Proof of concept integration of design modelling
Contents
1. [Screenshot residue not reproduced: Papyrus context menu with the entries Show Properties View, Target, Objective Security Level Scale, Vulnerability, Threat, Package, Risk, Risk Management.] Secure CHANGE D4.4 Proof of concept integration of design modelling solution, version 1.1, page 24/59. Give a name to the scale you have created: go to the Properties tab at the bottom of the application and, in the Value field of the Name property, type the name of the security criterion you want to describe, for example Confidentiality. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the Resource Set tree shows Model > Package > Breach Strength Scale By Security Criterion next to the loaded ATM_model.uml and the UML library, profile and metamodel resources.]
2. ...security objective will contribute to the following risk management effect kinds: Detection, Protection, Response, Recovery. To create an instance of a Security Objective Effect Kind, right-click on a Package, select New Child, then select Security Objective Effect Kind. In the Properties tab at the bottom of the application, fill in the values of the Security Objective Effect Kind properties. The meaning of each value is described below:
• Name: a name, for example O1.
• Detection: select true if the security objective contributes to detection of the threat.
• Protection: select true if the security objective contributes to protection of the target.
• Recovery: select true if the security objective contributes to recovery of essential elements and/or targets.
• Response: select true if the security objective contributes to response to the threat.
As a 3rd step, the system security risk manager must verify how the security objectives cover the risks. As a 4th step, the system security risk manager verifies the coherence between the objective security level of the Security Objective and the targeted objective security level defined in the Risk Management of the risk it applies to.
4.3.10 Activity n°9: Definition of the security requirements. The purpose of this activity is to determine how to achieve the security object
3. [Table fragment, tail of the damage cost example table: Image column entries include Professional, Mass media and "Strong measures must accompany media campaign"; Health/safety column entries include "Secondary effects or light" (rest unreadable), "Serious injuries" and "Threat to human life"; Budget thresholds include < 25 000 000 and < 500 000; the other cells are unreadable.] For each scale, create now the steps of the scale: right-click on the Damage Cost Scale By Stake you created, select New Child, then select Damage Cost Scale By Stake Step. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the tree shows Damage Cost Scale By Stake Type: Safety (aka Human life) with the steps Safety/Human Life: Not applicable, Low, Medium, and further steps cut off.]
4. [Screenshot: Properties view of an Essential Element: Name "TCC computes the Sequence"; Represented Element: Activity "TCC computes the Sequence"; Supporting Element empty.] In the Properties tab at the bottom of the application, fill in the values of the Essential Element properties. The meaning of each value is described below:
• Description: a description, if needed.
• Name: a name, for example TCC computes the Sequence.
• Represented Element: the Activity of the Papyrus model corresponding to the activity TCC computes the Sequence. This activity appears in the combo box only if the Papyrus model has been correctly loaded, as shown in 4.3.1.3 Initialisation of a study.
• Supporting Element: filled in at Activity n°3, Determination of the Targets; contains the list of the targets which support the Essential Element.
4.3.3 Activity n°2: Analysis of the damage scenarios. This activity requires the involvement of the system acquirer. It consists of imagining damage scenarios which could occur to the system and hurt it. A damage scenario is a composed vector of vectors binding several security metrics, such as the breach strength conditions and the damage cost of a security breach situation. The system acquirer can create the damage scenario, write a short description of it, set the vector of the stake types and evaluate the damage cost according to the damage co
5. [Screenshot: Papyrus outline with the New Child context menu of a Package in ATM_risk_analysis.riskanalysis. The menu lists the Security DSML element types: Threat Probability Scale and Step, Severity Scale and Step, Opportunity Scale and Step, Risk Management Scale and Step, Objective Security Level Scale and Step, Breach Strength Scale By Security Criterion and Step, Damage Cost Scale By Stake Type and Step, Vulnerability Scale and Step, Damage, Essential Element, Target, Vulnerability, Threat, Agent, Risk, Risk Management, Security Requirement, Security Objective, Security Solution, Risk Level, Risk Reduction, Security Objective Effect Kind. The remaining entries (Undo, Redo, Cut, Copy, Delete, Validate, Control, Run As, Debug As, Profile As, Team, Compare With, Replace With, Load Resource, Refresh, Show Properties View) are standard Eclipse/EMF editor commands.]
6. To create an instance of Risk Management strategy, right-click on a Package, select New Child, then select Risk Management strategy (shown as Risk Management Scale in the tool). The Risk Management strategy lists the different risk management strategies, numbered from 0 to 4. Typically it is a predefined array of Booleans showing which management strategy will be applied to the risk:
• Acceptable
• Reduction
• Transfer
• Unacceptable
Create now the steps of the scale: right-click on the Risk Management strategy you created, select New Child, then select Risk Management strategy Step. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the tree shows Risk Management Scale with the steps Risk Management: Not Applicable, Acceptable, Reduction, and further steps cut off.]
7. [Screenshot: Properties view with Name = Confidentiality.] Create as many scales as the number of security criteria you want to describe.
4.3.1.2.2 Definition of the Breach strength scale by security criterion. The Breach strength scale by security criterion is an array defining, on a 5-level scale from 0 (not relevant) to 4 (high), the value of a characteristic breach for each of the security criteria. The scale might be set after the analysis of the needs through the different business departments of the organization, which will highlight the most relevant damages. For example:
Value | Availability                   | Confidentiality                          | Integrity
0     | Not relevant                   | Not relevant                             | Not relevant
1     | Less than 5 seconds disruption | Data is kept confidential                | Integrity is guaranteed
2     | 1 to 59 minutes disruption     | Data is divulged within the organisation | Data is lightly and partially lost
3     | 1 hour to 23 hours disruption  | Data is divulged among partners          | 6 hours of data definitively lost
4     | 1 day or more disruption       | Data is made public                      | Data is totally lost
For each scale, create now the steps of the scale. Click
8. ...Opportunity High, overall risk level High. Damage: Failure in the provisioning of correct or optimal arrival information. Threat: ATCO mistake. Activity: PLC detects a need for a change in the Sequence; TCC computes the Sequence.
• B16: Failure in the provisioning of correct or optimal arrival information due to non-compliance of ATCO with procedures. Severity High, Opportunity Low, overall risk level before management Medium. Damage: Failure in the provisioning of correct or optimal arrival information. Threat: Non-compliance of ATCO with procedures. Activity: PLC detects a need for a change in the Sequence; TCC computes the Sequence.
• B13: Tactical Controller (TCC) becomes unavailable during the arrival management process due to his/her physical or mental condition. Severity Critical, Opportunity Low, overall risk level before management High. Damage: Loss of information provisioning to/from ATCOs. Threat: TCC unavailability. Activity: TCC computes the Sequence.
• A12: TCC fails to provide arrival information to all relevant recipients simultaneously due to communication overload (radio with A/C, voice with PLC). Severity Critical, Opportunity High, overall risk level before management Critical. Damage: Loss of information provisioning to/from ATCOs. Threat: TCC overload. Activity: TCC computes the Sequence.
• B18: ATCO fails to manually update the system, which leads to the provisioni
9. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the tree shows Objective Security Level Scale with the steps Objective Security Level: Not Applicable, Low, Medium, High, Critical. Properties view of the Critical step: Meaning "Severity is Critical, Opportunity is Medium or higher"; Name "Objective Security Level Critical"; Value 4.] In the Properties tab at the bottom of the application, fill in the values of the Objective Security Level Scale Step properties, for example:
• Value: 4
• Name: Critical
• Meaning: Severity is critical, Opportunity is medium or higher
4.3.1.2.10 Definition of the Risk Management strategy
10. ...thus representing the link between the two models, as described in the section above.
• The prototype of the DSML was produced using EMF code generation facilities.
• The tool was completed by plugging the DSML and Papyrus UML together.
As a result, the Security DSML is an update site for the Papyrus UML Eclipse product. The installation of these tools is described in the next chapter.
3 Installation. This chapter describes the installation steps for the prototype. First install Papyrus UML (the current version number is not given in this excerpt). Then download the Security DSML update site as a zip file into a repository of your choice, for example D:\Programs\PapyrusDSML\Update site DSML. Then update your Papyrus installation with the Security DSML update site: run the Papyrus .exe file to launch Papyrus and, in the Help menu, click Install New Software. [Screenshot: Papyrus Help menu with Help Contents, Search, Dynamic Help, Key Assist (Ctrl+Shift+L), Tips and Tricks, Cheat Sheets, Check for Updates, Install New Software, About Papyrus.] An Install window appears. Uncheck the "Group items by category" box. Click on the Add button and browse for the repository of the Se
11. [Screenshot residue: Properties view value "Availability Critical".] ...you need.
4.3.1.2.3 Definition of the stake types vector. The stake types vector constitutes a reduced list of the stakes relevant for the organization and the context. The damage costs will be evaluated according to these stakes. For example, for an organization, the stakes can be budget, image, health, safety. To create an instance of Damage Cost scale by stake type, right-click on a Package, select New Child, then select Damage Cost Scale by Stake Type. Give a name to the scale you have created: go to the Properties tab at the bottom of the application and, in the Value field of the Name property, type the name of the stake you want to describe, for example Safety (aka Human life). Create as many scales as the number of stakes you want to describe.
4.3.1.2.4 Definition of the damage cost scale by stake type. The Damage Cost scale by stake type is an array expressing, on a 5-level scale from 0 (not relevant) to 4 (high), the value of a damage according to one of the stakes. After the analysis of the needs through the different business departments of the organization, arbitration should be done in order to harmonize the scales of each component of the stake vector. For example:
Cost of the | Budget       | Image        | Health/safety
0           | Not relevant | Not relevant | Not relevant
1           | < 1 000      | (remaining cells cut off)
12. [Screenshot residue: Eclipse edit menu (Undo Set, Redo, Copy, Paste, Delete, Validate, Control) and the loaded UML metamodel resources.] In the Properties tab at the bottom of the application, fill in the values of the Breach Strength Scale Step properties, for example:
• Value: 4
• Name: Critical
• Meaning: Classified information
[Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the tree shows Breach Strength Scale By Security Criterion: Confidentiality with the step Breach Strength Scale Step: Critical, next to the loaded ATM_model.uml and the UML library, profile and metamodel resources.]
13. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the tree lists the vulnerabilities High coordination workload, Non-compliance of ATCO with procedures (partly unreadable), "Stress, concentration problems, health conditions, etc." and "Lack of routines for avoiding multitasking". Properties view of the selected vulnerability: Description "ATCOs are constrained to a high coordination workload between the parallel tasks which they need to accomplish"; Name "High coordination workload"; Vulnerability Scale Step "Vulnerability High".] ...Child and then select Vulnerability. In the Properties tab at the bottom of the application, fill in the values of the Vulnerability properties. The meaning of each value is described below
14. ...the targets on which this security solution applies.
• Description: a description, if needed.
• Doors component PUID: enables the Product UID of the component, as defined in DOORS, to be imported.
• Name: a name, for example RBAC.
• Related ISO Theme: a reference to a section of ISO 27002 can be entered here.
• Represented Element: select the instance of the Papyrus model represented by this security solution. These instances can be activities of an activity diagram, components of a component diagram, etc.
• Security Level: if needed, this field tags the target with a security level which indicates a confinement zone.
• Security Solution Cost: an estimated cost of the security solution.
As a 2nd step, after the Security Solution has been created, go back to the related Security Requirement, click on the Security Solution field and select the corresponding Security Solution of the Security Requirement (refer to Activity 9, Definition of the security requirements). As a 3rd step, the system security risk manager enters the new value of the risk after the implementation of the security solution: for the risk covered by the security solution, create a new instance of a Risk Level as described in the 2nd step of Activity 6, Definition of the risks, and give it a name such as:
• Name: a name, for example A12
15. ...after management MEDIUM.
5 Example
5.1.1 Activities modelling with Papyrus. Activity diagrams are used under Papyrus to describe the activities of the ATM scenario accomplished by the different roles of Air Traffic Controllers, such as the Tactical Controller (TCC) and the Planning Controller (PLC). After the introduction of the Arrival Manager (AMAN) automatic computation engine, two roles are added: the AMAN and the Sequence Manager (SQM). Before the introduction of the AMAN the activities are the following:
• PLC monitors the traffic: PLC monitors traffic on his/her Controller Working Position.
• PLC detects the need for a change in the Sequence, by means of the following sub-activities performed in parallel: Read Radar Tracks, Read A/C Data, Apply Separation Criteria (1). PLC detects the need for a change in the Sequence.
• PLC asks for a Sequence Modification: after having detected the need for a change in the Sequence, PLC asks TCC for a Sequence modification.
• TCC computes the Sequence, by means of the following sub-activities performed in parallel: Read Radar Tracks, Read A/C Data, Apply Separation Criteria. TCC computes the aircraft sequence.
• TCC modifies the Sequence.
(1) Separation criteria shall be applied by Air Traffic Controllers in order to guarantee a safe separation of the aircraft in a sequence of arrivals. (2) Sepa
16. ...and analyses the risks at business and service level. He updates the risk model, which annotates the system model. In order to cover the risks he defines new security objectives and security requirements and propagates these requirements to the requirements models. NB: in our model the concepts of the requirements are included in the risk model, and the propagation between the risk model and the requirements model is automated, as shown in the detailed sequence diagram below. At the third step, the requirements engineer gets the requirements and assesses them. Once the requirements are accepted, the System Engineer, at the fourth step, translates them into solutions and models the Logical architecture and the Physical architecture. Like the system engineer, the security engineer, at the fifth step, translates the security requirements into solutions and changes the Logical architecture and the Physical architecture in order to show the security measures to be implemented. The sixth step is the overall mitigation and assessment of the system model by the system architect. In fact, the risk analysis must also be conducted on the Logical architecture and the Physical architecture, since these layers bring new details on the solutions to be implemented and therefore on the vulnerabilities brought by these solutions. The sequence diagram belo
17. 4.3.1.2.9 Definition of the objective security level scale. To create an instance of Objective security level scale, right-click on a Package, select New Child, then select Objective Security Level Scale. The objective security level scale scores the level of security that is targeted on a given perimeter. The security level scale is defined from 0 to 4, where:
• 0 means not relevant
• 1 is low
• 2 is medium
• 3 is high
• 4 is critical
[Figure: the severity scale and the opportunity scale projected onto the objective security level scale.] The two dimensions of severity and opportunity used for risk quantification are projected onto a single dimension called the objective security level. A rule is chosen at the beginning of the study for the correspondence between a (severity, opportunity) vector and its corresponding security level. Create now the steps of the scale: right-click on the Objective Security Level Scale you created, select New Child, then select Objective Security Level Step. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis, Resource Set tree; residue cut off.]
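A worked example of the projection described above, added here and not part of the deliverable or of the Security DSML: the 0-4 scales of section 4.3.1.2 as Python enumerations and a rule mapping a (severity, opportunity) vector to an objective security level. The deliverable leaves the rule to each study, so the rule below is an assumption; it is chosen so that it reproduces every pair the deliverable does give (the Critical step meaning "Severity is critical, Opportunity is medium or higher", and the before-management levels of risks B16, B13 and A12 in the ATM example), and it comes with the sanity check a study should run on whatever rule it picks, namely that raising severity or opportunity never lowers the level.

```python
"""Objective security level projection (added example; the rule is an assumption, see lead-in)."""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):           # severity scale, 4.3.1.2.7
    NOT_RELEVANT = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class Opportunity(IntEnum):        # opportunity scale, 4.3.1.2.8
    NOT_RELEVANT = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    IMMINENT = 4


class ObjectiveSecurityLevel(IntEnum):   # objective security level scale, 4.3.1.2.9
    NOT_RELEVANT = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


def objective_security_level(severity, opportunity):
    """Assumed projection rule: a risk with a not-relevant severity or opportunity is
    not relevant; an opportunity of Medium or higher keeps the level equal to the
    severity; a Low opportunity lowers it by one step but never below Low."""
    if severity == Severity.NOT_RELEVANT or opportunity == Opportunity.NOT_RELEVANT:
        return ObjectiveSecurityLevel.NOT_RELEVANT
    if opportunity >= Opportunity.MEDIUM:
        return ObjectiveSecurityLevel(int(severity))
    return ObjectiveSecurityLevel(max(int(severity) - 1, 1))


def projection_table():
    """The full (severity, opportunity) -> level correspondence a study fixes up front."""
    return {(s, o): objective_security_level(s, o) for s in Severity for o in Opportunity}


def is_monotonic(table):
    """Raising severity or opportunity must never lower the level; any sane rule passes this."""
    for (s, o), level in table.items():
        for (s2, o2), level2 in table.items():
            if s2 >= s and o2 >= o and level2 < level:
                return False
    return True


@dataclass(frozen=True)
class RiskLevel:
    """Risk Level element: Severity risk level, Opportunity risk level, derived Risk level."""
    name: str
    severity: Severity
    opportunity: Opportunity

    @property
    def level(self):
        return objective_security_level(self.severity, self.opportunity)


# Before-management values quoted in the deliverable's ATM example (B16, B13, A12).
ATM_RISKS_BEFORE_MANAGEMENT = [
    RiskLevel("B16", Severity.HIGH, Opportunity.LOW),       # deliverable: Medium
    RiskLevel("B13", Severity.CRITICAL, Opportunity.LOW),   # deliverable: High
    RiskLevel("A12", Severity.CRITICAL, Opportunity.HIGH),  # deliverable: Critical
]


def step_meanings():
    """Derive the Meaning text of each Objective Security Level Step from the rule, as the
    list of (severity/opportunity) pairs that land on it."""
    pairs = {level: [] for level in ObjectiveSecurityLevel}
    for (s, o), level in projection_table().items():
        pairs[level].append(s.name.replace("_", " ").title() + "/" + o.name.replace("_", " ").title())
    return {level: ", ".join(names) for level, names in pairs.items()}


if __name__ == "__main__":
    assert is_monotonic(projection_table())
    for risk in ATM_RISKS_BEFORE_MANAGEMENT:
        print(risk.name, risk.severity.name, risk.opportunity.name, "->", risk.level.name)
    for level, meaning in step_meanings().items():
        print(f"Value {int(level)} {level.name.replace('_', ' ').title():13s} Meaning: {meaning}")
```

The step_meanings output is the text a risk manager would paste into the Meaning field of each Objective Security Level Step, so the rule chosen at the start of the study and the scale steps entered in the tool cannot drift apart.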
18. ...of the Integrated Process that is presented in deliverable D2.2. Whereas deliverable D2.2 explains the wider integration of design, testing, verification, risk assessment and requirements engineering, we focus here on design, risk assessment and requirements engineering. The sequence diagram below presents a simplified version of the process. It is inspired by the sequence diagram "Figure 11 Sample Change Story" of D2.2. The main difference consists in the introduction of human actors who analyze and manually change the models, whereas the sequence described in D2.2 propagates the changes between the models automatically.
[Figure 5: Simplified sequence diagram of the security engineering process. Lifelines: System Architect, System Model, Risk Manager, Risk Model, Requirements Model, Requirements Engineer, System Engineer, Security Engineer. Messages, in order: changes; analyses; changes; proposes security requirements to [word unreadable] risks; assesses; gets; refines the model and proposes solutions; gets security requirements; mitigates and assesses.]
In the figure above, at the first step the system architect starts modelling the business architecture and the system overall architecture, for example a Service Oriented Architecture. The risk manager, at the second step, gets the model started by the System Architect
19. ...this field tags the target with a security level which indicates a confinement zone.
• Represented Element: select the instance of the Papyrus model represented by this target. These instances can be activities of an activity diagram, components of a component diagram, etc.
• Name: a name, for example TCC computes the sequence.
• Doors component PUID: enables the Product UID of the component, as defined in DOORS, to be imported.
• Description: a description, if needed.
As a 2nd step, when all targets have been created, the system security risk manager can link each essential element to the targets which support it: refer to Activity 1, Identifying Essential Elements, and fill in the Supporting Element field of the Essential Element properties.
4.3.5 Activity n°4: Determination of the vulnerabilities. This activity consists in assigning vulnerabilities to the previously identified targets. This step is optional. As a 1st step, the system security risk manager can perform the vulnerability analysis: he describes the relevant vulnerabilities and the target they apply to. As a 2nd step, the system security risk manager can perform the vulnerability assessment: he assesses the vulnerability level of each vulnerability. To create an instance of a Vulnerability, right-click on a Package and select New
20. ...to an opportunity scale.
• Threat operator: the agent of the threat.
Risk. A risk is the possibility that a particular threat will adversely impact an element of the system architecture by exploiting a particular vulnerability. Properties:
• Risk level before management: the risk level when the risk is evaluated but not yet managed.
• Risk level after management: the risk level once the risk has been managed through security requirements and security solutions.
Risk level. A risk level stores the values of the risk according to the dimensions described by its properties. Properties:
• Severity risk level: an evaluation of the severity of the risk according to a severity scale.
• Opportunity risk level: an evaluation of the opportunity of the risk according to an opportunity scale.
• Risk level: an evaluation of the overall risk level according to an objective security level scale.
Risk management. A risk management stores the targeted values of the risk according to the dimensions described by its properties. Properties:
• Objective security level: an evaluation of the targeted overall risk level according to an objective security level scale.
• Strategy: the strategy adopted for the risk management, i.e. acceptance, reduction, transfer or non-acceptance of the risk.
Security objective. A security objective is an expression of the intention to counter ide
21. [Screenshot: Properties view of a Severity Scale Step: Meaning "over 1 000 000"; Name "Severity Critical"; Value 4.] In the Properties tab at the bottom of the application, fill in the values of the Severity Scale Step properties, for example:
• Value: 4
• Name: Critical
• Meaning: Over 1 000 000
4.3.1.2.8 Definition of the opportunity scale. To create an instance of Opportunity scale, right-click on a Package, select New Child, then select Opportunity Scale. The opportunity scale is an array defining the value of the chances for a risk to occur. The opportunity scale is defined from 0 to 4, where:
• 0 means not relevant
• 1 is low
• 2 is medium
• 3 is high
• 4 is imminent
The system security risk manager can qualify the meaning of this scale according to the context of the study, for example Low meaning one time per year, or 1/1 000 000, etc. Create now the steps of the scale: right-click on the Opportunity scale you created, select New Child, then select Opportunity Scale Step. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; residue cut off.]
22. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the tree shows Risk Management B17. Properties view: Name "B17"; Objective Security Level "Objective Security Level Step: Medium"; Strategy "Risk Management Scale Step: ..." (cut off).] In the Properties tab at the bottom of the application, fill in the values of the Risk Management properties. The meaning of each value is described below:
• Name: a name, for example B17 Risk Management.
• Objective Security Level: select the Objective Security Level Step corresponding to the adequate value on the scale.
• Strategy: select the Risk Management strategy step corresponding to the adequate management strategy.
After the Risk Management has been created, go back to the related Risk, click on the Risk Management field and select the corresponding Risk Management of the risk (refer to Activity 6, Definition of the risks). As a 3rd step, the system security risk manager can create a confinement zone: for each target of the confinement zone he sets the security level to the objective security level that is targeted for the confinement zone. Refer to Acti
23. [Screenshot: Papyrus, ATM_risk_analysis.riskanalysis; the tree lists the threats ATCO mistake, Non-compliance of ATCO with procedures, TCC unavailability, ATCO fails to manually update the system. Properties view of the selected threat: Name "TCC overloaded"; Occurrence Probability "Threat Probability Scale Step: Threat Probability High"; Target Perimeter "Target: TCC computes the Sequence"; Threat Breach Strength "Breach Strength Scale Step: Availability Critical, Breach Strength Scale Step: Integrity High"; Threat Operator empty.] In the Properties tab at the bottom of the application, fill in the values of the Threat properties. The meaning of each value is described below:
• Description: a description, if needed.
• Name: a name, for example TCC overload.
• Occurrence Probability: select the Threat Probability Scale Step corresponding to the adequate value.
• Target Perimeter: select the list of the targets to which the threat applies.
• Threat Breach Strength: for each relevant Security Criterion, select the Breach Strength Scale Step corresponding to the adequate value on the scale.
• Threat Operator: if needed, select the agent of the Threat.
24. [Screenshot: Properties view of a Damage Cost Scale By Stake Step: Meaning "Serious injuries"; Name "Safety Human Life Medium"; Value 2.] In the Properties tab at the bottom of the application, fill in the values of the Damage Cost Scale By Stake Step properties, for example:
• Value: 2
• Name: Medium
• Meaning: Serious injuries
4.3.1.2.5 Definition of the vulnerability scale. To create an instance of Vulnerability scale, right-click on a Package, select New Child, then select Vulnerability Scale. The vulnerability scale is an array defining the value of the weakness of a target together with the ease of exploiting it. The vulnerability scale is defined from 0 to 4, where:
• 0 means not relevant
• 1 is low
• 2 is medium
• 3 is high
• 4 is critical
The system security risk manager can qualify the meaning of this scale according to the context of the study, for example Low meaning hardened with a complete checklist and cryptographic means, etc. Create now the steps of the scale: right-click on the Vulnerability scale you created, select New Child, then select Vulnerability Scale Step.
25. [Screenshot: Windows desktop with the Papyrus window open on ATM_model.di2 and ATM_risk_analysis.riskanalysis.]

In order to link your security concepts to the model elements of the model developed under Papyrus, you need to load the System Model Resources into your Risk analysis study. Go to the root of the risk analysis tree, right-click on it and select Load Resource. The Load Resource box appears. Select Browse Workspace and select the .uml model you have created with the Papyrus software.

[Screenshot: Papyrus Risk Analysis editor with the Load Resource dialog (Resource URIs; Browse File System; Browse Workspace) open on the workspace tree of project ATM: ATM_model.di2, ATM_model.uml, ATM_risk_analysis.riskanalysis.]

4.3.1.2 Definition of security metrics and their scale

The following metrics shall then be set at the beginning of e
26. [Screenshot: Properties view of a Security Requirement: Cost For System = 0; Cost Per Target = 0; Description = (empty); Doors Requirement PUID = (empty); Name = "Req 01 O1 A12"; Required Level = Objective Security Level Step "Objective Security Level Medium"; Security Solution = (empty); Specified Objective = Security Objective "O2 B18".]

In the Properties tab at the bottom of your application, fill the values of the Security Requirement properties. The meaning of each value is described below:
- Specified Objective: select the Security Objective which is refined by this security requirement.
- Security Solution: this field will be filled after the security solution of this security requirement has been defined, at Activity 10 (Definition of the Security Solutions).
- Required Level: this field should be set to the same value as the Objective Security Level field of the corresponding Security Objective.
- Name: a name, for example "Req 01 O1 A12".
- Doors Requirement PUID: this field enables importing the PUID of the requirement as defined in DOORS.
- Description: a description, if needed.
- Cost per Target: this field enables adding an estimated cost per target.
- Cost for System: this field enables adding an estimated cost for the entire system.
27. Secure CHANGE
SEVENTH FRAMEWORK PROGRAMME

D4.4 Proof of concept integration of design modelling solution

Edith Felix, Olivier Delande (THA), Karmel Bekoutou (UNITN)

Document information
Document Number: D4.4
Document Title: Framework for integrated documentation of system and assessment results
Version / Status: Final Draft
Work Package: WP 4
Deliverable Type: Prototype
Contractual Date of Delivery: 31 January 2011
Actual Date of Delivery: 28 January 2011
Responsible Unit: Thales (THA)
Contributors: UNITN
Keyword List: system design, Risk Analysis, Security Requirements
Dissemination level: PUBLIC

D4.4 Proof of concept integration of design modelling solution, version 1.1, page 1/59

Document change record
Version | Date | Status | Author Unit | Description
0.1 | 06/12/10 | Draft | Thales | First draft version, incomplete
 | 23/12/10 | Draft | Thales | Second draft version after 50% review
 | 31/12/10 | Draft | Thales | First complete version after 50% review
 | 28/01/11 | Final | Thales | Final version after 100% review

Executive Summary

This document describes the D4.4 prototype and presents the Proof of concept integration of design modelling solution. The main purpose of this prototype is to implement a solution for the design modelling solutions developed in the cont
28. To create an instance of a Security Objective, right-click on a Package, select New Child and then select Security Objective.

[Screenshot: Papyrus Risk Analysis editor. The model tree lists Security Objectives "O1 B13", "O1 B16", "O1 B17", "O1 A12" and "O2 B18". The Properties view of Security Objective "O1 A12" shows: Covered Risk = Risk "A12"; Description = "The Sequence shall be computed automatically by an Arrival Manager system"; Effect = Security Objective Effect Kind "O1"; Name = "O1 A12"; Objective Security Level = Objective Security Level Step "Objective Security Level Medium".]

In the Properties tab at the bottom of your application, fill the values of the Security Objective properties. The meani
29. [Screenshot: Properties view of a Breach Strength Scale Step: Meaning = "Classified information"; Name = "Critical".]

At the end, you have created a Breach Strength Scale for each of the Security Criteria.

[Screenshot: Papyrus Risk Analysis editor. Under the Package, the model tree shows a Breach Strength Scale By Security Criterion for Confidentiality, for Integrity and for Availability, each containing the Breach Strength Scale Steps Not Applicable, Low, Medium, High and Critical.]
30. To create an instance of a Security Solution, right-click on a Package, select New Child and then select Security Solution.

[Screenshot: Papyrus Risk Analysis editor. The model tree shows Security Solution "RBAC pattern". Its Properties view lists the properties Applying Targets, Description, Doors Component PUID, Name ("RBAC pattern"), Related ISO Theme, Represented Element, Security Level (Objective Security Level Step "Objective Security Level Medium") and Security Solution Cost (0); the Target "TCC computes the Sequence" appears as the applying target.]

In the Properties tab at the bottom of your application, fill the values of the Security Solution properties. The meaning of each value is described below:
- Applying Targets: select the
31. [Screenshot: Properties view of Risk "A12": Damage = Damage "Loss of information provisioning to/from ATCOs"; Description = "TCC fails to provide arrival information to all relevant recipients simultaneously due to communication overload (radi..." (truncated); Name = "A12"; Risk Level After Management = (empty); Risk Level Before Management = Risk Level "A12 before management CRITICAL"; Threat = Threat "TCC overloaded".]

In the Properties tab at the bottom of your application, fill the values of the Risk properties. The meaning of each value is described below:
- Damage: select the damage to which the risk corresponds.
- Description: a description, if needed.
- Name: a name, for example "A12".
- Risk Level After Management: this field is filled at the end of the risk analysis, when countermeasures or security solutions have been added to cover the risk.
- Risk Level Before Management: this field is filled in the next step.
- Threat: select the threat to which the risk corresponds.
- Risk Management: this field is filled during Activity 7 (Definition of the Confinement Zone).

As a second step, the system security risk manager can perform the risk assessment. He will set the risk opportunity before management according to the related threat probability value, and he will set the risk seve
32. ach study. Re-use of metrics shall be performed from one study to the other. The metrics to be set are the following:
- Security criteria vector: the security criteria used for the study, i.e. at least confidentiality, availability and integrity.
- Breach strength scale by security criterion: a scale to evaluate the strength of a threat and the misbehaviour, in terms of security criteria, caused by the threat on the system.
- Stake types vector: this defines the types of stakes on which the impact of the damages is evaluated.
- Damage Cost scale by stake type: a scale to evaluate the impact of the damage per stake type.
- Vulnerability scale: a scale to evaluate the level of vulnerability of a target.
- Threat probability scale: a scale to evaluate the opportunity of the occurrence of a threat.
- Severity scale: a scale to evaluate the severity of a risk.
- Opportunity scale: a scale to evaluate the opportunity of a risk.
- Objective security level scale: a scale to express the targeted security level of a risk.
- Risk Management strategy: an expression of the security management strategy adopted, in terms of acceptance, reduction, transfer or non-acceptance of the risk.

4.3.1.2.1 Definition of the security criteria vector

Relevant security criteria for the study are selected and arranged in a security criteria vector. The Security criteria vecto
33. [Screenshot fragment: model tree entry Damage Cost Scale Step "Business High".]

In the Properties tab at the bottom of your application, fill the values of the Damage properties. The meaning of each value is described below:
- Stake: for each relevant stake, select a Damage Cost Scale By Stake Step corresponding to the adequate value on the scale.
- Name: a name, for example "Loss of information provisioning from/to ATCOs".
- Impacted Element: select the list of essential elements impacted by this damage.
- Description: a description, if needed.
- Damage Total Cost: select a Severity Scale Step corresponding to the adequate value.

4.3.4 Activity n°3: Determination of the targets

[Screenshot: Papyrus Risk Analysis editor. The model tree under the Packages lists Target instances, starting with Target "PLC monitors the traffic".]
34. an array defining the severity of a risk if it occurs. The severity scale is defined from 0 to 4, where:
- 0 means not relevant
- 1 is low
- 2 is medium
- 3 is high
- 4 is critical

The system security risk manager can qualify the meaning of this scale according to the context of the study, for example Low meaning "a light degradation of the service without much impact on the organization", etc.

Create now the steps of the scale: right-click on the Severity scale you created, select New Child and then select Severity Scale Step.

[Screenshot: Papyrus Risk Analysis editor. The model tree shows the Severity Scale with Severity Scale Steps "Severity Not applicable", "Severity Low", "Severity Medium" and further steps (truncated).]
35. [Screenshot: Papyrus Risk Analysis editor. The model tree shows the Opportunity Scale with Opportunity Scale Steps "Opportunity Not applicable", "Opportunity Low", "Opportunity Medium", "Opportunity High" and "Opportunity Critical". The Properties view of the selected step shows: Meaning = "Every month"; Name = "Opportunity High"; Value = 3.]

In the Properties tab at the bottom of your application, fill the values of the Opportunity Scale Step properties, for example:
- Value: 3
- Name: High
- Meaning: Every month
36. [Screenshot: Papyrus Risk Analysis editor. The model tree shows the Threat Probability Scale with Threat Probability Scale Steps "Threat Probability Not Applicable", "Threat Probability Low", "Threat Probability Medium", "Threat Probability High" and "Threat Probability Critical". The Properties view of the selected step shows: Meaning = "Every month"; Name = "Threat Probability High".]

In the Properties tab at the bottom of your application, fill the values of the Threat Probability Scale Step properties, for example:
- Value: 3
- Name: High
- Meaning: Every month

4.3.1.2.7 Definition of the severity scale

To create an instance of Severity scale, right-click on a Package, select New Child and then select Severity scale. The severity scale is
37. curity DSML update site.

[Screenshot: Papyrus Install window (Available Software) with the Add Site dialog: Name = "Security DSML Local"; Location = a local file path to the PapyrusDSML update site archive. Options shown: Show only the latest versions of available software; Hide items that are already installed; Group items by category; Contact all update sites during install to find required software.]

3. Click on OK. The name of the Risk Analysis update site appears on the main frame of the Install window. Check the box corresponding to the new update site. Click Finish to install the update site. The Security DSML update site is now installed under the name Riskanalysis.

[Screenshot: Papyrus Installation Details window.]
38. [Screenshot: Papyrus Risk Analysis editor. The model tree shows the Vulnerability Scale with Vulnerability Scale Steps "Vulnerability Not applicable", "Vulnerability Low", "Vulnerability Medium", "Vulnerability High" and "Vulnerability Critical". The Properties view of the selected step shows: Meaning = "Costs more than 10 000 to penetrate"; Name = "Vulnerability Low"; Value = 1.]

In t
39. e a first version of the end user security requirements is produced. Security damages are analysed and reported. This should help define the main constraints of the business architecture through a trade-off analysis balancing other functional and non-functional constraints.

At Service oriented stage, security damages are refined according to the related system functions. A functional and non-functional analysis for security is performed, whose output is a first service oriented architecture for security.

At logical stage, a complete logical risk analysis is performed, leading to a first identification of security objectives and security requirements in order to cover these risks.

At physical stage, a new risk analysis is performed, completing the set of the security objectives and security requirements. Consolidation of the whole risk management strategy is needed.

A new version of the architecture is reviewed for each stage with additional security solutions. This version is submitted to a new trade-off analysis to balance other functional and non-functional constraints.

[Figure: Architecture Framework example; Security Engineering process.]
Figure 4: Architecture framework and security engineering process

1.4.2 Towards Secure Change Integrated Process

The process described in this section can be understood as a variation
40. ecture the essential elements that need protection. These essential elements define the scope for the system security analysis.

As a first step, the system security risk manager references elements from the system design, for example an activity diagram. To create an instance of an Essential element, right-click on a Package, select New Child and then select Essential Element.

[Screenshot: Papyrus Risk Analysis editor. The model tree lists Essential Elements: "PLC monitors the traffic"; "PLC detects a need for a change in the Sequence"; "PLC asks for a Sequence modification"; "TCC computes the Sequence"; "TCC modifies the Sequence".]
41. [Screenshot: Papyrus Risk Analysis editor. The model tree lists Risk Levels: "... before management HIGH" (name truncated), "B16 before management MEDIUM", "B13 before management HIGH", "A12 before management CRITICAL", "B18 before management MEDIUM". The Properties view of Risk Level "A12 before management CRITICAL" shows: Name = "A12 before management CRITICAL"; Opportunity Risk Level = Opportunity Scale Step "Opportunity High"; Risk Level = Objective Security Level Step "Objective Security Level Critical"; Severity Risk Level = Severity Scale Step "Severity Critical".]

In the Properties tab at the bottom of your application, fill the values of the Risk Level properties. The meaning of each value is described below:
- Name: a name, for example "A12 before management CRITICAL".
- Risk Level: select an Objective Security Level Step corresponding to the adequate value on the scale.
- Opportunity Level: select an Opportunity Level Step corresponding to the adequate value on the scale.
- Severity Level: select a Severity Level Step corresponding to the adequate value on the scale.

4.3.8 Activity n°7: Definition of the confinement zone

At this stage of the study, system security risk managers have a list of valuated risks. They should now define a risk management strategy and confinement zones that set an acceptable risk level for the zone. A confinement zone enables the system
42. escribed below:
- Description: a description, if needed.
- Name: a name, for example "TCC computes the sequence".
- Value: select a Vulnerability Scale Step corresponding to the adequate value.

4.3.6 Activity n°5: Analysis of the threats

The activity consists in analysing the threats and their targets. As a first step, the system security risk manager can perform the threat analysis. He will describe the relevant threats and the targets to which they apply. Threat types are associated with a breach strength, which is valued for each security criterion according to the breach strength scale. As a second step, the system security risk manager can start the threat assessment. He will review the threat probability associated with the threat type and modify it according to the context, if necessary.

To create an instance of a Threat, right-click on a Package, select New Child and then select Threat.

[Screenshot: Papyrus Risk Analysis editor with ATM_model.di2 and ATM_risk_analysis.riskanalysis open; the Resource Set shows the loaded resources (the risk analysis, ATM_model.uml and the UML library and profile pathmaps).]
43. ext of the Secure Change project, that is to say solutions for security requirements management for long life systems. The focus has been put on the integration of a modelling solution with speciality engineering tooling for security, which enables defining and assessing the security requirements which must be implemented on the system. Through this prototype, the full Secure Change chain can be demonstrated with a complete tooling which covers system design, risk analysis and security requirements management.

Since this prototype has been implemented by Thales for industry purposes, the choice of the tooling selected concerns only the technologies needed for the integration of security engineering with the system/software engineering mainstream. For intellectual property reasons, the prototype does not present the Thales engineering workbench. Since the concepts, methods and principles applicable for security and developed in the context of Secure Change are universal, the integration with a design modelling tool can very well be demonstrated on an Open Source modelling tool supporting UML 2. The choice has been made to use Papyrus UML.

The prototype presents Security DSML, a Domain Specific Modelling Language which captures the security concepts of a risk analysis and enables annotating a model design. The purpose of Security DSML is to provide tools to conduct a risk analysis when designing a system. The outputs of the risk analysis are the security requireme
44. [Screenshot: Papyrus model editor showing the activity diagram "Monitoring and Modifying the Sequence Before AMAN" with the Properties view.]

When you click on the Risk analysis tab, the menus change to show the Risk analysis ones. See figure below.

4.2 Model design with Papyrus

Please refer to the Papyrus User Guide [6].

4.3 Risk management with Security DSML

Please refer to the overall Risk management methodology, paragraph 1.2. For a better understanding of the Risk management methodology, please refer to the EBIOS methodology [2].

4.3.1 Preparation step

The objective of this step is to define, or to select if it already pre-exists, a referential of security metrics and scales.

4.3.1.1 Initialisation of a study

The first preparation step is to initialize a study that will link all the data used to go through the security engineering process for one given system at a given time of its lifecycle. To create the instances of the risk analysis concepts, you can organise them in separate Packages. To create a Package, right-click on the initial Package. The list of the available security concepts appears. Select Package.

[Screenshot: Papyrus Risk Analysis editor on ATM_risk_analysis.riskanalysis, with the RiskAnalysis Editor menu in the menu bar.]
45. gh; Opportunity: Low; overall risk level: Medium.
- A12: TCC fails to provide arrival information to all relevant recipients simultaneously due to communication overload (radio with A/C, voice with PLC).
  - Before management: Severity Critical; Opportunity High; overall risk level before management: Critical.
  - After AMAN/SQM: Severity High; Opportunity Low; overall risk level: Medium.
- B18: ATCO fails to manually update the system, which leads to the provisioning of inconsistent data.
  - Before management: Severity Medium; Opportunity Medium; overall risk level before management: Medium.
  - After AMAN/SQM: Severity Medium; Opportunity Low; overall risk level: Low.

Since all the risks are reduced at least to the Objective risk level MEDIUM, this is acceptable as a stable state of the study.

The definition of these new security requirements implies the emission of a Requirements Change Request for these requirements to be taken into account in the security engineering process. The definition of these new security solutions implies the emission of a System Change Request for these new elements of the model to be taken into account in the security engineering process. A new iteration of the risk analysis shall now be conducted on the new version of the system, in order to refine the comprehension of the security risks after the introduction of the two new elements of the system, i.e. AMAN and SQM.
46. Appendix: Glossary
A/C: Aircraft
AMAN: Arrival Manager
ATM: Air Traffic Management
PLC: Planning Controller
Security DSML: Security Domain Specific Modelling Language (Thales language and tool for security risk management)
SQM: Sequence Manager
TCC: Tactical Controller

References
[1] National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, January 1999, Revision 1.
[2] Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), Méthode de gestion des risques, January 25, 2010 version, http://www.ssi.gouv.fr/site_article45.html
[3] Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), Bases de connaissances, January 25, 2010 version, http://www.ssi.gouv.fr/site_article45.html
[4] ISO 27005, Information technology, Security techniques, Information security risk management, http://www.iso.org/iso/search.htm?qt=27005&searchSubmit=Search&sort=rel&type=simple&published=on
[5] Information technology, Security techniques, Evaluation criteria for IT security.
[6] Information technology, Security techniques, Methodology for IT security evaluation.
[7] Information technology, Security techniques, Security assessment of operational sys
47. he Properties tab at the bottom of your application, fill the values of the Vulnerability Scale Step properties, for example:
- Value: 1
- Name: Low
- Meaning: Costs more than 10 000 to penetrate

4.3.1.2.6 Definition of the Threat probability scale

To create an instance of Threat probability scale, right-click on a Package, select New Child and then select Threat probability scale. The threat probability scale is an array defining the value of the probability of occurrence of a threat. The threat probability scale is defined from 0 to 4, where:
- 0 means not relevant
- 1 is low
- 2 is medium
- 3 is high
- 4 is critical

The system security risk manager can qualify the meaning of this scale according to the context of the study, for example Low meaning "hardened with a complete checklist and cryptographic means", etc.

Create now the steps of the scale: right-click on the Threat probability scale you created, select New Child and then select Threat probability Scale Step.

[Screenshot: Papyrus Risk Analysis editor with ATM_model.di2 and ATM_risk_analysis.riskanalysis open, showing the Resource Set.]
48. ith procedures.
  - B13: Tactical Controller (TCC) becomes unavailable during the arrival management process due to his/her physical or mental condition.
  - A12: TCC fails to provide arrival information to all relevant recipients simultaneously due to communication overload (radio with A/C, voice with PLC).
- O2: The update of the system should be handled through a dedicated role of Sequence Manager (Medium).
  - B17: Failure in the provisioning of correct or optimal arrival information (stabilization or coordination of sequence) due to ATCO mistakes.
  - B18: ATCO fails to manually update the system, which leads to the provisioning of inconsistent data.

All the risks are covered by at least one security objective.

5.1.1.9 Definition of the Security Requirements

The following security requirements are defined in order to refine the security related objectives, as indicated. The required security level of the requirement is indicated.
- Req01: The system should integrate an AMAN (Medium).
  - O1: The Sequence shall be computed automatically by an Arrival Manager system.
- Req02: The organisation should integrate a SQM (Medium).
  - O2: The update of the system should be handled through a dedicated role of Sequence Manager.

5.1.1.10 Definition of the Security Solutions

The following security solutions are defined in order to implement the security requireme
49. ives, i.e. how to treat the risks affecting the system. This requires determining the security requirements on the system. Coverage of the security objectives by the functional and assurance requirements must be justified by a rationale indicating their necessity and adequacy.
As a 1st step, the system security risk manager defines security requirements to cover each security objective. For each requirement he defines a description and selects the security objectives it applies to. He can add the cost of the requirement per target and the cost of the requirement for the whole system.
To create an instance of a Security Requirement, right-click on a Package, select New Child and then select Security Requirement.
[Screenshot: Papyrus model tree of ATM_risk_analysis.riskanalysis showing a created Security Requirement (Req02) next to the ATM_model.uml resource]
50. l represented by the target
- Doors component PUID: This field can be filled with the PUID of the component corresponding to this target in DOORS T REK
- Security Level: A tag for the needed security level of the target
- Security solution cost: An evaluation of the cost of the security solution for the entire system
1.3 Risk management methodology
The overall process for the risk analysis is compliant with the EBIOS methodology and can be summarized by the following schema. The activities performed are:
- Identifying essential elements, aka identifying the perimeter of the study
- Analysis of the damages
- Determination of the targets
- Determination of the vulnerabilities
- Analysis of the threats
- Definition of the risks
- Definition of the confinement zones
- Definition of the Security Objectives
- Definition of the Security Requirements
- Definition of the Security Solutions
Figure 3 Risk management methodology
More details on each step are given in Chapter 4.
1.4 Overall Security Engineering methodology
1.4.1 Towards standard Architecture Frameworks and MDE Engineering methodology
This section presents how this methodology and tooling complement a mainstream System/Software Engineering Process. At the Business architecture stag
51. le Edit View Navigate Search Project
[Screenshot: Eclipse Installed Software dialog (Installation History, Features, Plug-ins, Configuration tabs) listing Papyrus 0.0.0 (com.cea.papyrus.product) and Riskanalysis 1.0.0 2010 (com.thalesgroup.mde.riskan), with Update, Uninstall and Properties buttons]
4 User Manual
4.1 Getting started with the D4.4 prototype
When you have clicked on the Papyrus.exe file, a Papyrus instance starts. It shows the same menus and frames as a standard Papyrus, except that there is an additional tab for Risk analysis in the central frame, shown by the red arrow.
[Screenshot: Papyrus showing ATM_model.di2 with the UML activity diagram palette (Activity, Action, Pins, Decision, Comment, Constraint, ...) and the additional ATM_risk_analysis.riskanalysis tab]
52. ling tool and Security DSML, both integrated under an Eclipse environment.
Figure 1 Scope of the prototype: the D4.4 prototype (M24) under Eclipse, with the System Modeling tool (Papyrus UML, UML models) and the Security DSML (Risk analysis and management), plus Requirements Management and Requirements Evolution management, with specific traceability to Risks added.
1.2 Security DSML metamodel and language
Security DSML is the language developed to capture the security risk analysis concepts. The following schema shows the Security DSML meta model. The meta model presented below is a simplified version of the meta model, where the meta classes related to the general concepts and scales have been removed. The meta classes are represented with boxes and the class symbol. The name of the meta class is written in the first rectangle. The properties of the meta class are described in the second rectangle. The properties shown in italic are references to elements of the system model, that is to say elements that are described by means of the system modelling tool. More details about the link between Security DSML and the UML language are given in Chapter 2, section 2.2. All the elements described below are derived from a meta class Analysis element providing two properties:
- Name: A name for an instance of the meta class
- Description: A descri
53. nagement Scale Step Risk Management Transfer
[Screenshot: Papyrus model tree showing the Risk Management Scale Steps (Risk Management Transfer, Risk Management Unacceptable) and the Properties tab for the Transfer step: Meaning "The risk is transferred to an insurance company", Name "Risk Management Transfer", Value 3]
In the Properties tab at the bottom of your application, fill in the values of the Risk Management strategy Step properties, for example:
- Value: 3
- Name: Transfer
- Meaning: Severity is critical, Opportunity is medium or higher
NB: A new Package can be created as a parent to the instances of the next security concepts of the risk analysis. To create a package, refer to 4.3.1.3 Initialisation of a study.
4.3.2 Activity n°1 Identifying essential elements
This activity takes as input the functional part of the system architecture elaborated during the mainstream system engineering process by the system architect. The functional architecture of the system is analysed by the system security risk manager in order to identify, within the functions and data of this system archit
54. nce
- Overload of traffic, high workload
  - TCC modifies the Sequence
5.1.1.5 Analysis of the Threats
Threats are listed below with an opportunity level. For each threat the related activities are indicated, as well as the breach strength.
- ATCO mistake (High)
  - PLC detects a need for a change in the Sequence
  - TCC computes the Sequence
  - Breach Strength: Availability Medium, Integrity High
- Non compliance of ATCO with procedures (Low)
  - PLC detects a need for a change in the Sequence
  - TCC computes the Sequence
  - Breach Strength: Availability Medium, Integrity High
- TCC unavailability (Low)
  - TCC computes the Sequence
  - Breach Strength: Availability Critical, Integrity Critical
- TCC overloaded (High)
  - TCC computes the Sequence
  - Breach Strength: Availability Critical, Integrity High
- ATCO fails to manually update the system (Medium)
  - TCC modifies the Sequence
  - Breach Strength: Availability High, Integrity High
5.1.1.6 Definition of the Risks
The following risks are identified with Severity, Opportunity and overall risk level. For each risk the related damages and threats are indicated. In order to provide a better reading, the related activities are also recalled.
- B17 Failure in the provisioning of correct or optimal arrival information (stabilization or coordination of sequence) due to ATCO mistakes
  - Severity High
55. ng of each value is described below:
- Objective Security Level: select an Objective Security Level Step corresponding to the adequate value on the scale
- Name: A name, for example O1 A12
- Effect: This field is filled during the next step
- Description: A description, if needed
- Covered risk: select the list of the risks covered by the Security Objective
As a 2nd step, the security risk manager describes the security objective effect kind. The security objective effect kind is a pre-defined array of Booleans showing if the
[Screenshot: Papyrus model tree of ATM_risk_analysis.riskanalysis showing Security Objective Effect Kind O1 and O2, with the Properties tab for O1: Detection false, Name O1, Protection true, Recovery false, Response false]
56. ng of inconsistent data
  - Severity Medium, Opportunity Medium, overall risk level before management Medium
  - Damage: Failure in the provisioning of correct arrival information
  - Threat: ATCO fails to manually update the system
  - Activity: TCC modifies the Sequence
5.1.1.7 Definition of the confinement zone
In the context of this risk analysis performed over the activities of a process, this activity consists in deciding what level of risk is considered as unacceptable and therefore which type of risk management shall be put in place. In the domain of Air traffic control, risks with a risk level from critical to medium shall be managed. The goal in this first study is to reduce the risks below a medium objective risk level.
5.1.1.8 Definition of the Security Objectives
In order to cover the risks defined through the Risk analysis process, the following additional Security Objectives are defined. For each Security Objective the objective security level and the related risks are indicated.
- O1 The Sequence shall be computed automatically by an Arrival Manager system (Medium)
  - B17 Failure in the provisioning of correct or optimal arrival information (stabilization or coordination of sequence) due to ATCO mistakes
  - B16 Failure in the provisioning of correct or optimal arrival information due to non compliance of ATCO w
57. ntified risks by goals regarding the security of the system, its organisational security policies, its development environment or its operational environment.
Properties:
- Effect: this records the effect kind of the security objective as security management, in terms of detection, protection, recovery and response
- Objective Security Level: The security level of the security objective according to an objective security level scale
Security requirement
A security requirement is a functional or assurance general specification concerning the system or its environment, dealing with the security mechanisms to be implemented and covering one or more security objectives.
Properties:
- Doors requirement PUID: This field can be filled with the PUID of the corresponding requirement in DOORS T REK
- Required Level: The security level required for the security requirement according to an objective security level scale
- Cost for system: An evaluation of the cost of the security requirement for the entire system
- Cost per target: An evaluation of the cost of the security requirement for one target
Security solution
This meta class derives from the Target meta class. A security solution is a security measure that implements a security requirement.
Properties:
- Represented element: A pointer to the element of the system mode
58. nts. The solutions are presented together with their security level, the targets they apply to and the requirement they relate to.
- AMAN (Medium)
  - Applying targets: TCC computes the sequence
  - Requirements: Req01 The system should integrate an AMAN
- SQM (Medium)
  - Applying targets: TCC computes the sequence
  - Requirements: Req02 The organisation should integrate a SQM
The evaluation of the risks must now be updated with the implementation of the security solutions.
- B17 Failure in the provisioning of correct or optimal arrival information (stabilization or coordination of sequence) due to ATCO mistakes
  - Before management: Severity High, Opportunity High, overall risk level High
  - After AMAN + SQM: Severity Medium, Opportunity Low, overall risk level Low
- B16 Failure in the provisioning of correct or optimal arrival information due to non compliance of ATCO with procedures
  - Before management: Severity High, Opportunity Low, overall risk level before management Medium
  - After AMAN + SQM: Severity Medium, Opportunity Low, overall risk level Low
- B13 Tactical Controller (TCC) becomes unavailable during the arrival management process due to his/her physical or mental condition
  - Before management: Severity Critical, Opportunity Low, overall risk level before management High
  - After AMAN + SQM: Severity Hi
59. nts of the system.
Properties:
- Damage total cost: An overall evaluation of the impact of the damage on a Severity scale
- Stake: An evaluation of the impact of the damage according to scales specific to different types of stakes, for example Business, Safety or Human life, Image, etc.
Target
A target is one element of the system potentially threatened by one or more threats.
Properties:
- Represented element: A pointer to the element of the system model represented by the target
- Doors component PUID: This field can be filled with the PUID of the component corresponding to this target in DOORS T REK
- Security Level: A tag for the needed security level of the target
Vulnerability
A vulnerability is a weakness in a system, system security procedures, internal controls or implementation that could be exploited.
Properties:
- Vulnerability level: An evaluation of the vulnerability of the target according to a vulnerability scale
Threat
A threat is any circumstance or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, modification of data and/or denial of service.
Properties:
- Threat breach strength: An overall evaluation of the impact of the threat on a Severity scale
- Occurrence probability: An evaluation of the opportunity of the threat according
60. nts with a strong rationale related to them. These requirements shall then be exported to a Requirements Management COTS such as DOORS T REK. This document presents the prototype, the way to install it, and shows an example of a use case.
Index
DOCUMENT INFORMATION
DOCUMENT CHANGE RECORD
EXECUTIVE SUMMARY
INDEX
1 OVERVIEW AND METHODOLOGY
1.1 Background and general presentation
1.2 Security DSML metamodel and language
1.3 Risk management methodology
1.4 Overall Security Engineering methodology
1.4.1 Towards standard Architecture Frameworks and MDE Engineering methodology
1.4.2 Towards Secure Change Integrated Process
2 INTEGRATION BETWEEN THE SECURITY DSML AND PAPYRUS UML
2.1 Languages integration
2.2 Tool technical integration
3 INSTALLATION
4 USER MANUAL
4.1 Getting started with D4.4 prototype
4.2 Model design with Papyrus
4.3 Risk management with Security DSML
4.3.1 Preparation step
4.3.2 Activity n°1 Identifying essential elements
4.3.3 Activity n°2 Analysis of the damage scenarios
4.3.4 Activity n°3 Determination of the targets
4.3.5 Activity n°4 Determination of the vulnerabilities
4.3.6 Activity n°5 Analysis of the threats
4.3.7 Activity n°6 Definition of the risks
4.3.8 Activity n°7 Definition of the confinement zone
4.3.9 Activity n°8 Definition of the securit
61. on between the Security DSML and Papyrus UML, an open source and popular UML 2 modeling tool, using their common EMF foundations.
2.1 Languages integration
In a risk analysis it is necessary to refer to the system under consideration. In our approach, centered around modeling languages, two perimeters are identified:
- the risk analysis, which is performed using the Security DSML
- the system design, which is performed in this case using Papyrus UML
The risk analysis refers to the system design through specific model elements. In our conceptual model, the risk analysis interacts with the system around two notions:
- essential elements, which are functions of the system that may be subject to damage
- targets, which are system components realizing those functions and may have vulnerabilities and threats
Some of the concepts of the Security DSML reference system elements. In the D4.4 prototype, since the Security DSML is integrated with Papyrus UML, the system elements are described with the UML language. Therefore some of the Security DSML meta classes have references to UML classes. In the Security DSML only a few meta classes do so: EssentialElement, Target and Security Solution. Their instances represent the corresponding notions introduced in the previous section.
- EssentialElement has a reference representedElement of type BehavioredClassifier that refers to the UML system element represented by this essential element
- Ta
62. p Blue provides relevant inputs to analyse these activities.
5.1.1.2 Analysis of the Damages
Possible damages are identified in relation with the activities above, with a total cost of the damage level. For each damage of the list below the impacted activities are indicated.
- Loss of information provisioning to/from ATCOs (Critical)
  - TCC computes the Sequence
- Failure in the provisioning of correct arrival information (High)
  - TCC modifies the Sequence
- Failure in the provisioning of optimal arrival information (Medium)
  - PLC detects a need for a change in the Sequence
  - PLC asks for a Sequence modification
  - TCC computes the Sequence
  - TCC modifies the Sequence
5.1.1.3 Determination of the targets
The targets are the activities.
5.1.1.4 Determination of the Vulnerabilities
Vulnerabilities identified on the different actors and activities are the following. For each vulnerability of the list below the related activities are indicated.
- High coordination workload
  - PLC detects a need for a change in the Sequence
  - TCC computes the Sequence
- Non compliance of ATCO with procedures
  - PLC detects a need for a change in the Sequence
  - TCC computes the Sequence
- Stress (concentration problems, health conditions, etc.)
  - TCC computes the Sequence
- Lack of routines for avoiding multitasking
  - TCC computes the Seque
63. presented in section 1.2. The Security DSML language is developed in order to capture the security concepts needed to perform a risk analysis and to manage the risks. It is compliant with the French EBIOS 2 methodology. The overall process of this risk management methodology is presented in section 1.3. The tool is used in the context of a System Engineering process for security specific purposes. A challenge here is to propose an evolution of System Engineering methodologies that integrates the security related requirements. Although the System Security Engineering methodology, which is the focus of WP2, is not the focus of this specific document, some explanations are given about the System Security Engineering Methodology in order to contextualise the usage of the tool. The integration of security concerns in a generic System Model Driven Engineering methodology is described in section 1.4. Starting from a model design, the tool enables the conduct of a risk analysis. The risk management phase following it produces Security Objectives, which are in their turn refined into Security Requirements. These security requirements lead to an evolution of the model, since Security solutions shall be implemented to complete or transform the model. This is how security engineering and security evolution, as studied through the Secure Change project, shall improve the Thales system engineering methodology. The D4.4 prototype (M24 version) includes a Papyrus UML system model
64. ption for an instance of the meta class
Figure 2 Security DSML metamodel, showing the meta classes Risk (risk level, risk level before and after management), Risk management (objective security level), Essential element (represented element), Damage (damage total cost, stake, impacted element), Threat (threat breach strength, occurrence probability, threat operator), Target (represented element, Doors component PUID, security level), Vulnerability (vulnerability level), Security objective (effect, objective security level, covered risk), Security solution (security level, security solution cost, applying targets) and Security requirement (Doors requirement PUID, required level, cost for system, cost per target, specified objective)
Essential element
An essential element is an element of the system at the Business Architecture or Service oriented Architecture plans (refer to section 1.4 Overall Security Engineering Methodology).
Properties:
- Represented element: A pointer to the element of the system model represented by the essential element
Damage
A damage expresses the impact related to a risk on the essential eleme
65. r is usually composed with:
- Availability
- Confidentiality
- Integrity
- other
To create an instance of Breach strength scale by security criterion, right-click on a Package, select New Child and then select Breach strength scale by security criterion.
[Screenshot: the New Child context menu on a Package in the ATM_risk_analysis.riskanalysis editor, listing Package, Analysis, Threat Probability Scale, Threat Probability Scale Step, Severity Scale, Severity Scale Step, Opportunity Scale, Opportunity Scale Step, Risk Management Scale, Risk Management Scale Step, Objective Security Level Scale, Objective Security Level Step, Breach Strength Scale By Security Criterion, Breach Strength Scale Step, Damage Cost Scale By Stake Type, Damage Cost Scale Step, Vulnerability Scale, Vulnerability Scale Step, Damage, Essential Element, ...]
66. ration criteria shall be applied by Air Traffic Controllers in order to guarantee a safe separation of the aircraft in a sequence of arrivals, by means of the sub-activities performed in parallel, such as:
  - Read Radar Tracks
  - Read A/C Data
  - Apply Separation Criteria
- TCC modifies the aircraft sequence
The following diagram shows the activity diagram in Papyrus, with the PLC activities in yellow and the TCC activities in pink.
[Activity diagram: Call PLC monitors traffic, Call PLC detects the need for a change in the Sequence, Call PLC asks for a Sequence Modification, Call Read Radar tracks, Call Read A/C data, Call Apply Separation Criteria]
5.1.1.1 Perimeter of the study: Identify Essential elements
The Security DSML is used over the Papyrus design tool in order to perform a risk analysis. The perimeter considered for the risk analysis consists of the activity diagrams drawn with Papyrus. The activities considered are the following:
- PLC monitors the traffic
- PLC detects a need for a change in the Sequence
- PLC asks for a Sequence modification
- TCC computes the Sequence
- TCC modifies the Sequence
The risk analysis performed with WP5 with the domain experts from Dee
67. rget has a reference representedElement of type Classifier that refers to the UML system element represented by this target
- Security solution refines the class Target. It has a reference representedElement of type Classifier that refers to the UML system element represented by this security solution
2.2 Tool technical integration
The technical integration of the Security DSML and Papyrus UML is made possible by the fact that the languages of both tools are defined as Ecore meta models. We used this common foundation as an easy way to define a loose coupling. EMF (Eclipse Modeling Framework) consists of a set of libraries and tools that allow the manipulation of models and the generation of code to quickly develop modeling tools. EMF itself sits on top of the Eclipse platform and inherits its modular structure based on plugins and its portability, using the Java programming language. One of the key features of the modular structure of Eclipse is the ability to run several plugins within a single instance of Eclipse. This allowed us to build a prototype integrating the Thales Security DSML and Papyrus UML. The prototype of the Thales DSML was developed in EMF in several steps:
- A meta model consisting of the concepts was defined in Ecore
- The concepts that interface with the system model were augmented with references to UML elements
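As an added example (not the prototype's code), the following Python shows what the references of section 2.1 look like once EMF has serialised them, and how a practitioner can check them outside the tool: a Target or EssentialElement in the .riskanalysis resource carries an href into the sibling .uml resource, and the typing rule of the DSML (BehavioredClassifier for essential elements, Classifier for targets and security solutions) can be verified by resolving that href and walking the UML generalisation hierarchy. The two XMI documents are constructed samples with an invented riskanalysis namespace URI, the UML supertype table is cut down to the metaclasses used in them, and every function name is mine.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

XMI_NS = "http://www.omg.org/XMI"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# UML metaclass that each referencing DSML meta class requires (section 2.1).
REQUIRED = {"EssentialElement": "BehavioredClassifier",
            "Target": "Classifier",
            "SecuritySolution": "Classifier"}

# ASSUMPTION: cut-down UML 2 generalisation closure, only for the metaclasses
# used in the sample (Activity -> Behavior -> Class -> BehavioredClassifier).
UML_SUPERTYPES = {
    "Activity": {"Behavior", "Class", "BehavioredClassifier", "Classifier"},
    "Class": {"BehavioredClassifier", "Classifier"},
    "DataType": {"Classifier"},
    "Comment": set(),
}

def is_kind_of(metaclass: str, required: str) -> bool:
    return metaclass == required or required in UML_SUPERTYPES.get(metaclass, set())

def index_uml(xml_text: str) -> dict:
    """Map xmi:id -> (metaclass, name) for every identified element of a UML resource."""
    index = {}
    for el in ET.fromstring(xml_text).iter():
        xid = el.get(f"{{{XMI_NS}}}id")
        if xid is None:
            continue
        # The root carries its metaclass in the tag (uml:Model); children use xmi:type.
        mtype = el.get(f"{{{XMI_NS}}}type") or "uml:" + el.tag.split("}")[-1]
        index[xid] = (mtype.split(":")[-1], el.get("name"))
    return index

def check_references(risk_xml: str, resources: dict) -> list:
    """One (meta class, name, status, detail) tuple per referencing DSML element;
    resources maps the href base written in the .riskanalysis file to that UML text."""
    indexes = {base: index_uml(text) for base, text in resources.items()}
    findings = []
    for el in ET.fromstring(risk_xml).iter():
        xsi_type = el.get(f"{{{XSI_NS}}}type")
        dsml_class = xsi_type.split(":")[-1] if xsi_type else None
        if dsml_class not in REQUIRED:
            continue
        ref = el.find("representedElement")  # containment feature, unqualified in EMF XMI
        if ref is None:
            findings.append((dsml_class, el.get("name"), "missing", None))
            continue
        base, frag = urldefrag(ref.get("href", ""))
        entry = indexes.get(base, {}).get(frag)
        if entry is None:  # element deleted or renamed in the UML model
            findings.append((dsml_class, el.get("name"), "dangling", ref.get("href")))
            continue
        metaclass, uml_name = entry
        status = "ok" if is_kind_of(metaclass, REQUIRED[dsml_class]) else "wrong type"
        findings.append((dsml_class, el.get("name"), status, f"{metaclass} {uml_name}"))
    return findings

# Constructed sample resources (not the project's files); the riskanalysis
# namespace URI is invented. The href into the sibling resource is the loose
# coupling that section 2.2 relies on.
UML_XML = """<uml:Model xmi:version="2.1" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:uml="http://www.eclipse.org/uml2/3.0.0/UML" xmi:id="_m" name="ATM_model">
  <ownedComment xmi:type="uml:Comment" xmi:id="_c1" body="sequencing notes"/>
  <packagedElement xmi:type="uml:Activity" xmi:id="_a1" name="TCC computes the Sequence"/>
  <packagedElement xmi:type="uml:Activity" xmi:id="_a2" name="TCC modifies the Sequence"/>
  <packagedElement xmi:type="uml:DataType" xmi:id="_d1" name="Sequence"/>
</uml:Model>"""

RISK_XML = """<riskanalysis:Model xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:riskanalysis="http://example.invalid/riskanalysis">
  <elements xsi:type="riskanalysis:EssentialElement" name="TCC computes the Sequence">
    <representedElement href="ATM_model.uml#_a1"/>
  </elements>
  <elements xsi:type="riskanalysis:Target" name="TCC computes the Sequence">
    <representedElement href="ATM_model.uml#_a1"/>
  </elements>
  <elements xsi:type="riskanalysis:Target" name="Sequence data">
    <representedElement href="ATM_model.uml#_d1"/>
  </elements>
  <elements xsi:type="riskanalysis:EssentialElement" name="Sequence data">
    <representedElement href="ATM_model.uml#_d1"/>
  </elements>
  <elements xsi:type="riskanalysis:Target" name="Sequencing notes">
    <representedElement href="ATM_model.uml#_c1"/>
  </elements>
  <elements xsi:type="riskanalysis:Target" name="Radar feed">
    <representedElement href="ATM_model.uml#_deleted"/>
  </elements>
</riskanalysis:Model>"""

def sample_findings() -> list:
    return check_references(RISK_XML, {"ATM_model.uml": UML_XML})
```

On a real pair of files, read both from disk and key `resources` by whatever href base Papyrus wrote (a relative file name or a platform:/resource URI); the "dangling" status is the case to watch after a model evolution, since the risk analysis keeps pointing at an xmi:id that no longer exists in the UML resource.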
68. right-click on the Breach Strength Scale By Security Criterion you created, select New Child and then select Breach Strength Scale Step.
[Screenshot: Papyrus model tree of ATM_risk_analysis.riskanalysis showing the scales created under the Package: Damage Cost Scale By Stake Type (Safety aka Human life, Business), Severity Scale, Opportunity Scale, Vulnerability Scale, Threat Probability Scale, Breach Strength Scale By Security Criterion (Confidentiality, Integrity, Availability), Objective Security Level Scale, Risk Management Scale; the New Child menu on Breach Strength Scale By Security Criterion Confidentiality offers Breach Strength Scale Step]
69. rity before management according to the Total cost of the Damage. The risk level is a unique value which synthesizes the two dimensions of severity and opportunity mentioned above, according to the Security Objective Level scale.
NB: a new Package can be created as a parent to the instances of the following security concepts of the risk analysis: Risk Level, Risk Management, Security Objective Effect Kind. To create a package, refer to 4.3.1.3 Initialisation of a study.
To create an instance of a Risk Level, right-click on a Package, select New Child and then select Risk Level.
[Screenshot: Papyrus model tree of ATM_risk_analysis.riskanalysis showing Risk Level B17 before management under a Package]
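As an added worked example, not code from the D4.4 prototype, the following Python encodes the 0..4 scales of section 4.3.1, the synthesis of severity and opportunity into a risk level described above, and the checks of activities 7 and 8 (every risk covered by at least one objective, objective level coherent with the level targeted in the Risk Management of the risks it covers, residual level below the confinement goal) over the B13, B16, B17 and B18 figures of section 5.1.1. The risk matrix is an assumption that reproduces the levels the page quotes, not the tool's rule; the per-risk target level and all function names are likewise mine.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shared five-step scale of sections 4.3.1 and 5.1.1: severity, opportunity,
# risk level and objective security level all use these steps.
SCALE = {"not relevant": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
NAME = {v: k for k, v in SCALE.items()}

# ASSUMPTION: the page gives resulting risk levels but not the synthesis rule;
# this matrix, indexed [severity][opportunity], reproduces the levels quoted
# for B13, B16, B17 and B18 and stands in for the prototype's own rule.
RISK_MATRIX = (
    (0, 0, 0, 0, 0),  # severity: not relevant
    (0, 1, 1, 1, 2),  # severity: low
    (0, 1, 2, 2, 3),  # severity: medium
    (0, 2, 2, 3, 3),  # severity: high
    (0, 3, 3, 4, 4),  # severity: critical
)

def risk_level(severity: int, opportunity: int) -> int:
    """One value on the 0..4 scale synthesising severity and opportunity."""
    if not (0 <= severity <= 4 and 0 <= opportunity <= 4):
        raise ValueError("scale steps run from 0 (not relevant) to 4 (critical)")
    return RISK_MATRIX[severity][opportunity]

@dataclass
class Risk:
    name: str
    severity: int                         # from the damage total cost
    opportunity: int                      # from the threat occurrence probability
    severity_after: Optional[int] = None  # re-evaluated once solutions are applied
    opportunity_after: Optional[int] = None

    def level_before(self) -> int:
        return risk_level(self.severity, self.opportunity)

    def level_after(self) -> Optional[int]:
        if self.severity_after is None or self.opportunity_after is None:
            return None
        return risk_level(self.severity_after, self.opportunity_after)

@dataclass
class RiskManagement:
    """Targeted objective security level for one risk (activity 7)."""
    risk: str
    target_level: int

@dataclass
class SecurityObjective:
    name: str
    level: int
    covered_risks: Tuple[str, ...]

def uncovered_risks(risks, objectives) -> List[str]:
    """Risks that no security objective covers (must be empty)."""
    covered = {r for o in objectives for r in o.covered_risks}
    return [r.name for r in risks if r.name not in covered]

def level_mismatches(objectives, managements) -> List[Tuple[str, str]]:
    """Objectives whose level is below the level targeted for a risk they cover."""
    target = {m.risk: m.target_level for m in managements}
    return [(o.name, r) for o in objectives for r in o.covered_risks
            if r in target and o.level < target[r]]

def residual_above_target(risks, managements) -> List[Tuple[str, str]]:
    """Risks whose level after management is not below the targeted level."""
    target = {m.risk: m.target_level for m in managements}
    return [(r.name, NAME[r.level_after()]) for r in risks
            if r.level_after() is not None and r.name in target
            and r.level_after() >= target[r.name]]

# Figures quoted in section 5.1.1; B13 and B18 have no post-management figures
# on this page, so only their initial level is computed.
RISKS = [
    Risk("B17", SCALE["high"], SCALE["high"], SCALE["medium"], SCALE["low"]),
    Risk("B16", SCALE["high"], SCALE["low"], SCALE["medium"], SCALE["low"]),
    Risk("B13", SCALE["critical"], SCALE["low"]),
    Risk("B18", SCALE["medium"], SCALE["medium"]),
]
# ASSUMPTION: a medium target level for every risk; the study states only the
# overall goal of reducing the risks below a medium objective risk level.
MANAGEMENTS = [RiskManagement(r.name, SCALE["medium"]) for r in RISKS]
OBJECTIVES = [
    SecurityObjective("O1", SCALE["medium"], ("B17", "B16", "B13")),
    SecurityObjective("O2", SCALE["medium"], ("B17", "B18")),
]

def check_study(risks=RISKS, objectives=OBJECTIVES, managements=MANAGEMENTS) -> dict:
    """Coverage and coherence checks of activity 8 plus the confinement goal of 5.1.1.7."""
    return {
        "levels_before": {r.name: NAME[r.level_before()] for r in risks},
        "uncovered": uncovered_risks(risks, objectives),
        "level_mismatches": level_mismatches(objectives, managements),
        "residual_above_target": residual_above_target(risks, managements),
    }
```

With the page's figures every check returns empty, which is the state the system security risk manager is looking for before exporting requirements; removing O2 makes B18 show up as uncovered, and lowering an objective's level below the targeted level of a covered risk shows up as a mismatch.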
70. security risk manager to define a perimeter of essential elements and targets where a given security objective level is targeted as a goal. The security objectives usually consist of an expression of the level of the system acquirer's will to cover the risks.
As a 1st step, the system security risk manager defines the targeted Objective Security Level for each risk according to the Objective Security Level scale.
As a 2nd step, the system security risk manager sets for each risk the risk management strategy. The risk management strategy is a predefined list of Booleans showing if the risk management should contribute to Detection, Protection, Response or Recovery.
Both of these steps are captured by the Risk Management concept. To create an instance of a Risk Management, right-click on a Package, select New Child and then select Risk Management.
[Screenshot: Papyrus model tree of ATM_risk_analysis.riskanalysis with the Resource Set]
71. 4.3.7 Activity n°6 Definition of the risks
Risks occur when there is a potential for exploitation, by a threat, of a vulnerability on a target. Risks are expressed at both the functional and the architecture plans of the system architecture, respectively by means of the damages and of the threats.
As a 1st step, the system security risk manager can perform the risk analysis. He will describe the relevant risks. For each risk he can review the damage associated to it and the essential elements it applies to. He can also review the threats associated to it and the targets it applies to. He can assign a name and a short description to each risk.
To create an instance of a Risk, right-click on a Package, select New Child and then select Risk.
[Screenshot: Papyrus model tree of ATM_risk_analysis.riskanalysis showing Risk B13, Risk B16, Risk B17 and Risk B18]
72. st scale, define the essential elements it applies to and describe the damage condition of the damage scenario.
To create an instance of a Damage, right-click on a Package, select New Child and then select Damage.
[Screenshot: Papyrus model tree of ATM_risk_analysis.riskanalysis showing the Damages "Failure in the provisioning of correct or optimal arrival information", "Failure in the provisioning of correct arrival information" and "Loss of information provisioning to/from ATCOs", with the Properties tab for the latter: Damage Total Cost = Severity Scale Step Severity Critical, Impacted Element = Essential Element TCC computes the Sequence, Name = Loss of information provisioning to/from ATCOs, Stake = Damage Cost Scale Step Safety/Human Life Critic]
[Screenshot: Papyrus model explorer for ATM_risk_analysis.riskanalysis showing the Target instances "...t PLC detects a need for a change in the Sequence", "PLC asks for a Sequence modification", "TCC computes the Sequence" and "TCC modifies the Sequence". The Properties tab of "TCC computes the Sequence" lists Description, Doors Component PUID, Name, Represented Element = <Activity> TCC computes the Sequence, and Security Level]

This activity takes as input the logical or the physical part of the system architecture elaborated during the mainstream system engineering process by the system architect. Targets determination is performed by analysing the entities of the physical system architecture and identifying their dependencies with the essential elements.

As a 1st step, the system security risk manager references elements from the system logical or physical architecture. To create an instance of a Target, right-click on a Package and select New Child, then select Target.

In the Properties tab at the bottom of your application, fill in the values of the Target properties. The meaning of each value is described below:
- Security Level: If needed...
...vity 3 Determination of the Targets, field Security Level.

4.3.9 Activity n°8: Definition of the security objectives

The security objectives must cover all the risks that it has been decided to cover, taking into account the assumptions, the security rules and the various context elements, especially the constraints and the issues at stake. They must be consistent with the operational objective, or declared product objective, of the target system and with any knowledge of its physical environment. The security objectives usually consist of the expression of the system acquirer's will to cover the risks, without specifying the solutions for achieving this. They therefore constitute a complete set of directions which remains open in terms of the solutions to adopt and is perfectly adapted to the issues facing the system.

The purpose of the security objectives determined above is to counter or minimise the risks affecting the target system. The system security risk manager conducting the study must now check that they are necessary and sufficient for covering all the identified risks and assumptions.

As a 1st step, the system security risk manager can define the objectives to cover the risks. For each objective he can enter its description, the risk it applies to, the objective security level and its effect kind. To create an instance of a...
...w shows the detailed version of the process.

[Figure 6: Detailed sequence diagram of the security engineering process. Messages shown in the diagram: analyses changes; proposes security requirements to cover risks; propagates; assesses; refines the model and proposes solutions; proposes security solutions; mitigates and assesses]

2 Integration between the Security DSML and Papyrus UML

This chapter presents the integration of Thales' own security modelling tool, the Security DSML, with a generic model design workbench. The Security DSML is dedicated to risk analysis and security concerns, both as a language and as a tool, and is intended to serve as a security viewpoint in a more general engineering workbench. It was designed to capture the security concepts relevant to the risk analysis, including risks, targets, objectives and requirements, and supports standard methodologies such as EBIOS. Those methodologies are generic and not tied to particular practices in mainstream engineering, which is reflected in the fact that the Security DSML can be coupled to a number of tools supporting system design. In the context of Secure Change, Thales developed an integrati...
...y objectives

4.3.10 Activity n°9: Definition of the security requirements
4.3.11 Activity n°10: Definition of the security solution
5 EXAMPLE
5.1.1 Activities modelling with Papyrus
APPENDIX
GLOSSARY
REFERENCES

1 Overview and methodology

1.1 Background and general presentation

The tool presented in this document, developed at Thales after the EU FP6 Modelplex project, shall be regarded as a security viewpoint of a system model design tool, in the sense in which "viewpoint" is intended in the IEEE 1471 standard: a technology to provide non-functional properties tooling integrated into a system engineering workbench. This technology is the focus of the French research project Movida (ANR Call 8). In the latest progress of the work for the Secure Change project, this security viewpoint has been integrated as a security viewpoint on top of the model design tool Papyrus UML. The tool is based on a Domain Specific Modelling Language for Security called Security DSML, which focuses on a risk management process at the system design phase. By extension, and abusively, the tool itself takes the name of the language and is commonly called Security DSML. The meta-model and the language are...
[Screenshot residue: "...ystem Access Rights to AMAN on Computing the Sequence"]

As a 2nd step, the system security risk manager must verify the way the security requirements cover the security objectives. As a 3rd step, the system security risk manager will verify the coherence between the objective security level of the requirements and the security level of the Objective it covers. He shall set the required objective security level according to the objective security level of the Objective it covers.

4.3.11 Activity n°10: Definition of the security solution

The purpose of this activity is to translate the Security Requirements into security solutions, as a feedback on the model design. The output architecture will then be proposed for evaluation to the mainstream engineering process, for a trade-off analysis against other speciality engineering proposals.

As a 1st step, the system security risk manager defines security solutions to cover the security requirements. For each solution he defines a description and selects the security requirement it applies to. He can also refer to existing targets on which the security solution shall be deployed. He can add the cost of the security solution for the system. He can also reference an ISO Theme, for example a section of ISO 27002 it contributes to, in order to ease the management of best practices.
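The coverage and coherence checks the risk manager performs across Activities 8 to 10 (every risk covered by an objective, every objective covered by a requirement whose required security level is coherent with the objective's level, every requirement covered by a solution), written out as an added Python example. This is not code from the Secure Change deliverable or from the Security DSML tooling: the dataclasses, the three-step level scale and the sample instances are assumptions of this example, simplified from the concepts described above (risk and target names are reused from the screenshots on this page).

```python
from dataclasses import dataclass

# Constructed ordinal scale standing in for the document's user-defined
# "Objective Security Level Scale"; the step names are assumptions.
LEVEL_SCALE = ["Low", "Medium", "High"]


@dataclass(frozen=True)
class Risk:
    name: str
    damage: str            # damage scenario the risk is associated to


@dataclass
class SecurityObjective:
    name: str
    risks: list            # names of the risks the objective applies to
    security_level: str    # objective security level (a step of LEVEL_SCALE)


@dataclass
class SecurityRequirement:
    name: str
    objective: str         # name of the security objective it covers
    security_level: str    # required objective security level


@dataclass
class SecuritySolution:
    name: str
    requirements: list     # names of the requirements it covers
    targets: list          # targets on which it shall be deployed
    cost: float
    iso_theme: str


def uncovered_risks(risks, objectives):
    """Risks no security objective applies to (objectives must be necessary and sufficient)."""
    covered = {r for o in objectives for r in o.risks}
    return sorted(r.name for r in risks if r.name not in covered)


def uncovered_objectives(objectives, requirements):
    """Objectives no security requirement covers (Activity 9, step 2)."""
    covered = {q.objective for q in requirements}
    return sorted(o.name for o in objectives if o.name not in covered)


def level_mismatches(objectives, requirements):
    """Requirements whose required level is not coherent with their objective's level (Activity 9, step 3)."""
    by_name = {o.name: o for o in objectives}
    return sorted(q.name for q in requirements
                  if q.objective in by_name
                  and q.security_level != by_name[q.objective].security_level)


def align_required_levels(objectives, requirements):
    """Set each requirement's required level to the level of the objective it covers."""
    by_name = {o.name: o for o in objectives}
    for q in requirements:
        if q.objective in by_name:
            q.security_level = by_name[q.objective].security_level
    return requirements


def uncovered_requirements(requirements, solutions):
    """Requirements no security solution covers (Activity 10, step 1)."""
    covered = {q for s in solutions for q in s.requirements}
    return sorted(q.name for q in requirements if q.name not in covered)


def levels_off_scale(objectives, requirements):
    """Objectives or requirements whose security level is not a step of the scale."""
    return sorted(e.name for e in list(objectives) + list(requirements)
                  if e.security_level not in LEVEL_SCALE)


def verify_model(risks, objectives, requirements, solutions):
    """Run every coverage and coherence check; an empty list means the check passed."""
    return {
        "risks_without_objective": uncovered_risks(risks, objectives),
        "objectives_without_requirement": uncovered_objectives(objectives, requirements),
        "requirements_with_level_mismatch": level_mismatches(objectives, requirements),
        "requirements_without_solution": uncovered_requirements(requirements, solutions),
        "levels_off_scale": levels_off_scale(objectives, requirements),
    }


# Constructed sample model: risk and target names come from the screenshots
# on this page, the objective, requirement, solution and levels are made up.
RISKS = [
    Risk("Risk B13", "Loss of information provisioning to/from ATCOs"),
    Risk("Risk B16", "Failure in the provisioning of correct arrival information"),
]
OBJECTIVES = [SecurityObjective("O1", ["Risk B13"], "High")]
REQUIREMENTS = [SecurityRequirement("R1", "O1", "Medium")]
SOLUTIONS = [SecuritySolution("S1", ["R1"], ["TCC computes the Sequence"],
                              cost=10000.0, iso_theme="ISO 27002 <section placeholder>")]

if __name__ == "__main__":
    for check, findings in verify_model(RISKS, OBJECTIVES, REQUIREMENTS, SOLUTIONS).items():
        print(f"{check}: {findings or 'OK'}")
    align_required_levels(OBJECTIVES, REQUIREMENTS)
    print("after alignment:", level_mismatches(OBJECTIVES, REQUIREMENTS) or "OK")
```

Run as a script, the sample reports Risk B16 as having no objective and R1 as incoherent with O1 (Medium against High); `align_required_levels` then applies the rule from step 3 by raising R1 to the level of the objective it covers, after which the mismatch check is empty. The checks are deliberately reported rather than auto-fixed, except for the level alignment the document itself prescribes, so the risk manager decides how to close each gap.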