A Systems Security Approach for Requirements Analysis of Complex Cyber-Physical Systems

Span, Martin Trae; Mailloux, Logan O.; Grimaila, Michael R.; Young, William Bill

doi:10.1109/cybersecpods.2018.8560682

Cited by 8 publications

(5 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [45] this latter is integrated with the Combined Harm Analysis of Safety and Security for Information Systems (CHASSIS) methods for the information lifecycle analysis to complement and generate additional considerations on top of the ones provided by STPA-Sec analysis. An additional methodological structure is provided also in [46] where the NIST (National Institute of Standards and Technology) requirements have been integrated throughout the security analysis. In [47] it is pointed out how STPA-Sec lacks in considering the IT security issues such as data confidentiality.…”

Section: Literature Reviewmentioning

confidence: 99%

Thinking in Systems, Sifting Through Simulations: A Way Ahead for Cyber Resilience Assessment

et al. 2023

View full text Add to dashboard Cite

The interaction between the physical world and information technologies creates advantages and novel emerging threats. Cyber-physical systems (CPSs) result vulnerable to cyber-related disruptive scenarios, and, for some critical systems, cyber failures may have fallouts on society and environment. Traditional risk analysis in no more sufficient to deal with these problems. New techniques are gaining increasing consensus, especially those based on systems theory. In this context, the System-Theoretic Process Analysis for Security (STPA-Sec) extends the Systems-Theoretic Accident Modelling and Processes (STAMP) model considering cyber threats, and identifying unsafe and unsecure controls throughout a cyber socio-technical system. Despite its large usage as a descriptive tool, there is still limited use of STPA-Sec in (semi-)quantitative terms. This article presents System-Theoretic Process Analysis for Security with Simulations (STPA-Sec/S), a methodological interface between STPA-Sec and quantitative resilience assessment based on simulation models. The methodology is instantiated in a demonstrative case study of a water treatment plant, and its critical CPSs which may impact both community health, and environment. The obtained results show how STPA-Sec/S foster systems understanding, allow a systematic identification of its major criticalities, and the respective quantification.INDEX TERMS Cyber security, cyber-socio-technical systems, hazard analysis, industrial systems engineering, resilience management, systems modeling.Open Access funding provided by 'Università degli Studi di Roma ''La Sapienza''' within the CRUI CARE Agreement

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Thinking in Systems, Sifting Through Simulations: A Way Ahead for Cyber Resilience Assessment

et al. 2023

View full text Add to dashboard Cite

show abstract

“…An unacceptable loss "defines high level, intolerable system outcomes to key stakeholders" [12]. While hazards identify system states that when coupled with worst case conditions lead to an unacceptable loss [5]. In other words, the unacceptable losses must be avoided to enable system success for the stakeholder.…”

Section: Devsecops Ssf Stpa-sec Analysis Case Studymentioning

confidence: 99%

“…SC-33. 5 The system must prevent the unauthorized tampering or modification of system security monitoring.…”

Section: Sc-332mentioning

confidence: 99%

“…Many system security approaches begin with analyzing potential attack paths via access points (e.g., USB ports, wireless connectivity) and vulnerabilities. See [5] for a detailed discussion. These attack path analysis approaches focus on weaknesses and vulnerabilities in both systems physical form (i.e., a bottom up approach) and software, and are fundamentally limited because they do not take advantage of the early developmental design and architecture trade space.…”

Section: Introductionmentioning

confidence: 99%

“…In [1], [5], [12], [13], [11], STPA-Sec is demonstrated as a relatively simple and effective means for performing systems security analysis of complex systems. STPA-Sec can be completed early in the conceptual design phase of the system life cycle and can be accomplished without extensive training.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

STPA‐Sec Analysis for DevSecOps Reference Design

Reule

Feighery

Winstead

et al. 2021

INCOSE International Symp

View full text Add to dashboard Cite

This work describes a top down systems security requirements analysis approach for understanding and eliciting general security requirements for securing Software Factories (SF). More specifically, the System-Theoretic Process Analysis approach for Security (STPA-Sec) is used to understand and elicit systems security requirements for SFs. The effort employs STPA-Sec on the DoD Enterprise DevSecOps Reference Design to detail a conceptual approach to analyze SFs. The intent is to develop functional-level security requirements, design-level engineering considerations, and architectural-level security specification criteria early in the system life cycle. The aim is to secure the SFs themselves, enhancing the security of resulting software generated from the SF. These details were elaborated during a summer collaborative research effort by two United States Air Force Academy Systems Engineering cadets, working with a MITRE team of subject matter expertise (SME's), and guided by their instructor. This work provides insight into a viable systems security requirements analysis approach which results in traceable security, safety, and resiliency requirements that can be designed-for, built-to, and verified with confidence.

show abstract

Systems Security Engineering

2020

Systems Engineering Principles and Practice

View full text Add to dashboard Cite

A Systems Security Approach for Requirements Analysis of Complex Cyber-Physical Systems

Cited by 8 publications

References 11 publications

Thinking in Systems, Sifting Through Simulations: A Way Ahead for Cyber Resilience Assessment

Thinking in Systems, Sifting Through Simulations: A Way Ahead for Cyber Resilience Assessment

STPA‐Sec Analysis for DevSecOps Reference Design

Systems Security Engineering

Contact Info

Product

Resources

About