DescribeResultAccess operation Sensor Planning Service

46 Copyright © 2009 Open Geospatial Consortium, Inc.

Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: The adversary can use the taskID or the assignment parameters to exercise further attacks at any later time, e.g. the GetStatus, Cancel or RequestUpdate operation.
Reason: Espionage, Sabotage
Requirement: Confidentiality of the taskID in the response and the assignment parameters in the request.
Table 18: Record Submit request/response

Cause: ARP-Spoofing
Effect: User client will send Submit request to adversary’s SPS.
Result: User client will receive the response from the adversary’s SPS.
Scope: Application specific knowledge is required to "properly" respond to the request.
Example:
Likelihood: Low
Impact on Asset: No direct effect on asset as the actual sensor will not be tasked.
Impact on User: As the response is coming from the adversary’s SPS, the user will never be able to undertake the desired tasking of the actual sensor, because it is impossible to determine from the response that it was sent by the adversary’s SPS.
Potential: NA
Reason: Sabotage
Requirement: Authentication of SPS and authenticity of the response.
Table 19: Redirect Submit request

9.5.5 DescribeResultAccess operation

Asset: Information produced by a sensor provided by the SPS

Cause: Man-In-The-Middle
Effect: SPS will receive a request where to obtain production data for a fictitious taskID.
Result: User client might obtain fraudulent information where to access sensor production data.
Scope: Adversary has to have application specific knowledge. Furthermore, the adversary needs to know valid sensorIDs or taskIDs. This is required if the response of the SPS shall point to a data production of another entity. In order to gain information about completed tasks, the adversary must guess a proper taskID. This can be undertaken by exercising the "Create Submit request" attack and then invoking GetStatus.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Direct effect on use of the asset as the user obtains wrong access information, which prevents the user from retrieving the produced data. Depending on the goal of the attack, the adversary will change the request such that it results in an error. This would prevent the user client from obtaining the access information. If the goal is to give the user client the access information to another production, perhaps of another entity or an earlier production from the same entity, the change of the taskID needs to be "properly" done.
Potential: NA
Reason: Sabotage
Requirement: Integrity, Access Control: Only the owner of a task can request the information where to obtain the produced information. The rights management should be discretionary so that the owner of the task can decide whom to grant access to the information where the production data can be obtained.
Table 20: Modify DescribeResultAccess request

Cause: Man-In-The-Middle
Effect: User client will receive fraudulent information where to obtain sensor production data.
Result: User will use fraudulent access information.
Scope: Adversary has to have application specific knowledge and know how to "properly" modify access information for the "download" service.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: As the user client receives tampered information where to obtain the produced data, e.g. pointing to a service provided by the adversary, this attack can have an immediate effect on the use of the asset, as further interactions undertaken by the user rely on the information given by the adversary.
Impact on User: User might access fraudulent data in case of fraudulent service reference.
Potential: NA
Reason: Sabotage
Requirement: Integrity and Authenticity
Table 21: Modify DescribeResultAccess response

Cause: Adversary’s client is able to execute SPS
Effect: SPS will receive request from adversary’s client where to access sensor production data for a sensorID or a guessed taskID.
Result: Adversary’s client might obtain access information to sensor production data that belongs to assignments submitted by other entities.
Scope: Adversary has to have application specific knowledge and a valid sensorID or taskID.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Potential for a direct effect on asset exists if the adversary successfully deletes it.
Impact on User: The adversary might obtain the sensor production data and perhaps can delete it afterwards if the service provides such an operation. This would have an effect on the asset for all users.
Potential: Fetch the access information to production data of another entity.
Reason: Espionage if the production data of another entity will be obtained. Sabotage if the production data of another entity will be tampered with or deleted.
Requirement: Authentication and Access Control to ensure that only a task owner can request the access information.
Table 22: Create DescribeResultAccess request

Cause: Eavesdropping and adversary’s client can execute SPS
Effect: Adversary’s client will send recorded DescribeResultAccess request.
Result: Adversary’s client will receive access information to obtain sensor production data.
Scope: No application specific information is required.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: For using the access information, some other knowledge is required how to succeed when using the access information.
Reason: Espionage, Sabotage
Requirement: None
Table 23: Replay DescribeResultAccess request

Cause: Eavesdropping
Effect: NA
Result: Adversary’s client will receive access information to obtain sensor production data.
Scope: No application specific information is required.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: For using the access information, some other knowledge is required how to succeed when using the access information.
Reason: Espionage, Sabotage
Requirement: Only authenticated users are allowed to request the access information and the response is confidential for the legitimate user.
Table 24: Record DescribeResultAccess request/response
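
One way to enforce the access-control requirement stated in Tables 20 and 22 (only the task owner, or someone the owner has granted, may obtain the access information), shown as an added example that is not part of the OGC report. The class and function names, identities and URL are hypothetical; callers are assumed to be already authenticated, and the random taskID is an added assumption.

```python
import secrets
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised identically for unknown and unauthorized taskIDs."""

@dataclass
class Task:
    owner: str                      # authenticated identity that submitted the task
    access_info: str                # where the production data can be obtained
    grantees: set = field(default_factory=set)  # identities the owner has granted

class ResultAccessPolicy:
    """Hypothetical server-side check; caller identities are assumed authenticated."""
    def __init__(self):
        self._tasks = {}

    def register(self, owner, access_info):
        # Random taskID (an added assumption) so a valid value is hard to guess.
        task_id = secrets.token_urlsafe(16)
        self._tasks[task_id] = Task(owner, access_info)
        return task_id

    def grant(self, caller, task_id, grantee):
        # Discretionary: only the owner may extend access to someone else.
        task = self._tasks.get(task_id)
        if task is None or caller != task.owner:
            raise AccessDenied("not authorized")
        task.grantees.add(grantee)

    def describe_result_access(self, caller, task_id):
        task = self._tasks.get(task_id)
        # Same error whether the taskID is unknown or merely not the caller's,
        # so probing with guessed taskIDs does not reveal which ones exist.
        if task is None or (caller != task.owner and caller not in task.grantees):
            raise AccessDenied("not authorized")
        return task.access_info

def outcome(policy, caller, task_id):
    """Return the access information, or the denial message, for one request."""
    try:
        return policy.describe_result_access(caller, task_id)
    except AccessDenied as exc:
        return f"denied: {exc}"

if __name__ == "__main__":
    p = ResultAccessPolicy()
    tid = p.register("alice", "https://data.example.org/alice/1")  # constructed values
    print(outcome(p, "alice", tid), outcome(p, "mallory", tid))
```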

9.5.6 GetFeasibility operation