Cybersecurity: toward safety and privacy by design


As a leading scientific research institute with strong ties to industry, we leverage both in-depth theoretical knowledge and concrete innovation capabilities to match rapid advances in cyberthreats and on-the-ground digital systems reality.

Florent Kirchner

Head of the Cybersecurity Program — CEA-List


Cingulata, which enables computing on encrypted data, was developed by CEA-List to ensure data privacy by design.

A key enabler of digital transformation

Cybersecurity is a key enabler of digital transformation; it is also vital to autonomy and peace in cyberspace. Today’s sprawling, decentralized information systems are often easier to attack than they are to protect. On a playing field that is already far from level, interconnections between the physical and digital worlds have given rise to a new kind of threat: cyber-kinetic attacks targeting not only virtual assets, but physical ones too. These challenges are primarily technical, but they are inextricably linked to more fundamental questions around data privacy and sovereignty in complex economic and geopolitical contexts.

CEA-List is spearheading collaborative initiatives to develop new technologies addressing these issues. The institute is also an active contributor to French and European cybersecurity strategies.

An innovative vision for cybersecurity

Cyberthreats represent such a formidable challenge that a hybrid human-machine approach is the only one likely to be effective against them. We aim at giving human experts massively enhanced knowledge and decision-making capabilities through tools that will allow them to effectively ascertain threats and take appropriate action across the threat-response cycle.

These new, technology-enabled capabilities will enable human experts to effectively address the interfaces of digital systems with the physical world, changes in systems over time, and supplier-dependency issues as they carry out systems and network assessments, audits, and monitoring and management tasks. At CEA-List, we are focusing specifically on automation and on solutions to enable human experts to access and use the results produced by new software tools.

In a world where cyberthreats are unrelenting, “islands of trust” provide a secure location to store information, and a place to retreat to in the event of an attack. They also serve as beachhead for the deployment of cybersecure information systems.

At CEA-List, we are working with our partners to create the building blocks of these islands of trust, a set of software components designed and configured to be resilient against cyberattacks, with:

  • Trusted computing capabilities, regardless of the hardware environment
  • Hardware solutions to reduce the attack surface
  • Software countermeasures against physical attacks
  • Monitoring capabilities covering digital and physical assets
  • Secure runtime and communication orchestration leveraging ultra-light monitoring probes and virtual networks
  • Encryption solutions to protect the privacy of the data exchanged and processed

Any new cybersecurity solutions developed must also meet safety and environmental requirements.

CEA-List is also addressing privacy outside islands of trust, with solutions to enable file transfer and collaborative work on encrypted data in zero-trust environments.

The challenge of smart distributed environments

Distributed ledgers, neural networks, and—in the future—quantum computing are all part of a new and rapidly-developing generation of technology. CEA-List is committed to developing tools and techniques to shield these systems from adversarial attacks.

These systems are creating new vulnerabilities, but they can also be used as tools to build innovative cybersecurity solutions. We are investigating how innovative blockchains can be used to provide proof of integrity and looking at homomorphic data encryption as a way to exchange and process encrypted data, protecting the information it contains. Our cybersecurity research leverages the power of AI to dramatically increase data processing capacities. For example, we have teams exploring how AI can be used to translate requirements provided in natural language into mathematical language with the goal of more effectively addressing cybersecurity from the very early design stages.

CEA-List, helping shape France’s national cybersecurity strategy

Being a world expert in cybersecurity and a technological research institute positions CEA-List as a trusted third party that can work effectively with information and data security regulators like ANSSI in France, major industrial companies like EDF, Siemens, and Thales, government research and technology bodies like ANR in France, academic research labs and startups (Parsec).

The institute also ensures that it can respond to the in-house research needs of the CEA, in particular, to conduct its key missions.

Cybersecurity involves both mathematical theory and experimental research. CEA-List possesses the state-of-the-art tools and techniques necessary to ensure that its scientists, engineers, and partners can conduct this experimental research.


Some of CEA-List’s tools

  • BINSEC (formal binary code analysis for security)
  • Frama-C (program analysis)
  • Cingulata (a privacy-by-design tool used to develop applications that can process encrypted data without having to decrypt it)
  • COGITO (compiler that adds countermeasures to protect data and code running on an electronic architecture from physical side-channel attacks)
  • XanthOS (used during the design of a kernel (OS) to ensure operating safety and security by construction)
  • MAX (blockchain simulation and analysis)
  • SIGMO-IDS (detects attacks on communication links and responds instantly, deploying security countermeasures on networks)

CEA-List is engaged in several French and European cybersecurity initiatives.


Selected projects

The Sparta project is a wide-scale pilot project to create a European cybersecurity community, laying the foundations of the European Cybersecurity Competence Center and Network, reimagining how cybersecurity research, innovation, and training are performed in Europe. CEA-List is coordinator and strategy lead on this project, among a consortium of 44 partners and over 100 Associates.

Campus Cyber: CEA-List is a partner of this French cybersecurity hub, contributing to academia and research actions.

CEA-List is a partner of the LEIA project with company Systerel. Winner of a French government grant for cybersecurity projects, LEIA will develop an automated software analysis platform for secure IoT devices.

SNOWPACK_SCALING is an EIT Digital project in which startup Snowpack is using a CEA-List technology that enables invisible online communications. Snowpack is working with CEA-List to develop software that will position Snowpack as a trusted platform for multi-operator network scenarios. The project will also help Europe regain an advantage in a particularly competitive environment.

CEA-List is developing a trusted cloud-based computing platform that responds to the privacy standards of industrial users for the EIT Manufacturing BOOSTER project, with the objective of supporting European digital sovereignty. The software being developed will enable users to outsource the processing of sensitive data to third parties, even on infrastructure that is not 100% secure, without the need for a hardware security element. Businesses will be able to “blind” process sensitive data for predictive maintenance, federated learning, and other use cases.