Final Project Report. Abstract. Document information

Transcription

1 Final Project Report Document information Project Title ATM Security Coordination and Support Project Number Project Manager EUROCONTROL Deliverable Name Final Project Report Deliverable ID D100 Edition Template Version Task contributors EUROCONTROL. Abstract In order to meet the Single European Sky (SES) performance targets [2], the future ATM system must evolve by applying new operational concepts, using more Commercial Off-The-Shelf products, incorporating open standards, sharing more data, and rationalising the infrastructure. These developments will potentially introduce new vulnerabilities, whose exploitation could hinder the achievement of the performance targets. Project was tasked with developing the means to ensure that the future ATM system is secure and resilient. The project developed the security management framework for SESAR, developing awareness material, methods and tools to facilitate the application of a holistic approach to Air Traffic Management security within the programme. The project also provided support to stakeholders in the application of these deliverables to security activities, assisting them in the development of security risk assessments and in the recommendation of appropriate controls to mitigate risk. Recommendations include applying the concept of design-in security and the achievement of a harmonized minimum level of security across the ATM system

2 Authoring & Approval Prepared By - Authors of the document. Name & Company Position & Title Date John Hird / EUROCONTROL Project Manager 13/04/2016 Reviewed By - Reviewers internal to the project. Name & Company Position & Title Date Jérôme Chaigneau / AIRBUS Project Contributor 15/04/2016 Paul Bongers / AIRBUS Project Contributor 10/05/2016 Birgit Gölz / DFS Project Contributor 10/05/2016 Rosa Ana Casar Rodriguez / ENAIRE Project Contributor 10/05/2016 Francesco Di Maio / ENAV Project Contributor 10/05/2016 Marco Ivaldi / ENAV Project Contributor 22/04/2016 Maria Doris Di Marco / ENAV Project Contributor 22/04/2016 Alessandro Manzo / ENAV Project Contributor 22/04/2016 Kristof Lamont / EUROCONTROL Project Contributor 10/05/2016 Roman Madarasz / FREQUENTIS Project Contributor 10/05/2016 Jorge Alemany Martinez / INDRA Project Contributor 10/05/2016 Enrico Anniballi / FINMECCANICA Project Contributor 10/05/2016 Patrizia Montefusco / FINMECCANICA Project Contributor 10/05/2016 Edouard Painchault / THALES Project Contributor 17/04/2016 David Munoz / THALES Project Contributor 10/05/2016 Gilles Descargues/ THALES Project Contributor 10/05/2016 Reviewed By - Other SESAR projects, Airspace Users, staff association, military, Industrial Support, other organisations. Name & Company Position & Title Date Andreas Tautz Work Package 16 Leader 28/06/2016 Approved for submission to the SJU By - Representatives of the company involved in the project. Name & Company Position & Title Date John Hird / EUROCONTROL Project Manager 03/06/2016 Rejected By - Representatives of the company involved in the project. Name & Company Position & Title Date Rational for rejection None. Document History Edition Date Status Author Justification /01/2016 Draft John Hird Initial draft /04/2016 Draft John Hird Revised draft 2 of 11

3 /04/2016 Draft John Hird Addressed SJU & feedback /06/2016 Final draft John Hird Addressed final feedback /06/2016 Final John Hird Addressed SJU feedback Intellectual Property Rights (foreground) This deliverable consists of SJU foreground. 3 of 11

4 Acronyms Acronym ATM CPDLC EATMA E-OCVM ICT IT KPI MSSC RPAS SecRAM SES SESAR SJU WP Definition Air Traffic Management Controller-Pilot Data-Link Communications European Air Traffic Management Architecture European Operational Concept Validation Methodology Information and Communications Technology Information Technology Key Performance Indicator Minimum Set of Security Controls Remotely Piloted Aircraft System Security Risk Assessment Methodology Single European Sky Single European Sky ATM Research SESAR Joint Undertaking Work Package 4 of 11

5 1 Project Overview In order to meet the Single European Sky (SES) performance targets [2], the future ATM system must evolve by applying new operational concepts, using more Commercial Off-The-Shelf products, incorporating open standards, sharing more data, and rationalising the infrastructure. These developments will potentially introduce new vulnerabilities, whose exploitation could hinder the achievement of the targets. Project was tasked with developing the means to ensure that the future ATM system is secure and resilient. The project developed the security management framework for SESAR, including awareness material, methods, tools, and supporting guidance material, to facilitate the application of a common approach to ATM security within the programme. A holistic approach is taken, addressing the protection of human, physical, information and organizational assets as well as service provision. Consequently, cybersecurity is integral to the approach. The project also provided support to stakeholders in the application of these deliverables to security activities. ATM security is concerned with Preventing an attack from being successful Implementing an emergency response to ensure the continuity of ATM services and, The recovery of operational services to their pre-incident level Collaborative support, which is the provision of services or information from ATM to another agent such as law enforcement, military agencies, search and rescue or incident investigation agencies relating to an act of unlawful interference Project was responsible for coordinating all security-related activities within the SESAR programme. These included the following activities : Setting up the Security Management Framework for the SESAR Development Phase Developing the ATM Security Reference Material, consisting of methods and tools to allow projects, to perform security-related activities Providing security support to the SESAR Work Programme (covering awareness-raising, coaching, training, and hands-on support in the development of security risk assessments) regarding the use of the SESAR Security Reference Material Developing SESAR Security Case(s) based on information from the Security Management and Assurance activities Participating in System Engineering reviews, providing feedback on the security posture of validation exercises aimed at assessing the progress of prototypes towards industrialisation and deployment. Contributing to the SESAR Business Case. 1.1 Project progress and contribution to the Master Plan Project has presided over the development of methods, tools, and guidance for security activities in SESAR. The initial requirement was the development of a suitable security risk assessment methodology and accompanying guidance material, based on international standards, to support a common approach across the program. Awareness and training material was subsequently developed to introduce the material to users, including an example risk assessment and a risk assessment template. A database tool was then developed to facilitate security activities, and catalogues of threats, assets and controls were elaborated as the work progressed. 5 of 11

