Aerospace and Electronic Systems Magazine November 2017 - 8

Provisioning for a Distributed ATM Security Management: The GAMMA Approach
control of ATM security. SMP provides the functionality for the
management of security throughout various phases, from prevention to identification of security incidents and the efficient resolution of the resulting incidents. To have a representation of the
overall ATM security context, the other foreseen functionalities
that work as local security functions are specified as below.
C

Information Exchange Gateway (IEG): The IEG is for protecting web services from threats envisaged in the future
ATM system.
SATCOM Security: This is for detecting and providing
countermeasures against the threats to satellite communication (SATCOM).
Information Security System (ISS): ISS is for protecting
data communication at the airport side considering the connections to networks such as PENS (Pan European Network
Services) and ATN (Aeronautical Telecommunication Network).
Secure Air Traffic Control Communication (SACom): SACom is for detecting the intrusion into air-to-ground voice
communication by attackers attempting to give false instructions to aircraft with the intention to disrupt the safe and efficient flow of air traffic [14].
Secure GNSS Communication: This entity serves for detecting GNSS (Global Navigation Satellite System) spoofing or
interference.
Integrated Modular Communications (IMC): The IMC
works as an on-board integrated functional platform offering
off-board communication and on-board network connectivity. As such, IMC is subject to security threats and vulnerabilities [15]. Also, its integral functionality is required to
detect security threats, activate countermeasures, log, and
report the incidents to the SMP.

SCOPE
Establishing the context means defining the bounds of what we
want to analyze. This context establishment sets out the scope of
the security analysis and the criteria that is used to assess the risk,
in order to provide consistent and defensible results and considers:
C

General scope and security boundaries of the ATM at all levels: local, national and European;

Security criteria (C, I, and A);

ATM assets.

Design time identification of vulnerabilities in the specification of
ATM systems and protocols, and mitigation of these, are out of the
scope of this article. We only consider the most feared and critical
run-time attacks in order to make provision for built-in countermeasures.
This study is limited to the EATM (European ATM Master
Plan) architecture specified by SESAR and the essential operational changes defined in the SESAR ATM Master Plan [16].
8

ASSET IDENTIFICATION
The asset identification is performed within the scope defined
above. The activities include:
C

Identification of PA;

Identification of SA and their links to the PA.

Considering that the GAMMA is complementary to SESAR and
covers the SESAR gaps, for context establishment it has been necessary to start from the SESAR context and extend it further. This
approach is used to define the GAMMA PA.
PA are regarded the main resources as the targets of an attack,
which are valuable to the ATM network and its stakeholders. A successful attack would result in damage to the PA assets and have an
impact on the ATM operation. Therefore, we have identified 23 PA
that are categorized as communication and support "services" and
"information" as both are used for safety and operational purposes.
We also identified 121 SA that include communication links, software and hardware systems, infrastructure, personnel, and physical
area. Every SA is linked to the PA that it is supporting. These assets
are reported in GAMMA Deliverable D2.1 [17].

THREAT SCENARIOS
A threat is a combination of an attacker and his/her resources, motivation, and goal, regardless of the existing security measures or
vulnerabilities in the ATM system. The threat is the potential cause
of an unwanted incident which may result in an impact on the ATM
system. In this article, we only focus on intentional, most feared,
and mainly cyber threats to ATM systems and their assets. Therefore, we do not analyze the complete spectrum of threats (e.g.
faults, accidental, natural, criminal, terrorism, or unintentional
misconfiguration of policies), even though some of these threats
may be categorized as intentional threats. The threat scenario is
built as below. As only the SA have vulnerabilities, for each SA:
C

Identify relevant threats;

For each threat, identify the target criteria (C, I, and/or A).

With this data, we build a table combining the threats for every SA,
and with the target criteria, we establish how the PA are impacted.
Only the most relevant threats, according to the scope described
previously, have been selected and applied to the SA. In the study,
we identified 44 threat sources and scenarios that are reported in
GAMMA Deliverable D2.1 [17]. These are ranging from denial of
services, injecting fake instructions, malicious messages and information, jamming signals, spoofing, insider attacks, eavesdropping,
packet injection, denying communication, subverted software, and
so on.

SECURITY RISK ASSESSMENT
For each threat targeting an SA, the impact is assessed according to
the loss or degradation of C, I, and A for every PA. The overall impact is then calculated as the highest of the three impact values of
C, I, and A. We then assess and estimate the likelihood that a threat

IEEE A&E SYSTEMS MAGAZINE

NOVEMBER 2017

Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine November 2017