research-article

Threat modeling for security assessment in cyberphysical systems

Authors:

Janusz Zalewski,

William McKeever,

Andrew J. KorneckiAuthors Info & Claims

CSIIRW '13: Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop

Article No.: 10, Pages 1 - 4

https://doi.org/10.1145/2459976.2459987

Published: 08 January 2013 Publication History

Abstract

In this paper, threat modeling issues in cyberphysical systems are discussed. First a generic model of a cyberphysical system is outlined, with an attack surface suitable for security analysis. Then, a case study of network communication in a road vehicle is presented, with its behavior modeled by a discrete time Markov chain, under the assumption that security violations can cause gradual degradation of functionality. Finally, two ways of numerical assessment of vulnerabilities are analyzed, to help better estimate probabilities of state changes in a Markov model.

References

[1]

Dowd, M., McDonald, J. and J. Schuh 2007. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley, Boston, Mass.

Digital Library

[2]

Herrmann, D. S. 2011. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience and ROI. Auerbach Publications, London.

Digital Library

[3]

Zuse, H. 2007. A Framework of Software Measurement. Walter de Gruyter, Berlin.

Digital Library

[4]

Stolfo, S., Bellovin, S. M. and Evans, D. 2011. Measuring Security. IEEE Security and Privacy, 9, 3 (May/June 2011), 60--65.

Digital Library

[5]

Zalewski, J. Drager, S., McKeever, W. and Kornecki, A. 2011. Can We Measure Security and How? In Proc. CSIIRW'2011, 7th Annual Cyber Security and Information Intelligence Research Workshop (Oak Ridge, Tenn., October 12--14, 2011).

Digital Library

[6]

Zalewski, J., Drager, S., McKeever, W. and Kornecki, A. 2012. Towards Experimental Assessment of Security Threats in Protecting the Critical Infrastructure. In Proc. ENASE'2012, 7th Int'l Conf. on Evaluation of Novel Approaches to Software Engineering (Wroclaw, Poland, June 29--20, 2012).

[7]

Kornecki, A., Zalewski, J. and Stevenson, W. F. 2011. Availability Assessment of Embedded Systems with Security Vulnerabilities. In Proc. SEW-34, 34th Annual IEEE Software Engineering Workshop (Limerick, Ireland, June 20--21, 2011).

Digital Library

[8]

Athans, M. and Falb, P. 1966. Optimal Control. An Introduction to the Theory and Its Applications. McGraw-Hill, New York.

[9]

ISO/IEC 27005:2011 Information Technology - Security Techniques - Information Security Risk Management. International Organization for Standardization, Geneva, 2011.

[10]

National Information Assurance (IA) Glossary 2010. CNSS Instruction No. 4009. Committee on National Security Systems, 26 April 2010.

[11]

ISO/IEC/IEEE 24765a:2011 Systems and Software Engineering -- Vocabulary. International Organization for Standardization, Geneva, 2011.

[12]

Leveson N. G. 1995. Safeware: System Safety and Computers. Addison-Wesley, Boston, Mass

[13]

Littlewood, B. et al. 1992. Towards Operational Measures of Computer Security. Journal of Computer Security, 2, 2--3 (June 1993), 211--229.

[14]

Aijaz, A. et al. 2006. Attacks on Inter Vehicle Communication Systems -- An Analysis. In Proc. WIT, 3rd International Workshop on Intelligent Transportation (Hamburg, Germany, March 14--15, 2006) 189--194.

[15]

Swiderski, F. and Snyder, W. 2004. Threat Modeling. Microsoft Press, Redmond, Wash.

Digital Library

[16]

Ingalsbe, J. A., Kunimatsu, L., Baten, T. and Mead, N. R. 2008. Threat Modeling: Diving into the Deep End. IEEE Software, 25, 1 (January/February 2008), 28--34.

Digital Library

[17]

Dhilon, D. 2011. Developer-Driven Threat Modeling: Lessons Learned in the Trenches. IEEE Security and Privacy, 9, 4 (July/August 2011), 41--47.

Digital Library

[18]

Vestlund C. 2010. Threat Analysis on Vehicle Computer Systems. Master Thesis, Linköping University, Sweden.

[19]

Microsoft Corp. 2012. Security Development Lifecycle (SDL) Threat Modeling Tool. Redmond, Wash.

Digital Library

[20]

Mell, P., Scarfone, K. and Romanosky, S. (Eds.) 2007. CVSS -- A Complete Guide to the Common Vulnerability Scoring System. Version 2.0. URL: http://www.first.org/cvss/cvss-guide

[21]

Common Industrial Control System Vulnerability Disclosure Framework, 8 June 2012. URL: http://www.us-cert.gov/

Cited By

Leszczyna R(2023)Selecting an Applicable Cybersecurity Assessment Framework: Qualitative Metrics-Based Multiple-Factor AnalysisJournal of Computer Information Systems10.1080/08874417.2023.2288189(1-16)Online publication date: 14-Dec-2023
https://doi.org/10.1080/08874417.2023.2288189
Awotunde JOguns YAmuda KNigar NAdeleke TOlagunju KAjagbe S(2023)Cyber-Physical Systems Security: Analysis, Opportunities, Challenges, and Future ProspectsBlockchain for Cybersecurity in Cyber-Physical Systems10.1007/978-3-031-25506-9_2(21-46)Online publication date: 24-Apr-2023
https://doi.org/10.1007/978-3-031-25506-9_2
Dobaj JMacher GEkert DRiel AMessnarz R(2023)Towards a security‐driven automotive development lifecycleJournal of Software: Evolution and Process10.1002/smr.240735:8Online publication date: 7-Aug-2023
https://dl.acm.org/doi/10.1002/smr.2407
Show More Cited By