6 The project deliverables have been applied to a broad selection of ATM Projects and Solutions which have been refined using stakeholder feedback. In so doing, the project has contributed to the further development of the ATM Security discipline and provided the means to facilitate the development and deployment of secure ATM systems. Project deliverables have been requested by the European Commission GAMMA consortium (the SecRAM [5] and MSSC [8] and have been adapted for use in that program. Lessons learnt in project have contributed to increased awareness of the importance of addressing ATM Security appropriately as the ATM System evolves. The SJU Cybersecurity Study [24][25][26][27][28] has made several recommendations in this respect, which have raised the profile of ATM Security in the latest version of the ATM Master Plan [2] and directly influenced the approach to security in the SESAR 2020 program. Project deliverables will be applied in the SESAR 2020 program. 1.2 Project achievements The project provided the Guidance Material necessary to allow SESAR projects to perform Security Risk Assessments and subsequently develop Security Cases. Key topics are elaborated below. Security Risk Assessment Methodology The Project developed the SESAR ATM Security Risk Assessment Methodology (SecRAM) which can be applied to a broad scope of Projects and Solutions for the development of Security Risk Assessments. The SecRAM is supported by a number of supporting annexes, including the following : Asset catalogue - a catalogue of assets aligned with the European ATM Architecture model (EATMA) Threat Catalogue - a catalogue of threats based on international standards Control Catalogue - a catalogue of security controls which can be selected to mitigate risk Security Risk Assessment Template - a standard template which follows the SecRAM and can form the basis for the development of a Security Risk Assessment Security Case Approach The Project has developed the concept of a Security Case. The Security Case builds an argument to show that a SESAR Solution is secure enough to move to the deployment phase. The argument comprises a set of claims, which, if true, means that the argument is accepted. If one of the claims is proven to be untrue, then security has not be adequately addressed by the SESAR Solution and it may not be ready for deployment. Tools The Security Database Application (CTRL_S) uses a forms-based interface to guide the user through the workflow required to perform a security risk assessment. The application applies the standard Asset, Threat and Control Catalogues developed for the SecRAM. The application provides a platform in which to store the results of risk assessments, analyse them, and automatically generate reports. It also allows the higher-level aggregation of security risk assessment results for cross-assessment analysis. Support Various levels of support were provided within the programme, ranging from the provision of awareness training, addressing specific requests for information, through to individual coaching and the provision of hands-on support in the development of risk assessments and the recommendation of controls. 6 of 11

7 The Project took part in System Engineering reviews, providing feedback on the security posture of validation exercises aimed at assessing the progress of prototypes towards industrialisation and deployment. One such exercise included security testing on Controller-Pilot Data-Link Communications (CPDLC) during a real-time simulation on a technological platform. Security KPIs were developed in collaboration with projects working on the Performance Framework, while support was provided for the integration of security into EATMA. Security input was also provided to support the development of the SESAR Business Case. Project has raised awareness on the importance of appropriately addressing security in ATM as the System evolves. 1.3 Project Deliverables The following table presents the relevant deliverables that have been produced by the project. Reference Title Description D103 Level 1 ATM Security Reference Material Level 1 This provides high-level guidance on the conduct of security management and associated assurance activities to enable SESAR Solutions to be validated to V3 and move to the industrialisation and deployment phases. It includes a security policy and promotes the use of common methods, tools and techniques to gather evidence needed for a Security Case. An annex on Frequently Asked Questions (FAQ) is provided D103 Level 2 ATM Security Reference Material Level 2 D131 Security Database Application (CTRL_S) This provides detailed, practical guidance on how to conduct security management activities. This addresses the following : Annex I - Threat Catalogue Annex II - Handling of sensitive information in SESAR Annex III - RPAS Annex IV - Cost effectiveness of design-in security Annex V - Alignment of ATM Security and EATMA Using a forms-based interface, this application guides the user through the workflow required to perform a security risk assessment. The asset, threat, and control catalogues are incorporated to support the process. Risk assessment results from different solutions may be uploaded to a centralised database and aggregated, allowing a high-level view of the security posture of the overall system to be obtained. The D131 document is also a guide to the use of the CTRL_S tool. D133 ATM Security Model This describes development history of the database model which underlies the Security Database Application (CTRL_S). 7 of 11

