What is C-BRAT™ NAS
The C-BRAT™ NAS features an extremely powerful risk analysis engine that evaluates security risk health profile for the National Airspace System (NAS). The tool can be used at any level including FAA Headquarters, NAS Organization, Region Headquarters, or an individual facility. The risk analysis uses targeted goals to provide optimum solutions for risk reduction activities.

cbratnasfig11

C-BRAT™ NAS provides three alternate methods for conducting risk analysis of a facility. It ensures uniform, standardized facility assessments without analyst bias. This allows a comparison of risk at different facilities using a single scale. It also allows the user to conduct what-if scenarios and integrate the risk from any combination of risk elements.
C-BRAT™ NAS Risk Classification
C-BRAT evaluates risk quantitatively, yet it has the capability to provide qualitative results. Sometimes management may prefer to have qualitative analysis reports. C-BRAT classifies risk in one of the following categories:
Category I – Extremely High Risk: Condition of Facility Security such that occurrence of a threat is extremely highly likely to cause loss of life or complete loss of mission capability for an extended period of time.

Category II – High Risk: Condition of Facility Security such that occurrence of a threat is highly likely to cause complete loss of mission capability for an extended period of time.

Category III – Moderate Risk: Condition of Facility Security such that occurrence of a threat is moderately likely to cause moderate impact on the capability of the facility to accomplish its mission for a short period of time.

Category IV – Negligible Risk: Condition of Facility Security such that occurrence of a threat is unlikely to result in any noticeable adverse impact on the capability of the facility to perform its mission.

cbratnasfig12
C-BRAT™ NAS Risk Attributes
C-BRAT™ NAS uses nine risk attributes (or elements) to assess the risk of a facility. Each element receives a risk score between 0 and 1. The overall risk for a facility is also scored between 0 and 1, and is a weighted average of each of the risk elements. Risk for each element is calculated in a separate module, as described below. User may use one, all, or any combination of risk attributes to conduct the analysis. Risk is calculated as the product of the vulnerability and criticality of each asset. The C-BRAT™ NAS algorithm uses a probabilistic quantitative risk approach and considers the relationship between threats, countermeasures and assets. A detailed discussion is presented later. The ten C-BRAT™ NAS risk attributes are described below:
Physical Security: – Provide protection of human life, safeguarding of mission critical operational infrastructure and violation of system integrity, either intentionally or unintentionally. Modules include Security of Personnel and Contracts, Limited Power System Security and Process Security.

Personnel Security: – Evaluates the overall facility security impact of personnel accessibility to various areas of a facility. It determines the level of security clearances required (based on background checks) per each task to achieve optimum facility security.

Structural Security: – Guards or protects facilities against adverse physical actions or calamities and to preserve government assets. Module includes Blast Security and related process security.

cbratnasfig13

Power System Availability Risk: – Provides prevention of the loss of facility (i.e. ARTCC) function(s) due to power outage. Module includes Electrical Power, UPS, Power Conditioning Equipment, Power Generators and related process security.

Information (INFOSEC) Security: – A composite of factors necessary to protect Federal Information Processing (FIP) systems and the information processed by preventing exploitation through interception, unauthorized electronic access and related technical intelligence threat, and to ensure authenticity. Module includes data exchange between both ground-to-ground facilities and ground-to-air, as well as related process security.

Telecommunications (COMSEC) Security: – System/Networks, services and concepts that constitute protective measures taken to deny unauthorized communication and to insure the authenticity of such communication. Module includes Automated Data Equipment and Automated Voice Equipment and related process security.

Environmental Impacts Risk: – The probability that a natural event, system induced condition or associated human/system component occurrence will result in loss or decrease of any NAS capability. Module includes environmental risk associated with day-to-day activity, special events and related security process.

New Equipment Implementation Risk: – The probability that the equipment including both hardware and software, when introduced into the NAS will operate without disruption of itself or any other components within the total system. Modules also include human errors, system operation training and related process.

Single Point Failure Risk: – The probability that the failure of any part, component, or equipment within the NAS will result in the loss or reduction of any NAS functionality, out of specification or human error, etc.

Maintenance Risk Index: – The probability that the failure of any part, component, or equipment within the NAS will result in the loss or reduction of any NAS functionality, caused by lack of maintenance of unmanned facility.

