Airports are critical and complex systems that represent an excellent case study for establishing a flexible and reusable cyber security framework for risk mitigation. A complex system is made up of interacting components (agents) that adapt their behavior overtime in reaction to changes with respect to their environment and to each other . Within such infrastructures, absolute security does not exist, because it is unfeasible to protect the whole system against every possible threat that might occur, especially those due to human errors and IT cyber degradation events.
However the right use of cyber security best practices, the adoption of a cyclic and stratified Topdown investigative approach, the non-stop review of operating processes, the exertion of an appropriate cyber resilience plan, and the admission of staff training courses in order to raise employee awareness on security issues, can limit the likelihood of triggering events that could cause damage to people, structures, and assets, preventing them from experiencing economic losses or reputation damages.
The only viable solution is to establish a never ending procedure of cyber security improvement, providing a suitable trade off in terms of protection and usability, with the aim of merging it with common everyday practices, avoiding any kind of impact on the company mission.
In this investigation we will assess airport security using an emergent vision, inspired by the paradigms of stigmergy and swarm intelligence, in order to establish a capillary control of complex systems endowed with a chaotic, interconnected, sociotechnical and strongly dynamic-dependent nature, both from a physical and operational point of view. This research has the aim to minimize the risk related to airport weaknesses taking advantage of an analytical complex systems approach and of a continuous improvement in cyber resilience.
A complex system is any system whose evolution cannot be explained starting from the analysis of all the parts and the inputs that make it up. Conversely, a critical system is a system that must operate with a high level of reliability because its failure can cause serious damage to things, environment and people, often irreparable. Moreover another category of system must be taken into account, that of complicated systems, whose nature can be formalized as an intricate set of devices, protocols and procedures that are difficult to setup but which provide an absolutely predictable output. Airports are complex, critical and complicated systems. For this reason they represent an excellent testbed to face the development of a cyber security framework that works efficiently in such contexts. Moreover, within the Air Traffic Management (ATM) community, there is strong interest in cyber security, as demonstrated by the various research areas of the SESAR2020 project. Especially in view of the growing number of interconnections between landside and airside systems expected in the development of the next generation airports .
This paper starts by providing a brief explanation of the limitations of using a traditional approach to cyber security when dealing with a complex system. Section III discusses about a prototype of cyber security framework for securing critical and complicated systems. Section IV contains directions for a theoretical example of the use of artificial intelligence techniques applicable to the cyber security framework described above, with the aim of making it more suitable for the protection of complex systems. Finally, our conclusion follows in Section V.
The limitations of traditional cyber security approaches in complex environments
Cyber attacks are like pathogen infections and, as such, they can be the outcome of a combination of circumstances rather than the result of the exploitation of a standalone vulnerability. In other words, it is the “whole” of the circumstances and actions of the attackers that cause the damage . The problem is that traditional strategies like the divide et impera provide a strong focus on causality, but a complex system cannot be analyzed merely by understanding its parts . This is confirmed by the fact that despite the use of multiple layers of defensive cyber security approaches, cyber attacks still occur. In fact, the use of traditional techniques leads us to a paradox, as Turing has shown in his Halting problem of Undecidability, it is not possible to build a machine that can test another in all its cases, but to find all the faults and the vulnerabilities stored on it, we need to test the system totally. That is the reason why it is necessary to use a holistic approach in order to evaluate the emerging behavior of complex systems.
How to build a framework for risk mitigation in complicated and critical environments
Despite the limitations highlighted above, traditional cyber security techniques are at the heart of system security and, as such, they should not be omitted. In fact, an appropriate use of these techniques is enough to guarantee a high protection profile of critical and complicated infrastructures. In particular, if the set of cyber security best practices becomes part of the ongoing development of an infrastructure, it is possible to drastically reduce both the risk factor and the number of exploitable carriers by cyber threats through the adoption of a flexible, dynamic and well-structured framework.
