Automatic Generation of Security Requirements for Cyber-Physical Systems
J. Yu, S. Wagner, and F. Luo. Science and Technologies for Smart Cities, page 372--385. Cham, Springer International Publishing, (2021)
Abstract
Security is one of the essential properties in Cyber-Physical Systems (CPS). Attacking systems like autonomous vehicles and health-care systems may lead to financial or privacy losses of stakeholders or even life threats. Security analysis, as an early activity in the system design, addresses security issues and identifies system vulnerabilities in advance to guide further security design. However, the security analysis is mostly performed manually requiring a high workload with human oversight. Besides, the manual analysis is not flexible for modification in later design stages and largely depends on expert knowledge and experience. Therefore, a new security analysis approach has been proposed in this paper to generate security requirements automatically, which is based on the System-Theoretic Process Analysis (STPA) framework and is applicable for data-flow-based CPSs. We have also developed a software prototype to support the implementation of this automatic approach and used it to obtain the security requirements of two CPSs in the automotive domain. Finally, we compared the automatically generated outcomes with the manually obtained ones and evaluated the proposed approach. Based on the experiment results, we found that the automatic way is efficient, effective and flexible. Furthermore, the proposed approach is also extensible. Analysts in a team can establish their own empirical repository to achieve accurate security requirements for their specific systems.
%0 Conference Paper
%1 yu2021c
%A Yu, Jinghua
%A Wagner, Stefan
%A Luo, Feng
%B Science and Technologies for Smart Cities
%C Cham
%D 2021
%E Paiva, Sara
%E Lopes, Sérgio Ivan
%E Zitouni, Rafik
%E Gupta, Nishu
%E Lopes, Sérgio F.
%E Yonezawa, Takuro
%I Springer International Publishing
%K iste-se myown security
%P 372--385
%T Automatic Generation of Security Requirements for Cyber-Physical Systems
%X Security is one of the essential properties in Cyber-Physical Systems (CPS). Attacking systems like autonomous vehicles and health-care systems may lead to financial or privacy losses of stakeholders or even life threats. Security analysis, as an early activity in the system design, addresses security issues and identifies system vulnerabilities in advance to guide further security design. However, the security analysis is mostly performed manually requiring a high workload with human oversight. Besides, the manual analysis is not flexible for modification in later design stages and largely depends on expert knowledge and experience. Therefore, a new security analysis approach has been proposed in this paper to generate security requirements automatically, which is based on the System-Theoretic Process Analysis (STPA) framework and is applicable for data-flow-based CPSs. We have also developed a software prototype to support the implementation of this automatic approach and used it to obtain the security requirements of two CPSs in the automotive domain. Finally, we compared the automatically generated outcomes with the manually obtained ones and evaluated the proposed approach. Based on the experiment results, we found that the automatic way is efficient, effective and flexible. Furthermore, the proposed approach is also extensible. Analysts in a team can establish their own empirical repository to achieve accurate security requirements for their specific systems.
%@ 978-3-030-76063-2
@inproceedings{yu2021c,
abstract = {Security is one of the essential properties in Cyber-Physical Systems (CPS). Attacking systems like autonomous vehicles and health-care systems may lead to financial or privacy losses of stakeholders or even life threats. Security analysis, as an early activity in the system design, addresses security issues and identifies system vulnerabilities in advance to guide further security design. However, the security analysis is mostly performed manually requiring a high workload with human oversight. Besides, the manual analysis is not flexible for modification in later design stages and largely depends on expert knowledge and experience. Therefore, a new security analysis approach has been proposed in this paper to generate security requirements automatically, which is based on the System-Theoretic Process Analysis (STPA) framework and is applicable for data-flow-based CPSs. We have also developed a software prototype to support the implementation of this automatic approach and used it to obtain the security requirements of two CPSs in the automotive domain. Finally, we compared the automatically generated outcomes with the manually obtained ones and evaluated the proposed approach. Based on the experiment results, we found that the automatic way is efficient, effective and flexible. Furthermore, the proposed approach is also extensible. Analysts in a team can establish their own empirical repository to achieve accurate security requirements for their specific systems.},
added-at = {2022-05-16T08:45:50.000+0200},
address = {Cham},
author = {Yu, Jinghua and Wagner, Stefan and Luo, Feng},
biburl = {https://puma.ub.uni-stuttgart.de/bibtex/2100318bd3847a2697ded4b67d4035443/wagnerst},
booktitle = {Science and Technologies for Smart Cities},
date-added = {2022-04-28 09:25:03 +0200},
date-modified = {2022-04-28 09:25:11 +0200},
editor = {Paiva, Sara and Lopes, S{\'e}rgio Ivan and Zitouni, Rafik and Gupta, Nishu and Lopes, S{\'e}rgio F. and Yonezawa, Takuro},
interhash = {00acc15270d07c9b0e51f14fd2bb519b},
intrahash = {100318bd3847a2697ded4b67d4035443},
isbn = {978-3-030-76063-2},
keywords = {iste-se myown security},
pages = {372--385},
publisher = {Springer International Publishing},
timestamp = {2022-05-16T06:45:50.000+0200},
title = {Automatic Generation of Security Requirements for Cyber-Physical Systems},
year = 2021
}
