To define an Integrated Security Concept for U-space it is necessary to identify the security risks of a successful attack based on likelihood and impact. Because the focus of SECOPS is cyber security the impact is defined as the extent to which a loss of confidentiality, availability or integrity of a U-space service affects the U-space operations. When the risks are not acceptable security controls shall be identified to mitigate the risk to an acceptable level.
A security risk assessment is an iterative process. Three iterations were foreseen using the Security Risk Assessment methodology for SESAR 2020. The purpose of the first iteration was to identify the risks of the U-space concept as known by the partners at that time, assuming that no security controls or mitigation measures were in place. To focus the effort so effectively as possible, so-call Feared Events were introduced to identify the security critical services. A feared event is an event that harms a primary asset such as information or a service, occurs as a result of the exploitation of one or more vulnerabilities, and may lead to not achieved business goals. This resulted in an overview of risks per threat combination, which were classified as low, medium or high. This information was used to identify the security gaps considering that all risks classified as medium and high needed to be mitigated. For each of these gaps, security controls were defined and the risks were determined for the security critical services.
Based on the feared events and identified security controls, a preliminary Integrated Security Concept for U-space was designed. First the relevant security controls were described for each Feared Event, which were transformed into security controls requirements per Feared Event. Hereafter these requirements were consolidated into requirements per service. Also, legal, regulatory, social and safety aspects were taken into account and analysed and a maturity assessment of the security controls was performed to determine the Technology Readiness Levels of technical solutions.
An experimental proof of concept integrating COTS technologies of the consortium partners was executed on June 24th 2019 at the Netherlands RPAS Test Centre (NRTC) in order to demonstrate a preliminary version of the Integrated Security Concept. This experimental proof of concept is called the demonstrator. Objective of this demonstrator was to proof feasibility of parts of the Integrated Security Concept and co-operability of the more mature technical solutions. Based on the demonstrable feared events and security controls, considering the available facilities and equipment and taking into account the given limitations this demonstration incorporated a drone detection system, a UTM interface to display detected drone positions on an air situation display and featured conflict detection, geo-fenced areas and a counter-UAS system. Recording of objective data on positions and weather, combined with several subjective observations demonstrated that rogue drones, conflicts and intrusion of geo-fenced areas can be detected and that counter-UAS action with a net-gun armed drone is possible with the current state-of-the-art of these systems. Several recommendations were made and the results were used as input for the final risk assessment.
The requirements of the preliminary Integrated Security Concept were used in a final risk assessment to assess the risk per service assuming security requirements were implemented. The final risk assessment resulted in 22 medium, and 15 low residual risks. The set of proposed mitigation measures for U-space is the final Integrated Security Concept and is represented by a set of SECOPS requirements mapped to U-space services and capabilities.
In its public ‘Final Project Results Report’ SECOPS identified several standardisation organisations that would benefit from the research done in the SECOPS project. In addition, SECOPS made several recommendations regarding the implementation of the Integrated Security Concept in U-space, continuation of security risk assessment and required activities in the next R&D phase to further mature the security concept.