The research work related to the safety of critical airport systems, carried out within the SESAR2020 project, was particularly fruitful in this context, maturing the development of a cyber security framework able to manage in time continuity the securing of critical and complicated systems, using a Top-Down analysis approach. This framework exploits the concepts consolidated by the main cyber security standards to actively intervene into the identification, protection, detection, response and recovery of all threats related to the cyber world. The construction and updating of these procedures, however, is the result of periodic investigations, reported in Fig. 1 by three main logical blocks: Cyber Security Audit, Risk Assessment and Cyber Resilience Review. The level of detail involved in these activities grows up as we go down from the top to the bottom, following a pyramidal structure. Performing these three tasks periodically means improving the status and capabilities of the framework under every aspect, providing new scenarios to consider, new countermeasures to be taken, new threats to be assessed and so on, establishing a continuous progress on the needs of the whole infrastructure.
a. Cyber Security Audit
Starting from a vision of the highest level, in which we are exclusively aware of the system as a whole without its parts, it is possible to undertake the cyber security audit task. Firstly, questionnaires are carried out to both operators and infrastructure managers in order to achieve the following purposes:
- to assess whether the best practices of cyber security are applied appropriately;
- to enumerate the sub-systems that make up the infrastructure;
- to identify the operational processes already in use;
- to increase the level of awareness on the risks related to cyber security to all the staff involved;
- to list the points of access to the system both a physical and digital point of view.
Secondly, a first analysis of the obtained results must be carried out, followed by an increasingly more detailed survey aimed at identifying the Primary Assets of the system on the one hand, and both the access control systems and the perimeter defense devices on the other hand. This information will constitute the input parameters of the tasks that follow, respectively the Risk Assessment and the Cyber R esilience Review. Meanwhile the scenarios emerged from the output of the Cyber S ecurity Audit task become part of the framework.
b. Risk Assessment
Historically, the objective of the Risk Assessment activity is to carry out a risk evaluation. The list of identified primary assets is input and a first priority measure is provided. Subsequently we associate each asset with the subsystems and the devices that may have a certain influence on it. Going even further into details, we identify the vulnerabilities related to all the support devices through the activities of Vulnerability Assessment and Penetration Testing. Finally we carry out an assessment of the risks associated both to the vulnerabilities and to the threats previously identified, providing a measured probability and determining their degree of acceptability. From this task, patch management operations, code reviews and targeted hardening processes will emerge, and these will strengthen the security measures used by the framework.
c. Cyber Resilience Review
Starting from the analysis of the configuration files of the access and perimeter defense devices, it is necessary to verify the level of resistance and robustness of the whole infrastructure. This task is called Cyber Resilience Review. We proceed with a thorough check of the countermeasures in place, as well as the functional testing of the detection, alarm, notification and prevention systems. Then move on to the verification of the disaster recovery plan which is used, trying above all to evaluate its efficiency, effectiveness and degree of redundancy. Finally, a deep control of the response systems must be carried out, examining both their flexibility and reaction times. An audit of this type should make the system able to “learn” from its mistakes, equipping the framework with new countermeasures, new operational processes and new response techniques that shape its evolution.
How to increase reliability by including a complexity-based approach into the previous cyber security strategy
The approach described above is perfectly able to manage a critical and complicated system, since it allows to reduce the following issues:
- human or procedural errors;
- risk vectors belonging to the system;
- number of successful attacks
Nevertheless this scenario is not enough to manage a complex system in the best way. Moreover, nowadays there are no sophisticated techniques that allow to manage complex infrastructures automatically. It is in this context that the idea of introducing artificial intelligence techniques can be applied to cyber security, with the aim of further reducing the possibility that attacks on the system are carried out, not because it is essential to protect a complex system, but mainly because these systems are critical and, as such, must be protected with the help of any means.
In the literature, it is possible to identify some examples of artificial intelligence application to cyber security, mostly theoretical, with the aim of making improvements to one or more of the following aspects :
- Situational Awareness;
- Risk Isolation;
Taking into consideration the framework presented in Fig. 1, we could think to equipping it with all these features, thus obtaining the diagram shown in Fig. 2. At a glance, it is clear that, two of the most immediate improvements deriving from artificial intelligence applied to cyber security insist on the activity of Cyber Resilience Review. This result is not the result of chance, in fact, the Cyber R esilience represents the versatile and adaptive engine of the entire infrastructure and, as such, is a complex system itself. Improving Cyber Resilience Review activity is the key to optimize the cyber threat mitigation process, taking advantage of a complex systems management approach. For example, we can consider biological systems, which represent an excellent sample of complex system, whose strength is characterized by their robustness to disturbances and changes. If this concept is abstracted, this is just another way of defining Cyber Resilience.