C-BRAT™ NAS provides two key features to the user. First, it provides a systematic quantitative way to conduct a cost-risk benefit analysis on any facility in the NAS. Second, it allows the user to conduct risk assessment of a facility in three different ways. The user may choose one of three ways to conduct a risk analysis: modifying the existing C-BRAT™ NAS facility database, entering a risk assessment report and extracting data for C-BRAT™ NAS risk analysis, and independent assessment using an AI-driven engine.
Facility Risk Analysis
C-BRAT™ NAS Vulnerability Assessment
Each C-BRAT™ NAS module performs a vulnerability assessment to determine not only the vulnerability of each asset to specific threats, but also to identify which specific measures will be most effective in eliminating those threats. User is provided advanced control to include other variables to influence vulnerability to meet specific need. The user may also choose to modify analysis parameters involved in the vulnerability calculation as a “sanity check.” This ensures that the risk results have real meaning, and are not dependent on a particular C-BRAT™ NAS calculation scheme.

cbratnasfig14
C-BRAT™ NAS Asset Criticality Assessment
C-BRAT™ NAS evaluates the asset criticality based on its functional importance towards its mission and the cost associated with the replacement dollar value. The evaluation criteria depend upon the type of asset being assessed. For example, a physical asset, such as a network switching hub or another piece of hardware, would be evaluated based on replacement value, spares availability and operations criticality. On the other hand, information assets would be evaluated for its likelihood to cause a system malfunction or shutdown if corrupted, and the availability of backup to restore the data. Replacement dollar value of a software asset would not generally be considered unless no backup data existed.

C-BRAT™ NAS Threat Frequency
C-BRAT™ NAS presently uses 100% threat frequency but the future versions are planned to have a database that contains actual threat frequency from past experience data. In addition, the user will have the ability to specify certain threats, as higher frequency for any facility believed to be a more likely target.

cbratnasfig15
C-BRAT™ NAS Software Description
C-BRAT™ NAS allows user to optimize the benefits with a given capital and sustaining budget. C-BRAT™ NAS is designed in the Oracle database environment. It implements Java for its APIs and GUIs. C-BRAT™ NAS uses state-of-the-art data mining and information extraction techniques because the existing data is qualitative and in a variety of non-uniform formats. C-BRAT™ NAS uses some of the following state-of-the-art key techniques: advanced unique mathematical algorithms, state machine using artificial intelligence (Fuzzy Logic and Neural Networks), data extraction and data fusion techniques. C-BRAT™ NAS allows users from all levels to quickly and efficiently perform their analysis getting real time results. C-BRAT™ NAS simplifies the decision making process while maintaining tight control of the required performance parameters and budget.
C-BRAT™ NAS Enhanced Data Visibility and Automation
The user may choose one of three ways to conduct a risk analysis:

  1. Modify existing data from assessments into risk database format.
  2. Enter raw assessment data and extract data for C-BRAT NAS risk analysis.
  3. Enter drawings and floor plans for existing facilities and perform an independent assessment using an AI-driven engine.

In the first approach, the user enters vulnerability data, layout data and text information directly into the calculation segment of the database. This data is modified and parsed primarily by the user as it is entered. Hence, it is difficult to reproduce the data back into its original form. The second option allows a complete document to be entered in a reproducible form. This data is then mapped to the risk calculation as appropriate. This alternative provides a systematic approach for handling information from various document formats. (This is the Universal Document Storage, or UDS, Module.)

The third method provides further enhancements to the analysis process. The C-BRAT™ NAS Layout Module is shown in Figure 6. This module allows the user to define the layout of a facility in the manner required for a security analysis. The Artificial Intelligence (AI) engine, currently under development, extracts the required layout data automatically from the available drawings to run an analysis. This engine will also extract countermeasure data and automatically provide a list of required countermeasures.

cbratnasfig16

The Layout Module will link to the Cost Module and the Checklist Module. The Cost Module stores unit costs and other information about the cost of countermeasures. It takes input from the Layout Module and provides the cost, based on GSA schedule, price indexing where appropriate, and other factors. For example, the Layout Module might identify that a new fence is required on the West Perimeter. The Layout Module sends the required length and type of fence to the Cost Module, which would calculate the cost and supply it to the risk calculation segment for the Cost-Benefit Analysis.

