A Process-Oriented Framework for Security Assessment of Cyber-Physical Systems

Abstract

Due to digitalization and technological advancement, systems and their requirements are changing, and there is an increasing use of Cyber-Physical Systems (CPS) with a direct connection between the physical and the digital world. These systems process data and have integrated functions and a real-time requirement. There is a great need for security, protection of data, and reliability. The use of digital systems in the energy sector is increasing and changing, as are consumers and generators. This requires a secure IT, communications infrastructure, and highly performing data platforms. The new systems being created are called CPS, which are highly scalable, dynamic, and volatile and process many data of various kinds. One significant aspect of a CPS is security. Personal data and business-sensitive data may be processed, or mission-critical processes may be mapped. Risk analysis and security assessments based on conventional methods and guidelines (for example, BSI IT Basic Protection) have revealed drawbacks. Present security assessment methods focus on analyzing corporate information systems or are applied for software development life cycles. CPS criteria and their impact on security have not yet been accounted for in today’s security assessments and their corresponding frameworks. This thesis concentrates on modeling CPS security and deriving a framework for CPS security assessments. The considered criteria are data security as conventional, expanded by scalability, and real-time. The underlying framework is process-oriented. CPS use cases will be broken down into (atomic) processes and the security assessed based on each process’ data security, scalability and real-time model. Eventually, this will mean security measures can be mapped at the process level. Conducting this research, the focus was on smart grid systems as one example of CPS. For the discussion of mapping security measures, authentication was selected. The result analysis shows an added value in the security assessment of CPS based on the criteria of data security, scalability, real-time, and the breakdown at the process level. The underlying model allows to cope with the complexity of CPS and more precisely assess the security of CPS. The overall approach of CPS security modeling and provision by using a process-oriented framework is highly innovative and provides a concept for developing future CPS security assessment tools.