D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange

Recommendations

Info

RDPS crashes [possible] Failure in ADS-B Manage ADS-B signal ADS-B signal Apply MD5 checksum Component Unreliable failure RDPS Loss of ADS-B signal Failure of A/C tracking [possible] provisioning of surveillance data [possible] minor Availability of surveillance data De + Integrity of ADS-B signal Surveillance data ADS-B ADS-B unreliable Loss of radar signal in MRT Radar Insufficient radar maintenance Run fault tolerant MRT Radar De Manage ADS-B signal Manage radar signal Gather aircraft AND Manage surveillance data AND ADS-B Radar signal signal + + Availability of Availability of position ADS-B signal radar signal Attacker Lack of integrity mechanisms Spoofing of Degradation ADS-B signal of A/C [rare] position data [unlikely] Apply MD5 checksum major Integrity of ADS-B signal RDPS AND Availability of surveillance data Run fault tolerant MRT Fig. 4. Change-driven interplay ServiceToAsset-TreatmentToTask. When a new soft goal and a protected service are added to the requirement model, a new asset is created in the risk model as specified by the graph transformation rule newAsset (see Listing 1.1). Hence, the requirement analyst passes the new soft goal and the service protected by the goal to the risk analyst. The risk analyst, then, decides if it is the soft goal, the service or both that are mapped to an asset in the risk model. When the asset is added, the risk analyst identifies possible threat scenarios and estimates the associated risks for the asset. If the level of the identified risks is not acceptable, the risk analyst has to select a set of treatments that reduce the risks to an acceptable level. The identified treatments have to be proposed to the requirement analyst who decides whether to implement them or not based on cost/benefit analysis. Thus, the graph transformation rule transformTreatment (see Listing 1.3) is applied to the SI* model, and thus new tasks representing the treatment proposed by the risk analyst is added to the requirement model. The task is linked by a means-end relation to the soft goal and the protected service mapped to the asset which is threatened by the risk mitigated by the treatment. The tasks that correspond to treatments that the requirement analyst decided not to implement, are deleted from the requirement model. Then, the requirement analyst has to return the list of the treatments selected for implementation to the risk analyst. Then, the risk analyst can remove the threat scenarios mitigated by the treatments from the assumptions on which the risk estimates have been calculated. Example 3. To illustrate the scenario above, we consider as prestate models the SI* and CORAS models illustrated in Figure 2. The change we consider first is the introduction of a new actor, the ADS-B, which is intended to increase the accuracy and availability of the surveillance data. The changes that are handled are highlighted in gray in Figure 4. The ADS-B introduction requires the addition of the goal Manage ADS-B signal and the resource ADS-B signal. Moreover, since the integrity of the ADS-B signal is critical, this security need is specified by introducing a new soft goal Integrity of ADS-B signal. Notice also that because ADS-B signal becomes part of the surveillance data, the soft goal Availability of surveillance data is decomposed into the subgoals Availability
of ADS-B signal and Availability of Radar signal. The introduction of the ADS-B actor may affect the risks due to the introduction of the new soft goals. In particular, the soft goal Integrity of ADS-B signal is mapped to a corresponding asset in the CORAS model for which a risk assessment is conducted. As ADS-B is prone to data spoofing, this issue is addressed and identified as an unacceptable risk with respect to integrity. The treatment Apply MD5 checksum is considered, and leads to the addition of a new task Apply MD5 Checksum fulfilling the soft goal Integrity of ADS-B signal in the SI* model. The new soft goal Availability of ADS-B signal is also mapped to the CORAS model as a new aspect of the more general asset Availability of surveillance data. The risk analyst decides not to decompose this asset with respect to ADS-B and radar when assessing the impact of the ADS-B. A new threat scenario Loss of ADS-B signal is identified, but the overall risks with respect to availability of surveillance data do not increase; rather, the likelihood of the threat scenario Failure of A/C tracking decreases from likely (cf. Figure 2 (b)) to possible. ServiceToTreatment-TreatmentToTask. The interaction between the requirement analyst and the risk analyst can also be triggered when a new service is added to the requirement model. If the service is related to another service which is mapped to an asset in the risk model, and the former service reduces the likelihood or the consequence of a threat scenario damaging the asset, the service can be considered as a potential treatment. By a service related to an asset we mean a goal or a task that consumes the