62 Copyright © 2009 Open Geospatial Consortium, Inc.

9.5.10 Summary of the Attacks

For all operations of the SPS it is required to ensure integrity of the request and the response to prevent attacks that modify the content. In order to prevent spoofing attacks, the SPS has to authenticate to the client.

The Create and Record GetCapabilities attacks unveil sensor metadata that is important information to the adversary for exercising other attacks. In order to mitigate the exploitation of the capabilities by an adversary, the GetCapabilities operation can be put under access control to ensure that only authenticated users can execute the operation and that the response (the capabilities of the SPS) is confidential to the identified user.

The Record DescribeTasking attack unveils assignment parameters that are valuable input for the adversary. To prevent future attacks based on that information, it is required to ensure confidentiality of the sensor URI in the request and of the assignment parameters in the response.

Attacks on the Submit operation require that the assignment parameters in the request and the taskID in the response are confidential. It is also important that the SPS associates the identity of the caller with the taskID, so that future operations on the task (e.g. Update or Cancel) are restricted to the owner. Attacks leveraging the GetStatus, Update and Cancel operations can be prevented if the SPS establishes access control that denies execution of these operations to entities other than the owner. Furthermore, it is required that the taskID in the request is confidential, except for the Cancel operation, so that it cannot be recorded by the adversary and misused in future attacks.

For the GetFeasibility operation it is required to ensure confidentiality of the assignment parameters and the sensor URI in the request and of the feasibilityID in the response, to prevent their misuse by the adversary in future attacks.

In order to prevent the misuse of assignment parameters that the adversary can obtain by leveraging the Create DescribeTasking attack, it is required that this operation can only be executed by authenticated users and that the assignment parameters in the response are confidential. The Create DescribeResultAccess request attack unveils information that lets the adversary obtain the sensor production data of other entities. In order to prevent this, access control shall ensure that only task owners can execute the operation. Confidentiality of the response shall ensure that the access information cannot be recorded by the adversary leveraging the Record DescribeResultAccess attack.

As the taskID and the feasibilityID are handles between different operations, it is important to keep them confidential. It is also important to create securely random taskIDs and feasibilityIDs to prevent guessing by the adversary.
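The owner-binding and unguessable-handle requirements summarised above, as an added example that is not part of the OGC document: a hypothetical Python access-control check for SPS operations. It assumes that the caller's identity has already been authenticated by the transport layer and that the registry API (`TaskRegistry`, `allowed`) is invented for illustration rather than taken from the specification.

```python
import secrets
from dataclasses import dataclass, field

# Operations the document restricts to the task owner.
OWNER_ONLY_OPS = {"GetStatus", "Update", "Cancel", "DescribeResultAccess"}
# Operations open to any authenticated caller (GetCapabilities included).
AUTHENTICATED_OPS = {"GetCapabilities", "DescribeTasking", "GetFeasibility", "Submit"}


class AccessDenied(Exception):
    """Same error for 'not authenticated', 'not owner' and 'no such taskID',
    so a caller cannot learn whether a guessed handle exists."""


@dataclass
class TaskRegistry:
    # Hypothetical server-side state (not the OGC spec's data model):
    # taskID -> identity of the caller that submitted it.
    tasks: dict = field(default_factory=dict)

    @staticmethod
    def new_handle() -> str:
        # 256 bits from the OS CSPRNG: a taskID (or feasibilityID) cannot be guessed.
        return secrets.token_urlsafe(32)

    def authorize(self, caller, op, task_id=None) -> bool:
        # 'caller' is the identity the transport layer established (assumed).
        if caller is None:
            raise AccessDenied(f"{op}: authentication required")
        if op in OWNER_ONLY_OPS:
            if self.tasks.get(task_id) != caller:  # unknown ID -> None -> denied
                raise AccessDenied(f"{op}: caller is not the task owner")
            return True
        if op in AUTHENTICATED_OPS:
            return True
        raise AccessDenied(f"{op}: unknown operation")

    def submit(self, caller) -> str:
        # Submit: mint an unguessable taskID and bind the owner identity to it.
        self.authorize(caller, "Submit")
        task_id = self.new_handle()
        self.tasks[task_id] = caller
        return task_id


def allowed(registry, caller, op, task_id=None) -> bool:
    """True/False wrapper around authorize() for callers that prefer not to catch."""
    try:
        return registry.authorize(caller, op, task_id)
    except AccessDenied:
        return False
```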

9.6 Sensor Observation Service