SERSCIS has received EC Research Funding
Semantically Enhanced Resilient and Secure Critical Infrastructure Services
EMS 2012 UKSIM-AMSS: 6th European Modelling Symposium on Mathematical Modelling and Computer Simulation, Malta, 14-16 Nov. 2012.
Presenter / Contributor: Vasilis Tsoulkas, Center for Security Studies (KEMEA) / Ministry of Citizen Protection & University of Athens, GR.
Co-Contributors: Dimitris Kostopoulos, KEMEA / Ministry of Citizen Protection, Athens, GR; George Leventakis, KEMEA & University of the Aegean, Dept. of Shipping, Trade and Transport; Mike Surridge, IT Innovation Centre, Univ. of Southampton, UK.
SERSCIS Group
• IT Innovation Centre – University of Southampton, UK
• Joanneum Research (JRS) – Graz, Austria
• Center for Security Studies (KEMEA) – Athens, Greece
• Austro Control GmbH (ACG) – Vienna, Austria
• Port Authority Gijon (PAG) – Gijon, Spain
Presentation Sections
1. Objectives
2. Brief SERSCIS Architecture description
3. Basics of SERSCIS System Modeling Strategy
4. SERSCIS – Proof of Concept
5. A-CDM (Airport Collaborative Decision Making) – Ground Handler case (EUROCONTROL): A-CDM components, Information Sharing Concept, Traffic Critical Parameters, Data quality of KPIs & Metrics
6. SERSCIS Proof of Concept (Ground Handler)
7. SERSCIS Domain core (complete) Ontology and Semantic Models
8. SERSCIS Decision Support Tool (DST)
9. SERSCIS Stream Reasoning Process
10. Conclusions – Impact
Objectives
• Critical infrastructure ICT components are increasingly interconnected:
– information sharing → greater operational efficiency, but also reduced slack and flexibility
– interconnections → new risks from ICT failure cascade effects
• SERSCIS approach: use agile Service Oriented Architecture (SOA) to offset these threats:
– adapt ICT components and networks to meet changing needs
– adapt ICT connections to prevent cascades and contain threats
[Figure: Physical Infrastructure, Information Infrastructure and Decision Support layers; inputs: changing conditions and requirements, management actions, system status and adaptation; threat sources: malicious cyberattack, user error, physical attacks, natural disasters, accidental damage, implementation error]
Objectives
• To exploit agile Service Oriented Technology to:
– compose ICT connections related to critical infrastructure
– monitor and manage ICT components against well-defined dependability criteria
– adapt ICT connections in response to disruption or threats
• To validate this approach in Proof of Concept scenarios from the air traffic sector (A-CDM EUROCONTROL)
Brief SERSCIS Architecture description
[Architecture diagram: System Governance layer (SLA Manager, Service Manager, Resource Manager); Service Access Control Point; Decision Support and System Modelling; System Orchestration. Roles: «Service Consumer» System Orchestration and Resource Manager, «Service Provider» SLA Manager and Service Access Control Point, SERSCIS Operator, Application Service. Service boundaries separate the Management Channel from the Application Channel.]
A-CDM (basic concepts) EUROCONTROL
Airport Collaborative Decision Making (A-CDM): To improve Air Traffic Flow & Capacity Management (ATFCM) at airports by reducing delays, improving event predictability and optimizing the utilization of services and resources.
Implementation of Airport CDM allows each Airport CDM Partner to optimise their decisions in collaboration with the other A-CDM Partners.
The decision making by the Airport CDM Partners is facilitated by the sharing of accurate and timely information and by adapted procedures, mechanisms and tools.
A-CDM components
The Airport CDM concept is divided in the following Components:
• Airport CDM Information Sharing Component
• CDM Turn-around Process – Milestones Approach
• Variable Taxi Time Calculation
• Collaborative Management of Flight Updates
• Collaborative Pre-departure Sequence
• Advanced CDM
The efficiency of the Air Transport System is highly dependent on the traffic predictability critical parameters.
Airport CDM Information Sharing Concept Component (ACIS)
The Airport CDM Information Sharing Component defines the sharing of accurate and timely information between the Airport CDM Partners to achieve common situational awareness and to improve traffic parameters predictability.
The main Airport CDM Partners are:
• Airport Operator
• Aircraft Operators
• Ground Handlers
• De-icing companies
• Air Traffic Service Provider
• CFMU
Air-Traffic Critical Parameters
Data Quality of A-CDM Key Performance Indicators (KPIs) and metrics
Key Performance Indicators:
Data Confidentiality, Data Integrity, Alarms, Data Display.
KPIs data properties: Quality of Time Estimates
• Accuracy
• Predictability
• Stability
Actors and Ground Handling Services Architecture (Proof of Concept)
Ground Handler Services Architecture (Proof of Concept)
The service is accessible to a consumer (aircraft operator) through an SLA template. The Ground Handler (GH) is responsible for coordinating the Ramp Services (catering, fuelling, cleaning, baggage handling).
Turn Around - Ground Handling Process
Ground Handling Basic Services
• Information Sharing Platform Component
– Provides methods to update data
– Performs internal consistency checks of data
• CFMU (Central Flow Management Unit)
– Provides ELDT update of inbound flights
• ATC (Air Traffic Control )
– Drives simulation by providing milestone events
• Aircraft Operator / Ground Handler
– Orchestrates turn around process
– Triggers sub-services
• Aircraft Crew
– Report ready to ATC
– Request startup
Ground Handler Basic Services and Functions
• Fuelling Service
• Baggage Handling Service
• Catering Service
• Aircraft Cleaning Service
• All triggered by the aircraft operator or ground handler
• Provide a specific service within the turn-around
• Methods:
– Schedule and reschedule a service
– Prepare for service delivery
– Start service delivery
– Provide status on remaining service time
Ground Handling Workflow – Execution Phase (Austro Control partner)
[Workflow diagram with the steps: wait for start command; start deboarding; wait for deboarding completed; start unload baggage; start refueling; start cleaning; start catering; wait for cleaning and catering completed; start load baggage; start boarding; wait for completion. Annotations: update TOBT when deboarding completed; update ASBT when boarding starts; update ARDT when all sub-processes completed.]
Ground Handler Possible Services Workflow Disruption – Execution Phase
• Passenger no-show
– TOBT delayed, potentially resulting in a new slot (CTOT)
– Offload baggage
• Landing of inbound aircraft delayed
– Changes in workflow and service choice
– Changes in TOBT (Target Off-Block Time)
• Ground handling resource problems
• Heightened security status
– Alternate workflow path
– Reduced choice of service providers
General SERSCIS Modeling Approach
The SERSCIS system modelling approach is based on a generic dependability model (domain ontology) composed of OWL classes:
1. The model captures generic types of SOA system assets such as services, resources and customers, the threats to those assets, and the controls that can mitigate those threats.
2. The dependability model captures expertise in the security of Service-Oriented Systems (SOA).
3. The Proof-of-Concept covers the subset of security threats and controls relevant to the Proof-of-Concept evaluation scenario.
SERSCIS Modeling Achieved Objectives
Development of modelling tools and models capturing:
– system requirements and interdependencies
– system threats and vulnerabilities
– system degradation and relevant countermeasures
Development of system level models for CI in airports
Provide a basis for wider application of the modelling approach
Creation of a new Semantic Dependability Modeling Approach and SERSCIS Ontology
New domain ontologies have been created:
• a critical infrastructure systems-of-systems ontology to model interdependencies of airport services such as fuel, food, telecommunications, ATM, etc. (assets and dependabilities);
• a cause and effect ontology that models potential threats and consequences;
• a resource dependability metrics ontology that models the dynamic behavior of system entities.
SERSCIS Domain Ontology snapshot
05/08/2009 Copyright © 2008 University of Southampton IT Innovation Centre and other Members of the SERSCIS Consortium
SERSCIS Domain Ontology
SERSCIS Semantic Model
A core structure to model a system comprising assets, which may be subject to threats, and can be protected by controls;
A dependability semantic model that describes generic types of assets, threats & controls using OWL classes, with their relationships;
An abstract system semantic model that describes system-specific assets, threats and controls, extending the dependability model classes by incorporating system-specific security knowledge;
A concrete system semantic model that provides snapshots of a running system, with instances to represent participating assets, plus contextualised threats and controls.
Core structure of the system modelling approach (Dependability Semantic Model)
The approach is designed to capture three types of system entities:
1. generic asset classes: the types of assets that can be found in a system;
2. generic threat classes: ways in which these generic types of assets could be compromised;
3. generic control classes: describing the types of controls that could be used to protect these asset types from these threats.
Generic Systems Modelling Class – SERSCIS Core Ontology
Asset, Control and Threat instances
Threat class | Description | Controls needed
Unauthorized access | The service processes an unauthorised request from an attacker. | Client AuthN + Client AuthZ
Unaccountable access | Type of unauthorized access, designed to get the service without paying for it. | Client AuthN + Client AuthZ
Service misdirection | Type of unauthorized access, designed to make the service mismanage its resources. | Client AuthN + Client AuthZ
Generic Dependability Model Assets and Relationships
High Level view of SERSCIS Abstract Dependability Model
SERSCIS Threat Classification model
• SWRL rules are evaluated and threats classified by using a semantic reasoner (shown in the following slides)
High Level view of SERSCIS Abstract Dependability Model
• Services: system components that provide services
• Clients: system components that access these services
• Threat types:
1. Unauthorized Access (to the service)
2. Data traffic Snooping
3. Man in the Middle
4. Client Impersonation
5. Resource Failure
Control types are defined for protecting services
• Service AuthN: the client validates the identity (or attributes) of the service.
• Client AuthN: the service validates the identity (or attributes) of a requestor.
• Client AuthZ: the service determines whether a request is authorised.
• Encryption: encrypts data exchanged with the service so it cannot be read in transit.
• Redundancy: to have multiple resources of a given type, so a failure in one does not cause failure of the service.
Threat Classes – Descriptions – Combined Controls
Threat class | Description | Controls needed
Unauthorized access | The service processes an unauthorised request from an attacker. This class is never actually used because the threat depends on why the attacker wants access – see the next three subclasses. | Client AuthN + Client AuthZ
Unaccountable access | Type of unauthorized access, designed to get the service without paying for it. | Client AuthN + Client AuthZ
Service misdirection | Type of unauthorized access, designed to make the service mismanage its resources. | Client AuthN + Client AuthZ
Data tampering | Type of unauthorized access, designed to alter the service data. | Client AuthN + Client AuthZ
Data traffic snooping | An unauthorized attacker reads service requests and responses. | Encryption
Threat Vulnerability Classification
Three classifications are used, as shown previously:
• Blocked threat: if an attacker should carry out the threat (intentionally or otherwise), the system has controls that will prevent the attack from succeeding.
• Mitigated threat: if an attacker should carry out the threat, the attack cannot be prevented, but the system controls provide a response that will counteract its effect on the targeted asset.
• Vulnerability: the system does not have any means to prevent the attack or counteract its effects on the targeted system asset.
Threat Vulnerability Classification – Controlling a MissAccountedClientResourceAccess threat
• Classification is performed by semantic reasoning over the concrete system model, using SWRL rules from the SERSCIS dependability model
• For example, the SWRL rule for MissAccountedClientResourceAccess is:
MissAccountedClientResourceAccess(?t) ∧ ClientSpecifiedResource(?a1) ∧ affects(?t, ?a1) ∧ Customer(?a2) ∧ affects(?t, ?a2) ∧ ServiceGroup(?a3) ∧ affects(?t, ?a3) ∧ ClientAuthentication(?c1) ∧ protects(?c1, ?a1) ∧ AccessControl(?c2) ∧ protects(?c2, ?a1) ∧ Delegation(?c3) ∧ protects(?c3, ?a2) ∧ Identification(?c4) ∧ protects(?c4, ?a3) → BlockedThreat(?t)
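As an added example (not SERSCIS project code, and no OWL reasoner involved), the following Python renders the classification described on the preceding slides in plain data structures: assets carry the control classes that protect them, and a threat instance is classified as BlockedThreat, MitigatedThreat or Vulnerability by checking the controls on the assets it affects. The blocking requirements for MissAccountedClientResourceAccess are transcribed from the SWRL rule above; the other entries follow the "Threat class / Controls needed" table, with the table's "Client AuthN + Client AuthZ" mapped onto the rule's ClientAuthentication and AccessControl classes. That mapping, the choice to require the controls on every affected asset of a class (the SWRL rule only needs one such asset), the "mitigating" table for ResourceFailure and the sample ground-handler snapshot are all constructed assumptions of this example.

```python
"""Added example, not SERSCIS project code: threat classification over a
concrete system snapshot, mirroring the Blocked / Mitigated / Vulnerability
scheme on the slides with plain Python records instead of OWL classes."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    asset_class: str                             # e.g. "ClientSpecifiedResource"
    controls: set = field(default_factory=set)   # control classes protecting it


@dataclass
class Threat:
    threat_class: str
    affects: list                                # Assets the threat affects


# Controls that BLOCK a threat, per threat class, keyed by the class of the
# affected asset. The first entry transcribes the slide's SWRL rule; the rest
# follow the "Controls needed" table (AuthZ read as AccessControl: assumption).
BLOCKING = {
    "MissAccountedClientResourceAccess": {
        "ClientSpecifiedResource": {"ClientAuthentication", "AccessControl"},
        "Customer": {"Delegation"},
        "ServiceGroup": {"Identification"},
    },
    "DataTampering": {"Service": {"ClientAuthentication", "AccessControl"}},
    "DataTrafficSnooping": {"Service": {"Encryption"}},
}

# Controls that only MITIGATE (counteract the effect, cannot prevent it).
# Constructed assumption: Redundancy keeps the service up when one resource fails.
MITIGATING = {
    "ResourceFailure": {"Resource": {"Redundancy"}},
}


def _rule_holds(threat, table):
    """True when, for every asset class named in the rule, the threat affects at
    least one asset of that class and all such assets carry the listed controls
    (conservative reading of the existential SWRL rule)."""
    required = table.get(threat.threat_class)
    if not required:
        return False
    for asset_class, controls in required.items():
        affected = [a for a in threat.affects if a.asset_class == asset_class]
        if not affected or not all(controls <= a.controls for a in affected):
            return False
    return True


def classify(threat):
    """The three SERSCIS classifications, in order of preference."""
    if _rule_holds(threat, BLOCKING):
        return "BlockedThreat"
    if _rule_holds(threat, MITIGATING):
        return "MitigatedThreat"
    return "Vulnerability"


def classify_system(threats):
    """Classify every threat instance of a concrete system model snapshot."""
    return {t.threat_class: classify(t) for t in threats}


def demo_system(drop_delegation=False):
    """Constructed ground-handler snapshot. With every control in place the
    MissAccountedClientResourceAccess threat is blocked; removing Delegation
    from the customer leaves it an open vulnerability."""
    resource = Asset("fuel-slot", "ClientSpecifiedResource",
                     {"ClientAuthentication", "AccessControl"})
    customer = Asset("aircraft-operator", "Customer",
                     set() if drop_delegation else {"Delegation"})
    group = Asset("ramp-services", "ServiceGroup", {"Identification"})
    service = Asset("fuelling-service", "Service", {"Encryption"})
    trucks = Asset("fuel-trucks", "Resource", {"Redundancy"})
    threats = [
        Threat("MissAccountedClientResourceAccess", [resource, customer, group]),
        Threat("DataTrafficSnooping", [service]),
        Threat("ResourceFailure", [trucks]),
        Threat("ClientImpersonation", [service]),   # no rule here -> Vulnerability
    ]
    return classify_system(threats)


if __name__ == "__main__":
    print(demo_system())
    print(demo_system(drop_delegation=True))
```

A threat class with no entry in either table is reported as a Vulnerability, which is the safe default: an unmodelled threat should surface for review rather than silently pass as controlled.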
Main ideas embodied in the SERSCIS Ontology
• Assets, threats and controls are described as OWL classes
• Assets may have associated metrics for presence or absence of threat-induced behaviors
• Threats have a human readable description, impact severity and prior & current likelihood ratings.
• In the following schematic, dashed arrows do not represent a conventional OWL relationship but SWRL rules.
• These rules classify threat instances as: Mitigated or Blocked based on the presence of adequate controls.
Proof of Concept: Updated core Ontology
SERSCIS Decision Support Tool Framework – Run Time Dynamic Model
Old version of Decision Support Tool – Dynamic Interface
SERSCIS STREAM REASONING PROCESS - Basics
• It allows the concrete system model to be continuously updated,
• It reduces the time lag between the evolution of the real system and that of the concrete system model, making it possible to resolve recent and rapid changes in the real system;
• It represents protracted as well as instantaneously observed behaviours in the model by including information over an extended (sliding) time window;
• It allows reasoning algorithms to take account of system changes during the time window, rather than only the instantaneous system composition and status.
Proposed SERSCIS Stream reasoning
Proposed SERSCIS stream reasoning – Behavior Analyzer basic notion
Time               TOBT updates (QoS)   TOBT updates (QoE)   (QoE-QoS)/totalFlights
29/07/2010 00:00    0                    0                    0.000
29/07/2010 12:50   15                   30                    0.313
29/07/2010 13:00   19                   38                    0.396
29/07/2010 15:15   20                   40                    0.417
29/07/2010 16:05   22                   44                    0.458
29/07/2010 16:30   25                   50                    0.521
29/07/2010 17:00   32                   64                    0.667
29/07/2010 18:25   33                   66                    0.688
29/07/2010 19:00   38                   76                    0.792
29/07/2010 19:25   42                   84                    0.875
29/07/2010 21:50   45                   90                    0.938
29/07/2010 22:10   48                   96                    1.000
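The following is an added example, not SERSCIS project code, that ties the table to the stream reasoning properties listed earlier (continuous update of the model, and reasoning over a sliding time window rather than the instantaneous state). It replays the table's rows as a stream of TOBT-update events, keeps the cumulative QoS/QoE counts and the (QoE-QoS)/totalFlights ratio exactly as tabulated, and can also answer how many updates arrived inside the most recent window. totalFlights = 48 is inferred from the last row (48 QoS updates give a ratio of 1.000); the 2-hour window, its boundary semantics (events with now - window < t <= now) and the per-interval event format are assumptions of this example.

```python
"""Added example, not SERSCIS project code: a behaviour analyser that consumes
TOBT-update events as a stream, tracks the cumulative QoS/QoE metric from the
slide table, and maintains a sliding time window over recent events."""
from collections import deque
from datetime import datetime, timedelta
from decimal import Decimal, ROUND_HALF_UP

# Cumulative rows exactly as shown on the slide: (time, QoS updates, QoE updates)
TABLE_ROWS = [
    ("29/07/2010 00:00", 0, 0), ("29/07/2010 12:50", 15, 30),
    ("29/07/2010 13:00", 19, 38), ("29/07/2010 15:15", 20, 40),
    ("29/07/2010 16:05", 22, 44), ("29/07/2010 16:30", 25, 50),
    ("29/07/2010 17:00", 32, 64), ("29/07/2010 18:25", 33, 66),
    ("29/07/2010 19:00", 38, 76), ("29/07/2010 19:25", 42, 84),
    ("29/07/2010 21:50", 45, 90), ("29/07/2010 22:10", 48, 96),
]
TOTAL_FLIGHTS = 48  # inferred from the final row (48 updates -> ratio 1.000)


def parse_ts(text):
    return datetime.strptime(text, "%d/%m/%Y %H:%M")


def rows_to_events(rows):
    """Turn cumulative rows into per-interval events (time, qos_delta, qoe_delta)."""
    events, prev_qos, prev_qoe = [], 0, 0
    for ts, qos, qoe in rows:
        events.append((parse_ts(ts), qos - prev_qos, qoe - prev_qoe))
        prev_qos, prev_qoe = qos, qoe
    return events


class BehaviourAnalyser:
    def __init__(self, total_flights, window=timedelta(hours=2)):
        self.total_flights = total_flights
        self.window = window
        self.qos = 0
        self.qoe = 0
        self.recent = deque()   # events still inside the sliding window
        self.history = []       # (time, qos, qoe, ratio) per event, as in the table

    def ingest(self, event):
        ts, dqos, dqoe = event
        self.qos += dqos
        self.qoe += dqoe
        self.recent.append(event)
        # Evict events that have slid out of the window (t <= now - window).
        while self.recent and self.recent[0][0] <= ts - self.window:
            self.recent.popleft()
        self.history.append((ts, self.qos, self.qoe, self.ratio()))

    def ratio(self):
        """(QoE - QoS) / totalFlights, rounded to 3 decimals half-up like the table."""
        r = Decimal(self.qoe - self.qos) / Decimal(self.total_flights)
        return str(r.quantize(Decimal("0.001"), rounding=ROUND_HALF_UP))

    def window_qos_updates(self):
        """QoS updates observed inside the current sliding window."""
        return sum(dqos for _, dqos, _ in self.recent)


def replay(rows=TABLE_ROWS, total_flights=TOTAL_FLIGHTS):
    analyser = BehaviourAnalyser(total_flights)
    for event in rows_to_events(rows):
        analyser.ingest(event)
    return analyser


if __name__ == "__main__":
    for ts, qos, qoe, ratio in replay().history:
        print(ts.strftime("%d/%m/%Y %H:%M"), qos, qoe, ratio)
```

The cumulative ratio reproduces the table; the windowed count is what a reasoner would consult to judge whether update activity in the last two hours is unusually high or low, instead of relying on the day-total alone.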
Evolution of QoS and QoE in time
Intrusion Detection basics
• We use the Non-Parametric CUSUM test
• Two performance criteria: (i) false alarm time; (ii) detection time.
$$Z_n = a + \xi_n\, I(n < m) + (h + \eta_n)\, I(n \ge m)$$

$$y_n = \max\bigl(0,\; y_{n-1} + Z_n\bigr), \qquad y_0 = 0$$

$$d_N(y_n) = \begin{cases} 0 & \text{if } y_n \le N \\ 1 & \text{if } y_n > N \end{cases}$$

Here $m$ is the change point, $a$ and $h$ are the levels of $Z_n$ before and after the change with noise terms $\xi_n$ and $\eta_n$, $I(\cdot)$ is the indicator function and $N$ is the alarm threshold.
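An added example, not SERSCIS project code, of the non-parametric CUSUM detector written out from the equations above and evaluated on the two criteria the slide names. Raw observations are turned into the slide's Z_n by subtracting a constant beta chosen as an upper bound on the normal mean, so that Z_n drifts negative (level a < 0) under normal load and positive (level h > 0) after the change point m; this transformation, the sample request-count stream, and all parameter values are constructed assumptions of this example.

```python
"""Added example, not SERSCIS project code: non-parametric CUSUM change
detection, y_n = max(0, y_{n-1} + Z_n) with alarm when y_n > N, plus the
false-alarm-time and detection-time criteria from the slide."""


def transform(observations, beta):
    """Z_n = x_n - beta: negative on average under normal load, positive after a change."""
    return [x - beta for x in observations]


def cusum_statistic(z):
    """y_n = max(0, y_{n-1} + Z_n), y_0 = 0, returned for every n."""
    ys, y = [], 0.0
    for zn in z:
        y = max(0.0, y + zn)
        ys.append(y)
    return ys


def first_alarm(z, threshold, start=0):
    """Smallest n >= start with d_N(y_n) = 1, i.e. y_n > N; None if there is no alarm."""
    for n, y in enumerate(cusum_statistic(z)):
        if n >= start and y > threshold:
            return n
    return None


def evaluate(normal, attack, beta, threshold):
    """The two performance criteria from the slide:
    false_alarm_time: index of the first alarm on the normal-only stream (None = none)
    detection_time:   samples from the change point m = len(normal) to the first alarm"""
    m = len(normal)                                   # change point
    false_alarm = first_alarm(transform(normal, beta), threshold)
    alarm = first_alarm(transform(normal + attack, beta), threshold, start=m)
    return {"false_alarm_time": false_alarm,
            "detection_time": None if alarm is None else alarm - m}


# Constructed sample: requests per interval, normal load around 2 with one
# spike at index 4, then a sustained jump to 7 from the change point m = 10.
NORMAL = [2, 3, 1, 2, 5, 1, 2, 3, 1, 2]
ATTACK = [7] * 6
BETA = 4         # upper bound on the normal mean, so Z_n is negative on average
THRESHOLD = 10   # N


if __name__ == "__main__":
    print(evaluate(NORMAL, ATTACK, BETA, THRESHOLD))  # {'false_alarm_time': None, 'detection_time': 3}
    print(evaluate(NORMAL, ATTACK, BETA, 0.5))        # {'false_alarm_time': 4, 'detection_time': 0}
```

The two runs show the trade-off the slide's criteria capture: with N = 10 the single spike never lifts y_n over the threshold and the sustained change is detected three samples after it starts, whereas lowering N to 0.5 detects the change immediately but also turns the spike into a false alarm.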
Recent (2012) DST design concepts (Under Construction)
• Physical asset display
[DST interface mock-up: panels for Assets ("Please select an asset class"), Threats ("Please select an asset") and Behaviours ("Please select an asset class"), each with an Update button and an "Up to date" status indicator]
SERSCIS INNOVATIONS
• Semantic system modelling of critical infrastructure ICT including inter-dependency and other risks
• Semantic service dependability models encoded in SLAs
– semi-automatic management of services against dependability criteria
• Semantic service orchestration models exploiting dependability criteria
– automatic composition of service inter-connections against dependability criteria
– automated re-composition in response to dependability threats
• Dynamic security and trust management to control threat propagation between services
– automatic policy updates driven by service dependability management
• Advanced decision support interface based on semantic system models to assist human operators
• Innovative stream reasoning technologies for event analytics and behaviour assets reasoning in conjunction with detection algorithms
CONCLUSIONS- IMPACT
Airport Collaborative Decision Making (A-CDM): sharing information between air-traffic control, airports, airlines and airport service providers
– allows greater operational efficiency, but also creates interdependencies that need to be managed
SERSCIS will enable improved risk management
– the goal is not to enable A-CDM, but to better manage it
– introduction of state-of-the-art risk analysis procedures
– stream reasoning processes and event processing in risk management
Other applications will be considered (especially Port Community Operations)
Expected impact
– greater awareness of risks in A-CDM, especially from interdependency
– analysis of requirements and application in other sectors
– novel risk management capabilities based on agile SOA, especially for managing interdependency and cascading threats