
Definition and Verification of Security Configurations of Cyber-Physical Systems

  • Conference paper
Computer Security (CyberICPS 2020, SECPRE 2020, ADIoT 2020)

Abstract

The proliferation of Cyber-Physical Systems (CPSs) is raising serious security challenges. These are complex systems, integrating physical elements into automated networked systems, often containing a variety of devices, such as sensors and actuators, and requiring complex management and data storage. This makes the construction of secure CPSs a challenge, requiring not only an adequate specification of security requirements and needs related to the business domain but also an adaptation and concretization of these requirements to define a security configuration of the CPS in which all its components are related. Because of the complexity of CPSs, their configurations can be incorrect with respect to the requirements and must be verified. In this paper, we propose a grammar for specifying business domain security requirements based on the CPS components. This will allow the definition of security requirements that, through a defined security feature model, will result in a configuration of services and security properties of the CPS, whose correctness can be verified. For this last stage, we have created a catalogue of feature models supported by a tool that allows the automatic verification of security configurations. To illustrate the results, the proposal has been applied to automated verification of requirements in a hydroponic system scenario.


Notes

  1. https://estigia.lsi.us.es/cyberspl/featureModels/publicFeatureModels/.


Acknowledgement

This research is partially supported by Ministry of Science and Technology of Spain with projects ECLIPSE (RTI2018-094283-B-C33), by Junta de Andalucía with METAMORFOSIS projects, and Junta de Comunidades de Castilla-La Mancha with the GENESIS project (SBPLY-17-180501-000202); and by European Regional Development Fund (ERDF/FEDER).


Corresponding author

Correspondence to Ángel Jesús Varela-Vaca.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Varela-Vaca, Á.J., Rosado, D.G., Sánchez, L.E., Gómez-López, M.T., Gasca, R.M., Fernández-Medina, E. (2020). Definition and Verification of Security Configurations of Cyber-Physical Systems. In: Katsikas, S., et al. Computer Security. CyberICPS 2020, SECPRE 2020, ADIoT 2020. Lecture Notes in Computer Science, vol 12501. Springer, Cham. https://doi.org/10.1007/978-3-030-64330-0_9


  • DOI: https://doi.org/10.1007/978-3-030-64330-0_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64329-4

  • Online ISBN: 978-3-030-64330-0

  • eBook Packages: Computer Science (R0)
