Periodic Reporting for period 2 - SECOPS (An Integrated Security Concept for Drone Operations)
Okres sprawozdawczy: 2018-10-01 do 2019-12-31
The use of drones is growing rapidly as is the drone technology itself. Because of this the drones become cheaper and more affordable by the general public. This increases the concerns about privacy and illegal and dangerous use of drones. Security, besides safety, is essential for the public acceptance of flying with drones. SECOPS (an integrated SECurity concept for drone OPerationS) contributes to the public acceptance by ensuring that security risks in U-space are mitigated to an acceptable level, with a focus on cyber security. Secure drone operations cannot be achieved by security mitigation measures on drones alone. It has to be a combination of different security functions at different levels in the drone end-to-end system, managed by a dedicated set of procedures and supported by clear regulations. These aspects are addressed by the SECOPS ‘Integrated Security Concept’. By assessing and prioritizing potential security risks, this Integrated Security Concept defines requirements for U-space and proposes potential security controls. Some parts of the Integrated Security Concept were verified by a demonstration.
To define an Integrated Security Concept for U-space it is necessary to identify the security risks of a successful attack based on likelihood and impact. Because the focus of SECOPS is cyber security the impact is defined as the extent to which a loss of confidentiality, availability or integrity of a U-space service affects the U-space operations. When the risks are not acceptable security controls shall be identified to mitigate the risk to an acceptable level.
A security risk assessment is an iterative process. Three iterations were foreseen using the Security Risk Assessment methodology for SESAR 2020. The purpose of the first iteration was to identify the risks of the U-space concept as known by the partners at that time, assuming that no security controls or mitigation measures were in place. To focus the effort so effectively as possible, so-call Feared Events were introduced to identify the security critical services. A feared event is an event that harms a primary asset such as information or a service, occurs as a result of the exploitation of one or more vulnerabilities, and may lead to not achieved business goals. This resulted in an overview of risks per threat combination, which were classified as low, medium or high. This information was used to identify the security gaps considering that all risks classified as medium and high needed to be mitigated. For each of these gaps, security controls were defined and the risks were determined for the security critical services.
Based on the feared events and identified security controls, a preliminary Integrated Security Concept for U-space was designed. First the relevant security controls were described for each Feared Event, which were transformed into security controls requirements per Feared Event. Hereafter these requirements were consolidated into requirements per service. Also, legal, regulatory, social and safety aspects were taken into account and analysed and a maturity assessment of the security controls was performed to determine the Technology Readiness Levels of technical solutions.
An experimental proof of concept integrating COTS technologies of the consortium partners was executed on June 24th 2019 at the Netherlands RPAS Test Centre (NRTC) in order to demonstrate a preliminary version of the Integrated Security Concept. This experimental proof of concept is called the demonstrator. Objective of this demonstrator was to proof feasibility of parts of the Integrated Security Concept and co-operability of the more mature technical solutions. Based on the demonstrable feared events and security controls, considering the available facilities and equipment and taking into account the given limitations this demonstration incorporated a drone detection system, a UTM interface to display detected drone positions on an air situation display and featured conflict detection, geo-fenced areas and a counter-UAS system. Recording of objective data on positions and weather, combined with several subjective observations demonstrated that rogue drones, conflicts and intrusion of geo-fenced areas can be detected and that counter-UAS action with a net-gun armed drone is possible with the current state-of-the-art of these systems. Several recommendations were made and the results were used as input for the final risk assessment.
The requirements of the preliminary Integrated Security Concept were used in a final risk assessment to assess the risk per service assuming security requirements were implemented. The final risk assessment resulted in 22 medium, and 15 low residual risks. The set of proposed mitigation measures for U-space is the final Integrated Security Concept and is represented by a set of SECOPS requirements mapped to U-space services and capabilities.
In its public ‘Final Project Results Report’ SECOPS identified several standardisation organisations that would benefit from the research done in the SECOPS project. In addition, SECOPS made several recommendations regarding the implementation of the Integrated Security Concept in U-space, continuation of security risk assessment and required activities in the next R&D phase to further mature the security concept.
A security risk assessment is an iterative process. Three iterations were foreseen using the Security Risk Assessment methodology for SESAR 2020. The purpose of the first iteration was to identify the risks of the U-space concept as known by the partners at that time, assuming that no security controls or mitigation measures were in place. To focus the effort so effectively as possible, so-call Feared Events were introduced to identify the security critical services. A feared event is an event that harms a primary asset such as information or a service, occurs as a result of the exploitation of one or more vulnerabilities, and may lead to not achieved business goals. This resulted in an overview of risks per threat combination, which were classified as low, medium or high. This information was used to identify the security gaps considering that all risks classified as medium and high needed to be mitigated. For each of these gaps, security controls were defined and the risks were determined for the security critical services.
Based on the feared events and identified security controls, a preliminary Integrated Security Concept for U-space was designed. First the relevant security controls were described for each Feared Event, which were transformed into security controls requirements per Feared Event. Hereafter these requirements were consolidated into requirements per service. Also, legal, regulatory, social and safety aspects were taken into account and analysed and a maturity assessment of the security controls was performed to determine the Technology Readiness Levels of technical solutions.
An experimental proof of concept integrating COTS technologies of the consortium partners was executed on June 24th 2019 at the Netherlands RPAS Test Centre (NRTC) in order to demonstrate a preliminary version of the Integrated Security Concept. This experimental proof of concept is called the demonstrator. Objective of this demonstrator was to proof feasibility of parts of the Integrated Security Concept and co-operability of the more mature technical solutions. Based on the demonstrable feared events and security controls, considering the available facilities and equipment and taking into account the given limitations this demonstration incorporated a drone detection system, a UTM interface to display detected drone positions on an air situation display and featured conflict detection, geo-fenced areas and a counter-UAS system. Recording of objective data on positions and weather, combined with several subjective observations demonstrated that rogue drones, conflicts and intrusion of geo-fenced areas can be detected and that counter-UAS action with a net-gun armed drone is possible with the current state-of-the-art of these systems. Several recommendations were made and the results were used as input for the final risk assessment.
The requirements of the preliminary Integrated Security Concept were used in a final risk assessment to assess the risk per service assuming security requirements were implemented. The final risk assessment resulted in 22 medium, and 15 low residual risks. The set of proposed mitigation measures for U-space is the final Integrated Security Concept and is represented by a set of SECOPS requirements mapped to U-space services and capabilities.
In its public ‘Final Project Results Report’ SECOPS identified several standardisation organisations that would benefit from the research done in the SECOPS project. In addition, SECOPS made several recommendations regarding the implementation of the Integrated Security Concept in U-space, continuation of security risk assessment and required activities in the next R&D phase to further mature the security concept.
For the protection of third parties many technical developments are ongoing. They all fill in a need in the concepts of detection, classification, identification and neutralisation of drones. They all have in common that their aim is to detect and neutralise drones and this requires equipment to be at or near a specific location that needs to be protected. SECOPS looked at these concepts in a broader scope and analysed how these techniques can cooperate together and can be combined with the concept of geo-fencing, in order to preserve secure drone operations. In addition, SECOPS analysed the needed protection of a drone itself. SECOPS investigated security requirements for U-space and combined them into an Integrated Security Concept, taking also legal, regulatory and social aspects into account. The Integrated Security Concept developed and demonstrated within SECOPS will make drone operations more secure, which is an important enabler for drone-related market growth. In addition, the Integrated Security Concept will help in increasing public acceptance of drones by reducing third party risk.