TY - GEN
T1 - Automatic Generation of Security Requirements for Cyber-Physical Systems
AU - Yu, Jinghua
AU - Wagner, Stefan
AU - Luo, Feng
N1 - Publisher Copyright:
© 2021, ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.
PY - 2021
Y1 - 2021
N2 - Security is one of the essential properties in Cyber-Physical Systems (CPS). Attacking systems like autonomous vehicles and health-care systems may lead to financial or privacy losses of stakeholders or even life threats. Security analysis, as an early activity in the system design, addresses security issues and identifies system vulnerabilities in advance to guide further security design. However, the security analysis is mostly performed manually requiring a high workload with human oversight. Besides, the manual analysis is not flexible for modification in later design stages and largely depends on expert knowledge and experience. Therefore, a new security analysis approach has been proposed in this paper to generate security requirements automatically, which is based on the System-Theoretic Process Analysis (STPA) framework and is applicable for data-flow-based CPSs. We have also developed a software prototype to support the implementation of this automatic approach and used it to obtain the security requirements of two CPSs in the automotive domain. Finally, we compared the automatically generated outcomes with the manually obtained ones and evaluated the proposed approach. Based on the experiment results, we found that the automatic way is efficient, effective and flexible. Furthermore, the proposed approach is also extensible. Analysts in a team can establish their own empirical repository to achieve accurate security requirements for their specific systems.
KW - Empirical repository
KW - Pattern matching
KW - Security analysis
KW - STPA framework
UR - http://www.scopus.com/inward/record.url?scp=85111172541&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-76063-2_26
DO - 10.1007/978-3-030-76063-2_26
M3 - Conference contribution
AN - SCOPUS:85111172541
SN - 9783030760625
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 372
EP - 385
BT - Science and Technologies for Smart Cities - 6th EAI International Conference, SmartCity360°, Proceedings
A2 - Paiva, Sara
A2 - Lopes, Sérgio Ivan
A2 - Zitouni, Rafik
A2 - Gupta, Nishu
A2 - Lopes, Sérgio F.
A2 - Yonezawa, Takuro
PB - Springer Science and Business Media Deutschland GmbH
T2 - 6th EAI International Conference on Science and Technologies for Smart Cities, SmartCity 2020
Y2 - 2 December 2020 through 4 December 2020
ER -