Abstract

Model-Based System Engineering (MBSE) provides a number of ways on how to create, validate, and verify the complex system design; unfortunately, the inherent security aspects are addressed neither by the SysML language that is the main MBSE enabler nor by popular MBSE methods. Although there are many common points between MBSE and security requirements engineering, the key advantages of MBSE (such as managed complexity, reduced risk and cost, and improved communication across a multidisciplinary team) have not been exploited enough. This paper reviews security requirements engineering processes and modeling methods and standards and provides the MBSE security profile as well, which is formalized with the UML 2.5 profiling capability. The new UML-based security profile conforms to the ISO/IEC 27001 information security standard. In addition to the MBSE security profile, this paper also presents the security profile application use case and the feasibility study of current status for security and systems engineering processes.

Highlights

  • Works ere are many common points between Model-Based System Engineering (MBSE) and security requirements engineering; these disciplines still have not been connected in terms of the standard method, approach, or framework. is leads to the fact that powerful advantages of MBSE are still being underexploited in the workflow of security engineers and systems engineers. e literature analysis and feasibility survey showed that systems engineers and security engineers recognize the value of integrating systems and security processes, but this has not been implemented in practice yet

  • Is paper contributes to linking MBSE discipline with the security analysis approaches in two aspects: (1) It maps the concepts from the security requirement engineering field and UML/SysML-based modeling approaches for security analysis. e mapping and the security domain model could help users to understand and compare security terms

  • (2) It introduces the UML security profile based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 information security standard that allows describing and analyzing security aspect together with the system model. e use of modelbased techniques ensures that the security and system artefacts are aligned at the early phase of system design and MBSE benefits are extended to security engineer discipline

Read more

Summary

Introduction

Modern systems among industries such as automotive, medical devices, aerospace, and defence are becoming extremely complex; traditional engineering methods are not sufficient for their successful realization. e systems have become more complex, due to many factors, to name a few:. Security and Communication Networks (c) Improving communication across a multidisciplinary team (d) Enabling autogeneration of documentation (ii) Reduced risk by early and iterative requirements validation and design verification (iii) Managed complexity ere are a number of methods that guide users on how to get all of the MBSE benefits when creating a system design model. E detailed review of these MBSE methodologies and frameworks is available in the previous papers [9, 10]; sadly, neither of the analyzed methods deals with the security analysis at an early stage of system design Many researchers in their studies [11,12,13,14] agree that there is a need to identify and tackle security risks during the systems engineering lifecycle. We introduce a small case study that presents the potential value of using a model-based approach for security analysis

Feasibility Study
Security Domain Model
Security Profile Structure and Content
Security Profile Application Use Case
Findings
Conclusions and Future

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.