Resilience best practices in the aviation field


1 Resilience best practices in the aviation field
- ERNCIP Workshop - Matias KREMPEL, 27 April 2016

2 Matias Krempel
Business Graduate (Dipl.-Betriebswirt)
- 10 years banking industry: System development & operations
- 6 years IT industry: Consulting & Project Management
- 22 years DFS German Air Traffic Control: Project & Security Management, Process & Quality Management, Crisis & Contingency Management

External activities
- Member of SESAR definition and development phase
- Convenor of CEN TC 377 WG 1 (ATM Cyber Security)
- Member of National Critical Infrastructure Working Groups
- German Armed Forces Reserve (LTC)

3 Lessons from the Times of Sailing Ships
- Consider all hazards („TAHOI“)
- Run the company and their ships as functional systems
- Consider the life cycle
- Maintain proper trade-offs
- A holistic view

The ship as a socio-technical (functional) system (BITOP) with the overall Building, the Information, the Technical Systems installed, the Organisational structures and rules and the People.

The Hazards (TAHOI):
- Technical Failures (due to weaknesses in construction)
- Acts of God (notably in terms of bad weather)
- Human Error (lack of experience, untrained staff)
- Organisational Weakness
- Intentional acts (pirates, war, mutiny)

Dimensions of resilience:
- Overall construction
- Information (in terms of intelligence to avoid dangerous routes)
- Spare parts for repairs, guns for self-defence
- Organisation (emergency procedures, watch system vs. all hands for endurance)
- People (specialists for repairs, multi-role training)

Trade-offs: security vs. commercial aspects in ship building and operations, special security forces (Bombay navy).

Complementary aspects of safety and security in resilience, e.g. in terms of repair capabilities.

ISPRA 2016

4 Air Traffic – Element of the Transport Sector
Passengers, Cargo
Priorities? Cross-cutting effects?
Safety, Capacity

Cross-cutting effects
+ with other transport infrastructures (example: training)
+ local effects of failures of airports
+ dependency on other critical infrastructures (notably telecom and energy)

5 Resilience in Aviation
- Safety view: „Avoiding harm to people“
- Security view: „Surviving attacks“
- Capacity view: „Maintaining Critical Services“

Organisation, Upstream, Design, Maintenance, Downstream, Technology

„Managing the Risk Appetite“?

6 Resilience & Accident Analysis & Risk Assessment methodology
- Systematic, since 2009: FRAM, STAMP
- Organisational, since 1980: MORT, STEP, MTO, TRIPOD, CREAM, MERMOS, AcciMap
- Human Factor, since 1930 / 1980: (Domino), Swiss cheese, HPES, HERA, TRAEr, AEB
- Technical, since 1950: i.e. FMEA, HAZOP, Fault tree, FMECA

A (new) challenge: integrating safety & security

7 The Operational View: Phases of a Flight

8 The Technical View - ATM & CNS Systems
Command & Control Sensors & Actors

9 The Technical View - ATM & CNS Systems

10 Resilience - Communication
Technical
- Multiple redundancy & diversity

Organisational
- Formalized communication procedures
- Readback / Retransmission
- Procedures for communication failure situations (COMLOSS)

11 Resilience - Navigation
Technical
- Diversity of sensors (ground & space based)

12 Resilience - Surveillance
Technical
- Overlapping of sensors
- Meshing of sensor networking

Organisational
- Controlled reduction of service
- Airspace capacity reduction
- Adjustment of maintenance schedules

13 Resilience – Command & Control
COMMUNICATE – NAVIGATE – AVIATE

Technical
- Fall-Back-Systems
- Aiding-Failing units
- Safety Nets

Organisational
- Capacity reduction
- Organisational Fallback
- Crisis management

Humans
- Emergency & crisis management training
- Staff management

14 ARIEL – An Air Traffic Resilience Project
- Coping with complexity in resilience
- Structured Threat Information Expression (STIX™)

15 Outlook: Drones - „game changers“?
Is there an ethical dimension of resilience?

16 There is nothing new under the sun
Kohelet

17

18 Backup slides (provided a different focus is needed)

19 Air Traffic Management - Architectural Elements
Capability Layer
- Story Board Step: The operational step defined in the concept story board.
- Validation Target: The overall contribution to the high level (ECAC) network performance targets set in the first edition of the ATM Master Plan.
- Capability: The ability of one or more of the enterprise's resources to deliver a specified type of effect or a specified course of action to the enterprise stakeholders.

Operational Layer
- Node: A logical entity that performs Activities. Nodes are specified independently of any physical realisation. (Includes a Node: Crisis Management.)
- Role: An aspect of a person or organisation that enables them to fulfil a particular function.
- Activity: A logical process, specified independently of how the process is carried out.
- Information Exchanges: Describes the need for actors to deliver and receive information and information products.
- Information Element: A formalized representation of information.
- Information Entity: A definition (type) of an item of interest.

