Systems of Systems (SoS) represent a set of independent Constituent Systems (CS) that collaborate in order to provide functionalities that they are unable to achieve independently. We consider an SoS as a set of connected services that need to be adequately protected. The integration of these independent, evolutionary and distributed systems intensifies SoS complexity and emphasizes behavioral uncertainty, which makes SoS security analysis a critical challenge. One of the major priorities when designing an SoS is to analyze the unknown dependencies among CS services and the vulnerabilities leading to potential cyberattacks. The aim of this work is to investigate how Software Engineering approaches could be leveraged to analyze the cyberattack propagation problem within an SoS. Such analysis is essential for an efficient SoS risk assessment performed early in the SoS design phase and is required to protect the SoS from possibly high-impact attacks affecting its safety and security. In order to achieve our objective, we present a model-driven analysis approach, based on Bayesian Networks, sensitivity analysis and the Common Vulnerability Scoring System (CVSS), with the aim of discovering potential cyberattack propagation and estimating the probability of a security failure and its impact on SoS services. We illustrate this approach in an autonomous quarry example.
To achieve efficient and flexible production at affordable prices, industrial automation is pushed towards a digital transformation. Such a transformation assumes an enhancement of current Industrial Automated Control Systems with a large number of IoT devices, forming an Industrial Internet of Things (IIoT). The aim is to enable a shift from automatic towards autonomous control in such systems. This paper discusses some of the main challenges IIoT systems are facing with respect to cybersecurity. We discuss our findings in an example of a flow-control loop, where we apply a simple threat model based on the STRIDE method to deduce cybersecurity requirements in an IIoT context. Moreover, the identified requirements are assessed in the light of current state-of-the-art solutions, and a number of challenges are discussed with respect to a large-scale IIoT system, together with some suggestions for future work.
There is a growing interest in using the Blockchain for resolving IoT security and trustworthiness issues existing in today's complex systems. Blockchain addresses trust in peer-to-peer networks by providing a distributed tamper-resistant ledger. However, the combination of these two emerging technologies might create new problems and vulnerabilities that attackers might abuse. In this paper, we aim to investigate the trust mechanism of Lightweight Scalable BlockChain (LSB), which is a Blockchain specifically designed for Internet of Things networks, to show that a malicious participant in a Blockchain architecture has the possibility to pursue an On-Off attack and downgrade the integrity of the distributed ledger. We choose a remote software update process as an instance to represent this violation. Finally, using the actor-based language Rebeca, we provide a model of a system under attack and verify the described attack scenario.
In process automation installations, the I/O system connects the field devices to the process controller over a fieldbus, a reliable, real-time capable communication link in which signal values are exchanged cyclically at a 10–100 millisecond rate. If a deviation from intended behaviour occurs, analyzing the potentially vast data recordings from the field can be a time-consuming and cumbersome task for an engineer. For the engineer to be able to get a full understanding of the problem, knowledge of the I/O configuration in use is required. In the problem report, the configuration description is sometimes missing. In such cases it is difficult to use the recorded data for analysis of the problem. In this paper we present our ongoing work towards using neural network models as assistance in the interpretation of an industrial fieldbus communication recording. To show the potential of such an approach we present an example using an industrial setup where fieldbus data is collected and classified. In this context we present an evaluation of the suitability of different neural net configurations and sizes for the problem at hand.
The latest technological trends lead toward systems connected to public networks even in critical domains. Bringing together safety and security work is becoming imperative, as a connected safety-critical system is not safe if it is not secure. The main objective of this study is to investigate the current status of safety and security co-analysis in system engineering by conducting a systematic literature review. The steps of the review are the following: identification of the research questions; agreement upon a search string; applying the search string to the chosen databases; formulation of a selection criterion for filtering the relevant publications; categorization and analysis of the selected papers. We focused on the early system development stages and identified 33 relevant publications categorized as follows: combined safety and security approaches that consider the mutual influence of safety and security; safety-informed security approaches that consider the influence of safety on security; and security-informed safety approaches that consider the influence of security on safety. The results showed that a number of the identified approaches are driven by needs in fast-developing application areas, e.g., automotive, while works focusing on combined analysis are mostly application-area independent. Overall, the study shows that safety and security co-analysis is still a developing domain.
Today's industrial automation systems are undergoing a digital transformation that implies a shift towards the Internet of Things (IoT), leading to the Industrial Internet of Things (IIoT) paradigm. Existing Industrial Automated Control Systems (IACS), enriched with a potentially large number of IoT devices, are expected to make systems more efficient and flexible, provide intelligence, and ultimately enable autonomous control. In general, the majority of such systems come with a high level of criticality that calls for well-established methods and approaches when achieving cybersecurity, preferably prescribed by a standard. IEC 62443 is an industrial standard that provides procedures to manage risks related to cybersecurity threats in IACS. Given the new IIoT paradigm, it is likely that existing standards are not sufficiently aligned with the challenges related to developing and maintaining cybersecurity in such systems. In this paper we review the applicability of the IEC 62443 standard in IIoT contexts and discuss potential challenges the process owners might encounter. Our analysis underlines that compliance with some areas of the standard could prove difficult to reach. In particular, the handling of cross-zone communication and software updates requires additional guidance.
