2019 IEEE/ACM 7th International Workshop on Software Engineering for Systems-of-Systems (SESoS) and 13th Workshop on Distributed Software Development, Software Ecosystems and Systems-of-Systems (WDES)
Engineering Systems of Systems is one of the new challenges of the last few years. This depends on the increasing number of systems that must interact one with another to achieve a goal. One peculiarity of Systems of Systems is that they are made of systems able to live on their own with well-established functionalities and requirements, and that are not necessarily aware of the joint mission or prepared to collaborate. In this emergent scenario, security is one crucial aspect that must be considered from the very beginning. In fact, the security of a System of Systems is not automatically granted even if the security of each constituent system is guaranteed. The aim of this paper is to address the problem of assessing security properties in Systems of Systems. We discuss the specific security aspects of such emergent systems, and propose the TeSSoS approach, which includes modelling and testing security properties in Systems of Systems and introduces the Red and Blue Requirements Specification concepts.
Lecture Notes in Computer Science, 2019
Within growing pervasive information systems, Systems of Systems (SoS) emerge as a new research frontier. A SoS is formed by a set of constituent systems that live on their own with well-established functionalities and requirements, and, in certain circumstances, they must collaborate to achieve a common mission. In this scenario, security is one crucial property that needs to be considered since the early stages of SoS lifecycle. Unfortunately, SoS security cannot be guaranteed by addressing the security of each constituent system separately. The aim of this paper is to discuss the challenges faced in addressing the security of SoS and to propose some research ideas centered around the notion of a mission to be carried out by the SoS.
2013 IEEE International Systems Conference (SysCon), 2013
This paper describes an actionable engineering framework for security engineering of a system of systems (SoS). The framework is envisioned as a tool for assessing security risks to command and control (C2) and other critical capabilities or missions based on an analysis of the contributing systems and the SoS supporting them. The framework is a continuous five-step process that embeds security engineering into a lifecycle model of SoS engineering. It does so in a way that implicitly recognizes that improvements to mission security need to focus on current and projected operational needs and risks based on the fielded SoS and the evolving tactics and strategies of the adversary. With this approach, analysis and corrective action can be implemented rigorously and continuously to enable rapid response to changing conditions or on an emergency basis when critical risks emerge. Targeted changes in fielded system elements with the greatest impact on mission outcomes can then be identified and implemented as part of ongoing acquisitions, system upgrades or on an emergency basis when conditions warrant. The iterative nature of the approach recognizes that changes will occur in SoS elements (the systems themselves, user operations, and the environment), calling for an approach which can adapt over time. An SoS security risk framework is needed to manage the problem of identifying the key elements of risk to SoS missions. The issue is the complexity resulting from the large number of logical paths through an SoS that could represent a security risk. Effectively managing this problem enables the application of security-specific analyses to the SoS elements that have been identified as critical. The framework is a bridge between the operational and acquisition/engineering communities that draws on the foundational elements of SoS engineering, particularly an understanding of the SoS components, interdependencies and dynamics.
The results of the SoS security engineering analysis can be used to support investment decisions about the constituents of a SoS. While the focus of this framework is on acquisition and engineering materiel solutions, it also accommodates the consideration of non-materiel solutions.
Systems of systems (SoS) are large-scale systems composed of complex systems with difficult to predict emergent properties. One of the most significant challenges in the engineering of such systems is how to model and analyze their Non-Functional Properties (NFP), such as security. In this review paper we identify, describe, analyze and categorize challenges to security engineering for SoS. This catalog of challenges offers a road-map of major directions for future research activities, and a set of requirements against which present and future solutions of security for SoS can be evaluated.
INSIGHT, 2011
SoS configuration. An example visualisation is depicted in figure 4. Conclusions: The implementation of the high-level security requirements deriving from data policies is critical to gaining participation of systems in an SoS by reassuring systems managers and owners about the use and dissemination of their data. This short article illustrates an overview of a model-based approach that we have introduced to support SoS security engineering for data policies. The approach includes the formal definition of a data-policy concept and intuitive methods for the derivation of high-level security requirements. The approach also includes the injection of these high-level security requirements in the definition of the SoS's functional architecture. Similarly, it is possible to verify that the physical SoS architecture meets the high-level security requirements. The approach is part of the European Space Agency Architectural Framework, thus providing an integrated means for security engineering within the entire SoS engineering process. Graphical and interactive visualisation tools are also provided to more effectively manage the design complexity of the architectural and security issues.
