An Intelligent Fault Monitoring and Risk Management Tool for Complex Critical Infrastructures: The SERSCIS Approach in Air-traffic Surface Control
D. Kostopoulos, G. Leventakis 1, 3, V. Tsoulkas and N. Nikitakos
Center for Security Studies (KEMEA) / Ministry of Citizen Protection, Athens, GR
University of the Aegean, Dept. of Shipping Trading and Transport, Samos, GR
Dept. of Information & Communication Systems Engineering, University of the Aegean, Karlovassi, Samos, GR. E-mail: dimkostopoulos and
We provide novel results on the development of an intelligent risk management and threat monitoring visualization tool realized within the EU funded project SERSCIS (Semantically Enhanced, Resilient and Secure Critical Infrastructure Services). After a brief overview of existing risk management methods for CIs, the SERSCIS main objectives, motivation and components, we proceed in describing the highly complex task of the aircraft management process and the adopted risk assessment and evaluation methodology for the implementation of the threat analysis and monitoring solution in the aircraft surface operations sector. In particular our case study and proof-of-concept prototype concentrates on the technical support and information presentation capacity to decision makers and human-in-the-loop operators for optimizing the dynamic and adaptive behavior of the interconnected ICT systems in an Airport Collaborative Decision Making (A-CDM) test case scenario of the European Air Traffic System.

Keywords: fault monitoring, decision support tool (DST), interlinked ICT systems, semantic modeling, SESAR risk methodology, air transport Critical Infrastructures (CIs).
 $ND #:TV$T:N :ver t)e past decade t)e )eav reliance of critical infrastructure operations in various do-ains includin co-ple7 interconnected transportation sste-s see ;13<, ;1=< and aircraft operational net4orks on -odern interconnected CT net4orks ;1<, ;><, )as advanced sinificantl and in an unprecedented 4a t)e level of productivit, efficienc and resources 8 services opti-i'ation. $t t)e sa-e ti-e t)is intensification )as produced ne4 classes of vulnera6ilities ;><, ;1=<, 4)ic) can 6e classified into t)ree 6road cateories0 1.
 Planning and use of ICT systems
 for perfor-ance opti-i'ation under ?nor-al@ operational conditions -akes t)ese sste-s 4eaker to react and respond to ?a6rupt and a6nor-al@ c)anes suc) as accidents or -alicious c6er 9 attacks. 2.
Vulnerability of ICT systems
 -a 6e t)e result of events caused 6p)sical and faultalterations or i-ple-entations or c6er )ackin, or -is-anae-ent leadin to an infor-ation deficit 4)ic) 6 itself disrupts t)e operational functioninand -anae-ent of t)e critical infrastructure. 3.
 Interconnectedness of the ICT systems
 i-plies t)at fault events as -entioned previousloccurrin in a partial su6sste- or co-ponent -a propaate and disrupt t)e nor-al operational conditions of ot)er su6sste-s or net4orks, t)us actin as a vulnera6ilit a-plification sc)e-e, due to stroncouplins. n t)at 4alocal incidents finall -a produce -a5or disruptions in t)e overall critical infrastructure ;2<, ;3<, ;13< and ;1=<.$s it is furt)er analsed in t)e ne7t sections, S"*SCS !Se-anticall "n)anced, *esilient and Secure Critical nfrastructure Services% 6asic oal is to support t)e operation of interlinked net4orks and sste-s of services in CT t)at are used to plan and -anae operational activities in co-ple7 critical infrastructures suc) as airports in con5unction 4it) t)e associated aircraft operations.
II. SERSCIS BASIC ARCHITECTURE AND OBJECTIVES

It is a well-known fact that failures, or underperformance of any of the interlinked information and communication subsystems due to faults, cyber-threats or mismanagement actions, severely compromise and degrade the capabilities of businesses to plan and optimize resource usage, maintenance of acceptable efficiency levels or sustainable provision of data and information needed by other parties. Moreover these ICT-induced vulnerabilities often are difficult if not impossible to detect and analyse since they are produced and originate from interacting and strongly or weakly coupled infrastructure components. Within the SERSCIS framework efforts are concentrated in the development of service-oriented applications (SOA) to create, monitor and manage ICT systems allowing dynamic adaptation to manage time varying operational situations as well as to counteract the risk propagation and amplification effects of interconnected sub-networks caused by malicious or unwanted events, [2], [11] and [12]. The key concept is the possibility to manage risks and interdependencies by adapting the ICT composition in response to events. Stated differently, in this context management actions are related with the transmission and sending of controlling input signals to the ICT components of the critical infrastructure when the monitoring data streams indicate so. The SERSCIS framework monitors the CI using a common Web service management interface to manage the dynamic composition of services and resources, see references [2], [3] and [4]. In Fig. 1 SERSCIS framework interactions with the critical infrastructures and human-in-the-loop operators are presented schematically.
[Figure 1: block diagram. Labels: Critical ICT + Infrastructure; SERSCIS-assisted operator; Monitoring; Control; Automated management; Management by humans; SERSCIS Framework; Policy Change]

Figure 1. SERSCIS interactions with CIs and Operators
Given the above, an ontology has been developed for semantic modeling and machine reasoning to analyse CI requirements and vulnerabilities, as well as a fault management and security risk assessment tool based on this reasoning. The developed ontology captures knowledge about the behavior of service oriented systems (SOA) and service composition based on semantic web technologies. Furthermore it captures knowledge of the addressed critical infrastructure in the air-traffic management domain which is further elaborated in the sequel. This knowledge includes: roles and access rights of personnel and organizations, associated communications and social interactions, working practices, as well as behavior of actions of illegal and unauthorized groups. Thus the developed semantics based solution addresses the problem of reliable and automatic or semi-automatic support of human-in-the-loop operators in decision-making and real time risk monitoring of mission critical infrastructures dependent heavily on ICT interconnected networks.
III. FAULT RISK ASSESSMENT & MANAGEMENT AND THE AIR TRAFFIC CONTROL APPLICATION DOMAIN
Best practices in risk assessment & management 
In this subsection we review some of the existing best practices approaches in IT policy and risk management which have been considered during the design and implementation phase of the fault monitoring support tool. The complexity and criticality of existing critical infrastructures with the associated ICT components and networks, and with the new strict governmental regulations adopted on local and international level, are making Risk Management methods and ICT Best Practices a strategic imperative. Especially in a multi-stakeholder service oriented environment the adoption of a well defined risk methodology that will sufficiently guarantee and ensure continuous service provision and operation is of paramount importance and priority. Special efforts have resulted in the creation of well established generic policy tools, frameworks and standards such as the ISO 27001 risk assessment standard. On a policy level COBIT [16] is such a framework allowing decision makers to implement well defined and transparent policies and measures of ICT good practices and governance guidelines. Similarly an open Risk Management framework, MAGERIT version 2, has been released by the Ministerio De Administraciones Publicas (Spanish Ministry for Public Administrations) [15] to create awareness of Risk Management and assessment for IT systems and to offer a systematic tool to analyse associated risks. It is generally admitted that despite its vital importance ICT security and risk management, especially for highly complex architectures, remains an open problem. The complexity of existing and new hardware and software components, the hybrid structure (continuous/discrete and static/dynamic sub-networks) as well as the interlinked and heterogeneous nature of ICT stakeholder networks create serious obstacles for full observation and control even by the owner organisations adopting relevant approaches.

The common thread of most of the existing and well established risk analysis techniques for decision making is of empirical, qualitative or semi-heuristic and automated nature, comprised of three basic common stages: 1. Risk Assessment, 2. Risk Analysis and Decision Making, 3. Remediation Planning and execution of measures.
The air-traffic control application domain and the Airport Collaborative Decision Making initiative (A-CDM)
The European Air Traffic System is facing a constantly increasing load of air traffic and the Single European Sky initiative platform of the European Commission expects the number of flights to double until the year 2020, [4], [9]. Moreover the aviation enterprise is basically information-bound. Management of aircraft sequencing, either in the air or on the surface, requires access to large volumes of highly dynamic, fast-changing information related to aircraft locations, movements and intentions, airport surface constraints and, under many circumstances, weather data. To the previous must be added the information about the needs and desires of airport users, aircraft operators and other resource and business service providers. The task of acquiring, managing, interpreting, updating and distributing the needed information is highly complex. At the same time there is an upper conservative bound on the airspace capacity and so the only sustainable and viable approach is the introduction of optimization tools and procedures on the usage of all available resources. One such approach which we briefly describe is the Eurocontrol initiative called Collaborative Decision Making (CDM). The basic ingredient is based on a pre-processed take-off time of an aircraft sequencing at the airport of departure, allowing planning of arrivals and departures, so that airport processes and facilities can be allocated appropriately. The associated operational data exchange between airports, air navigation service providers (ANSPs) and Eurocontrol's CFMU imposes serious challenges in terms of threat risk management and monitoring due to heavy reliance on ICT technologies. This is addressed by the adoption of the Airport Collaborative Decision Making approach which deals with intense information sharing among the various stakeholders such as: the airport, the airlines, the ground handling agencies and the ANSP. Furthermore an implementation guideline for A-CDM is a 16 milestones sequencing approach describing a complete flight of the aircraft which is provided in Fig. 2.
iure . $8CD# -ilestone seEuence approac)
t is 6eond t)e scope of t)is article to analse furt)er t)is seEuence procedure. e onl stress t)e fact t)at failure or under perfor-ance of t)e interconnected CT sste-s 4ill seriousl co-pro-ise t)e overall capacit and a6ilitof involved airports to function properl and to sustain an accepta6le level of Eualit of service !oS% or even to provide accurate aircraft -ove-ent esti-ates to t)e 4ider "uropean air traffic -anae-ent sste-s, ;< and ;1<. it)in t)e S"*SCS fra-e4ork a series of failure scenarios )ave 6een investiated due to faults on t)e CT sste-s and state of t)e art fault -onitorin and assess-ent as 4ell as visuali'ation tec)niEues )ave 6een i-ple-ented as it is s)o4n in t)e follo4in sections.
The %%A' method
Due to their criticality, Air Traffic Control systems as part of national and international infrastructures have been the subject of intense regulations and the establishment of minimum stringent standards including the need for reliable risk management methods. The SESAR ATM Preliminary Security Risk Assessment Method is a well defined and mature approach and is compatible with the Eurocontrol Security Risk Management Toolkit as well as with ISO 27005 [?]. A similar qualitative framework but in a more general context is well presented in [9], [1], while a brief account of risk assessment tools is given in [1]. The basic step elements are:

- Identification of most important assets and further classification into primary assets and supporting (secondary) assets
- Threat identification targeting the primary and supporting assets
- Establishment of a risk evaluated classification of threat scenarios targeting these assets
- Establishment of a decision making process for objectives achievement to address security risks.
The first step, which is also used in the SERSCIS approach, basically involves the definition and population of a square matrix which is comprised of a set of three criteria: Confidentiality (C), Integrity (I), Availability (A), directly related with each pre-identified primary asset. An associated (scale 1 to 5) Level of Identification is introduced taking into account the relevant level of importance in terms of C, I, A for each primary asset. Computation of Integrity and Availability levels for each primary asset allows the convenient insertion of the final values in a square matrix form in which for each primary asset there is an associated discrete indicator for C, I and A. Then the final evaluation matrix is formed and the final output is a Risk Level column vector. A typical risk level calculation is presented in Table 1.

Table 1. Risk level evaluation matrix
[Table 1: Risk Level Evaluation, Impact rows against Likelihood columns; of the cell values only L and M entries are recoverable from the extracted page]

The SESAR method requires the selection between four types of response, typical of any generic risk management method: acceptance: recognise the threat as a risk, but one that is so unlikely and/or low impact that it can be tolerated; reduction: attempt to reduce the likelihood of the threat by introducing extra controls into the system; avoidance: reduce the impact of the threat by dropping the threatened infrastructure objectives or changing the way the infrastructure implements those objectives so the threat no longer applies; transfer: allocate responsibility for managing the risk to another party, who is better able to deal with it; see references [?], [9], [11], [12] for analytical presentations.
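As an added worked example (not code from the paper or the SERSCIS project), the following Python script carries the SESAR-style evaluation described above through on constructed data: primary assets with C, I, A importance levels on the 1 to 5 scale, threat scenarios with a likelihood on the same scale, and a Risk Level column vector as output. Because Table 1 does not survive extraction, the rule for deriving impact (the highest affected C/I/A level), the L/M/H thresholds and the pairing of each band with candidate responses are assumptions of this example; the asset and scenario names are constructed.

```python
"""SESAR-style risk level evaluation, as an added example (not SERSCIS project code).

Assumptions of this example (the paper's Table 1 is not recoverable):
  * C, I, A importance levels and threat likelihood are integers on a 1..5 scale;
  * the impact of a threat scenario is the highest importance level among the
    C/I/A properties of the targeted asset that the scenario affects;
  * impact * likelihood is banded into L / M / H with the thresholds below;
  * each band is paired with candidate response types from the text, as input
    for the decision maker, not as a rule of the method.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PrimaryAsset:
    name: str
    confidentiality: int  # 1..5
    integrity: int        # 1..5
    availability: int     # 1..5


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset: str                 # name of the targeted primary asset
    affects: Tuple[str, ...]   # subset of ("C", "I", "A")
    likelihood: int            # 1..5


def _check_level(value: int, label: str) -> int:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be on the 1..5 scale, got {value}")
    return value


def cia_matrix(assets: List[PrimaryAsset]) -> Dict[str, Dict[str, int]]:
    """Square-matrix form: one row per primary asset, a discrete C, I and A indicator each."""
    return {
        a.name: {
            "C": _check_level(a.confidentiality, f"{a.name} C"),
            "I": _check_level(a.integrity, f"{a.name} I"),
            "A": _check_level(a.availability, f"{a.name} A"),
        }
        for a in assets
    }


def impact_of(scenario: ThreatScenario, matrix: Dict[str, Dict[str, int]]) -> int:
    """Assumed rule: impact = highest importance level among the affected properties."""
    if not scenario.affects:
        raise ValueError(f"{scenario.name} affects no C/I/A property")
    row = matrix[scenario.asset]
    return max(row[prop] for prop in scenario.affects)


def risk_level(impact: int, likelihood: int) -> str:
    """Assumed banding of the impact x likelihood cell into L / M / H."""
    score = _check_level(impact, "impact") * _check_level(likelihood, "likelihood")
    if score >= 15:
        return "H"
    if score >= 6:
        return "M"
    return "L"


# Candidate responses per band (assumption; the method leaves the choice to the decision maker).
RESPONSE_CANDIDATES = {
    "L": ("acceptance",),
    "M": ("reduction", "transfer"),
    "H": ("reduction", "avoidance", "transfer"),
}


def evaluate(assets, scenarios) -> List[Tuple[str, int, int, str]]:
    """Evaluation matrix rows (scenario, impact, likelihood, risk level)."""
    matrix = cia_matrix(assets)
    rows = []
    for s in scenarios:
        imp = impact_of(s, matrix)
        rows.append((s.name, imp, s.likelihood, risk_level(imp, s.likelihood)))
    return rows


def risk_vector(assets, scenarios) -> List[str]:
    """The Risk Level column vector: last column of the evaluation matrix."""
    return [row[3] for row in evaluate(assets, scenarios)]


# Constructed sample data in the A-CDM turnaround setting (not from the paper).
SAMPLE_ASSETS = [
    PrimaryAsset("take-off time estimate feed", confidentiality=2, integrity=5, availability=5),
    PrimaryAsset("ground handler resource plan", confidentiality=2, integrity=3, availability=3),
]
SAMPLE_SCENARIOS = [
    ThreatScenario("stale or corrupted take-off estimates", "take-off time estimate feed", ("I",), likelihood=3),
    ThreatScenario("ground handler planning outage", "ground handler resource plan", ("A",), likelihood=2),
    ThreatScenario("disclosure of handler schedule", "ground handler resource plan", ("C",), likelihood=2),
]

if __name__ == "__main__":
    for name, imp, lik, level in evaluate(SAMPLE_ASSETS, SAMPLE_SCENARIOS):
        print(f"{name:40s} impact={imp} likelihood={lik} risk={level} "
              f"candidates={', '.join(RESPONSE_CANDIDATES[level])}")
```

Running the script prints one evaluation row per scenario; with the constructed inputs the risk vector is H, M, L. The thresholds live in one function so that a team can replace them with its own Table 1 without touching the rest of the evaluation.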
IV. THE SERSCIS TEST CASE CHALLENGES AND THE SERSCIS APPROACH
The %'CI% test case challenges
Following the previous analysis, although comprehensive, the method is not well fitted for dynamically composed configurations since the key steps involve:

- of asset importance,
- path analysis between primary and secondary assets
- threat identification and assessment of attack success given the security applied controls and
- on appropriate counter-actions for each threat.

The first and last steps require full business knowledge while the others are presented as manual processes based on subjective expert analysis and which are difficult to automate. As A-CDM interconnects highly safe and secure systems, such as air-traffic management systems, airlines, Europe's Control Flow Management (CFMU), and less safe and secure systems such as the resource planning of a ground handler, it is evident that security, safety and availability on the network level are of utmost importance in achieving reliable common situational awareness. Failure propagation from one system to another must be avoided and systems need to be isolated in case of event failures or security breaches. The SERSCIS set-up focuses on the process of “turning round” an aircraft from the time point it arrives “in block” to the time point it “taxis out” for final take-off, see also [11], [12]. A serious challenge that is addressed is a survivability strategy of A-CDM for accurate predictability of aircraft surface operations. The effect of faulty systems needs to be mitigated through redundancy and reconfiguration. Thus the developed decision and monitoring tool is provided to the decision manager, helping him to take the optimal counter-actions in a given safety or security breach scenario. The key performance indicators and parameters which are addressed and dealt with in the SERSCIS SLA (Service Level Agreement) architecture are:

- System availability
- Data quality and integrity
- Data timeliness
The %'%CI% approach
In this subsection we briefly overview the approach taken in SERSCIS, see also [2], [11], [12]. This is designed to exploit semantic system models to enable the use of machine reasoning to support the end user in making and implementing decisions at run-time. This translates into:

- creating a semantic model of the system based on the available monitoring data and using it to reason about the security status of the system.
- presenting information from this model to the user, to help them understand and address security risks.
iure . (roof of concept decision support fra-e4ork
The tools developed support machine-assisted design time system modelling, allowing its structure and properties to be described before the actual system is created by dynamic run-time composition. This model is called an abstract system model since it describes the structure of the system but not its actual composition. The SERSCIS decision support framework, which is given schematically in Fig. 3, then constructs a concrete system model representing a snapshot of the running system, based on monitoring data and semantic reasoning over the abstract system model. Avoiding further analysis which would be beyond the scope of this work, we mention that two separate reasoning processes are taking place: 1. Semantic reasoning for potential threat classification based on whether these are addressed by the controls present in the running system; 2. Bayesian inference for likelihood estimation that each threat is currently being carried out.
 Presentation to the user
Within SERSCIS the user is presented with three types of information: 1. What are the system vulnerabilities, or what threats is the system unable to manage; 2. What is the current likelihood probability each threat is being carried out; 3. What is the threat impact on the Airport CI. Moreover that is classified into three classes:

- Blocked threat: if an attacker should carry out the threat (intentionally or otherwise), the system has controls that will prevent the attack from succeeding.
- Mitigated threat: when the attacker carries out the threat, the attack cannot be prevented, but the system controls provide a response that will counteract its effect on the targeted asset.
- Vulnerability: meaning the system does not have any means to prevent the attack or counteract its effects on the targeted system asset.
V. SERSCIS FAULT RISK MONITORING AND DST USER INTERFACE

Figure 4. SERSCIS DST, as a risk classifier of threats.
The objectives of the monitoring and decision support tool are basically four.

1. Risk Classification (low, medium, high according to their potential impact, and blocked, mitigated, vulnerabilities depending on how well they are addressed by controls)
2. Periodic assessment (the DST refreshes the model in a periodic fashion and dynamically reduces the involved risk factors)
3. Threat explanations (the DST provides explanation of threats, which is very helpful to the operator in the loop for understanding the system and taking appropriate actions)
4. Propositions (the DST allows the operator to revert to past model versions when required, allowing the user to make “what-if” tests on his model by adding controls and comparing the results with the original model).

So the fault monitoring DST tool provides continuous feedback and suggests new control actions that can be useful, while it provides the capability to test their effect in “what-if” scenarios. Fig. 4 provides a comprehensive screenshot view of the tool functionalities. Notice that the user is presented with the three vulnerability classifications: the good ones are to the left (blocked and mitigated threats) and the most troubling threats (vulnerabilities) are on the right.
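The two reasoning steps of the SERSCIS approach described above (classification of each threat against the controls present in the running system, and a likelihood estimate from monitoring data), the three presented classes (blocked, mitigated, vulnerability) and the “what-if” use of the DST can be illustrated with the following added Python example. It is not the SERSCIS DST code (that is a Java/OWL tool with a reasoner); the threats, controls, monitoring indicators and probabilities are constructed, and the naive-Bayes style update is this example's own simplification of the Bayesian inference the paper mentions.

```python
"""Threat classification and likelihood estimation in the style of the SERSCIS DST,
as an added example (not the project's Java/OWL code).

Constructed inputs: threats, the controls that block or mitigate them, and
monitoring indicators with assumed detection probabilities. The likelihood
update is a naive-Bayes simplification (indicators treated as conditionally
independent given the threat state) of the Bayesian inference the paper mentions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    prevented_by: FrozenSet[str]   # controls that stop the attack from succeeding
    mitigated_by: FrozenSet[str]   # controls that counteract its effect on the asset
    prior: float                   # P(threat in progress) before looking at monitoring data
    # indicator name -> (P(indicator seen | threat active), P(indicator seen | not active))
    indicators: Dict[str, Tuple[float, float]]


def classify(threat: Threat, present_controls: FrozenSet[str]) -> str:
    """Semantic step: blocked / mitigated / vulnerability, from the controls present."""
    if threat.prevented_by & present_controls:
        return "blocked"
    if threat.mitigated_by & present_controls:
        return "mitigated"
    return "vulnerability"


def likelihood(threat: Threat, observed: Dict[str, bool]) -> float:
    """Bayesian step: posterior P(threat active | observed indicators).
    Indicators absent from `observed` count as not seen."""
    p_active, p_inactive = threat.prior, 1.0 - threat.prior
    for ind, (p_if_active, p_if_inactive) in threat.indicators.items():
        seen = observed.get(ind, False)
        p_active *= p_if_active if seen else 1.0 - p_if_active
        p_inactive *= p_if_inactive if seen else 1.0 - p_if_inactive
    return p_active / (p_active + p_inactive)


def assess(threats, present_controls, observed) -> Dict[str, Tuple[str, float]]:
    """What the DST presents per threat: its class and its current likelihood."""
    return {t.name: (classify(t, present_controls), round(likelihood(t, observed), 3))
            for t in threats}


def what_if(threats, present_controls, observed, added_control: str) -> Dict[str, Tuple[str, str]]:
    """Objective 4 ('Propositions'): re-run the classification with one extra control
    and report the threats whose class changed; the original model is left untouched."""
    before = assess(threats, present_controls, observed)
    after = assess(threats, present_controls | {added_control}, observed)
    return {name: (before[name][0], after[name][0])
            for name in before if before[name][0] != after[name][0]}


# Constructed sample model in the A-CDM setting (not from the paper).
SAMPLE_THREATS = [
    Threat(
        "spoofed aircraft position update",
        prevented_by=frozenset({"message authentication"}),
        mitigated_by=frozenset({"cross-check with surface radar"}),
        prior=0.05,
        indicators={"position jump alarm": (0.8, 0.05), "unexpected source address": (0.6, 0.02)},
    ),
    Threat(
        "A-CDM data feed outage",
        prevented_by=frozenset(),
        mitigated_by=frozenset({"redundant feed"}),
        prior=0.10,
        indicators={"feed heartbeat missed": (0.9, 0.1)},
    ),
]
SAMPLE_CONTROLS = frozenset({"cross-check with surface radar"})
# Constructed monitoring snapshot: one alarm raised, one heartbeat missed.
SAMPLE_OBSERVED = {"position jump alarm": True, "feed heartbeat missed": True}

if __name__ == "__main__":
    for name, (cls, p) in assess(SAMPLE_THREATS, SAMPLE_CONTROLS, SAMPLE_OBSERVED).items():
        print(f"{name:35s} {cls:13s} likelihood={p}")
    print("what-if add 'redundant feed':",
          what_if(SAMPLE_THREATS, SAMPLE_CONTROLS, SAMPLE_OBSERVED, "redundant feed"))
```

With the constructed snapshot the position spoofing threat is reported as mitigated (the radar cross-check is present) with a posterior of about 0.26, while the feed outage is a vulnerability at 0.5; the what-if call shows that adding the redundant feed turns the outage into a mitigated threat without altering the stored model, which is the comparison the DST offers the operator.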
iure . S"*SCS DST, as a risk classifier of t)reats.
The core semantic language is OWL, the Web Ontology Language, meaning that the models in the DST must be in OWL format. The version of the OWL language is OWL2. The support tool is built on JAVA 1.6 and SWT 3.73. Most web semantic projects are built on JAVA and this is the main reason JAVA is used in the SERSCIS DST. The reasoner has a great role in the DST. The reasoner used is Hermit 1.3.5. Through the project other reasoners were used as well (Jess (6), Pellet (7)) but they proved unable to handle real and large volumes of data. Though Hermit so far manages well with the data volume, a new reasoner is designed in order to adapt reasoning to the Bayes inference used in the SERSCIS approach, [5], [6] and [7]. Conclusively, semantic models have proved very useful in the application area of security and risk management of Air Traffic CIs. The SERSCIS tool made this fact clear, especially to the end users and CI security decision makers.
iure . S"*SCS DST, as a risk classifier of t)reats.iure . S"*SCS DST, as a risk classifier of t)reats.
VI. CONCLUSIONS

A description of the ongoing development efforts for the implementation of an innovative fault monitoring and risk management tool for the security and situational awareness of Critical Infrastructures in the aviation domain has been presented. Existing risk management and risk assessment ICT