Abstract
This paper presents a cyber-physical systems modelling language for capturing and describing health-based critical infrastructures. Following this practice, incident response plan developers are able to model and reason about security and recovery issues in medical cyber-physical systems from a security requirements engineering perspective. Our work builds upon concepts from the Secure Tropos methodology; in this paper we introduce novel cyber-physical concepts, relationships and properties in order to carry out analysis of incident response plans based on security requirements. We illustrate our concepts through a case study of a radiological department’s medical cyber-physical systems that have been infected with the WannaCry ransomware. Finally, we discuss how our modelling language enriches security models with incident response concepts, guiding plan developers of health-based critical infrastructures in understanding cyber-physical systems vulnerabilities and supporting decision making at a tactical and a strategic level, through semi-automated secure recovery analysis.
Acknowledgments
The authors would like to thank the Engineering and Physical Sciences Research Council (EPSRC) for their support.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Athinaiou, M., Mouratidis, H., Fotis, T., Pavlidis, M., Panaousis, E. (2018). Towards the Definition of a Security Incident Response Modelling Language. In: Furnell, S., Mouratidis, H., Pernul, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2018. Lecture Notes in Computer Science, vol 11033. Springer, Cham. https://doi.org/10.1007/978-3-319-98385-1_14
DOI: https://doi.org/10.1007/978-3-319-98385-1_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98384-4
Online ISBN: 978-3-319-98385-1
eBook Packages: Computer Science (R0)