asset or a resource that is part of the asset. The execution of the graph transformation rule potentialTreatment (see Listing 1.2) is triggered and, thus, a potential treatment is suggested to the risk analyst, who evaluates which is the impact of it on the risk profile. The introduction of the treatment might not reduce sufficiently the risk associated with the mitigated threat scenario, and thus the risk analyst decides to not update the risk model with the new treatment; or it can lead to the removal of another treatment because the new treatment reduces the level of risk of a threat scenario which was mitigated by the treatment. In this case, the requirement analyst needs to be informed about the removal of a treatment because it has to remove from the requirement model the task that is mapped to the treatment. Example 4. The ADS-B introduction increases the availability of surveillance data. Thus, the likelihood of the threat scenario Failure of A/C tracking in the CORAS model is reduced. Consequently, the risk analyst determines that the treatment Run fault tolerant MRT is no longer needed and therefore removes it from the CORAS model. This treatment is mapped to the corresponding task in the requirement model since it protects the soft goal Availability of radar data, and hence the more general soft goal Availability of surveillance data. Therefore, the removal of treatment Run fault tolerant MRT in the CORAS model leads to the removal of the mapped task Run fault tolerant MRT. In Figure 4 the removal of elements is indicated by the diagonally striped elements. TreatmentToTask. The interaction between the risk analyst and the requirement analyst is also required when the likelihood or the consequence scale changes or new threats emerge. For example, when a new security incident is reported, the risk analyst has to consider new threat scenarios for the damaged asset, and evaluate the risk associated with them. If the level of risk associated with the new threat scenarios is high,
Page 1 and 2: D.3.3 ALGORITHMS FOR INCREMENTAL RE
Page 3 and 4: 1.14 19 January Final 1.15 23 Janua
Page 5 and 6: Index DOCUMENT INFORMATION 1 DOCUME
Page 7 and 8: 1 Introduction This deliverable pre
Page 9 and 10: (Clause 6.4.3) processes of ISO/IEC
Page 11 and 12: 3 Orchestrating Requirements and Ri
Page 13 and 14: grey. The ADS-B introduction requir
Page 15 and 16: The security risk manager identifie
Page 17 and 18: are supported by the argumentation
Page 19 and 20: ADS-B Manage ADS-B signal ADS-B sig
Page 21 and 22: the stagnation suite (i.e. obsolete
Page 23 and 24: 5 A framework for modeling and reas
Page 25 and 26: sectors. And there is 42% of probab
Page 27 and 28: SDA(C) = {DA 2 , DA 4 , DA 8 , DA 1
Page 29 and 30: application contexts is saved if th
Page 31 and 32: Figure 14. ATM model state after qu
Page 33 and 34: References [1] Yudis Asnar, Fabio M
Page 35 and 36: Managing Changes with Legacy Securi
Page 37 and 38: Failure in the provisioning of corr
Page 39 and 40: propagated to the system designer a
Page 41 and 42: APPENDIX B D.3.3 Algorithms for Inc
Page 43 and 44: is sometimes difficult, especially
Page 45 and 46: Tactical Monitor air R controller t
Page 47 and 48: protected from harm. Since in CORAS
Page 49: CModel. The postcondtion checks the
Page 53 and 54: extensions to i* to model and analy
Page 55 and 56: 3. Bzivin, J., Dup, G., Jouault, F.
Page 57 and 58: APPENDIX C D.3.3 Algorithms for Inc
Page 59 and 60: steps. Section V demonstrates the R
Page 61 and 62: that should be mitigated by the sys
Page 63 and 64: CPU value PINconfirmed(PIN, card-de
Page 65 and 66: TABLE IV PRIORITIZATION OF RISKS FO
Page 67 and 68: context. We believe that the Common
Page 69 and 70: Managing Evolution by Orchestrating
Page 71 and 72: 1.1 The Contribution of this Paper
Page 73 and 74: Fig. 3. Integrated Change Managemen
Page 75 and 76: The requirement analysis is an iter
Page 77 and 78: Table 1. Conceptual Interface Requi
Page 79 and 80: Legend: Goals surrounded by dashed
Page 81 and 82: Table 5. Test Suite for GP-2.2 Tran
Page 83 and 84: 6. P. K. Chittimalli and M. J. Harr
Page 85 and 86: Noname manuscript No. (will be inse
Page 87 and 88: Dealing with Known Unknowns: A Goal
Page 101 and 102:
Dealing with Known Unknowns: A Goal
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Understanding How to Manage Require
Page 115 and 116:
Chatzoglou et al. [4] conducted a s
Page 117 and 118:
Evolution Elicitation Probability E
Page 119 and 120:
Table 2. Participants Background Pa
Page 121 and 122:
for the defined success criteria. O
Page 123 and 124:
Fig. 3. Codes Coverage ATM systems,
Page 125 and 126:
The feedbacks provided by the ATM e
Page 127 and 128:
3. P. Carlshamre, K. Sandahl, M. Li
Page 129 and 130:
Quick fix generation for DSMLs Ábe
Page 131 and 132:
• extensibility: the supported li
Page 133 and 134:
Fig. 7. Overview of the Quick fix g
Page 135 and 136:
Fig. 9. Evaluation results (|V(M I
show all

D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange

Create successful ePaper yourself

Delete template?

Save as template?