8 D137 Minimum Set of Security Controls (MSSC) The purpose of this document is to specify a minimum set of security countermeasures that all Solutions shall apply 1.4 Contribution to Standardisation There are many security standards available which address components of the holistic approach to security recommended by , so it was necessary to integrate the essence of several international standards in the development of the Reference Material. In addition, there is little in the way of ATM-specific guidance available which supports this approach to security risk management. Consequently, the Reference Material addresses a known gap. In order to achieve a harmonised level of security across a large number of systems over an extensive geographical area requires the use of common or compatible approaches to permit the comparison, sharing, and aggregation of security-related information. The future application of this material in SESAR 2020 and the current use of certain deliverables by the EC GAMMA project are encouraging signs that the material may in the future contribute to the goal of a common approach to security risk management in ATM. Project has provided inputs in support of standardisation and regulatory roadmap activities [23]. 1.5 Project Conclusion and Recommendations Project has delivered a comprehensive set of deliverables to support the performance of security-related activities in SESAR as part of the development life-cycle. These include : Awareness material to introduce SESAR participants to ATM Security and explain the need for a holistic approach to the topic and for security to be designed-in A security risk assessment methodology and supporting guidelines, which permit assessments to be performed to a common standard, allowing the sharing, comparison, and aggregation of results An approach to the development of a security case A Security Database Application (CTRL_S) which supports the workflow of the methodology, records risk assessment results, provides reporting functionality, permits the aggregation of assessment results, and facilitates their high-level analysis Support activities included the following : Awareness training, coaching and hands-on support provided to projects performing security activities. Support for the development of Security Key Performance Indicators (KPIs) for the SESAR Performance Framework, and for the integration of security into the European Air Traffic Management Architecture (EATMA). Participation in system engineering reviews and in security testing. Providing security input to support the development of the SESAR Business Case. The Security work was carried out progressively and iteratively through the EOCVM V1-V3 validation phases. The aim was to ensure that security was fully addressed in each SESAR Solution. At each System Engineering Review, was required to identify the status of security work and 8 of 11

9 recommend any remedial actions, such as additional security work for the project to pass to the next phase of development. This also provided a means for to identify where its resources could be directed to provide specific hands-on security support. As a result of the experience gained during the SESAR programme, Project recommends the following : l The application of a holistic approach to ATM Security, addressing Personnel, Procedures, Physical Infrastructure and ICT (Information and Communications Technology (cybersecurity)) systems and applications within its scope Security should be addressed throughout the development life-cycle and designed-in from the beginning The establishment of a harmonized, minimum level of security across the ATM system The use of common or compatible methods, tools, and guidance material to permit the comparison, sharing and aggregation of security risk assessment and security case results 9 of 11

10 2 References [1] SESAR Programme Management Plan, Edition [2] European ATM Master Plan [3] Multilateral Framework Agreement ( MFA ) signed between the SJU, EUROCONTROL and its 15 selected members on August 11, 2009, amended on 14 June 2010, 19 October 2010 and 2 July 2012 [4] , ATM Security Reference Material Level 1, D103, Ed , [5] , ATM Security Reference Material Level 2, D103, Ed , [6] , ATM Security Database Application (CTRL_S), D131, Ed , [7] , ATM Security Model, D133, Ed , [8] , ATM Security Best Practice Guidance - Minimum Set of Security Controls (MSSC), D137, Ed , [9] , Security Support Report 2012, D106, Ed , [10] , Security Support Report 2013, D107, Ed , [11] , Security Support Report 2014, D108, Ed , [12] , Security Support Report , D109, Ed , [13] , Security Case and Inputs to Business Case Report 2012, D111, Ed , [14] , System Engineering Release 1 SE 3 Report, D116, Ed , [15] , System Engineering Release 2 SE 3 Report, D118, Ed , [16] , System Engineering Release 3 SE 1 Report, D119, Ed , [17] , System Engineering Release 3 SE 3 Report, D121, Ed , [18] , System Engineering Release 4 SE 1 Report, D122, Ed , [19] , System Engineering Release 4 SE 3 Report, D124, Ed , [20] , System Engineering Release 5 SE 1 Report, D125, Ed , [21] , System Engineering Release 5 SE 3 Report, D127, Ed , [22] , ATM Security & Resilience Implementation Guidance Material, D132, Ed , [23] , Proposed Modifications to Regulations, D136, Ed , [24] SJU Cybersecurity Study, D1 ATM Cyber-Security Threat and Vulnerability Assessment, Ed. 1.2, [25] SJU Cybersecurity Study, D1 ATM Cyber-Security Threat and Vulnerability Assessment - Annexes, Ed. 1.2, [26] SJU Cybersecurity Study, D2 ATM Cyber-Security Framework - Annexes, Ed. 1.0, [27] SJU Cybersecurity Study, D3 ATM Cyber-Security Maturity Assessment, Ed. 1.0, [28] SJU Cybersecurity Study, D4 ATM Cyber-Security Strategy and Evolution, Ed. 1.0, of 11

11 -END OF DOCUMENT- 11 of 11