SERSCIS has received EC Research Funding

Semantically EnhancedResilient and Secure

Critical InfrastructureServices

EMS 2012 UKSIM – AMSS : 6th European Modelling Symposium

On Mathematical Modelling and Computer Simulation Malta 14-16 , Nov. 2012.

SubtitlePresenter- Contributor: Vasilis Tsoulkas, Center for Security Studies (KEMEA)/Ministry of Citizen Protection & University of Athens, GR.

Co-Contributors: Dimitris Kostopoulos KEMEA / Ministry of Citizen Protection, Athens, GR

George Leventakis KEMEA & University of the Aegean, Dept. Of Shipping, Trade

and Transport. Mike Surridge

IT Innovation Centre, Univ. of Southampton, UK

2

Subtitle

3

SERSCIS Group

• IT Innovation Centre– University of Southampton, UK

• Joanneum Research (JRS)– Graz, Austria

• Center for Security Studies (KEMEA)– Athens, Greece

• Austro Control GmbH (ACG)– Vienna, Austria

• Port Authority Gijon (PAG)– Gijon, Spain

Subtitle

Presentation Sections

1. Objectives2. Brief SERSCIS Architecture description3. Basics of SERSCIS System Modeling Strategy 4. SERSCIS – Proof of Concept5. A-CDM (Airport - Collaborative Data Management)-

Ground Handler case (EUROCONTROL) ACDM-components, Info. Sharing Concept, Traffic Critical

Parameters, Data quality of KPIs & Metrics6. SERSCIS Proof of Concept (Ground Handler) 7. SERSCIS Domain core (complete) Ontology and

Semantic Models8. SERSCIS Decision Support Tool (DST) 9. SERSCIS Stream Reasoning Process. 10. Conclusions- Impact

4

Subtitle

5

Objectives

• Critical infrastructure ICT components are increasingly interconnected information sharing → greater operational efficiency, but also reduced slack and

flexibility interconnections → new risks from ICT failure cascade effects

• SERSCIS approach: use agile Service Oriented Architecture (SOA) to offset these threats adapt ICT components and networks to meet changing needs adapt ICT connections to prevent cascades and contain threats

PhysicalInfrastructure

InformationInfrastructure

DecisionSupport

Changing conditionsand requirements

ManagementActions

MaliciousCyberattack

UserError

PhysicalAttacks

NaturalDisasters

AccidentalDamage

ImplementationErrorSystem

status andadaptation

Subtitle

6

Objectives

• To exploit agile Service Oriented Technology to– compose ICT connections related to critical

infrastructure– monitor and manage ICT components against well-

defined dependability criteria– adapt ICT connections in response to disruption or

threats• To validate this approach in Proof of Concept Scenarios

from the air traffic sector (A-CDM EUROCONTROL)

Subtitle

7

Brief SERSCIS Architecture description

System Governance

SLA Manager Service Manager Resource Manager

Service Access Control Point

Decision Support System Modelling

System Orchestration

«Service Consumer»System

Orchestration

Service

bo

und

ary

Service

bo

und

ary

«Service Consumer»Resource Manager

«Service Provider»SLA Manager

SERSCIS Operator

ApplicationService

«Service Provider»Service Access Control Point

Management Channel

Application Channel

Subtitle

A-CDM (basic concepts) EUROCONTROL

Airport Collaborative Decision Making (A-CDM): To improve Air Traffic Flow & Capacity Management (ATFCM) at airports by reducing delays, improving event predictability and optimizing the utilization of services and resources.

Implementation of Airport CDM: allows each Airport CDM Partner to optimise their decisions in collaboration with other A- CDM Partners

The decision making by the Airport CDM Partners is facilitated by the sharing of accurate and timely information and by adapted procedures, mechanisms and tools.

9

Subtitle

A-CDM components

The Airport CDM concept is divided in the following Components:

• Airport CDM Information Sharing Component

• CDM Turn-around Process – Milestones Approach

• Variable Taxi Time Calculation

• Collaborative Management of Flight Updates

• Collaborative Pre-departure Sequence

• Advanced CDM

The efficiency of the Air Transport System is highly dependant on the traffic predictability critical parameters. 11

Subtitle

Airport CDM Information Sharing Concept Component (ACIS)

The Airport CDM Information Sharing Component :

Defines the sharing of accurate and timely information between the Airport CDM Partners to achieve common situational awareness and to improve traffic parameters predictability.

