
Electrical, Computer, Software and Systems Engineering - Daytona Beach, College of Engineering, 2013

Andrew J. Kornecki, Embry-Riddle Aeronautical University, [email protected]
Mingye Liu, Embry-Riddle Aeronautical University

Scholarly Commons Citation: Kornecki, A. J., & Liu, M. (2013). Fault Tree Analysis for Safety/Security Verification in Aviation Software. Electronics, 2(1). https://doi.org/10.3390/electronics2010041

Electronics 2013, 2, 41-56; doi:10.3390/electronics2010041
OPEN ACCESS, electronics, ISSN 2079-9292, www.mdpi.com/journal/electronics

Technical Note

Fault Tree Analysis for Safety/Security Verification in Aviation Software

Andrew J. Kornecki * and Mingye Liu
ECSSE, Embry Riddle Aeronautical University, Daytona Beach, FL 32114, USA; E-Mail: [email protected]
* Author to whom correspondence should be addressed; E-Mail: [email protected]; Tel.: +1-386-226-6888; Fax: +1-386-226-6678.

Received: 27 September 2012; in revised form: 15 January 2013 / Accepted: 21 January 2013 / Published: 31 January 2013

Abstract: The Next Generation Air Traffic Management system (NextGen) is a blueprint of the future National Airspace System. Supporting NextGen is a nation-wide Aviation Simulation Network (ASN), which allows integration of a variety of real-time simulations to facilitate development and validation of the NextGen software by simulating a wide range of operational scenarios. The ASN system is an environment including both simulated and human-in-the-loop real-life components (pilots and air traffic controllers). Real Time Distributed Simulation (RTDS), developed at Embry Riddle Aeronautical University, is a suite of applications providing low and medium fidelity en-route simulation capabilities and is one of the simulations contributing to the ASN. To support the interconnectivity with the ASN, we designed and implemented a dedicated gateway acting as an intermediary, providing logic for two-way communication and transfer of messages between RTDS and ASN, and storage for the exchanged data. It has been necessary to develop and analyze safety/security requirements for the gateway software based on analysis of system assets, hazards, threats and attacks related to the ultimate real-life future implementation. Due to the nature of the system, the focus was placed on communication security and the related safety of the impacted aircraft in the simulation scenario. To support development of safety/security requirements, the well-established fault tree analysis technique was used. This fault tree model-based analysis, supported by a commercial tool, was the foundation for proposing mitigations assuring the safety and security of the gateway system.

Keywords: national airspace system; simulation; safety; security; fault tree

1. Introduction

The early phases of the software development life cycle, which include description of the concept, requirements specification and design descriptions, are the foundation of the entire development project. The quality of the requirements and design documents has a significant impact on the remaining deliverables and the ultimate outcome of the project. Data in the NIST report [1] show that about 70% of defects are introduced in the requirements and design phases. It is quite costly to fix those defects due to the need for substantial rework from the beginning and through almost all life-cycle phases. The cost increases five- to thirty-fold when the defects are corrected in the subsequent phases of the lifecycle. From this perspective, requirements are the top factor in a project's success or failure.

The safety and security of a system is of primary concern for dependable systems in regulated industries like aerospace, medical, nuclear, transportation, etc. One needs to thoroughly analyze the hazards due not only to system failures, but also to external conditions caused by both benevolent and malicious events. The Fault Tree Analysis (FTA) technique is one of the most popular techniques applied in such scenarios. We applied FTA to the analysis of a component of the NextGen simulation. Appropriate FTA models have been built to develop safety/security requirements, and possible mitigation means have been proposed.

The paper is organized as follows. Section 2 describes the application domain. In Sections 3 and 4, we introduce safety, security and fault tree analysis concepts. Section 5 describes the details of the fault tree model. Section 6 describes simulation results and analyses using the selected tool. In Section 7, we present the resulting safety and security requirements and propose mitigation methods. The paper's main contribution is to show how application of the FTA technique leads to identification of safety and security requirements of the gateway and, subsequently, to proposing appropriate mitigations.

2. Application Domain

The Next Generation Air Traffic Management (ATM) system (NextGen), to replace the contemporary ground radar-based system, is a blueprint of the future National Airspace System (NAS) based on satellite navigation and advanced system interconnectivity [2].
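To make the FTA technique introduced in Section 1 concrete before the gateway itself is described, here is an added example (not from the paper or its authors) of the two core fault tree computations, minimal cut sets and top-event probability, applied to a small constructed tree for a simulation gateway of the kind this paper analyzes; every event name and probability in gateway_tree is an assumption, not the authors' model.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    """Fault tree node: a basic event (gate == "") or an AND/OR gate."""
    name: str
    gate: str = ""                      # "", "AND" or "OR"
    p: float = 0.0                      # failure probability, basic events only
    children: list = field(default_factory=list)

def cut_sets(node):
    """All cut sets: sets of basic events whose joint occurrence causes the node."""
    if node.gate == "":
        return [frozenset([node.name])]
    child_sets = [cut_sets(c) for c in node.children]
    if node.gate == "OR":
        return [cs for sets in child_sets for cs in sets]
    # AND gate: choose one cut set per child and take their union
    return [frozenset().union(*combo) for combo in product(*child_sets)]

def minimal_cut_sets(node):
    """Keep only the cut sets that contain no other cut set."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))

def probability(node):
    """Top-event probability, assuming independent basic events that are not
    shared between branches (true for gateway_tree below, not in general)."""
    if node.gate == "":
        return node.p
    acc = 1.0
    for q in (probability(c) for c in node.children):
        acc *= q if node.gate == "AND" else 1.0 - q
    return acc if node.gate == "AND" else 1.0 - acc

def gateway_tree(auth_missing=0.01):
    """Constructed tree (assumed events and probabilities, not the paper's
    model): a corrupted aircraft-state message is forwarded to ASN users."""
    return Node("corrupted aircraft state forwarded to ASN", "OR", children=[
        Node("gateway translation error", p=1e-4),
        Node("tampered message accepted", "AND", children=[
            Node("message modified in transit", p=1e-3),
            Node("no message authentication at gateway input", p=auth_missing)]),
        Node("stale message accepted", "AND", children=[
            Node("old message replayed", p=1e-3),
            Node("sequence/timestamp not validated", p=0.01)])])

if __name__ == "__main__":
    print([sorted(cs) for cs in minimal_cut_sets(gateway_tree())])
    print(f"P(top) = {probability(gateway_tree()):.4e}; "
          f"with authentication: {probability(gateway_tree(0.0)):.4e}")
```

Setting auth_missing to 0 models a mitigation (authenticating gateway input): the structural cut set remains, but its contribution to the top-event probability vanishes, which is the kind of comparison the paper draws when deriving requirements from the tree.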
One of the NextGen products is the Enhanced Traffic Management System (ETMS), designed to react to air traffic congestion and thus improve the efficiency of the system. The long-term transition plan is implemented in stages, with the final implementation planned for 2025. The NextGen Global Positioning System (GPS) technology is designed to save time and fuel, reduce delays, increase capacity and permit controllers to monitor and manage aircraft with greater safety margins. In June 2010, American and European authorities reached a preliminary agreement on interoperability between their future air traffic management systems, NextGen and its European equivalent, SESAR (the Single European Sky ATM Research), supporting the Single European Sky legislation [3].

NextGen consists of five elements [2]:

Automatic Dependent Surveillance-Broadcast (ADSB) will provide air traffic controllers and pilots with much more accurate information using Global Positioning System (GPS) satellite signals. Aircraft transponders receive GPS signals and use them to determine the aircraft's precise position in the sky and on the ground.

System Wide Information Management (SWIM) will provide a single infrastructure and information management system to deliver data to many users and applications, reducing the number and types of interfaces and systems.

Next Generation Data Communications will provide exchange of routine controller-pilot messages and clearances via data links, reducing the need for extensive voice communications, improving air traffic controller productivity and enhancing capacity and safety.

Next Generation Network Enabled Weather (NNEW) will provide a common weather picture across the entire national airspace system, fusing thousands of weather observations and sensor reports from ground-, airborne- and space-based sources.

NAS Voice Switch (NVS) will replace seventeen different voice switching systems in the NAS with a single air/ground and ground/ground voice communications system.

The NextGen system is a collaborative project of industry, government and academic entities. It is evident that development of such a complex system requires a great deal of preparation. One of the critical questions to ask is: "would it work?" To answer such a question, one needs to simulate and evaluate a variety of scenarios reflecting potential situations that may occur in the national airspace. The Aviation Simulation Network (ASN) allows collaboration within the aviation community, enabling integration of a variety of real-time simulations via the Internet.

Embry Riddle Aeronautical University (ERAU) is an academic partner in the NextGen Program. The NextGen ERAU Aviation Research Laboratory (NEAR Lab) is dedicated to supporting NextGen research. In the past, we developed Real-Time Distributed Simulation (RTDS), a suite of applications providing low and medium fidelity en-route human-in-the-loop (HITL) simulation capabilities contributing to the ASN. During simulation, RTDS generates and maintains two types of messages that can be shared with other simulation participants: messages defining the aircraft route (ETMS-route) and the aircraft state (ADSB-state). RTDS is one of many simulation components that are supposed to interact within the nation-wide ASN. ASN, following the object-oriented paradigm, defines two different dedicated types of messages, defining the flight (FlightObject) and the aircraft (AircraftObject). To support the interconnectivity with the ASN, we designed and implemented a dedicated ASN Gateway (ASNG) acting as an intermediary, providing logic for data translation, two-way communication and transfer of messages between RTDS and ASN, and storage for the exchanged data. The ASNG, designed and implemented as an artifact of an earlier project in the NEAR Lab [4], supports timely translation of the messages and, thus,