Aerospace and Electronic Systems Magazine November 2017 - 10

Provisioning for a Distributed ATM Security Management: The GAMMA Approach
control, strong authorization). This means an attacker needs more
expertise, better tools, and more time to break through the control.
We therefore identify and consider security controls for threats
with a risk level of medium and high. This is to reduce the risk level to the acceptable level that corresponds to the security objective
of SA. The most feared and critical threat scenarios are with the
risks evaluated as high with low security objectives. These have
high priority in treating them.

SEPCIFYING THE REQUIREMENTS
Following the definition of the reference model, the operational
context and the scope and ATM-wide risk assessments, the requirement specification of the proposed solution is undertaken. This is
to translate the conceptual work into detailed specifications for development of functions defined in the previous section (operational
context). The security prototypes are a major part of the system
elements constituting the architecture. Three steps are considered:
the requirements specification, the definition of key performance
indicators (KPI) and the detailed functional and operational architecture, by taking into account the provisioned security controls.
The KPI are defined to measure the effectiveness of the security
controls implemented in the prototypes.

The first set of requirements is specific to the technical security solution related to each threat scenario. These requirements are fully
linked to the security controls and threat scenarios. The second set of
requirements is generally applied to any system. They should be taken into account when implementing any new system in an integrated
environment. These requirements complement the ones related to any
specific systems. In our study, we identified about 400 requirements
that are reported in GAMMA Deliverable D4.1 [17]. Since the list of
requirements is exhaustive, only a small subset related to information
processing at the national and European levels is listed below.

C
C

EGCC shall correlate and store sanitized information/events
in a repository;
EGCC shall fuse security data received from NGSMPs;
The proposed technical solution shall address the collaborative support by ensuring the provision of incident support
related information, including sanitized data/information to
support the activities of the security stakeholders;
Local security systems shall send information (alarms,
alerts, and monitoring data) to the LGSOC/NGSMP;
NGSMP shall sanitize information before disseminating to
EGCC;
The process to sanitize data/information shall consist of:
identification of the restricted, sensitive and confidential
data/information;
identification of the stakeholders that have access to that
sensitive information/data.

According to the ICAO Manual [18], key performance areas (KPA)
are "a way of categorizing performance subjects related to highlevel ambitions and expectations." ICAO has defined 11 KPAs for
safety, security, environmental impact, cost effectiveness, and so on.
The performance of subjects under study is quantitatively expressed
by means of KPIs. We have also established a set of security KPIs
that provide a measurement of the efficiency of the security controls,
and, in total, 27 KPIs have been identified in GAMMA Deliverable
D2.3 [17]. This set of indicators has been identified by taking into
account each threat scenario analyzed during the security risk assessment and treatment processes. Example KPIs are given below:
C

Sec_KPI_03: Number of denial of service attacks detected in
a defined time frame;
Sec_KPI_07: Number of disrupted data detected in a defined
time frame;
Sec_KPI_17: Number of detected dangerous/undesired aircraft behavior events in a defined time frame;
Sec_KPI_21: Number of unauthorized speakers detected in
a defined time frame.

DESCRIPTION OF THE ARCHITECTURE

REQUIREMENTS

KEY PERFORMANCE INDICATORS

The description of the architecture is supported by a methodology and the architectural framework. The architectural framework
contains standardized views, subviews, templates and guidelines,
meta-models, etc. that facilitate the development of the views of a
system. A view addresses a particular stakeholder concern (or set
of closely related concerns) and specifies the kinds of models to be
used in developing the system architecture to address that concern.
Given the complexity of the ATM system, it requires a clearly defined methodology to describe its architecture using appropriate
models and views. Models are used to have a better representation
of a system at some particular point in time or space intended to
promote understanding of the real system. It provides insight into
one or more of the system's aspects, such as its function, structure,
properties, performance, behavior, or cost. A clear definition of the
architecture using appropriate models also helps to understand any
inconsistencies or problems early during the development lifecycle
that should be resolved by the stakeholders.
The GAMMA architecture is described using the selected enterprise architecture views of the NATO Architecture Framework
(NAF) [19]. To ensure complementarity and reusability, SESAR
and GAMMA both use the MEGA modeling tool [20].
There are a number of steps taken for the development of
the GAMMA architecture. As NAF 3.1 defines more than 40
subviews, the specifics of the GAMMA project allows tailoring
of NAF as the way to determine what architectural views to be
produced. The NAF is tailored based on the well-experienced approach; i.e., modeling management process (MMP). Initially, the
architectural objectives are defined in order to establish the project-specific meta-model by defining a common vocabulary and the
concepts as well as their relationships. These concepts are instan-

IEEE A&E SYSTEMS MAGAZINE

NOVEMBER 2017

Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine November 2017