Index Terms

Threat modeling for security assessment in cyberphysical systems
1. Software and its engineering
  1. Software creation and management
    1. Software development techniques
      1. Reusability
        Software product lines

Recommendations

Capturing industry experience for an effective information security assessment

An Information System (IS) security programme consists of several essential security controls. In order to verify and maintain the effectiveness of an IS security programme, it is pertinent to identify how security controls are compared to each other in ...
Security assessment framework for IoT service

What are the critical requirements to be considered for the security measures in Internet of Things (IoT) services? Further, how should those security resources be allocated? To provide valuable insight into these questions, this paper introduces a ...
Multi-aspect security configuration assessment
SafeConfig '09: Proceedings of the 2nd ACM workshop on Assurable and usable security configuration

Evaluating the security of a computer network system is a challenging task. Configurations of large systems are complex entities in continuous evolution. The installation of new software, a change in the firewall rules, or the discovery of a software ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

CSIIRW '13: Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop

January 2013

282 pages

ISBN:9781450316873

DOI:10.1145/2459976

Editors:
Frederick Sheldon
Oak Ridge National Laboratory
,
Annarita Giani
Los Alamos National Laboratory
,
Axel Krings
University of Idaho
,
Robert Abercrombie
Oak Ridge National Laboratory

Copyright © 2013 Authors.

Sponsors

Los Alamos National Labs: Los Alamos National Labs
Sandia National Labs: Sandia National Laboratories
DOE: Department of Energy
Oak Ridge National Laboratory
Lawrence Livermore National Lab.: Lawrence Livermore National Laboratory
BERKELEYLAB: Lawrence National Berkeley Laboratory
Argonne Natl Lab: Argonne National Lab
Idaho National Lab.: Idaho National Laboratory
Pacific Northwest National Laboratory
Nevada National Security Site: Nevada National Security Site

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 January 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CSIIRW '13

Sponsor:

Los Alamos National Labs
Sandia National Labs
DOE
Lawrence Livermore National Lab.
BERKELEYLAB
Argonne Natl Lab
Idaho National Lab.
Nevada National Security Site

CSIIRW '13: Cyber Security and Information Intelligence

January 8 - 10, 2013

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
890
Total Downloads

Downloads (Last 12 months)16
Downloads (Last 6 weeks)0

Reflects downloads up to 29 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Leszczyna R(2023)Selecting an Applicable Cybersecurity Assessment Framework: Qualitative Metrics-Based Multiple-Factor AnalysisJournal of Computer Information Systems10.1080/08874417.2023.2288189(1-16)Online publication date: 14-Dec-2023
https://doi.org/10.1080/08874417.2023.2288189
Awotunde JOguns YAmuda KNigar NAdeleke TOlagunju KAjagbe S(2023)Cyber-Physical Systems Security: Analysis, Opportunities, Challenges, and Future ProspectsBlockchain for Cybersecurity in Cyber-Physical Systems10.1007/978-3-031-25506-9_2(21-46)Online publication date: 24-Apr-2023
https://doi.org/10.1007/978-3-031-25506-9_2
Dobaj JMacher GEkert DRiel AMessnarz R(2023)Towards a security‐driven automotive development lifecycleJournal of Software: Evolution and Process10.1002/smr.240735:8Online publication date: 7-Aug-2023
https://dl.acm.org/doi/10.1002/smr.2407
Nweke LWeldehawaryat GWolthusen S(2021)Threat Modelling of Cyber–Physical Systems Using an Applied π-CalculusInternational Journal of Critical Infrastructure Protection10.1016/j.ijcip.2021.10046635:COnline publication date: 1-Dec-2021
https://dl.acm.org/doi/10.1016/j.ijcip.2021.100466
Hao JHan G(2020)On the Modeling of Automotive Security: A Survey of Methods and PerspectivesFuture Internet10.3390/fi1211019812:11(198)Online publication date: 16-Nov-2020
https://doi.org/10.3390/fi12110198
Someswara Rao CMurthy KAppaji SShiva Shankar R(2019)Cyber-Physical Systems Security: Definitions, Methodologies, Metrics, and ToolsSmart Intelligent Computing and Applications10.1007/978-981-32-9690-9_53(477-488)Online publication date: 4-Oct-2019
https://doi.org/10.1007/978-981-32-9690-9_53
Zalewski JBuckley ICzejdo BDrager SKornecki ASubramanian N(2016)A Framework for Measuring Security as a System Property in Cyberphysical SystemsInformation10.3390/info70200337:2(33)Online publication date: 17-Jun-2016
https://doi.org/10.3390/info7020033
Martins GBhatia SKoutsoukos XStouffer KTang CCandell R(2015)Towards a systematic threat modeling approach for cyber-physical systems2015 Resilience Week (RWS)10.1109/RWEEK.2015.7287428(1-6)Online publication date: Aug-2015
https://doi.org/10.1109/RWEEK.2015.7287428
Popalyar F(2015)Threat Model Based Security for Wireless Mesh NetworksMobile Computing, Applications, and Services10.1007/978-3-319-29003-4_20(325-332)Online publication date: 2015
https://doi.org/10.1007/978-3-319-29003-4_20

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents