Multiple Security Domain Nondeducibility Air Traffic Surveillance Systems
Traditional security models partition the security universe into two distinct and completely separate worlds: high and low level. This partition is absolute and complete. More complex situations, such as those that arise in cyber-physical systems (CPS), are better treated as sets of increasingly more secure domains. In a CPS, security partitions often overlap and the high-low distinction does not hold well. This paper utilizes Multiple Security Domain Nondeducibility (MSDND) as a model to determine information flow among multiple partitions, such as those that occur in a CPS. MSDND is applied to selected aspects of Automatic Dependent Surveillance-Broadcast (ADS-B) air traffic surveillance system under various physical and cyber security vulnerabilities to determine when the actual operational state can, and cannot be, deduced. It is also used to determine what additional information inputs and flight physics are needed to determine the actual operational state. Several failure scenarios violating the integrity of the system are considered with mitigation using invariants.
A. Thudimilla and B. M. McMillin, "Multiple Security Domain Nondeducibility Air Traffic Surveillance Systems," Proceedings of the 18th IEEE International Symposium on High Assurance Systems Engineering (2017, Singapore), pp. 136-139, IEEE Computer Society, Jan 2017.
The definitive version is available at https://doi.org/10.1109/HASE.2017.29
18th IEEE International Symposium on High Assurance Systems Engineering, HASE 2017 (2017: Jan. 12-14, Singapore)
Keywords and Phrases
Cyber-Physical; Integrity; Monitor; Nondeducibility
Article - Conference proceedings
© 2017 IEEE Computer Society, All rights reserved.