2016 23rd Asia-Pacific Software Engineering Conference (APSEC), 2016
Recently, there is a growing interest in Systems of Systems (SoS), their architecture, security and application domains. However, their specific characteristics such as the operational independence of SoS constituent systems (CS), the absence of central authority and their emergent behavior make the modeling of their structure, behavior and security a complex task. One of the current main security challenges in the context of SoS is the cascading attack problem. The challenge is to predict the concatenation/sequence of CS's vulnerabilities that could be triggered resulting in destructive cascading failures and take corrective actions to reduce the cost, development time and effect of later changes. In this paper, we propose a domain specific modeling language (DSML) to represent SoS security architecture. Having SoS security models will enable the discovery, analysis and resolution of cascading attacks, in the architecture phase, preventing development time and cost wastage. Following a Model Driven Engineering (MDE) approach, we generate a graphical editor for our DSML and use it to model a Smart Campus case study.
Information technology (IT) is a crucial resource and enabler in almost every part of our society. However, there are severe risks associated with IT that may substantially decrease the potential benefits. To handle these risks, it is essential to be able to judge the security posture of systems. This requires the ability to perform security assessments. However, since security is an abstract, subjective, and non-tangible property, proper security assessment of non-trivial systems is hard. Currently, there is a lack of methods for efficient, reliable, and valid security assessments. In this paper, problems relating to the structural assessment of system security are addressed. In structural security assessments, the security of systems is quantified based on the security qualities of and inter-relations between sub-systems.
2010
Actors in our general framework for secure systems can exert four types of control over other actors' systems, depending on the temporality (prospective vs. retrospective) of the control and on the power relationship (hierarchical vs. peering) between the actors. We make clear distinctions between security, functionality, trust, and distrust by identifying two orthogonal properties: feedback and assessment. We distinguish four types of system requirements using two more orthogonal properties: strictness and activity. We use our terminology to describe specialised types of secure systems such as access control systems, Clark-Wilson systems, and the Collaboration Oriented Architecture recently proposed by The Jericho Forum.
2005
A general approach to security architecture is introduced. A survey of existing attempts to develop the security architecture introduces the topic. Security can be highlighted as part of the system development life cycle. The authors assume that security cannot be achieved by concentrating on one system component but can be achieved by identifying the relationship between these components and how information is used among them. An original sphere of use and interaction is presented upon which security measures can be evaluated and the required security controls can be chosen.
2014 IEEE International Systems Conference Proceedings, 2014
This paper describes an actionable engineering framework for security engineering of a system of systems (SoS). The framework is envisioned as a tool for assessing security risks to critical missions based on the contributing systems and SoS supporting them. An SoS security risk framework is needed to manage the problem of identifying the key elements of risk to SoS missions. The issue is the complexity resulting from the large number of potential logical paths through an SoS that could represent a security risk. Managing this problem then enables the application of security specific analyses to the SoS elements that have been identified as critical. The framework draws on the foundational elements of SoS SE, particularly an understanding of the SoS components, interdependencies and dynamics. The results of the analysis support investment decisions about the constituents of a SoS. The framework is a bridge between the operational and acquisition/engineering communities. While the focus of this framework is on acquisition and engineering materiel solutions, it also accommodates the consideration of non-materiel solutions.
ACM Transactions on Cyber-Physical Systems, 2019
Cyber-physical Systems of Systems (SoSs) are large-scale systems made of independent and autonomous cyber-physical Constituent Systems (CSs) which may interoperate to achieve high-level goals also with the intervention of humans. Providing security in such SoSs means, among other features, forecasting and anticipating evolving SoS functionalities, ultimately identifying possible detrimental phenomena that may result from the interactions of CSs and humans. Such phenomena, usually called emergent phenomena , are often complex and difficult to capture: the first appearance of an emergent phenomenon in a cyber-physical SoS is often a surprise to the observers. Adequate support to understand emergent phenomena will assist in reducing both the likelihood of design or operational flaws, and the time needed to analyze the relations amongst the CSs, which always has a key economic significance. This article presents a threat analysis methodology and a supporting tool aimed at (i) identifyin...
Proceedings New Security Paradigms Workshop, 1994
The development of a security system is generally performed through a multiphase methodology, starting from the initial preliminary analysis of the application environment, up to the physical implementation of the security mechanisms. In this framework, we propose a new approach for the development of security systems based on the reuse of existing security specifications. In the paper we illustrate how reusable specifications can be built by analyzing existing security systems, and how they can be used to develop new security systems rather than building them from scratch.
Computing, 2015
INCOSE International Symposium, 2007
System of systems (SoS) security and survivability issues have found prominence in the wake of the increased importance of such large-scale interconnected systems. The threats and risks associated with SoS architectures present unique challenges to system architects. SoS security and survivability practices are needed to ensure the performance and survival of the system under an intrusion. Current security engineering activities are performed independently of the system architecting process, leading to ad hoc solutions and after-the-fact reactions to vulnerabilities, as discussed in (Evans et al. 2005). Literature on security- and survivability-oriented system architecting activities is few and far between. This paper studies the major classes of threats and risks associated with SoS and the response to such vulnerabilities. Existing works were researched to outline the key characteristics of an effective security and survivability process that can be integrated with systems engineering activities. Overviews of three survivability architectures are provided on the basis of the identified criteria. Comments on the currently available solutions and future areas of emphasis are presented.
