Making (Implicit) Security Requirements Explicit for Cyber-Physical Systems: A Maritime Use Case Security Analysis
The increased connectivity of critical maritime infrastructure (CMI) systems to digital networks have raised concerns of their vulnerability to cyber attacks. As less emphasis has been placed, to-date, on ensuring security of cyber-physical maritime systems, mitigating these cyber attacks will require the design and engineering of secure maritime infrastructure systems. Systems theory has been shown to provide the foundation for a disciplined approach to engineering secure cyber-physical systems. In this paper, we use systems theory, and concepts adapted from safety analysis, to develop a systematic mechanism for analysing the security functionalities of assets’ interactions in the maritime domain. We use the theory to guide us to discern the system’s requirement, likely system losses, potential threats, and to construct system constraints needed to inhibit or mitigate these threats. Our analyses can be used as springboards to a set of principles to help enunciate the assumptions and system-level security requirements useful as the bases for systems’ security validation and verification.
KeywordsMaritime security Systems theory System Theoretic Process Analysis (STPA) Threat analysis Cyber-Physical System Security
- 1.United States Navy Biography. http://www.navy.mil/navydata/leadership/quotes.asp?q=253&c=6. Accessed 28 Nov 2018
- 2.UK Cabinet Office: National Cyber Security Strategy 2016 to 2021. UK Cabinet Office, November 2016Google Scholar
- 3.Leveson, N.G., Thomas, J.P.: STPA Handbook (2018)Google Scholar
- 4.Howard, G., Butler, M., Colley, J., Sassone, V.: Formal analysis of safety and security requirements of critical systems supported by an extended STPA methodology. In: 2nd Workshop on Safety & Security aSSurance (2017). https://doi.org/10.1109/EuroSPW.2017.68
- 6.Dürrwang, J., Beckers, K., Kriesten, R.: A lightweight threat analysis approach intertwining safety and security for the automotive domain. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds.) SAFECOMP 2017. LNCS, vol. 10488, pp. 305–319. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66266-4_20 CrossRefGoogle Scholar