The main Airport CDM Partners are: • Airport Operator • Aircraft Operators • Ground Handlers • De-icing companies • Air Traffic Service Provider • CFMU

12

Subtitle

Air -Traffic Critical Parameters

13

Subtitle

Air -Traffic Critical Parameters

14

Subtitle

Data Quality of A-CDM Key Performance Indicators (KPIs) and metrics

Key Performance Indicators:

Data Confidentiality, Data Integrity, Alarms, Data Display.

KPIs data properties: Quality of Time Estimates

• Accuracy

• Predictability

• Stability15

Subtitle

16

Actors and Ground Handling Services Architecture (Proof of Concept)

Subtitle

Ground Handler Services Architecture (Proof of Concept)

17

Service accessible by a consumer (aircraft operator) through SLA template consumer. The GH is responsible for coordination of Ramp Services (catering, fuelling, cleaning, baggage handling)

Subtitle

Turn Around - Ground Handling Process

18

Subtitle

Ground Handling Basic Services

•

19

• Information Sharing Platform Component – Provides methods to update data

– Performs internal consistency checks of data

• CFMU (Central Flow Management Unit)

– Provides ELDT update of inbound flights

• ATC (Air Traffic Control )

– Drives simulation by providing milestone events

• Aircraft Operator / Ground Handler

– Orchestrates turn around process

– Triggers sub-services

• Aircraft Crew

– Report ready to ATC

– Request startup

Subtitle

Ground Handler Basic Services and Functions •

20

• Fuelling Service• Baggage Handling Service• Catering Service• Aircraft Cleaning Service

• All triggered by aircraft operator or ground handler

• Provide specific service within turn-around

• Methods

Schedule and reschedule a servicePrepare for service delivery Start service deliveryProvide status on remaining service time

Subtitle

Ground Handling WorkflowExecution Phase (austro control partner)

•

21

wait forcompletion

startcleaning

wait forcleaning and

cateringcompleted

startdeboarding

wait fordeboardingcompleted

wait forcompletion

wait forstart

command

startload

baggage

startrefueling

startunload

baggage

startboarding

startcatering

update ASBT when boarding starts

update TOBT, when deboarding completed update ARDT

when all sub-processes completed

Subtitle

Ground Handler Possible Services Workflow Disruption – Execution Phase

•

22

• Passenger no-showTOBT delayed, potentially resulting in new slot (CTOT)Offload baggage

• Landing of inbound aircraft delayedChanges in workflow and service choiceChanges in TOBT (Targeted Off Block Time)

• Ground handling resource problems• Heightened security status

Alternate workflow pathReduced choice of service providers

Subtitle

General SERSCIS Modeling Approach

The SERSCIS system modelling approach is based on:A generic dependability model - domain ontology - composed of OWL classes. :

1). This model captures generic types of SOA system assets such as: services, resources, customers, threats to those assets, and controls that can mitigate those threats.

2). The dependability model captures expertise in security of Service-Oriented Systems (SOA).

3) The Proof-of-Concept covers a subset of security threats and controls relevant to the Proof-of-Concept evaluation scenario,

23

Subtitle

SERSCIS Modeling Achieved Objectives

24

Development of modelling tools and models capturingsystem requirements and interdependenciessystem threats and vulnerabilitiessystem degradation and relevant countermeasures

Development of system level models for CI in airports

Provide a basis for wider application of the modelling approach

Subtitle

Creation of a new Semantic Dependability Modeling Approach and SERSCIS Ontology

New Domain Ontologies have been created : a critical infrastructure systems of systems ontology to model interdependencies of: airport services such as fuel, food, telecommunications, ATM, etc; (assets and dependabilities)

a cause and effect ontology that models potential threats and consequences;

a resource dependability metrics ontology that models the dynamic behavior of system entities.

25

Subtitle

SERSCIS Domain Ontology snapshot

05/08/2009 Copyright © 2008 University of Southampton IT Innovation Centre and other Members of the SERSCIS Consortium 26

Subtitle

SERSCIS Domain Ontology

05/08/2009 Copyright © 2008 University of Southampton IT Innovation Centre and other Members of the SERSCIS Consortium 27

Subtitle

SERSCIS Domain Ontology

05/08/2009 Copyright © 2008 University of Southampton IT Innovation Centre and other Members of the SERSCIS Consortium 28

Subtitle

SERSCIS Semantic Model

A core structure to model a system comprising assets, which may be subject to threats, and can be protected by controls;

A dependability semantic model that describes generic types of assets, threats & controls using OWL classes, with their relationships;

An abstract system semantic model that describes system-specific assets, threats and controls, extending the dependability model classes by incorporating system-specific security knowledge;

A concrete system semantic model that provides snapshots of a running system, with instances to represent participating assets, plus contextualised threats and controls.