International Journal on Software Tools for Technology Transfer, 2005
We present a method for the security analysis of realistic models over off-the-shelf systems and their configuration by formal, machine-checked proofs. The presentation follows a large case study based on a formal security analysis of a CVS-Server architecture. The analysis is based on an abstract architecture (enforcing a role-based access control), which is refined to an implementation architecture (based on the usual discretionary access control provided by the POSIX environment). Both architectures serve as a skeleton to formulate access control and confidentiality properties. Both the abstract and the implementation architecture are specified in the language Z. Based on a logical embedding of Z into Isabelle/HOL, we provide formal, machine-checked proofs for consistency properties of the specification, for the correctness of the refinement, and for security properties.
Electronic Notes in Theoretical Computer Science, 2007
In this paper we describe an approach based on open system analysis for the specification, verification and synthesis of secure systems. In particular, by using our framework, we are able to model a system with a possible intruder and verify whether the whole system is secure, i.e. whether the system satisfies a given temporal logic formula that describes its secure behavior. If necessary, we are also able to automatically synthesize a process that, by controlling the behavior of the possible intruder, enforces the desired secure behavior of the whole system.
2011 Sixth International Conference on Availability, Reliability and Security, 2011
A good way to obtain secure systems is to build applications in a systematic way where security is an integral part of the lifecycle. The same applies to reliability. If we want a system which is secure and reliable, both security and reliability must be built together. If we build not only applications but also middleware and operating systems in the same way, we can build systems that not only are inherently secure but also can withstand attacks from malicious applications and resist errors. In addition, all security and reliability constraints should be defined in the application level, where their semantics is understood and propagated to the lower levels. The lower levels provide the assurance that the constraints are being followed. In this approach all security constraints are defined at the conceptual or application level. The lower levels just enforce that there are no ways to bypass these constraints. By mapping to a highly secure platform, e.g., one using capabilities, we can produce a very secure system. Our approach is based on security patterns that are mapped through the architectural levels of the system. We make a case for this approach and we present here three aspects to further develop it. These aspects include a metamodel for security requirements, a mapping of models across architectural levels, and considerations about the degree of security of the system.
IEEE Transactions on Knowledge and Data Engineering, 2003
Security system architecture governs the composition of components in security systems and interactions between them. It plays a central role in the design of software security systems that ensure secure access to distributed resources in networked environment. In particular, the composition of the systems must consistently assure security policies that it is supposed to enforce. However, there is currently no rigorous and systematic way to predict and assure such critical properties in security system design. In this paper, a systematic approach is introduced to address the problem. We present a methodology for modeling security system architecture and for verifying whether required security constraints are assured by the composition of the components. We introduce the concept of security constraint patterns, which formally specify the generic form of security policies that all implementations of the system architecture must enforce. The analysis of the architecture is driven by the propagation of the global security constraints onto the components in an incremental process. We show that our methodology is both flexible and scalable. It is argued that such a methodology not only ensures the integrity of critical early design decisions, but also provides a framework to guide correct implementations of the design. We demonstrate the methodology through a case study in which we model and analyze the architecture of the Resource Access Decision (RAD) Facility, an OMG standard for application-level authorization service.
2013
This paper presents a novel Security Engineering Process for the creation of security-enhanced system models. The process offers a language for the definition of a domain-specific security knowledge language, the creation of security artefacts using the previous architecture and the use of these artefacts in a system model for fulfilling its security requirements and assurance. It makes security fit naturally in the systems by interleaving security into the initial architecture and system description. The process offers also solutions for the security properties by means of Security Patterns (a new type of patterns developed in the process) and Security Building Blocks. The Security Engineering Process and its Framework has being applied successfully to several and different domains (metering devices, emergency scenarios, set-top boxes, etc.) and is currently being expanded to work with cloud computing scenarios. To illustrate our process we use a mobile command post scenario where ...
2002
Quite often failures in network based services and server systems may not be accidental, but rather caused by deliberate security intrusions. We would like such systems to either completely preclude the possibility of a security intrusion or design them to be robust enough to continue functioning despite security attacks. Not only is it important to prevent or tolerate security intrusions, it is equally important to treat security as a QoS attribute at par with, if not more important than other QoS attributes such as availability and performability. This paper deals with various issues related to quantifying the security attribute of an intrusion tolerant system, such as the SITAR system. A security intrusion and the response of an intrusion tolerant system to the attack is modeled as a random process. This facilitates the use of stochastic modeling techniques to capture the attacker behavior as well as the system's response to a security intrusion. This model is used to analyze and quantify the security attributes of the system. The security quantification analysis is first carried out for steady-state behavior leading to measures like steady-state availability. By transforming this model to a model with absorbing states, we compute a security measure called the "mean time (or effort) to security failure" and also compute probabilities of security failure due to violations of different security attributes.