14 Copyright © 2009 Open Geospatial Consortium, Inc.
UAV sensors are only registered with a SPS to allow tasking. In order to obtain the produced imagery, a SOS is used.
After the administrator has registered all relevant sensors with the appropriate Sensor Web Services, the setting up of the sensor web instance can begin.
Figure 1: Registration of sensors with a CSW and a Sensor Web Service
5.3.3 Sensor Web Services Find/Bind
During the interactions in this scenario, an administrator searches available catalog services to find applicable services for configuring a sensor web to fulfill particular needs. For the airport fire use case, fire detection sensors and smoke sensors are required. The administrator would link the associated Sensor Planning Services (SPS) and Sensor Alert Services (SAS) into their own portal to enable sensor configuration and subscription for fire and smoke alerts for operators.
The administrator would further configure sensors via specific interfaces provided by the SPS to accommodate specific needs. For example, the administrator would set the threshold for the smoke detectors to reflect aspects specific to the local environment.
5.3.4 Processing
The actors in this scenario are the operators at the FRDO-SD, who are the consumers of the information that the instance of a sensor web is producing. Operators with specific
clearance will receive classified alerts, and operators with specific rights will be able to task available UAV sensors via the SPS interface. They will also have access to different SOS providing air pollution information and the imagery produced by a UAV.
For the purpose of discussing security aspects in a later section of the ER, two different communication patterns can be identified within this scenario:
- The request/response communication pattern that is used by operators to configure and task sensors via a SPS or to subscribe for alerts at a SAS.
- The notification communication pattern, where a SAS is broadcasting alerts to all subscribed users. If the SPS EO profile is used, it will also notify operators after certain operations have completed.
Figure 2: Request/Response Communication initiated by the user
Figure 3: Notification Communication initiated by the service
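The following sketch is an added example, not part of this Engineering Report or of any OGC specification. It shows where the access decision sits in each of the two patterns: per request at the SPS, and per recipient at publish time at the SAS. The class names, the `Directory` identity store, the classification levels and the operators are all hypothetical, constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification levels (assumption); a higher number dominates.
LEVELS = {"unclassified": 0, "restricted": 1, "secret": 2}

@dataclass
class Operator:
    name: str
    clearance: str = "unclassified"
    can_task: bool = False  # right to task UAV sensors via the SPS

class Directory:
    """Hypothetical identity store consulted by both services."""
    def __init__(self, operators):
        self.ops = {o.name: o for o in operators}
    def get(self, name):
        return self.ops.get(name)

class SPS:
    """Request/response: the user starts the exchange, so check each request."""
    def __init__(self, directory):
        self.directory = directory
    def task(self, name, sensor_id):
        op = self.directory.get(name)
        if op is None or not op.can_task:
            return "denied"
        return "accepted:" + sensor_id

class SAS:
    """Notification: the service starts the exchange, so it filters recipients
    at publish time; holding a subscription is not treated as authorization."""
    def __init__(self, directory):
        self.directory = directory
        self.subscribers = []
    def subscribe(self, name):
        if self.directory.get(name) is not None and name not in self.subscribers:
            self.subscribers.append(name)
    def publish(self, classification):
        need = LEVELS[classification]
        current = (self.directory.get(n) for n in self.subscribers)
        return [o.name for o in current if o and LEVELS[o.clearance] >= need]

# Constructed operators for the airport fire use case.
directory = Directory([Operator("alice", "secret", can_task=True),
                       Operator("bob", "restricted")])
sps, sas = SPS(directory), SAS(directory)
for n in ("alice", "bob", "mallory"):
    sas.subscribe(n)
```

Because `publish` looks up the current operator record instead of a copy taken at subscription time, lowering an operator's clearance takes effect on the next alert without touching the subscription list.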
6 Identifying applicable Requirements for a Secure Sensor Web
The US Department of Defense describes in its 1985 release of the TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC), also known as “The Orange Book”, requirements, certification classes and evaluation criteria for trusted, non-distributed systems.
For a distributed system, ISO defines security frameworks and provides security-specific requirements in its 10181 series, called “INFORMATION TECHNOLOGY – OPEN SYSTEMS INTERCONNECTION – SECURITY FRAMEWORKS FOR OPEN SYSTEMS” (see [1]). In order to get a complete picture, definitions from ITU X.800 (see [67]) are also mandatory, as they are used in 10181.
Any approach to describing a secure system requires determining requirements and their applicability, in order to firmly define what “secure” means and which parts of the entire system it affects. For the purpose of this Engineering Report, we define “secure” in close relationship to The Orange Book. For secure computer systems, the Orange Book states that
“secure systems will control, through use of specific security features, access to information such that only properly authorized individuals, or processes operating on their behalf, will have access to read, write, create, or delete information.” [3] It further defines six different types of requirements that can be implemented in different ways to assert trusted behavior compliant to different classes.
The Orange Book mainly targets securing a computer system through requirements and evaluation procedures for operating systems. It is therefore not directly usable for securing the Sensor Web, as it is an open and distributed system based on a Service Oriented Architecture (SOA). So the question arises how the requirements and implementations of assurance classes from The Orange Book can be mapped to the target architecture. In general, however, the property of the system being either distributed or service oriented shall not have any impact on the security definition from The Orange Book, as cited above. An answer to the question about applicable requirements for distributed systems is given in ISO 10181 (all parts). For a Service Oriented Architecture, [66] defines “tailored” requirements based on ISO 10181, specific to net-centric systems.
6.1 Introduction to TCSEC “The Orange Book”