Supporting Cybersecurity Compliance Assessment of Industrial Automation and Control System Components

Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


The chapter presents a case study demonstrating how security requirements of an Industrial Automation and Control System (IACS) component can be represented in a form of Protection Profile that is based on IEC 62443 standards and how compliance assessment of such component can be supported by explicitly representing a conformity argument in a form based on the OMG SACM metamodel. It is also demonstrated how an advanced argument assessment mechanism based on Dempster-Shafer belief function theory can be used to support assessors while analyzing and assessing the conformity argument related to an IACS component. These demonstrations use a NOR-STA tool for representing, managing and assessment of evidence-based arguments, which have been developed in our research group.


Cybersecurity IACS component Protection profile Security standards Evidence-based argument Conformance case Certification Tools 



This work was partially supported by a Statutory Grant of Polish Ministry of Science and Higher Education. The RTU Protection Profile presented in this chapter is based on the RTU Protection Profile originally introduced by Mr. Tomasz Szala from the Mikronika company to the NET-PL group working on validation of the IACS Components Cybersecurity Certification Framework (ICCF).


  1. 1.
    Paul Theron Introduction to the European IACS components Cybersecurity Certification Framework (ICCF). DOI:10.276D/717569Google Scholar
  2. 2.
    Structured Assurance Case Metamodel (SACM), version 2.0, Object Management Group (2017)Google Scholar
  3. 3.
    ISO/IEC 15026 Systems and software engineering – systems and software assuranceGoogle Scholar
  4. 4.
  5. 5.
    ISO 15408 (2009) Information technology – Security techniques – evaluation criteria for IT security – Part 1: introduction and general model. ISOGoogle Scholar
  6. 6.
  7. 7.
  8. 8.
    Cyra L, Górski J (2011) SCF – a framework supporting achieving and assessing conformity with standards. Comput Stand Interfaces Elsevier 33:80–95CrossRefGoogle Scholar
  9. 9.
    Ray A, Cleaveland R (2015) Security assurance cases for medical cyber-physical systems. IEEE Des Test 32(5):56–65CrossRefGoogle Scholar
  10. 10.
    Finnegan A, Mccaffery F (2014) A security argument pattern for medical device assurance cases, In: 2014 IEEE International symposium on software reliability engineering workshops. IEEE, pp 220–225Google Scholar
  11. 11.
    Othmane L,Angin P,Bhargava B(2014), Using assurance cases to develop iteratively security features using scrum. In: 2014 Ninth international conference on availability, reliability and security (ARES), IEEEGoogle Scholar
  12. 12.
    International Society of Automation (ISA), (visited 10.08.2017)
  13. 13.
    IEC 62443-1-1 (2009) Industrial communication networks – Network and system security – Part 1-1: terminology, concepts and models, IECGoogle Scholar
  14. 14.
    IEC 62443-4-2 Technical security requirements for IACS componentsGoogle Scholar
  15. 15.
    Cyra L, Górski J (2011) Support for argument structures review and assessment, reliability engineering and system safety, vol 96. Elsevier, pp 26–37Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Faculty of Electronics, Telecommunications and Informatics, Department of Software EngineeringGdańsk University of TechnologyGdańskPoland
  2. 2.Faculty of Electronics, Telecommunications and InformaticsGdańsk University of TechnologyGdańskPoland
  3. 3.Argevide sp. z o.oGdańskPoland

Personalised recommendations