The introduction of swarm intelligence into the cyber security field, is a first example of the integration of artificial intelligence techniques in the field of adaptive investigation of the evolutionary behavior of a complex system. In this context, a viable strategy is to use a multi-level agent-based approach, designed to quickly and autonomously adapt to the management of anomalies that are detected, exploiting the semi-rationalization and selflearning characteristics of the agents, settled in a hierarchical arrangement, to interpret and correlate the events on a logic basis, in order to improve communication, interaction and intervention between the human operator and the system. The purpose of the hierarchical arrangement is to provide to humans a single point of influence that allows someone to enable multiple points of effect with a simple action .
a. A multi-layer swarm intelligence model
Starting from the last considerations, a well-conceived model is theoretically able to provide an immediate improvement in terms of system capacity in the operations of: detection, risk isolation, situational awareness and response. Fig. 3 shows an example of implementation of a multi-layer swarm intelligence-based analysis model, inspired by the hierarchical structure used by ants. This is a high-level scheme, but it provides a first idea of how to build such platform. At the lowest level of the hierarchy we find the workers, i.e. the systems for processing and collecting massive data, including log analyzers, IDS systems, cyber probes, automatic scripts that process or supply data, and so on. These workers must have the following characteristics: they must perform only simple operations, they must be able to communicate directly only with the upper level agents, they must be authenticated and they must be present in all the parts of the system. The communication between joint workers must be possible only in an implicit way, due to the detection of variations and anomalies that emerge from the observation of the surrounding environment, in full respect of the rules of stigmergy.
The intermediate layer must be careful to scrape the data collected by workers, using intelligent data analysis and correlation engines. This level has to take a first series of choices, which can be summarized as follows: generation of alarms to be passed to the higher level for further evaluation, management of direct interventions to block in real time the attacks in progress, and data filtering in order to discard superfluous notifications. At this level we can find the mid-level SIEMs (male ants), which perform the processing and correlation operations, and the IPS and/or EDR systems (soldier ants), which are concerned to intervene promptly on a threat. Theoretically, to make the analysis and correlation activity carried out at this level really efficient, all medium-level devices should be equipped with a self-learning engine.
At the top of the hierarchy we find the high-level SIEM (queen ant), equipped with an advanced data analysis and correlation engine, entirely based on an artificial intelligence brain, able to collect the alarms coming from the various medium-level SIEMs and to extrapolate from them clear, precise and georeferenced information to be passed to the human operator. The latter will have the responsibility to perform the last level of information filtering that will result in the application of a high-profile intervention process aimed at securing the infrastructure and therefore people safety. Finally it is good to note that not data but information is passed on to the human operator and it is an essential step in order to determine the right behaviour of the model.
The final aim of building and adopting a cyber security framework dedicated to the protection of complex, complicated and critical systems is to save people’s lives. The impact of a cyber attack on a critical system can be literally catastrophic, most often completely inadmissible, so it is important to invest in cyber security, in order to search for increasingly efficient strategies that could allow companies to identify and assess threats into a real time manner. Although there is no a definitive solution to all the cyber threats that may jeopardize the natural functioning of these systems, the main goal is to reduce the level of uncertainty linked to the manifestation of a freak as much as possible, by automating properly detection and correlation operations. In this way it would be possible to bring a simple and immediate result to the attention of the human operator. Formally, the introduction of artificial intelligence techniques in cyber security analysis strategies aims at summarizing at most the alert information received from the various devices that make up the system in order to enable the human operator to intervene promptly in safeguarding both people safety and system security.
- EDR – Endpoint Detection and Response
- IDS – Intrusion Detection System
- IPS – Intrusion Prevention System
- SIEM – Security Information and Event Management
Samuele Foni is a Cyber security System Engineer at Thales Group, involved in the research activity related to the SESAR2020 project. [email protected]
Luca Ronchini is a Security Expert at Thales Group with a grounded experience in IT infrastructures and management of complex architectures, networking and network security.