Challenges and Opportunities for Model-Based Security Risk Assessment of Cyber-Physical Systems

  • Marco Rocchetto
  • Alberto Ferrari
  • Valerio Senni
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


The design of Cyber-Physical Systems (CPS) poses a number of challenges, in particular for cyber-security. Eliciting Security Requirements is a key aspect of the early system design stages; however, it is important to assess which requirements are the more stringent ones and which grant protection to the higher-value assets. Cyber-security Risk Assessment (SecRA) has a key role in determining threat scenarios and evaluating the risks associated with them, but it is a practice that has principally been developed for IT systems and thus focuses on cyber threats. In this chapter, we discuss the state of the art in SecRA methodologies and the challenges to be addressed in developing new CPS-oriented SecRA methodologies. Based on the most relevant standards for the industrial control systems and automotive domains (such as ISA/IEC-62443 and J3061), we propose the adoption of an asset-driven viewpoint and a model-based approach to SecRA, and we identify current gaps. In particular, we discuss (i) CPS (security) modeling languages and methodologies, (ii) vulnerability cost models and the network of public vulnerability repositories, (iii) attacker models and profiles, and (iv) complex cyber-physical attack chains. Finally, we discuss our vision: focusing on assets and leveraging model-based design practices can provide a more rigorous approach to SecRA for CPS, allow their peculiarities to be taken into consideration, and support managing the large complexity involved in their operation. The desired outcome is to provide the system design team with methods and tools to identify complex attacks and to perform a cost/benefit tradeoff analysis that justifies the adoption of specific Security Requirements and the costs implied by the corresponding mitigations.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  • Marco Rocchetto, United Technology Research Center, East Hartford, USA
  • Alberto Ferrari, United Technology Research Center, East Hartford, USA
  • Valerio Senni, United Technology Research Center, East Hartford, USA