29

Subtitle

Core structure of the system modelling approach (Dependability Semantic Model)

The approach is designed to capture 3-types of system entities:

1. generic asset classes: the types of assets that can be found in a system;

2. generic threat classes: ways in which these generic types of assets could be compromised;

3. generic control classes: describing the types of controls that could be used to protect these asset types from these threats.

30

Subtitle

Generic Systems Modelling Class – SERSCIS Core Ontology

31

Asset, Control and Threat instances

Threat class Description Controls needed

Unauthorized access The service processes an unauthorised request from an attacker.

Client AuthN + Client AuthZ

Unaccountable access

Type of unauthorized access, designed to get the service without paying for it.

Client AuthN + Client AuthZ

Service misdirection Type of unauthorized access, designed to make the service mismanage its resources.

Client AuthN + Client AuthZ

Subtitle

Generic Dependability Model Assets and Relationships

•

32

Subtitle

High Level view of SERSCIS Abstract Dependability Model

33

Subtitle

SERSCIS Threat Classification model

• SWRL rules are evaluated and threats classified by using a semantic reasoner (to be shown in the in the following slides)

34

Subtitle

High Level view of SERSCIS Abstract Dependability Model

• Services: Are Systems Components that provide services• Clients: Are Systems Components that access these

services • Threat Types: 1. Unauthorized Access (to the service) 2. Data traffic Snooping3. Man in the Middle4. Client Impersonation 5. Resource Failure

35

Subtitle

Control types are defined for protecting services

• Service AuthN: Client validates the identity (or attributes) of the service.

• ClientAuthN: The service validates the identity (or attributes) of a requestor

• Client AuthZ: The service determines wether a request is authorised.

• Encryption: encrypts data exchanged with the service so it cannot be read in transit

• Redundancy: Ti have multiple resources of a given type, so a failure in one does not cause failure of the service.

36

Subtitle

Treat Classes – Descriptions – Combined Controls •

37

Threat class Description Controls needed

Unauthorized access

The service processes an unauthorised request from an attacker. This class is never actually used because the threat depends on why the attacker wants access – see the next three subclasses.

Client AuthN + Client AuthZ

Unaccountable access

Type of unauthorized access, designed to get the service without paying for it.

Client AuthN + Client AuthZ

Service misdirection

Type of unauthorized access, designed to make the service mismanage its resources.

Client AuthN + Client AuthZ

Data tampering Type of unauthorized access, designed to alter the service data.

Client AuthN + Client AuthZ

Data traffic snooping

An unauthorized attacker reads service requests and responses.

Encryption

Subtitle

Threat Vulnerability Classification

•

38

3 possible classifications are used as is shown previously•Blocked threat: if an attacker should carry out the threat (intentionally or otherwise), the system has controls that will prevent the attack from succeeding.

•Mitigated threat: if an attacker should carry out the threat, the attack cannot be prevented, but the system controls provide a response that will counteract its effect on the targeted asset.

•Vulnerability: the system does not have any means to prevent the attack or counteract its effects on the targeted system asset.

Subtitle

Threat Vulnerability Classification – Controlling a MissAccountedClientResourceAccess threat

• Classification is performed by semantic reasoning over the concrete system model, using SWRL rules from the SERSCIS dependability model

• For example, the rules are : for MissAccountedClientResourceAccess (SWRL rules)• MissAccountedClientResourceAccess(?t)

ClientSpecifiedResource(?a1) affects(?t,?a1) Customer(?t,?a2) affects(?t,?a2) ServiceGroup(?t,?a3) affects(?t,?a3) ClientAuthentication(?c1) protects(?c1, ?a1) AccessControl(?c2) protects(?c2, ?a1) Delegation(?c3) protects(?c3, ?a2) Identification(?c4) protects(?c4, ?a3) BlockedThreat (?t)

39

Subtitle

Threat Vulnerability Classification - Controlling a MissAccountedClientResourceAccess threat

•

40

Subtitle

Main ideas embodied in the SERSCIS Ontology

• Assets, threats and controls are described as OWL classes

• Assets may have associated metrics for presence or absence of threat-induced behaviors

• Threats have a human readable description, impact severity and prior & current likelihood ratings.

