Security Requirements Analysis, Specification, Prioritization and Policy Development in Cyber-Physical Systems

Abstract

In recent past, the security of cyber-physical systems (CPSs) has been the subject of major concern. One of the reasons is that, CPSs are often applied to mission-critical processes. Also, the automation CPSs bring in managing physical processes, and the detail of information available to them for carrying out their tasks, make securing them a prime importance. Securing CPSs is a difficult task as systems are interconnected. In order to achieve a continuous secured CPS environment, there is the need for an integrated methodology to analyze, specify and prioritize security requirements and also to develop policies to meet them. First, CPS assets are represented using high-order object models. Second, swim lane diagrams are extended to include malactivities and prevention or mitigation options to decompose use cases. We analyze security threats pertaining to the hardware components, software components and the hardware-software interaction. Security requirements are then specified, and an analytical prioritization approach, based on relative priority analysis is employed to prioritize them. Finally, security policies are then developed to meet the requirements. To demonstrate its effectiveness and evaluate its application, the proposed methodology is applied in a structured approach to a test bed -- Ayushman, a Pervasive Health Monitoring System (PHMS).