How to Analyze Security with Respect to Change
Mass Soldal Lund
19 April 2012
CORAS

Acknowledgments

The research for the contents of this tutorial has partly been funded by the European Commission through the FP7 project SecureChange and the FP7 network of excellence NESSoS.

Overview

- Use of risk analysis techniques to analyze security in systems with change
- Challenges and perspectives on change
- Risk modeling
- CORAS with change
- Example from Air Traffic Management (ATM)

Challenges & Motivation

- Model-driven risk analysis is well suited for analyzing security
- Challenges when change is taken into account
  - Reality changes and evolves
    - The target system and the environment change and evolve over time
    - Security risks change and evolve over time
  - Many risk assessments build on unrealistic assumptions
    - A particular configuration of the target
    - A particular point in time
  - A model-driven approach is helpful to overcome these challenges

Three Perspectives on Change

(Figure: a two-by-two classification of change: planned (proactive) versus unplanned (reactive), and revolution versus evolution, giving the cells planned revolution, unplanned revolution, planned evolution and unplanned evolution. The three perspectives below are placed in this grid.)

1: The maintenance (a posteriori) perspective
2: The before-after (a priori) perspective
3: The continuous evolution perspective

Maintenance Perspective

(Figure: updates take the old target to the current target and the old risks to the current risks; the risk assessor holds the old risk picture and produces the current risk picture.)

Methodological challenges
- Reuse the old risk assessment results
- Avoid having to start from scratch
- Requires
  - Identifying updates to the target
  - Identifying the parts of the risk picture affected by the updates
  - Updating the affected parts of the risk picture

Before-After Perspective

(Figure: planned changes take the current target to the future target; the risk assessor produces a risk picture covering the current risks, the future risks and the risks due to the change process.)

Methodological challenges
- Obtain and present a risk picture for the current risks, the future risks, and the risks to the change
- Requires:
  - Characterizing the target “as-is” and “to-be”
  - Describing the process of change
  - Identifying current and future risks
  - Identifying risks to the change process
  - Providing a risk picture with current risks, future risks and risks to the change process

Continuous Evolution Perspective

(Figure: the target at time t0 evolves into the target at time t1, and so on up to the target at time tn; the risks at t0, t1, ..., tn evolve correspondingly, and the risk assessor produces a risk picture spanning the evolution.)

Methodological challenges
- Identify and present evolving risks in a dynamic risk picture/risk model
- Requires:
  - Generalizing the target to characterize its evolution
  - Identifying the risks affected by evolution
  - Characterizing the evolution of risks
  - Presenting a dynamic risk picture related to the evolution of the target

CORAS – Model-Driven Risk Analysis

- CORAS consists of
  - Method for risk analysis
  - Language for risk modeling
  - Tool for editing diagrams
- Stepwise, structured and systematic process
- Model-driven
  - Models as basis for analysis
  - Models as documentation of results
- Extension for dealing with changes
  - Risk modeling in the before-after perspective

Risk Modeling

- Risk analysis: the process of understanding the nature of risks and determining the risk level
- Risk modeling: techniques for risk identification, documentation and estimation
- Risk model: a structured way of representing the risk picture as unwanted incidents together with their causes and consequences
- The CORAS language is a risk modeling language for
  - Structuring events and scenarios leading to incidents
  - Estimating likelihoods of incidents

CORAS Threat Diagram

(Figure: a generic CORAS threat diagram. A threat, via threat scenarios, leads to an unwanted incident that harms an asset a with consequence c. The vertices v1 to v7 carry likelihoods [P1] to [P7]; the relations r1 to r3 and the arrows labelled Pa to Pf carry likelihood annotations.)

CORAS with Change

- Risk modeling in the before-after perspective
- Explicit traceability from risk model to target model
- Explicit modeling of
  - Risk picture before change
  - Risk picture after change
  - Changes in likelihoods, consequences and risk levels

CORAS Threat Diagram with Change

(Figure: the generic threat diagram annotated for change. Target elements t1, t2 and t3 are marked as before, before-after and after respectively, and the risk elements are traced to them. A risk element that exists only before the change keeps a single likelihood, e.g. v1 [P1]; a before-after element carries a pair, e.g. v3 [P3]/[P3’], the arrow annotations Pb/Pb’, Pc/Pc’, Pd/Pd’ and the consequence c/c’; an element that exists only after the change, e.g. v5 [P5] or v6 [P6], again carries a single value.)

Two Views on CORAS Diagrams with Change

(Figure: the same diagram with change shown as a before view and an after view.)

Air Traffic Management (ATM)

- Aggregation of services provided by Air Traffic Controllers (ATCOs)
- Main responsibility is to maintain horizontal and vertical separation among aircraft and possible obstacles
- Limited interaction with the external world
- Humans at the centre of the decision and work process

Target of Analysis

- Arrival management and the role of air traffic controllers (ATCOs) in the area control centre (ACC)
- Introduction of the Arrival manager (AMAN):
  - Decision support tool for the automation of arrival management
- Introduction of Automatic Dependent Surveillance-Broadcast (ADS-B)
  - GPS-based surveillance technology
  - Aircraft constantly broadcast their position to the ground and to other aircraft

Target of analysis

(Figure: UML class diagram “class ATM” with the following parts; ADS-B is the new element.)
- : FDPS (Flight Data Processing System)
- : Meteostations
- : ADS-B (Automatic Dependent Surveillance-Broadcast)
- : Radar
- : AOIS (Aeronautical Operational Information System)
- : Surveillance
- : ACC network (Area Control Centre network)
- : Technical room[1..*]
- : OPS room[1..*] (operation room, the location of the Air Traffic Controllers (ATCOs))
- : Adjacent ATS unit[*] (adjacent Air Traffic System unit)
- : Aircraft[*]

Assets Identification

- Main concern before changes:
  - Information provision (availability)
- Additional concerns after changes:
  - Information protection (confidentiality)

(Figure: asset diagram. Party: ATM service provider. Assets: Availability of arrival sequences; Availability of aircraft position data; Confidentiality of ATM information.)

Risk Identification and Estimation Using Threat Diagrams

(Figure: threat diagram, before view.)
Threats: ATCO; Technical room.
Vulnerabilities: Lack of awareness; Software error.
Threat scenarios and unwanted incidents, with likelihoods: ATCO fails to comply with arrival management procedures [rare]; The consolidation of data from several radar sources fails [possible]; Creation of false alarms [possible]; Duplication of labels [possible]; Delays in sequence provisioning [possible]; Degradation of aircraft position data [possible].
Target element shown: CWP.
Assets and consequences: Availability of arrival sequences (minor); Availability of aircraft position data (minor).

(Figure: threat diagram, before-after view. A pair [x]/[y] gives the likelihood or consequence before and after the change; a single value marks an element present in only one of the two views. The ADS-B and AMAN related elements are new in the after view.)
Threats: Technical room; ATCO; ADS-B transponder; Attacker.
Vulnerabilities: Software error; Lack of awareness; Dependence on broadcasting.
Threat scenarios and unwanted incidents, with likelihoods: The consolidation of data from several radar sources fails [possible]/[possible]; Creation of false alarms [possible]/[unlikely]; Duplication of labels [possible]/[possible]; ATCO fails to comply with arrival management procedures [rare]; ATCO fails to comply with AMAN sequence [rare]; Delays in sequence provisioning [possible]/[unlikely]; ADS-B transponders not transmitting correct information [likely]; Degradation of aircraft position data [possible]/[possible]; Spoofing of ADS-B data [rare]; Eavesdropping ADS-B communication [certain]; Critical aircraft position data leaks to unauthorised third parties [rare].
Target elements shown: CWP; Surveillance; ADS-B.
Assets and consequences: Availability of arrival sequences (minor/minor); Availability of aircraft position data (minor/minor); Confidentiality of ATM information (major).
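As an added worked example (not part of the tutorial and not CORAS tool code), the following Python encodes the before-after risk picture of the ATM diagram and answers the maintenance-perspective question of which risks an update to the target touches. The incidents, likelihoods and consequences are taken from the diagram; the risk matrix, the “moderate” consequence level and the traceability sets from risks to target elements are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales as used in the ATM diagrams ("moderate" is an assumed
# filler level between the two the diagrams use, minor and major).
LIKELIHOOD = ("rare", "unlikely", "possible", "likely", "certain")
CONSEQUENCE = ("minor", "moderate", "major")
LEVEL = ("low", "medium", "high")

def risk_level(likelihood: str, consequence: str) -> str:
    """Assumed risk matrix: add the two ranks and bucket the sum.
    The tutorial fixes no matrix; any CORAS risk function fits here."""
    score = LIKELIHOOD.index(likelihood) + CONSEQUENCE.index(consequence)
    return "low" if score <= 1 else "medium" if score <= 3 else "high"

@dataclass(frozen=True)
class Risk:
    """One unwanted incident harming one asset. None for `before` or
    `after` means the element exists in only one view (a before-only or
    after-only element of a CORAS diagram with change)."""
    incident: str
    asset: str
    traces_to: frozenset             # target-model elements the risk depends on
    before: Optional[tuple] = None   # (likelihood, consequence) before change
    after: Optional[tuple] = None    # (likelihood, consequence) after change

# Constructed from the before-after diagram; traceability sets are assumed.
RISKS = [
    Risk("Delays in sequence provisioning", "Availability of arrival sequences",
         frozenset({"OPS room", "AMAN"}), ("possible", "minor"), ("unlikely", "minor")),
    Risk("Degradation of aircraft position data", "Availability of aircraft position data",
         frozenset({"Surveillance", "Radar", "ADS-B"}), ("possible", "minor"), ("possible", "minor")),
    Risk("Critical aircraft position data leaks to unauthorised third parties",
         "Confidentiality of ATM information", frozenset({"ADS-B"}), None, ("rare", "major")),
]

def affected_by(risks, changed_targets):
    """Maintenance perspective: only risks traced to an updated target
    element have to be assessed anew; the rest of the picture is reused."""
    return [r.incident for r in risks if r.traces_to & set(changed_targets)]

def before_after(risks):
    """Before-after perspective: risk level in each view plus how it moved."""
    table = {}
    for r in risks:
        lb = risk_level(*r.before) if r.before else None
        la = risk_level(*r.after) if r.after else None
        if lb is None: status = "new"
        elif la is None: status = "removed"
        elif lb == la: status = "unchanged"
        else: status = "increased" if LEVEL.index(la) > LEVEL.index(lb) else "decreased"
        table[r.incident] = (lb, la, status)
    return table
```

`before_after(RISKS)` reports the delay risk as decreased, the degradation risk as unchanged and the confidentiality risk as new, while `affected_by(RISKS, {"ADS-B"})` singles out the two risks that the new surveillance element touches.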

Summary

- For systems that change, the security risks also change and should be analyzed as such
- Only the parts of the risk picture affected by changes should be analyzed anew
- The model-driven approach lends itself to handling the challenges of change
- CORAS supports
  - Traceability of changes from the target system to risk models
  - The explicit modeling of changes to risk