Aerospace and Electronic Systems Magazine November 2017 - 19

Asgari et al.
tional architecture and interactions of its components for embedding the defined security controls in the fabric of IMC. To summarize, the security controls for IMC are categorized as below:
C
C

Authenticating users of the IMC;
Controlling access to the resources via access control mechanisms;
Using cryptographic protection to protect the confidentiality
and integrity of assets. This requires the services of a key
manager;
Monitor and control the relevant processes in the IMC.

Risks can be reduced by the monitoring of activities with a view to
identifying activities that are not expected and then take appropriate actions to mitigate emerging risks. In GAMMA, an emulated
IMC prototype with embedded security controls has been designed
and implemented for validation and experimentation purposes.

VALIDATING THE SECURITY SOLUTION
In the course of the GAMMA project, the objectives and acceptance criteria for validation of ATM security prototypes have been
identified and defined. The benchmarks to assess the performance
of the defined security capabilities established through the prototypes have been defined using appropriate KPIs.
Validation activities are carried out following the E-OCVM [10]
developed by SESAR. The validation approach used in GAMMA
is depicted in Figure 7 and divided into three steps. This comprises
validation exercises in: step 1) at prototype level, step 2) at partially
integrated level with combination of prototypes, and step 3) at fully
integrated level for the defined ATM context. This arrangement follows the reference model's hierarchical approach defined at three
levels for managing ATM security as specified in the previous reference model section, i.e. local, national, and European levels.
The first step for validation exercises is focused on the local
security systems verifying and validating the prototypes themselves without any interconnectivity between them. The second
step is directed at the national level validating the applicability of
the local security systems cooperating and communicating at the
NGSMP level. The third step is targeted at the European level by
covering the overall context (LGSOC-NGSMP-EGCC) and how
the devised solutions work together bringing the expected benefits and value proposition defined in the context of the project.
Deliverables D9.1 and D9.2 [17] describe in details the validation
exercises carried out at prototype, partially integrated and fully integrated levels.
After demonstrating the capabilities of each individual prototype in step 1 (Figure 7) and after defining the interoperability
between the prototypes and SMP, variable combinations of prototypes are validated. These steps analyze the combination and
interplay of selected prototypes and the SMP. The objective of the
partially integrated validations is to validate that the information
generated at the local and/or national levels are usable/beneficial
and reliable for designated users and operators. The promulgation
of the local level awareness to the national and European level is
NOVEMBER 2017

Figure 7.

Validation process approach.

shown based on the Concept of Operations (CONOPS) postulated
by the GAMMA project [30].
It should be noted that the validation phase also includes the
other activities related to the development of systems and verification and integration activities and tests. Of high importance for the
success of the validation is the integration of the set of heterogeneous systems within a common validation environment.
An example of the various scenarios that have been prepared
for validation purposes is the one illustrated in Figure 8. This figure shows the process for the SMP prototype and is related to the
dissemination of (sanitized) information from the NGSMP level
to the EGCC level, providing possible countermeasures to local
security systems concerning an ongoing attack.
In this process, a security event is sent from a local security system to the NGSMP and displayed as an alarm by the monitoring
function of the command and control subsystem. The GAMMA operator decides to forward the alarm information to the EGCC. Before forwarding, the operator "sanitizes" the information eliminating
those parts that are not permitted by national dissemination policies.
The sanitized alarm is sent through the IDS module of the NGSMP
to the European level and is displayed via the visualization module
of the SMP instance of the European GAMMA control center.
Furthermore, using the decision support function, the GAMMA operator at the NGSMP level sends to the local security system
a possible countermeasure for the security event.

CONCLUSIONS
This article explained the security management solution proposed
by the GAMMA project for the ATM environment. We performed
a study to identify and prioritize run-time threats to the ATM systems network. Using the SecRAM methodology step-by-step, we
identified possible threats to ATM components, accessed the risk
levels related to these threats, and identified the security controls
to bring the high and medium risk levels down. We analyzed the
requirements and designed the architectural views that have been
used for realizing the GAMMA security solution. A number of
prototypes has been developed and implemented accordingly for
proof of concept validation of the proposed solution and experimentation purposes.

IEEE A&E SYSTEMS MAGAZINE

Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine November 2017