cbratnasfig17

The Checklist Module contains all of the requirements for facility security from FAA Order 1600.69 and other documents. The user can generate a checklist to see all of the vulnerabilities in a facility that need to be addressed, as well as those areas that are not vulnerable. The user can also generate data checklists, to indicate whether the database requires any further data in order to conduct a risk analysis for any given facility. Checklists are invaluable for a manager responsible for follow-up on security and risk-related issues.
C-BRAT™ NAS Cost-Benefit Analysis
C-BRAT™ NAS provides guidance in apportioning funds. This is the Cost-Benefit function of the tool. In order to perform a Cost-Benefit Analysis, one needs a cost and a benefit. Each required action, countermeasure or safeguard reduces risk by addressing a risk contributor (vulnerability). Each has an associated cost to implement. The benefit is a direct quantitative measure of the portion of the overall facility risk that is removed by implementing a countermeasure or safeguard.

C-BRAT™ NAS normalizes all of the risk elements at the facility level, putting them all on the same scale so that the overall risk of a facility can be broken down into contributing factors. A manager or other user gains immediate insight into the specific vulnerabilities and high risk items that have the most impact on the total risk of a facility. No other tool available is able to combine the different risk elements into the same analysis. This allows a manager to determine how to best disburse his or her available funds between different risk elements. This can be invaluable in determining how to apportion a facility’s budget among Physical Security, Information Systems Security and other risks.

cbratnasfig1

The same capability is provided at region and NAS levels. Risk of each facility and its vulnerabilities is rated on a normalized scale. This allows a direct comparison from Facility A to Facility B. This means that if a certain vulnerability in Facility A has a higher risk contribution than any vulnerability in Facility B, then it really is a higher risk and must take priority. This result sounds simple, but it is an important and unique feature of C-BRAT™ NAS. This allows a region-level manager to determine proportion of funds to allocate to various facilities. This also provides NAS-level managers with a way of determining fund allocation among different regions or facilities. Thus, the risk at each facility is considered in view of the entire NAS.
C-BRAT™ NAS Analysis Output
Fig. 2 – Provides an overall status of all or selected facilities to evaluate and combine overall risk. The button mapping view provides a graphic representation of all the NAS facilities.

cbratnasfig2

Fig. 3 – ws the user to conduct a cost-benefit risk analysis, either investment-based or risk-based. In the investment-based mode, the user is allowed to put available capital and sustaining investment, applied to integrated NAS or selected regions. C-BRAT™ NAS allocates these funds into the appropriate regions for optimal risk reduction. In the risk-based mode, the user can define the acceptable risk category. C-BRAT™ NAS will then evaluate the investment required to reach that level.

cbratnasfig3

The result button provides the user the necessary investment required in each of the selected regions as shown in Figure 4.

cbratnasfig4

In the investment-based mode, when the investment is not sufficient to improve the facility risk from one risk category to the next, it provides a percentage improvement made. The mapping view button is the same as described in Figure 2, which provides a geographical view of risk across the NAS. The summary button provides a summary report of the results described above, as shown in Figure 5.

cbratnasfig5

One of the most important features of the C-BRAT™ NAS analysis is its adaptive learning risk analysis module, as shown in Figure 6. An electronic facility map is analyzed via knowledge-based tool to extract the information to conduct an independent risk analysis and provide and provide risk mitigation tools along with the necessary investment for those activities.

cbratnasfig6

Figure 7 below shows a region-level investment analysis report. Once the C-BRAT™ NAS investment analysis apportions available funds, this report provides details on how that money is going to be used at various facilities to implement risk reduction activities. This is one of the many outputs available for the user.

cbratnasfig7
Conclusion
C-BRAT™ NAS is a powerful, state-of-the-art tool to manage NAS risk. C-BRAT™ NAS gives real-time status of the overall risk at NAS, region and facility levels, and integrates risk arising from the nine source attributes described above. C-BRAT™ NAS is the Total NAS Risk Management Tool. For more information about C-BRAT™ NAS, please contact: business@sti-inc.com