• In the following schematic dashed arrows does not represent a conventional OWL relationship but SWRL rules.

• These rules classify threat instances as: Mitigated or Blocked based on the presence of adequate controls.

41

Subtitle

Proof of Concept: Updated core Ontology

42

Subtitle

43

SERSCIS Decision Support Tool Framework – Run Time Dynamic Model

Subtitle

Old version of Decision Support Tool – Dynamic Interface

44

Subtitle

SERSCIS STREAM REASONING PROCESS - Basics

45

Subtitle

SERSCIS STREAM REASONING PROCESS - Basics

• It allows the concrete system model to be continuously updated,

• It reduces the time lag between the evolution of the real system and that of the concrete system model, making it possible to resolve recent and rapid changes in the real system;

• It represents protracted as well as instantaneously observed behaviours in the model by including information over an extended (sliding) time window;

• It allows reasoning algorithms to take account of system changes during the time window, target than only the instantaneous system composition and status.

46

Subtitle

Proposed SERSCIS Stream reasoning

47

Subtitle

Proposed SERSCIS stream reasoning – Behavior Analyzer basic notion

TimeTOBT updates

(QoS)TOBT updates

(QoE)(QoE-QoS)/totalFlights

29/07/2010 00:00 0 0 0.000

29/07/2010 12:50 15 30 0.313

29/07/2010 13:00 19 38 0.396

29/07/2010 15:15 20 40 0.417

29/07/2010 16:05 22 44 0.458

29/07/2010 16:30 25 50 0.521

29/07/2010 17:00 32 64 0.667

29/07/2010 18:25 33 66 0.688

29/07/2010 19:00 38 76 0.792

29/07/2010 19:25 42 84 0.875

29/07/2010 21:50 45 90 0.938

29/07/2010 22:10 48 96 1.000

48

Subtitle

Evolution of QoS and QoE in time

49

Subtitle

Intrusion Detection basics

• We use the Non-Parametric CUSUM test

• Two performance criteria: i). False Alarm Time• ii). Detection Time.

50

n n nZ =a+ξ I(n<m)+(h+η )I(n m)

0( )

1n

N nn

if y Nd y

if y N

1

0

( )

0

max(0, )

n n ny y Z

y

X x

Subtitle

Recent (2012) DST design concepts (Under Constrution)

• Physical asset display

51

Assets

Please select an asset classThreats

Please select an asset

Behaviours

Please select an asset class

UpdateUpdateUp to date

Subtitle

Recent (2012) DST design concepts (Under Constrution)

52

Assets

Please select an asset class

Threats

Please select an asset

Behaviours

Please select an asset class

UpdateUpdate

Subtitle

SERSCIS INNOVATIONS

53

• Semantic system modelling of critical infrastructure ICT including inter- dependency and other risks

• Semantic service dependability models encoded in SLAsemi-automatic management of services against dependability criteria

• Semantic service orchestration models exploiting dependability criteriaautomatic composition of service inter-connections against dependability criteriaautomated re-composition in response to dependability threats

• Dynamic security and trust management to control threat propagation between services

automatic policy updates driven by service dependability management

• Advanced Decision support interface based on semantic system models to assist human operators

•Innovative Stream reasoning technologies for Event Analytics and Behavior Assets Reasoning in conjunction with detection algorithms.

Subtitle

CONCLUSIONS- IMPACT

Airport Collaborative Decision Making – (A-CDM)sharing information between air-traffic control, airports, airlines and airport service providers

allows greater operational efficiency, but also creates interdependencies that need to be managed

SERSCIS will enable improved risk managementgoal is not to enable A-CDM, but to better manage it Introduction of state of the art risk analysis proceduresStream reasoning processes and event processing in risk management

Other applications will be considered (especially Port Community Operations)Expected impact

greater awareness of risks in A-CDM especially from interdependencyanalysis of requirements and application in other sectorsnovel risk management capabilities based on agile SOA especially for managing interdependency and cascading threats

;

54

Subtitle

S E THANK YOU for your attention

Email: tsoulkas.kemea@gmail.com

55