Over the past decade technological development has led to systems being connected to public networks in many critical domains. In such systems, bringing safety and security work together has become even more important, as a connected safety-critical system is not safe if it is not secure. Given this, the main goal of this study is to investigate the current status of safety and security co-analysis in system engineering by conducting a Systematic Literature Review. In this work we have focused on the early system development stages and identified 33 relevant publications categorised as: combined safety and security approaches that consider the mutual influence of safety and security; safety-informed security approaches that consider the influence of safety on security; and security-informed safety approaches that consider the influence of security on safety. The results showed that a number of the identified approaches are driven by needs in fast-developing application areas, e.g., automotive, while works focusing on combined analysis are mostly application-area independent. Overall, the study shows that safety and security co-analysis is still a developing domain, which requires solutions that rely on two separate disciplines, namely safety and security engineering.
The term systems of systems (SoS) refers to a setup in which a number of independent systems collaborate to create a value that each of them is unable to achieve independently. The complexity of an SoS structure is higher compared to its constituent systems, which brings challenges in analyzing its critical properties such as security. An SoS can be seen as a set of connected systems or services that need to be adequately protected. Communication between such systems or services can be considered a service itself, and it is paramount for the establishment of an SoS as it enables connections, dependencies, and cooperation. Given that reliable and predictable communication contributes directly to the correct functioning of an SoS, communication as a service is one of the main assets to consider. Protecting it from malicious adversaries should be one of the highest priorities within SoS design and operation. This study aims to investigate the attack propagation problem in terms of service guarantees through the decomposition into sub-services enriched with preconditions and postconditions at the service level. Such analysis is required as a prerequisite for an efficient SoS risk assessment at the design stage of the SoS development life cycle, to protect it from possibly high-impact attacks capable of affecting the safety of systems and of the humans using the system.
Real-time adaptive systems are complex systems capable of adapting their behavior to changing conditions in the environment and/or internal state changes. Highly dynamic and possibly unpredictable environments and uncertain operating conditions call for new paradigms of software design and run-time adaptation mechanisms to overcome the lack of knowledge at design time. Main application areas include vehicles or robots that need to collaborate to achieve a common task, e.g., minimizing fuel consumption, moving objects at a construction site, or performing a set of operations in a factory. Moreover, these vehicles or robots need to interact and possibly collaborate with humans in a safe way, e.g., avoiding accidents or collisions and preventing hazardous situations that may harm humans and/or machines. This paper proposes a framework for developing safe and secure adaptive collaborative systems with run-time guarantees. To enable this, our focus is on requirements engineering and safety assurance techniques to capture the specific safety and security properties of the collaborative system, and to provide an assurance case guaranteeing that the system is sufficiently safe. Moreover, the paper proposes an architecture and behavioral models to analyze the requirements at run-time. Finally, we design a suitable deployment platform to perform the run-time analysis and planning while guaranteeing the real-time constraints.
With the development of cloud computing, new ways for easy, on-demand, Internet-based access to computing resources have emerged. In such a context a Service Level Agreement (SLA) enables contractual agre ...
For interconnected and complex systems, security is paramount for establishing trust in their correctness and design adequacy. Thus, security needs to be assured, and a corresponding security assurance case needs to be presented to system stakeholders, security assessors, as well as system users. However, security is dynamic by its nature, and to maintain an acceptable security level, frequent updates might be required. Traditionally, a security assurance case is built from scratch whenever a change occurs; however, given the cost of the resources needed for such a task, a more effective and less time-consuming way of handling updates is needed. Hence, the challenge of security case run-time adaptation is considered in this work. We survey the state of the art in security assurance and security case development to refine the challenge and identify system decomposition as one of the enablers for security case run-time adaptation. We propose to apply system decomposition in terms of services and use service choreographies to facilitate security case run-time adaptation. The proposed approach is illustrated on an E-gas example.
Today's systems are being built to connect to public or semi-public networks, are able to communicate with other systems, e.g., in the context of the Internet of Things (IoT), involve multiple stakeholders, have dynamic system reconfigurations, and operate in increasingly unpredictable environments. In such complex systems, assuring safety and security in a continuous and joint effort is a major challenge, not least due to the increasing number of attack surfaces arising from the increased connectivity. In this paper we present an approach that aims to bridge the gap between safety and security engineering. The potential of the approach is illustrated on the example of an E-gas system, discussing the cases when unintentional faults as well as malicious attacks are taken into consideration when assuring the safety of the described system.
In the context of safety-critical Systems of Systems (SoS), built as a collection of several systems each capable of fulfilling its own function as well as the overall SoS function in order to increase production efficiency and decrease human effort, one has to be able to guarantee critical properties such as safety and security. It is not sufficient to analyze and guarantee these critical properties in isolation from one another; one has to be able to provide joint analysis and guarantees on safety and security. This paper is our initial effort towards building a common safety and security assurance approach for complex SoS, where we start from the identification and analysis of attack models and connect them to the already identified functional safety requirements. In this way we will be able to assess system assets and vulnerabilities, and identify ways in which an attacker could exploit them. We aim to connect the attack modeling process to the safety process by aligning mitigation strategies with safety requirements.