D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange
grey. The ADS-B introduction requires the addition of the goal Manage ADS-B signal and the resource ADS-B signal. Moreover, since the integrity of the ADS-B signal is critical, a new soft goal Integrity of ADS-B signal is introduced to specify this security need. Notice also that, because the ADS-B signal becomes part of the surveillance data, the soft goal Availability of surveillance data is decomposed into the sub-goals Availability of ADS-B signal and Availability of radar signal. The introduction of the ADS-B actor may affect the risks because of these new soft goals. In particular, the soft goal Integrity of ADS-B signal is mapped to a corresponding asset in the CORAS model, for which a risk assessment is conducted. As ADS-B is prone to data spoofing, this issue is addressed and identified as an unacceptable risk with respect to integrity. The treatment Apply MD5 checksum is considered, and leads to the addition of a new task Apply MD5 checksum fulfilling the soft goal Integrity of ADS-B signal in the SI* model. The new soft goal Availability of ADS-B signal is also mapped to the CORAS model, as a new aspect of the more general asset Availability of surveillance data. The risk analyst decides not to decompose this asset with respect to ADS-B and radar when assessing the impact of the ADS-B. A new threat scenario Loss of ADS-B signal is identified, but the overall risks with respect to availability of surveillance data do not increase; rather, the likelihood of the threat scenario Failure of A/C tracking decreases from likely to possible (see Figure 3 (b)).
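The treatment Apply MD5 checksum deserves a practitioner's caveat, illustrated by the following added example, which is written for this edition and is not code from the SecureChange deliverable or from any ADS-B implementation. A checksum, MD5 included, can be computed by anyone who sees the message, so it detects accidental corruption (the loss and degradation scenarios) but not the threat scenario Spoofing of ADS-B signal: a spoofer simply recomputes the checksum over the forged report. Detecting spoofing needs something the attacker lacks, e.g. a MAC under a secret shared by the ADS-B source and the RDPS, or a digital signature. The 16-byte position report below is a constructed layout, not the real 1090ES ADS-B encoding; the shared key, the `demo()` function and the other names are assumptions for the example.

```python
"""Unkeyed MD5 checksum versus keyed HMAC on a constructed ADS-B-like report."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed, simplified position report (NOT the real 1090ES encoding):
# 24-bit ICAO address, latitude/longitude in microdegrees, altitude in feet.
REPORT = struct.Struct(">I i i i")  # 16 bytes: icao, lat, lon, alt


def encode_report(icao: int, lat_udeg: int, lon_udeg: int, alt_ft: int) -> bytes:
    """Pack one constructed position report."""
    return REPORT.pack(icao, lat_udeg, lon_udeg, alt_ft)


def decode_report(payload: bytes) -> dict:
    """Unpack a constructed position report into its fields."""
    icao, lat, lon, alt = REPORT.unpack(payload)
    return {"icao": icao, "lat_udeg": lat, "lon_udeg": lon, "alt_ft": alt}


# --- The treatment as literally stated in the model: an unkeyed MD5 checksum ---

def md5_frame(payload: bytes) -> bytes:
    """Append a 16-byte MD5 digest. Anyone can compute it, so it only
    detects accidental corruption, not deliberate modification."""
    return payload + hashlib.md5(payload).digest()


def md5_verify(frame: bytes) -> Optional[bytes]:
    """Return the payload if the MD5 tag matches, else None."""
    payload, tag = frame[:-16], frame[-16:]
    return payload if hashlib.md5(payload).digest() == tag else None


# --- What an integrity mechanism against a spoofer needs: a keyed MAC ---------

def hmac_frame(key: bytes, payload: bytes) -> bytes:
    """Append a 32-byte HMAC-SHA256 tag computed under a shared secret key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def hmac_verify(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload if the HMAC tag verifies under key, else None."""
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison so the check does not leak the tag byte by byte
    return payload if hmac.compare_digest(expected, tag) else None


# --- The threat scenario "Spoofing of ADS-B signal" ----------------------------

def spoof_md5(frame: bytes, new_lat_udeg: int, new_lon_udeg: int) -> bytes:
    """Attacker without any key: rewrite the position, recompute the checksum."""
    r = decode_report(frame[:-16])
    forged = encode_report(r["icao"], new_lat_udeg, new_lon_udeg, r["alt_ft"])
    return md5_frame(forged)


def spoof_hmac(frame: bytes, new_lat_udeg: int, new_lon_udeg: int) -> bytes:
    """Same attacker against the MAC'd frame: it can alter the payload, but
    without the key the best it can do is reuse the old tag."""
    r = decode_report(frame[:-32])
    forged = encode_report(r["icao"], new_lat_udeg, new_lon_udeg, r["alt_ft"])
    return forged + frame[-32:]


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Accidental corruption, the case a checksum is actually good for."""
    b = bytearray(frame)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def demo() -> dict:
    """Exercise both protections against corruption and against spoofing."""
    key = os.urandom(32)  # assumed shared between the ADS-B source and the RDPS
    genuine = encode_report(0x4840D6, 52_300_000, 4_760_000, 38_000)  # constructed
    m = md5_frame(genuine)
    h = hmac_frame(key, genuine)
    return {
        "md5_accepts_genuine": md5_verify(m) == genuine,
        "md5_detects_bit_flip": md5_verify(flip_bit(m, 40)) is None,
        "md5_accepts_spoof": md5_verify(spoof_md5(m, 51_000_000, 0)) is not None,
        "hmac_accepts_genuine": hmac_verify(key, h) == genuine,
        "hmac_detects_bit_flip": hmac_verify(key, flip_bit(h, 40)) is None,
        "hmac_rejects_spoof": hmac_verify(key, spoof_hmac(h, 51_000_000, 0)) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows both frames catching the bit flip, while only the HMAC frame rejects the forged report. A MAC does not by itself address replay of genuine reports, nor key distribution to every receiver; each of those would be a further change to the SI* model (a key resource and a goal to manage it), which is exactly the kind of change the SI*/CORAS interplay is meant to track.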
[Figure 4 diagram residue. Recoverable content of the CORAS model: threats Component failure and Attacker; vulnerabilities Unreliable RDPS, ADS-B unreliable, Insufficient radar maintenance and Lack of integrity mechanisms; threat scenarios and unwanted incidents RDPS crashes [possible], Loss of ADS-B signal, Loss of radar signal in MRT, Spoofing of ADS-B signal [rare], Failure of A/C tracking [possible], Degradation of A/C position data [unlikely] and Failure in provisioning of surveillance data [possible]; assets Integrity of ADS-B signal and Availability of surveillance data, with the consequence labels major and minor; treatments Apply MD5 checksum and Run fault tolerant MRT. Recoverable content of the SI* model: actors Radar, ADS-B and RDPS, with De (delegation of execution) relations; goals Manage ADS-B signal, Manage radar signal, Gather aircraft position and Manage surveillance data; soft goals Integrity of ADS-B signal, Availability of ADS-B signal, Availability of surveillance data and Availability of radar signal, connected by AND decompositions and + contributions; resources ADS-B signal, Radar signal and Surveillance data; tasks Apply MD5 checksum and Run fault tolerant MRT.]
Figure 4. Post change SI* and CORAS models<br />
Another possible scenario of change-driven interplay is based on the ServiceToTreatment and TreatmentToTask conceptual mappings. The introduction of a new actor, the ADS-B, increases the availability of surveillance data. Thus, the likelihood of the threat scenario Failure of A/C tracking in the CORAS model is reduced. Consequently, the risk analyst determines that the treatment Run fault tolerant MRT is no longer needed and therefore removes it from the CORAS model.
D.3.3 Algorithms for Incremental Requirements Models Evaluation and Transformation | version 1.19 | page 13/136