Requirements and technical hypotheses for the system design Catherine Morlet & Andrea Santovincenzo

May 27, 2020


Overview

• Iris Requirements

• Capacity analysis

• Service provision area

• Approach to global deployment

• Security: aviation requirements


Iris Requirements


Capacity analysis – principles

• COCR (Communication Operating Concept and Requirements – joint FAA and Eurocontrol document) taken as baseline to determine requirements for the future data applications while applications are not yet defined (definition for the airport applications has started)

• Evaluation of the impact on the dimensioning of the system, especially:
– Capacity (= volume of information to transmit)
– Data rate (= speed at which the information is transmitted)
– Number of accesses (= number of simultaneous communications)
– EIRP per carrier at satellite level (= power consumption of the satellite)
– G/T of the satellite antenna (= size of the satellite antenna)


Capacity analysis – principles

The size of the antenna for the return link is driven by the user terminal peak rate. Whatever the volume of information, the size will be the same.

The payload mass + power is driven by the volume of information and the number of aircraft on the forward link, i.e. the number of carriers.


Capacity analysis – applications

• Air traffic growth based on Long Term Forecast published by Eurocontrol (4 different traffic growth options specified)

• All COCR communication applications (i.e. ATS and AOC)

• Various message sizes (as stated in COCR)

• Short messages with stringent latency requirements

• Reception and transmission are infrequent and not predictable

• Average throughput per aircraft is a few bps


Capacity analysis – applications

• Some uncertainties remaining on the definition of applications:
– Definition in COCR is a best guess of the future 4D concept, so the characterisation of each application (size, occurrence, delay requirement…) is an approximation
– AOC applications are not all safety-critical and not all aircraft flying IFR use AOC (in particular not all General Aviation aircraft)
– No surveillance applications considered, but position reporting, in particular in oceanic areas, is possible while there is no other means of communication

• As a result, options for the capacity to be supported by the system need to be considered


Capacity analysis – applications

• COCR has not been written for a satellite network infrastructure: the idea of multicast/broadcast is almost non-existent and refers to small geographical areas

• COCR doesn’t specify services in multicast/broadcast post 2020

• It could make sense to provide some services by broadcast or multicast in an operational environment, e.g. for a satellite spot beam

It is up to aviation to define the applications and operational concept


Capacity analysis – voice

• Voice will still exist and will be used in specific operational cases
– In oceanic or remote areas:
  » In case of emergency along the flight that cannot be handled by data communications
  » In case the 4D applications are not working (in the aircraft or on-ground) but the satellite technology is still up and running
– In continental airspace: as a last means of voice communication in case of unusual circumstances and when VHF is not working

Voice communications shall be a very small amount of the total data communications foreseen. Their volume depends on the quality of the voice required, and so on the vocoder technology and compression techniques.


Example of capacity analysis result

• Distribution of communication traffic depending on aircraft latitude
– Volume of traffic over the 6 peak hours
– Distribution as a function of the aircraft latitude (the higher the latitude, the lower the elevation angle of a GEO satellite seen from the aircraft, and the worse for getting good “quality” of the transmission):

ECAC area          FL - % Messages   RL - % Messages
70-75 deg. North   0.04              0.04
60-69 deg. North   2.56              2.57
25-59 deg. North   97.40             97.39


Geographical Coverage Requirement

The mandatory coverage region is the ECAC region that goes as far North as 73 deg and includes Canary Islands on the West and Azerbaijan on the East

Polygonal coordinates


ECAC Coverage from GEO

Above 73 deg the satellite elevation angle becomes too low to guarantee link availability. Polar coverage impossible.

Redundant ECAC coverage with sufficient elevation can be achieved by two satellites within the GEO long arc ~5 W to 5 E.

Figure legend: elevation angle, 5 deg to 55 deg


Polar Coverage

• Polar Coverage would require an additional constellation of at least three HEO (High Elliptical Orbit) satellites (up to 6 for redundancy).

• Present assumption is that this constellation and the associated Ground Segment are not part of the Iris programme

• However, in order to guarantee interoperability, the communication standard and the User Terminals developed within Iris will be compatible with a HEO system

• There are presently two planned future (2013-2016) HEO missions targeting ATC application:
– Polar Communication and Weather (PCW) mission from CSA (Canadian Space Agency)
– ARKTICA mission from Russia

• The Iris programme is looking at collaboration with both to ensure future interoperability


Visible Earth coverage

• From GEO about one third of Earth surface is visible

• In principle, a satellite global beam could provide coverage over Africa and extend coverage over the Atlantic and the Middle East which would benefit intercontinental flights

• This is presently studied as an optional add-on to the ECAC-only design of the satellite payload.

• Depending on the results of this analysis and the impact on the payload and satellite design, a decision will be taken to extend coverage beyond ECAC


Approach to global deployment

• It is assumed that the Satellite Communication System deployment will be gradual

A. In time
B. In coverage
C. In capacity

• Steps:
1. Deployment of pre-operational system with ECAC coverage only and possibly reduced capacity
2. Deployment of the operational system with full capacity and ECAC coverage + (possibly) global beam
3. Extension of the service: deployment of non-Iris HEO system(s) for polar coverage and/or deployment of/interoperability with other non-European regional systems (e.g. Navisat) or global systems

• Key to the success of this strategy is the ICAO standardisation of the communication standard


Airspace Coverage Requirements

P: primary
B: back-up

Present assumption on role of the Satellite System in the different airspaces

Future Communication Systems

Airspaces   Satellite Communication System   LDACS                AeroMACS
ORP         P                                NA                   NA
ENR         P                                P                    NA
TMA         P                                P                    NA
APT         TBD                              B (when available)   P


Security – principles

• Data security/protection shall be ensured to operate a safety system

• Steps to be followed:
– Identify threats
– Assess risk, based on threats, vulnerabilities and impact of a threat materializing into a successful attack
– Formulating security design requirements
– Designing countermeasures
– Assessing residual risk, iterating the process is necessary. Eventually, accepting residual risk


Security – principles

• Data security mechanisms are generally identified by the following concepts:
– Authentication
– Non repudiation
– Encryption
– Access control
– Integrity
– Jamming

• Most of the above techniques are linked to each other, and one technique can help mitigate risks for several aspects


Security – threats

• Security mechanisms to be implemented depend on the threats identified

• How to identify the threats?
– Who would try to get access to some data exchanges and for doing what?
– Who would try to exchange information with one or more aircraft or controller and for doing what?
– What are the physical entities to protect and against which attacks? (on-board the aircraft and on ground)


Security – link specificities

• Each link between 2 physical entities of the system requires its own protection since it has its own vulnerability(ies)
– User data: AOC may carry more confidential/commercial information than ATS
– Signalling data, e.g. for synchronising elements among themselves, is not sensitive but critical for the proper behaviour of the system
– Control and management data among physical elements of the satellite network may carry sensitive information (e.g. billing)
– Satellite operations rely on the telemetry and telecommand, which shall be protected


Security – aviation requirements

• Information exchanges shall be accurate
– “better no information than a wrong information”
– Calls for implementation of integrity for each radio technology to be used for air traffic management

• Information exchanges shall be done among authorised entities
– Calls for some authentication, access control and non-repudiation
– But is it the person to be identified? The physical box used for the transmission? The identifier of the flight and control tower?
– The solution can be internal or external to the satellite radio-link


Security – aviation requirements

• Information exchanges shall be fast and emergency communications possible with any flight or control tower
– Calls for NOT encrypting the emergency data information
– But for AOC there might be data not safety critical and commercial that would need encryption

• Information exchanges shall be of good “quality” i.e. fast and understandable
– Calls for some robustness to jamming by intentional or unintentional source which would use the frequency band where communication takes place to transmit other data or just noise

– The level of robustness is not determined today
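
An added example, not part of the original slides: one way to meet the integrity requirement while leaving emergency data unencrypted, as the two aviation-requirements slides ask, is to append a keyed tag to a cleartext frame and discard any frame whose tag fails. The frame layout, message classes, key and sample message are constructed assumptions; a shared-key HMAC gives integrity and origin authentication among key holders but not non-repudiation, and encryption of commercial AOC data is not shown.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not an Iris format):
# class (1 byte) | sender id (4 bytes) | payload length (2 bytes) | payload | tag (32 bytes)
HEADER = struct.Struct(">BIH")
TAG_LEN = hashlib.sha256().digest_size
EMERGENCY, ATS, AOC = 0, 1, 2  # hypothetical message classes


def seal(key: bytes, msg_class: int, sender: int, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; header and payload stay in cleartext."""
    body = HEADER.pack(msg_class, sender, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def read_cleartext(frame: bytes):
    """Parse a frame with no key at all: nothing here is encrypted."""
    msg_class, sender, length = HEADER.unpack_from(frame)
    return msg_class, sender, frame[HEADER.size:HEADER.size + length]


def accept(key: bytes, frame: bytes):
    """Return (class, sender, payload) only if the tag verifies, else None."""
    if len(frame) < HEADER.size + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # "better no information than a wrong information"
    msg_class, sender, length = HEADER.unpack_from(body)
    if length != len(body) - HEADER.size:
        return None  # length field disagrees with the authenticated body
    return msg_class, sender, body[HEADER.size:]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    frame = seal(key, EMERGENCY, 0x4CA123, b"MAYDAY ENGINE FAILURE FL350")
    print(read_cleartext(frame))          # readable by any receiver
    print(accept(key, frame))             # verified and delivered
    tampered = bytearray(frame)
    tampered[HEADER.size + 7] ^= 0x01     # one bit changed in transit
    print(accept(key, bytes(tampered)))   # None: dropped
```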


Contact points

ESA Iris Programme

[email protected]@esa.int

ESA Iris System Design Studies

[email protected] (System Engineer)
[email protected] (Communication System)
[email protected] (Iris Safety Board)
Tony Azzarelli (Regulatory / frequency matters)

Documentation available via www.telecom.esa.int/iris