Copyright © 2009 Open Geospatial Consortium, Inc.

Table 5 – Analysis Template

9.5 Sensor Planning Service

9.5.1 Identify the Assets

The definition of the asset for SPS is manifold: it includes the service as such, as well as the physical asset as it is operated by the service. As each operation has different effects on the service and/or physical sensor, the concrete asset is defined individually for each operation, prior to that operation's analysis.

9.5.2 Identify the Threats for GetCapabilities operation

Asset: Sensor metadata and Phenomena Offerings

Cause: Man-In-The-Middle
Effect: Client will receive fraudulent sensor metadata and/or phenomena offerings. This can include fictitious or removed offerings or an empty list of offerings (SensorOfferingList and/or PhenomenonOfferingList). The same is true for the sensor metadata.
Result: User client uses fraudulent sensor metadata and phenomenon offerings.
Scope: Attacker has to have service instance specific knowledge about the structure and the semantics of the Capabilities document in order to derive fraudulent information that is acceptable to the client but leads to erroneous interactions with the SPS.
Example: Assume the SPS provides a sensor that measures the temperature in Degree Centigrade for Munich, Germany. A simple modification could be to change Centigrade to Fahrenheit. Another possibility is to change the location of the sensor so that it is not reporting temperature for Munich, Germany (48.160131,11.580276) but for Munich, ND (48.666988,-98.834295).
Likelihood: Medium
Impact on Asset: None
Impact on User: Impact on the use of the asset, as the metadata available to the user has changed.
Potential: N/A
Reason: Sabotage
Requirement: Integrity
Table 6: Modify GetCapabilities response

Cause: Adversary’s client can execute SPS
Effect: Adversary’s client will send GetCapabilities request to SPS
Result: Adversary’s client will receive metadata about sensors and phenomena offerings.
Scope: Requires knowledge of how to create the GetCapabilities request
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: Important for exercising other attacks, as the metadata contains all sensorIDs that are served by the SPS.
Reason: Future Espionage, Sabotage, DoS
Requirement: None
Table 7: Create GetCapabilities request

Cause: Eavesdropping and adversary can execute SPS
Effect: Adversary’s client will send recorded GetCapabilities request to SPS.
Result: Adversary’s client receives SPS capabilities.
Scope: The attacker does not have to have any application specific knowledge.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: Important for exercising other attacks, as the metadata contains all sensorIDs that are served by the SPS.
Reason: Future Espionage, Sabotage, DoS
Requirement: None
Table 8: Replay GetCapabilities request

Cause: Eavesdropping
Effect: Adversary’s client will record GetCapabilities request/response to SPS.
Result: Adversary’s client receives SPS capabilities.
Scope: No application specific knowledge required to exercise this attack.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: Important for exercising other attacks, requiring sensorID as input.
Reason: Future Espionage, Sabotage, DoS
Requirement: Allow execution of GetCapabilities for authenticated users only and protect response with confidentiality to prevent unveiling of the metadata.
Table 9: Record GetCapabilities request/response
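The Integrity requirement of Table 6, sketched as an added example that is not part of the OGC document: the service tags the Capabilities document with HMAC-SHA256 over its canonical XML form, and the client discards any response whose tag does not verify. The element names, the sensorID, the pre-shared key and the choice of HMAC are assumptions made for illustration; the document states only the requirement, not a mechanism.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize, fromstring

# Constructed sample: a simplified stand-in for an SPS Capabilities document.
# Element and attribute names are illustrative, not the real SPS schema.
GENUINE = """<Capabilities>
  <SensorOfferingList>
    <SensorOffering sensorID="urn:example:sensor:temp-1">
      <Phenomenon uom="Centigrade">temperature</Phenomenon>
      <Location>48.160131,11.580276</Location>
    </SensorOffering>
  </SensorOfferingList>
</Capabilities>"""

KEY = b"constructed-demo-key"  # assumption: shared key provisioned out of band

def c14n(xml_text):
    """Canonical XML, so formatting-only differences do not change the tag."""
    return canonicalize(xml_text, strip_text=True).encode("utf-8")

def sign(xml_text, key=KEY):
    """Service side: HMAC-SHA256 tag over the canonicalized document."""
    return hmac.new(key, c14n(xml_text), hashlib.sha256).hexdigest()

def verify(xml_text, tag, key=KEY):
    """Client side: constant-time check; False means discard the response."""
    return hmac.compare_digest(sign(xml_text, key), tag)

def offerings(xml_text):
    """Map sensorID -> (unit, location) for every offering in the document."""
    return {o.get("sensorID"): (o.find("Phenomenon").get("uom"),
                                o.findtext("Location"))
            for o in fromstring(xml_text).iter("SensorOffering")}

def changed_fields(trusted_xml, received_xml):
    """Offerings altered, added or removed relative to a trusted copy."""
    a, b = offerings(trusted_xml), offerings(received_xml)
    return {s: (a.get(s), b.get(s)) for s in a.keys() | b.keys()
            if a.get(s) != b.get(s)}

if __name__ == "__main__":
    tag = sign(GENUINE)
    moved = GENUINE.replace("48.160131,11.580276", "48.666988,-98.834295")
    print(verify(GENUINE, tag), verify(moved, tag))
    print(changed_fields(GENUINE, moved))
```

The tag check covers all three modifications named in Table 6 (altered unit, altered location, removed or emptied offering list), while `changed_fields` is only a diagnostic for a client that still holds a trusted copy.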

9.5.3 Identify the Threats for DescribeTasking operation