Service Layer
- Service: The contractual provision of something (a non-physical object), by one, for the use of one or more others (see SWIM Services).
- Service Function: (not defined yet)
- Service Interface: (not defined yet)
- Data Element: A formalised representation of data.

System Layer
- Capability Configuration: A combination of Roles and Systems configured to provide a Capability derived from operational and/or business need(s) of a stakeholder type.
- System: A collection of technical components organized to accomplish a specific function or set of functions.
- Functional Block: A grouping of functions within a System that are assembled to assist in the conducting of one or more Operational Activities.
- Resource Interaction: A relationship specifying the need to exchange data between Capability Configurations.
- System Port: An interface provided by a System. A System Port Connector asserts that a connection exists between two System Ports.

Programme Layer
- Project management: A temporary endeavour undertaken to create a unique product, service or result.
- Operational Focus Area: A limited set of dependent operational and technical improvements related to an Operational sub-package, comprising specific interrelated OIs designed to meet specific performance expectations of the ATM Performance Partnership.
- Operational Improvement Step: The elementary level of an operational improvement. The EATMA portal currently contains only SESAR Story Board Step 1 information.
- Enabler: New or modified technical system/infrastructure, human factors element, procedure, standard or regulation necessary to make (or enhance) an operational improvement.

20 Challenges in the aviation age

21 Potential Impacts (SESAR)
Impact areas:
- Personnel: Stress, minor injury, …, fatality
- Capacity: Reduction, loss
- Performance: Reduction, loss
- Economic: Financial loss
- Branding: Reputation
- Regulatory: Breach of requirement
- Environment: Impact on environment

Impact of a Security Failure

The potential impact of a failure in security is broad. Several impacts may be realised simultaneously.
- Personnel: Ranges from discomfort, minor injury, through to one or more serious injuries or fatalities.
- Capacity: A minor reduction in system capacity through to a complete loss of service. No aircraft in the sky.
- Performance (including other KPAs): Minor system quality issues through to major quality issues which render multiple, major systems inoperable.
- Economic: Minor loss of income through to bankruptcy.
- Branding: Reputational loss for one or more stakeholders or for ATM as a whole. For example, a change in the perceived risk of flying in the general public could reduce the number wishing to fly.
- Regulatory: A failure to comply with legal or regulatory requirements could result in legal or financial consequences.
- Environment: Ranges from insignificant or short-term impact on the environment through severe pollution with long-term impact, to catastrophic impact.

(Obtained from SESAR ATM Security Risk Assessment Methodology, Ed , 24th January 2012).

22 Risks – Security - Safety

23 Treatment

24 Resilience Recovery Response Continuity Response Emergency Response
[Figure: timeline around a Disruptive Incident at t = 0; time axis from Pre-incident to Post-incident; phases shown: Prevention, Preparedness, Emergency Response (initial response), Continuity Response (meet critical operational objectives), Recovery Response (meet ongoing operational requirements)]

Organizations must know how to prepare for and respond to unexpected and potentially devastating incidents. Organisational resilience requires pro-active preparation for potential incidents and disruptions to avoid suspension of critical operations or services, and to resume operations and services as rapidly as required by those who depend on them.
- Emergency Response: The initial response to a disruptive incident usually involves the protection of people and property from immediate harm.
- Continuity Response: Processes, controls and resources are made available to ensure that critical operational objectives continue to be met.
- Recovery Response: Processes, resources and capabilities are re-established to meet ongoing operational requirements.

(Source: ISO/PAS 22399: Incident Preparedness and Operational (business) Continuity Management (IPOCM))

25 ATM-Safety – Capacity - Financial Availability, Integrity
[Figure: security management overview, with the following elements]
- Services & Security
- Business Objectives: ATM-Safety – Capacity – Financial
- Risk Management Concepts
- Sec. Mgmt. Process; Services & Processes ("CNS/ATM", "PDCA")
- Security Management
- Architecture, Technology; Security Architecture
- Assets ("BITOP", "NEC")
- Security objective: Availability, Integrity, (Confidentiality) ("CIA")
- Security Risk Analysis: Threats ("TAHOI"), Vulnerabilities, Risks
- Options: Transfer, Avoid, Reduce, Accept ("TARA")
- Measures: Preventive, Reactive; Special Protection, Basic Protection; Emergency & Crisis mgmt; Contingency / Continuity
- Security-Systems

DFS Deutsche Flugsicherung GmbH, VY, Unternehmenssicherheitsmanagement

