.e., finding small and potentially concealed objects underwater and amidst clutter), as well as considerations for the safety of the human divers and other users of the waterway (e.g., akin to the International Regulations for Preventing Collisions at Sea), and legal obligations relating to preservation of the evidence chain and timeliness due to custodial constraints.