EPSRC, together with NCSC, jointly support four UK academic research institutes to develop cyber security capability in strategically important areas. These are the:
Each research institute has developed and nurtured a vibrant community of researchers from academia, as well as a range of industry partners involved in the relevant disciplines.
Alongside these institutes, EPSRC’s newly formed digital security and resilience theme wishes to restate its:
- support for cybersecurity research
- intent to work closely with national security agencies in ensuring that it is funding research that:
- is relevant to the cybersecurity challenges faced by the UK
- mitigates the risks posed
- builds national capability in this area.
Building a secure and resilient world has been identified as a strategic theme by UK Research and Innovation. This theme highlights the importance of enhancing national security across virtual and physical spaces, by improving awareness of risks and threats, preparedness, decision-making and response.
EPSRC’s upcoming delivery plan is expected to include a priority on ‘artificial intelligence, digitalisation and data: driving value and security’. The priority contains several ambitions that are relevant to the work promoted by the research institutes, including to:
- realise the transformational impact of digital technologies across industry sectors, society and the public sector (by developing technologies of the future in real world situations that are trusted, reduce negative unintended impacts and realise their potential benefits for society as well as the economy)
- develop technologies that can fully embrace privacy, security, fairness, reliability, safety, transparency and accountability and inclusiveness, addressing the trade-offs that currently exist between them
- build a more secure and resilient digital society from the component through to the system level, and address key challenges in the application of digital technologies in defence and security
- encourage co-created research in this area, and increase translation of research into practice.
Therefore, with these aims and ambitions in mind, EPSRC intends to fund at least eight research projects that are aligned with the goals of the cyber security research institutes. These goals are summarised below.
Research must be mission or user inspired rather than purely fundamental, and therefore we expect that project partners are included in proposals. We ask you to consider national security in the context of all four nations of the UK, delivering research with potential to contribute to your priorities and ambitions within cybersecurity.
You are not expected to engage with current research institutes at the proposal writing stage.
Research Institute for Sociotechnical Cyber Security (RISCS)
RISCS aims to develop scientifically rigorous sociotechnical approaches to cyber security. This will promote understanding of the overall security of organisations, spanning people, their interaction with technology, processes and the wider systems relevant to cyber security.
Sociotechnical security is a broad, interdisciplinary arena. Areas of focus include, but are not limited to:
- international dimensions: critical challenges of cyber security are increasingly globalised and require consideration, exploration and understanding of the international aspects in order to develop effective action and policy on the part of governments, military and industry
- economics and incentives: applying economic thinking and theory to long-standing cyber security problems can provide new strategies for interventions in economic marketplaces that matter to cyber security, and for how we use incentives to influence and change security behaviours
- security challenges in diverse digital lives: the range of digital connected services, and the communities that use them, continues to diversify, evolve and expand. This changing landscape brings new security needs and challenges to people’s everyday lives, many of which are not well understood or considered
- sociotechnical dimensions of securing cyber physical systems: cyber physical systems, that integrate both software and IT with physical and operational technology, underpin our critical national infrastructure such as transport, energy and other industry environments. Securing them depends on many sociotechnical factors. These require exploration to understand the unique challenges and approaches to secure these systems in their organisational settings. Factors may include leadership and culture, safety and security, risk management, communicating security and incident response.
Research Institute in Verified Trustworthy Software Systems (VeTSS)
The overarching research vision for VeTSS is to bring scientific, mathematical methods to the specification and verification of modern software systems, leading to guarantees of correctness, safety and security.
Systems and software should be judged on fundamental scientific principles, with precise answers to questions such as:
- what does this system do and not do
- does the software behave as intended
- how do we assess that the software does what it says it does?
Answering these questions are prerequisites for bringing a rigorous, scientific method to software development, in line with standard engineering practice.
This then raises subsequent research questions related to getting analysis and verification into the industrial software design process in such a way that the software can be properly verified.
The VeTSS research vision also includes verification of cryptographic and protocol designs.
Research Institute in Trustworthy Interconnected Cyber-physical Systems
The aims of this research institute are to:
- understand the harm that threats pose to the provision of critical systems
- confidently articulate these threats as risk to delivery of critical systems at a business and national level
- understand and compare both the effectiveness and costs of potential interventions. This includes technical interventions, such as altering system architecture, through to policy interventions by governments and regulators
- identify novel effective and efficient interventions for business or governments to reduce the risks to critical systems
- best detect intrusion in critical systems, including embedded and bespoke systems, and identify whether incident response differ to established practices for enterprise IT
- identify the obstacles to perceived best practice being applied to critical systems.
Research Institute in Secure Hardware and Embedded Systems
This research institute focuses on the following areas.
Understanding the technologies that underpin hardware security, the vulnerabilities in these technologies and development of countermeasures
- state-of-the-art hardware security primitives, including true random number generators and physical unclonable functions
- novel hardware analysis tool sets and techniques
- attack-resilient hardware platforms and hardware IP building blocks.
Maintaining confidence in security throughout the development process and the product life cycle
- confidence in developing secure hardware devices
- supply chain confidence
- modelling of hardware security
- hardware enforcement of software-defined security policies.
Hardware security use cases and consideration of value propositions
A significant goal of this research is to introduce the research community to new hardware features, and encourage experimentation of novel applications.
- novel authentication, for example alternatives to passwords
- practical applications for attestation and roots of trust.
Development and pull-through
- ease of development and ease of leveraging the best security option
- understanding barriers to adoption
- education of the potential user or developer base.
There is up to £7.5 million available that we anticipate committing to eight or more projects. We will fund projects for up to 36 months.
The full economic cost of your project can be up to £1,093,750. EPSRC will fund 80% of the full economic cost (a maximum award of £875,000).
Smaller projects are welcome.
We expect to fund projects aligned to each research institute. Applicants must state in their case for support which research institute their project is aligned with and why, in order for EPSRC to manage the assessment process effectively.
We will also allow projects that span the remit of more than one of the research institutes, but you must state which research institute is the priority.
Funding can be requested for standard research activities and associated support, but we do encourage applicants to take creative, adventurous approaches to research, and to identify and engage with stakeholders across the UK where appropriate, requesting whatever they need to deliver that.
Equipment over £10,000 in value (including VAT) is not available through this opportunity. Smaller items of equipment (individually under £10,000) should be listed under the ‘Directly Incurred – Other Costs’ heading.
Read EPSRC’s approach to equipment funding.
You are expected to work within the EPSRC framework for responsible innovation.
Applicants planning to include international collaborators on their proposal should visit Trusted Research for guidance on getting the most out of international collaboration whilst protecting intellectual property, sensitive research and personal information.