Towards Scenario-Based Security Requirements Engineering for Cyber-Physical Systems

  • Thorsten Koch
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11176)


Cyber-physical systems are characterized among others by strong interconnection with each other, but also with their environment. This interconnection enables on the one hand new functionality with a high complexity and leads on the other hand to a high demand on the security of the systems. Both aspects require tailored development processes with a rigorous requirements engineering. However, current requirements engineering approaches focus either on the functional or on the security aspects but lack an integrated view on modeling and analysing both aspects. Therefore, we present in this paper ongoing research for a formal, model- and scenario-based requirements engineering approach for cyber-physical systems. Our approach enables the requirements engineer in an early stage of the development whether the modeled security requirements are sufficient to mitigate attacks and whether the security requirements influence the functional behavior. We illustrate the approach by means of an advanced driver assistance system from the automotive domain.


  1. 1.
    Basin, D., Doser, J., Lodderstedt, T.: Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. 15, 39–91 (2006)CrossRefGoogle Scholar
  2. 2.
    Chattopadhyay, A., Prakash, A., Shafique, M.: Secure cyber-physical systems: current trends, tools and open research problems. In: Design, Automation Test in Europe Conference Exhibition (DATE), pp. 1104–1109, March 2017Google Scholar
  3. 3.
    Firesmith, D.: Security use cases. J. Object Technol. 2(3), 53 (2003). Scholar
  4. 4.
    Firesmith, D.G.: Engineering safety and security related requirements for software intensive systems. In: 29th International Conference on Software Engineering, p. 169. IEEE Computer Society, Los Alamitos (2007)Google Scholar
  5. 5.
    Fitzgerald, J., Larsen, P.G., Verhoef, M.: From embedded to cyber-physical systems: challenges and future directions. In: Fitzgerald, J., Larsen, P.G., Verhoef, M. (eds.) Collaborative Design for Embedded Systems, pp. 293–303. Springer, Heidelberg (2014). Scholar
  6. 6.
    Geismann, J., Gerking, C., Bodden, E.: Towards ensuring security by design in cyber-physical systems engineering processes. In: International Conference on Software and System Processes (ICSSP), 26–27 May 2018Google Scholar
  7. 7.
    Giorgini, P., Mouratidis, H., Zannone, N.: Modelling security and trust with secure tropos. In: Integrating Security and Software Engineering: Advances and Future Vision, pp. 160–189 (2006)Google Scholar
  8. 8.
    Greenyer, J.: Scenario-based Design of Mechatronic Systems. Ph.D. thesis, University of Paderborn (2011).
  9. 9.
    Haley, C.B., Laney, R., Moffett, J.D., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133–153 (2008)CrossRefGoogle Scholar
  10. 10.
    Harel, D., Marelly, R.: Come, Let’s Play: Scenario-Based Programming Using LSC’s and the Play-Engine. Springer, New York (2003). Scholar
  11. 11.
    Holtmann, J., Bernijazov, R., Meyer, M., Schmelter, D., Tschirner, C.: Integrated and iterative systems engineering and software requirements engineering for technical systems. J. Softw. Evol. Process. 28(9), 722–743 (2016)CrossRefGoogle Scholar
  12. 12.
    Holtmann, J., Fockel, M., Koch, T., Schmelter, D., Brenner, C., Bernijazov, R., Sander, M.: The MechatronicUML requirements engineering method: process and language (2016)Google Scholar
  13. 13.
    Jürjens, J.: UMLsec: extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). Scholar
  14. 14.
    Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005). Scholar
  15. 15.
    Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proceedings of the 11th IEEE International Requirements Engineering Conference, 2003, pp. 151–161 (2003).
  16. 16.
    Mead, N.R., Stehney, T.: Security quality requirements engineering (SQUARE) methodology (2005)CrossRefGoogle Scholar
  17. 17.
    Pauli, J.J., Xu, D.: Misuse case-based design and analysis of secure software architecture. In: ITCC 2005, vol. 2, pp. 398–403. IEEE Computer Society, Los Alamitos (2003)Google Scholar
  18. 18.
    Ramos, A.L., Ferreira, J.V., Barceló, J.: Model-based systems engineering: an emerging approach for modern systems. IEEE Trans. Syst. Man Cybern. Part C (Appl. Rev.) 42(1), 101–111 (2012)CrossRefGoogle Scholar
  19. 19.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar
  20. 20.
    VDI: Design methodology for mechatronic systems (VDI 2206)Google Scholar
  21. 21.
    Whittle, J., Wijesekera, D., Hartong, M.: Executable misuse cases for modeling security concerns. In: Schäfer, W. (ed.) Proceedings of the 30th International Conference on Software Engineering, p. 121. ACM Press, New York (2008)Google Scholar
  22. 22.
    Win, B.D., Scandariato, R., Buyens, K., Grégoire, J., Joosen, W.: On the secure software development process: CLASP, SDL and touchpoints compared. Inf. Softw. Technol. 51(7), 1152–1171 (2009). Special Section: Software Engineering for Secure SystemsCrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Software Engineering and IT Security, Fraunhofer IEMPaderbornGermany

Personalised recommendations