1 EMS 2012 UKSIM – AMSS: 6th European Modelling Symposium on Mathematical Modelling and Computer Simulation, Malta, Nov
2 Presenter / Contributor: Vasilis Tsoulkas, Center for Security Studies (KEMEA) / Ministry of Citizen Protection & University of Athens, GR.
Co-Contributors:
• Dimitris Kostopoulos, KEMEA / Ministry of Citizen Protection, Athens, GR
• George Leventakis, KEMEA & University of the Aegean, Dept. of Shipping, Trade and Transport
• Mike Surridge, IT Innovation Centre, Univ. of Southampton, UK
3 SERSCIS Group
• IT Innovation Centre, University of Southampton, UK
• Joanneum Research (JRS), Graz, Austria
• Center for Security Studies (KEMEA), Athens, Greece
• Austro Control GmbH (ACG), Vienna, Austria
• Port Authority Gijon (PAG), Gijon, Spain
4 Presentation Sections
• Objectives
• Brief SERSCIS Architecture description
• Basics of SERSCIS System Modeling Strategy
• SERSCIS – Proof of Concept
• A-CDM (Airport - Collaborative Data Management) Ground Handler case (EUROCONTROL)
• ACDM components, Info. Sharing Concept, Traffic Critical Parameters, Data quality of KPIs & Metrics
• SERSCIS Proof of Concept (Ground Handler)
• SERSCIS Domain core (complete) Ontology and Semantic Models
• SERSCIS Decision Support Tool (DST)
• SERSCIS Stream Reasoning Process
• Conclusions - Impact
5 Objectives
• Critical infrastructure ICT components are increasingly interconnected
• information sharing → greater operational efficiency, but also reduced slack and flexibility
• interconnections → new risks from ICT failure cascade effects
• SERSCIS approach: use agile Service Oriented Architecture (SOA) to offset these threats
  • adapt ICT components and networks to meet changing needs
  • adapt ICT connections to prevent cascades and contain threats
6 Objectives
To exploit agile Service Oriented Technology to:
• compose ICT connections related to critical infrastructure
• monitor and manage ICT components against well-defined dependability criteria
• adapt ICT connections in response to disruption or threats
To validate this approach in Proof of Concept scenarios from the air traffic sector (A-CDM EUROCONTROL)
7 Brief SERSCIS Architecture description
(diagram labels: Commitments, Resources, Management Channel, Application Channel)
Separate two channels of communication: Management Channel and Application Channel.
Resource Manager:
• New capacity models that allow service providers to pursue dynamic provisioning strategies.
• Semantic storage and discovery of resources that allow workflows matching dependability requirements to be composed from a pool of available resources.
Service Manager:
• Balance the level of commitments with the available resources and operate a flexible management strategy in response to failure or under-performance in resources.
• Variable level of autonomy between automated and assisted management.
• Round trip from service monitoring to a risk management process and back to service management.
SLA Manager:
• SLA is a resource and the root of trust.
• Dynamically manage trust across domains.
8 Basics of SERSCIS Systems Modelling Strategy
• Semantic modelling of critical infrastructure ICT including inter-dependency and risks
• Semantic service orchestration models exploiting dependability criteria
  • automatic composition of service inter-connections against dependability criteria
  • automated re-composition in response to threats
• Dynamic security and trust management to control threat propagation between services
• Decision support tool based on semantic system models to assist human operators (model driven DST)
9 A-CDM (basic concepts)
EUROCONTROL Airport Collaborative Decision Making (A-CDM): to improve Air Traffic Flow & Capacity Management (ATFCM) at airports by reducing delays, improving event predictability and optimizing the utilization of services and resources.
Implementation of Airport CDM allows each Airport CDM Partner to optimise their decisions in collaboration with other A-CDM Partners.
The decision making by the Airport CDM Partners is facilitated by the sharing of accurate and timely information and by adapted procedures, mechanisms and tools.
10 Applications and SERSCIS Impact
Airport Collaborative Decision Making (A-CDM):
• sharing information between air-traffic control, airports, airlines and airport service providers
• allows greater operational efficiency, but creates interdependencies that need to be managed
SERSCIS solution: enables improved risk management of complex interconnected assets
SERSCIS impact:
• greater awareness of risks in air traffic proof of concept scenarios
• analysis of requirements and application in other sectors
• novel risk management capabilities for managing interdependency and cascading threats
11 A-CDM components
The Airport CDM concept is divided into the following components:
• Airport CDM Information Sharing Component
• CDM Turn-around Process – Milestones Approach
• Variable Taxi Time Calculation
• Collaborative Management of Flight Updates
• Collaborative Pre-departure Sequence
• Advanced CDM
The efficiency of the Air Transport System is highly dependent on the traffic predictability critical parameters.
12 Airport CDM Information Sharing Concept Component (ACIS)
The Airport CDM Information Sharing Component defines the sharing of accurate and timely information between the Airport CDM Partners to achieve common situational awareness and to improve traffic parameter predictability.
The main Airport CDM Partners are:
• Airport Operator
• Aircraft Operators
• Ground Handlers
• De-icing companies
• Air Traffic Service Provider
• CFMU
15 Data Quality of A-CDM Key Performance Indicators (KPIs) and metrics
Data Confidentiality, Data Integrity, Alarms, Data Display.
KPI data properties: Quality of Time Estimates
• Accuracy
• Predictability
• Stability
16 Actors and Ground Handling Services Architecture (Proof of Concept)
17 Ground Handler Services Architecture (Proof of Concept)
Service accessible by a consumer (aircraft operator) through an SLA template. The GH is responsible for coordination of Ramp Services (catering, fuelling, cleaning, baggage handling).
19 Ground Handling Basic Services
Information Sharing Platform Component:
• Provides methods to update data
• Performs internal consistency checks of data
CFMU (Central Flow Management Unit):
• Provides ELDT update of inbound flights
ATC (Air Traffic Control):
• Drives simulation by providing milestone events
Aircraft Operator / Ground Handler:
• Orchestrates turn-around process
• Triggers sub-services
Aircraft Crew:
• Report ready to ATC
• Request startup
20 Ground Handler Basic Services and Functions
• Fuelling Service
• Baggage Handling Service
• Catering Service
• Aircraft Cleaning Service
All triggered by aircraft operator or ground handler; each provides a specific service within the turn-around.
Methods:
• Schedule and reschedule a service
• Prepare for service delivery
• Start service delivery
• Provide status on remaining service time
21 Ground Handling Workflow Execution Phase (Austro Control partner)
22 Ground Handler Possible Services Workflow Disruption – Execution Phase
• Passenger no-show
• TOBT delayed, potentially resulting in new slot (CTOT)
• Offload baggage
• Landing of inbound aircraft delayed
• Changes in workflow and service choice
• Changes in TOBT (Targeted Off Block Time)
• Ground handling resource problems
• Heightened security status
• Alternate workflow path
• Reduced choice of service providers
23 General SERSCIS Modeling Approach
The SERSCIS system modelling approach is based on a generic dependability model (domain ontology) composed of OWL classes:
1) This model captures generic types of SOA system assets such as services, resources, customers, threats to those assets, and controls that can mitigate those threats.
2) The dependability model captures expertise in security of Service-Oriented Systems (SOA).
3) The Proof-of-Concept covers a subset of security threats and controls relevant to the Proof-of-Concept evaluation scenario.
24 SERSCIS Modeling Achieved Objectives
• Development of modelling tools and models capturing:
  • system requirements and interdependencies
  • system threats and vulnerabilities
  • system degradation and relevant countermeasures
• Development of system level models for CI in airports
• Provide a basis for wider application of the modelling approach
25 Creation of a new Semantic Dependability Modeling Approach and SERSCIS Ontology
New Domain Ontologies have been created:
• a critical infrastructure systems-of-systems ontology to model interdependencies of airport services such as fuel, food, telecommunications, ATM, etc. (assets and dependabilities);
• a cause and effect ontology that models potential threats and consequences;
• a resource dependability metrics ontology that models the dynamic behavior of system entities.
29 SERSCIS Semantic Model
• A core structure to model a system comprising assets, which may be subject to threats, and can be protected by controls;
• A dependability semantic model that describes generic types of assets, threats & controls using OWL classes, with their relationships;
• An abstract system semantic model that describes system-specific assets, threats and controls, extending the dependability model classes by incorporating system-specific security knowledge;
• A concrete system semantic model that provides snapshots of a running system, with instances to represent participating assets, plus contextualised threats and controls.
30 Core structure of the system modelling approach (Dependability Semantic Model)
The approach is designed to capture three types of system entities:
1. generic asset classes: the types of assets that can be found in a system;
2. generic threat classes: ways in which these generic types of assets could be compromised;
3. generic control classes: describing the types of controls that could be used to protect these asset types from these threats.
31 Generic Systems Modelling Class – SERSCIS Core Ontology: Asset, Control and Threat instances
(table columns: Threat class / Description / Controls needed)
• Unauthorized access: The service processes an unauthorised request from an attacker. Controls needed: Client AuthN + Client AuthZ
• Unaccountable access: Type of unauthorized access, designed to get the service without paying for it.
• Service misdirection: Type of unauthorized access, designed to make the service mismanage its resources.
32 Generic Dependability Model Assets and Relationships
33 High Level view of SERSCIS Abstract Dependability Model
34 SERSCIS Threat Classification model
SWRL rules are evaluated and threats classified by using a semantic reasoner (to be shown in the following slides)
35 High Level view of SERSCIS Abstract Dependability Model
• Services: system components that provide services
• Clients: system components that access these services
Threat types:
• Unauthorized Access (to the service)
• Data Traffic Snooping
• Man in the Middle
• Client Impersonation
• Resource Failure
36 Control types are defined for protecting services
• Service AuthN: the client validates the identity (or attributes) of the service.
• Client AuthN: the service validates the identity (or attributes) of a requestor.
• Client AuthZ: the service determines whether a request is authorised.
• Encryption: encrypts data exchanged with the service so it cannot be read in transit.
• Redundancy: to have multiple resources of a given type, so a failure in one does not cause failure of the service.
37 Threat Classes – Descriptions – Combined Controls
(table columns: Threat class / Description / Controls needed)
• Unauthorized access: The service processes an unauthorised request from an attacker. This class is never actually used because the threat depends on why the attacker wants access – see the next three subclasses. Controls needed: Client AuthN + Client AuthZ
• Unaccountable access: Type of unauthorized access, designed to get the service without paying for it.
• Service misdirection: Type of unauthorized access, designed to make the service mismanage its resources.
• Data tampering: Type of unauthorized access, designed to alter the service data.
• Data traffic snooping: An unauthorized attacker reads service requests and responses. Controls needed: Encryption
38 Threat Vulnerability Classification
Three possible classifications are used, as shown previously:
• Blocked threat: if an attacker should carry out the threat (intentionally or otherwise), the system has controls that will prevent the attack from succeeding.
• Mitigated threat: if an attacker should carry out the threat, the attack cannot be prevented, but the system controls provide a response that will counteract its effect on the targeted asset.
• Vulnerability: the system does not have any means to prevent the attack or counteract its effects on the targeted system asset.
39 Threat Vulnerability Classification – Controlling a MissAccountedClientResourceAccess threat
Classification is performed by semantic reasoning over the concrete system model, using SWRL rules from the SERSCIS dependability model. For example, the rule for MissAccountedClientResourceAccess (SWRL) is:
MissAccountedClientResourceAccess(?t) ∧ ClientSpecifiedResource(?a1) ∧ affects(?t, ?a1) ∧ Customer(?a2) ∧ affects(?t, ?a2) ∧ ServiceGroup(?a3) ∧ affects(?t, ?a3) ∧ ClientAuthentication(?c1) ∧ protects(?c1, ?a1) ∧ AccessControl(?c2) ∧ protects(?c2, ?a1) ∧ Delegation(?c3) ∧ protects(?c3, ?a2) ∧ Identification(?c4) ∧ protects(?c4, ?a3) → BlockedThreat(?t)
40 Threat Vulnerability Classification - Controlling a MissAccountedClientResourceAccess threat
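The rule on slide 39 evaluated by hand, as an added example that is not SERSCIS project code: a tiny concrete model (constructed individuals such as fuelSlot, airlineX and the controls c1..c4 are assumptions of this example) and a function that fires the rule the way a reasoner would, binding ?a1/?a2/?a3 to affected assets and checking that each carries the required controls. Only the Blocked rule is shown on the slides, so the example reports everything else as a Vulnerability.

```python
# Added example (not SERSCIS project code): a hand-written evaluation of the
# MissAccountedClientResourceAccess SWRL rule over a constructed concrete model.
# A real deployment loads the OWL ontology into a semantic reasoner; here the
# model is three Python collections and the rule is one function.
from dataclasses import dataclass, field

@dataclass
class Model:
    types: dict = field(default_factory=dict)   # individual -> set of OWL classes
    affects: set = field(default_factory=set)   # (threat, asset) pairs
    protects: set = field(default_factory=set)  # (control, asset) pairs

    def add(self, name, *classes):
        self.types.setdefault(name, set()).update(classes)

    def is_a(self, name, cls):
        return cls in self.types.get(name, set())

    def protected_by(self, asset, control_cls):
        return any(self.is_a(c, control_cls) for c, a in self.protects if a == asset)

# Rule body from the slide: the threat affects a ClientSpecifiedResource (?a1),
# a Customer (?a2) and a ServiceGroup (?a3), each carrying the listed controls.
REQUIRED = {"ClientSpecifiedResource": ("ClientAuthentication", "AccessControl"),
            "Customer": ("Delegation",), "ServiceGroup": ("Identification",)}

def classify(model, threat):
    """'BlockedThreat' when some binding of ?a1/?a2/?a3 satisfies every atom; the
    Mitigated rules are not on the slides, so anything else is 'Vulnerability' here."""
    if not model.is_a(threat, "MissAccountedClientResourceAccess"):
        return None
    for asset_cls, controls in REQUIRED.items():
        candidates = [a for t, a in model.affects if t == threat and model.is_a(a, asset_cls)]
        # SWRL semantics: the rule fires if any candidate binding carries all controls
        if not any(all(model.protected_by(a, c) for c in controls) for a in candidates):
            return "Vulnerability"
    return "BlockedThreat"

def build_sample():
    """Constructed ground-handling snapshot: one threat, three assets, four controls."""
    m = Model()
    m.add("t1", "MissAccountedClientResourceAccess")
    for asset, cls in [("fuelSlot", "ClientSpecifiedResource"), ("airlineX", "Customer"),
                       ("rampServices", "ServiceGroup")]:
        m.add(asset, cls)
        m.affects.add(("t1", asset))
    for ctrl, cls, asset in [("c1", "ClientAuthentication", "fuelSlot"),
                             ("c2", "AccessControl", "fuelSlot"),
                             ("c3", "Delegation", "airlineX"),
                             ("c4", "Identification", "rampServices")]:
        m.add(ctrl, cls)       # control individual of the given OWL class
        m.protects.add((ctrl, asset))
    return m
```

Removing a single control (for instance the AccessControl on fuelSlot) is enough for the rule to stop firing, which is what turns a Blocked threat into a Vulnerability in the classification.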
41 Main ideas embodied in the SERSCIS Ontology
• Assets, threats and controls are described as OWL classes.
• Assets may have associated metrics for presence or absence of threat-induced behaviors.
• Threats have a human readable description, impact severity and prior & current likelihood ratings.
• In the following schematic, dashed arrows do not represent a conventional OWL relationship but SWRL rules. These rules classify threat instances as Mitigated or Blocked based on the presence of adequate controls.
46 SERSCIS Stream Reasoning Process - Basics
• It allows the concrete system model to be continuously updated;
• It reduces the time lag between the evolution of the real system and that of the concrete system model, making it possible to resolve recent and rapid changes in the real system;
• It represents protracted as well as instantaneously observed behaviours in the model by including information over an extended (sliding) time window;
• It allows reasoning algorithms to take account of system changes during the time window, rather than only the instantaneous system composition and status.
50 Intrusion Detection basics
We use the Non-Parametric CUSUM test.
Two performance criteria: i) False Alarm Time; ii) Detection Time.
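The non-parametric CUSUM test from slide 50 and its two performance criteria, as an added example that is not part of the presentation: the statistic y_n = max(0, y_{n-1} + (x_n − β)) is run over a constructed request-count series (the means 10 and 16, the offset β = 12 and the threshold 20 are assumptions of this example), once with an abrupt change to measure detection time and once without a change to measure false-alarm time.

```python
# Added example, not from the SERSCIS slides: the non-parametric CUSUM test named on
# slide 50, run over a constructed per-interval request-count series. The shifted
# increments x_n - beta have negative mean under normal load, so the statistic sits
# near zero; after an abrupt change they turn positive and it climbs to the threshold.
import random

def npcusum(samples, beta, threshold):
    """y_0 = 0, y_n = max(0, y_{n-1} + (x_n - beta)); alarm at the first n with y_n > threshold.
    Returns (alarm index or None, list of y_n values)."""
    y, trace = 0.0, []
    for n, x in enumerate(samples):
        y = max(0.0, y + (x - beta))
        trace.append(y)
        if y > threshold:
            return n, trace
    return None, trace

def make_series(n_normal, n_attack, seed=7):
    """Constructed data: counts with mean 10 under normal load, mean 16 after the change.
    Returns the series and the index at which the change starts."""
    rng = random.Random(seed)
    normal = [rng.gauss(10, 2) for _ in range(n_normal)]
    attack = [rng.gauss(16, 2) for _ in range(n_attack)]
    return normal + attack, n_normal

def evaluate(beta=12.0, threshold=20.0):
    """The two criteria from the slide: detection time (samples from change to alarm) on
    a series with a shift, and false-alarm time on a change-free series (None if no alarm)."""
    series, change_at = make_series(200, 50)
    alarm, _ = npcusum(series, beta, threshold)
    detection_time = None if alarm is None else alarm - change_at
    clean, _ = make_series(200, 0, seed=11)
    false_alarm_time, _ = npcusum(clean, beta, threshold)
    return detection_time, false_alarm_time

if __name__ == "__main__":
    dt, fa = evaluate()
    print(f"detection time: {dt} samples after the change; false alarm at: {fa}")
```

Raising the threshold lengthens both the false-alarm time and the detection time, which is the trade-off the two criteria on the slide capture.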
51 Recent (2012) DST design concepts (Under Construction)
(screenshot: physical asset display with Assets, Threats and Behaviours panels, each prompting selection of an asset class or asset; Update control with "Up to date" status)
52 Recent (2012) DST design concepts (Under Construction)
(screenshot: Assets, Threats and Behaviours panels with asset selection prompts; Update control)
53 SERSCIS Innovations
• Semantic system modelling of critical infrastructure ICT including inter-dependency and other risks
• Semantic service dependability models encoded in SLA
  • semi-automatic management of services against dependability criteria
• Semantic service orchestration models exploiting dependability criteria
  • automatic composition of service inter-connections against dependability criteria
  • automated re-composition in response to dependability threats
• Dynamic security and trust management to control threat propagation between services
  • automatic policy updates driven by service dependability management
• Advanced decision support interface based on semantic system models to assist human operators
• Innovative stream reasoning technologies for event analytics and behaviour assets reasoning in conjunction with detection algorithms.
54 Conclusions - Impact
Airport Collaborative Decision Making (A-CDM):
• sharing information between air-traffic control, airports, airlines and airport service providers
• allows greater operational efficiency, but also creates interdependencies that need to be managed
SERSCIS will enable improved risk management:
• the goal is not to enable A-CDM, but to better manage it
• introduction of state of the art risk analysis procedures
• stream reasoning processes and event processing in risk management
• other applications will be considered (especially Port Community Operations)
Expected impact:
• greater awareness of risks in A-CDM, especially from interdependency
• analysis of requirements and application in other sectors
• novel risk management capabilities based on agile SOA, especially for managing interdependency and cascading threats