Resilience best practices in the aviation field - ERNCIP Workshop - Matias KREMPEL 27. April 2016 1
10 years banking industry System development & operations Matias Krempel Business Graduate, (Dipl.-Betriebswirt) 10 years banking industry System development & operations 6 years IT-industy Consulting & Project Management 22 years DFS German Air Traffic Control Project & Security Management Process & Quality Management Crisis & Contingency-Management External activities Member of SESAR definition and development phase Convenor of CEN TC 377 WG 1 (ATM Cyber Security) Member of National Critical Infrastructure Working Groups German Armed Forces Reserve (LTC)
Lessons from the Times of Sailing Ships Consider all hazards („TAHOI“) Run the company and their ships as functional systems Consider the life cycle Maintain proper trade-offs A holistic view The ship as a socio-technical (functional) system (BITOP) with the overall Building, the information, the Technical Systems installed, the organisational structures and rules and the people The Hazards (TAHOI): Technical Failures (due to weaknessesin construction) , Acts of God (notably in terms of bad weather), Human Error (lack of experience, untrained staff), Organisational Weakness and Intentional acts (pirates, war, mutiny) Dimensions of resilience Overall construction Information (in terms of intelligence to avoid dangerous routes) Spare parts for repairs, guns for self defence Organisation (emergency procedures, watch system vs. All hands for endurance) People (specialists for reparis, multi role training) Trade offs: security vs. commerical aspects in ship building and operations, special security forces (Bombay navy) Complementary aspects of safety and security in reslience f.e. in terms of repair capabilities ISPRA 2016
Air Traffic – Element of the Transport Sector Passengers Priorities? Cross Cutting Effects? Safety Capacity Cross cutting effects + with other transport infrastructures (example: training) + local effects of failures of airports + dependency on other critical infrastructures (notably telecom and energy) Cargo ISPRA 2016
Resilience in Aviation Safety view: „Avoiding harm to people“ Security view: „Surviving attacks“ Organisation Upstream Design Maintenance Downstram Technology „Managing the Risk Appetite“? Capacity View: „Maintaining Critical Services“
Resilience & Accident Analysis & Risk Assessment methodology Systematic since 2009: FRAM, STAMP Organisational since 1980 MORT, STEP, MTO, TRIPOD, CREAM, MERMOS, AcciMap A (new) challenge: integrating safety & security Human Factor since 1930 /1980 (Domino) Swiss cheese, HPES, HERA, TRAEr, AEB Technical since 1950, i.e. FMEA, HAZOP, Fault tree, FMECA
The Operational View: Phases of a Flight ISPRA 2016
The Technical View - ATM & CNS Systems Command & Control Sensors & Actors
The Technical View - ATM & CNS Systems
Resilience - Communication Technical Multiple redundancy & diversity Organisational Formalized communication procedures Readback / Retransmission Procedures for communication failure situations (COMLOSS)
Resilience - Navigation Technical Diversity of sensors (ground & space based)
Resilience - Surveillance Technical Overlapping of Sensors Meshing of sensor networking Organisational Controlled reduction of service Airspace capacity reduction Adjustment of maintenance schedules
Resilience – Command & Control COMMUNICATE – NAVIGATE - AVIATE Technical Fall-Back-Systems Aiding-Failing units Safety Nets Organisational Capacity reduction Organisational Fallback Crisis management Humans Emergency & crisis management-training Staff management
ARIEL – An Air Traffic Resilience Project Coping with complexity in resilience Structured Threat Information Expression (STIX™)
Outlook: Drones - „game changers“? Is there an ethical dimension of resilience ? ISPRA 2016
There is nothing new under the sun Kohelet
Backup slides (provided a different focus is needed) ISPRA 2016
Air Traffic Management - Architectural Elements Capability Layer Story Board Step: The operational step defined in the concept story board. Validation Target: The overall contribution to the high level (ECAC) network performance targets set in the first edition of the ATM Master Plan. Capability: The ability of one or more of the enterprise?s resources to deliver a specified type of effect or a specified course of action to the enterprise stakeholders. Operational Layer Node: A logical entity that performs Activities. Nodes are specified independently of any physical realisation. (includes a Node: Crisis Management) Role: An aspect of a person or organisation that enables them to fulfil a particular function. Activity: A logical process, specified independently of how the process is carried out. Information Exchanges: describes the need for actors to deliver and receive information and information products Information Element: A formalized representation of information. Information Entity: A definition (type) of an item of interest Service Layer Service: The contractual provision of something (a non-physical object), by one, for the use of one or more others (see SWIM Services) Service Function: (not defined yet) Service Interface: (not defined yet) Data Element: A formalised representation of data. System Layer Capability Configuration: A combination of Roles and Systems configured to provide a Capability derived from operational and/or business need(s) of a stakeholder type. System: A collection of technical components organized to accomplish a specific function or set of functions Functional Block: A grouping of functions within a System that are assembled to assist in the conducting of one or more Operational Activities. Resource Interaction: A relationship specifying the need to exchange data between Capability Configurations. System Port: An interface provided by a System. A System Port Connector asserts that a connection exists between two System Ports. Programme Layer Project management: A temporary endeavour undertaken to create a unique product, service or result. Operational Focus Area: A limited set of dependent operational and technical improvements related to an Operational sub-package, comprising specific interrelated OIs designed to meet specific performance expectations of the ATM Performance Partnership. Operational Improvement Step: The elementary level of an operational improvement. The EATMA portal currently contains only SESAR Story Board Step 1 information. Enabler: new or modified technical system/infrastructure, human factors element, procedure, standard or regulation necessary to make (or enhance) an operational improvement
Challenges in the aviation age ISPRA 2016
Potential Impacts (SESAR) Stress, minor injury, …, fatality Personnel Reduction, loss Capacity Reduction, loss Performance Financial loss Economic Reputation Branding Impact of a Security Failure The potential impact of a failure in security is broad. Several impacts may be realised simultaneously. Personnel Ranges from discomfort, minor injury, through to one or more serious injuries or fatalities. Capacity A minor reduction in system capacity through to a complete loss of service. No aircraft in the sky. Performance (Including other KPAs) Minor system quality issues through to major quality issues which render multiple, major systems inoperable. Economic Minor loss of income through to bankruptcy. Branding Reputational loss for one or more stakeholders or for ATM as a whole. For example, a change in the perceived risk of flying in the general public could reduce the number wishing to fly. Regulatory A failure to comply with legal or regulatory requirements could result in legal or financial consequences. Environment Ranges from insignificant or short term-impact on the environment through severe pollution with long-term impact, to catastrophic impact. (Obtained from SESAR ATM Security Risk Assessment Methodology, Ed. 00.01.01, 24th January 2012). Breach of requirement Regulatory Impact on environment Environment
Risks – Security - Safety
Treatment
Resilience Recovery Response Continuity Response Emergency Response Disruptive Incident Recovery Response Meet Ongoing Operational Requirements Preparedness Continuity Response Meet Critical Operational Objectives Organizations must know how to prepare and respond to unexpected and potentially devastating incidents. Organisational resilience requires pro-active preparation for potential incidents and disruptions to avoid suspension of critical operations or services, and to resume operations and services as rapidly as required by those who depend on them. Emergency Response – The initial response to a disruptive incident usually involves the protection of people and property from immediate harm. Continuity Response – Processes, controls and resources are made available to ensure that critical operational objectives continue to be met. Recovery Response – Processes, resources and capabilities are re-established to meet ongoing operational requirements. (Source : ISO/PAS 22399:2007 - Incident Preparedness and Operational (business) Continuity Management (IPOCM)) Prevention Emergency Response Initial response Pre-incident t = 0 Time Post-incident
ATM-Safety – Capacity - Financial Availability, Integrity Services & Security Business Objectives ATM-Safety – Capacity - Financial Risk Management Concepts Sec.Mgmt. Process Services & Processes "CNS/ATM" "PDCA" Sicherheitsmanagement Security-Management Architecture Technology Security Architecture Assets "BITOP" "NEC" Security objective Availability, Integrity (Confidentiality) "CIA" Security- Risk Analysis Threats "TAHOI" Vulnerabilities Risks Options Transfer Avoid Reduce Accept "TARA" Measures Preventive Reactive Special Protection Basic Protection Emergency & Crisis mgmt Contin- gency/ Continuity DFS Deutsche Flugsicherung GmbH VY, Unternehmenssicherheitsmanagement-25 Security-Systems