A Model-Based Approach to Security Analysis for Cyber-Physical Systems

TL;DR

This paper proposes a model-based method for security analysis of cyber-physical systems, enabling vulnerability assessment and mitigation planning during early design stages using a generalized attribute schema.

Contribution

It introduces a taxonomy of system attributes and demonstrates how to use models like SysML for security analysis before deployment.

Findings

Developed a generalized attribute schema for cyber-physical systems

Mapped attack vectors to system attributes for vulnerability analysis

Applied the approach to a flight control system model

Abstract

Evaluating the security of cyber-physical systems throughout their life cycle is necessary to assure that they can be deployed and operated in safety-critical applications, such as infrastructure, military, and transportation. Most safety and security decisions that can have major effects on mitigation strategy options after deployment are made early in the system's life cycle. To allow for a vulnerability analysis before deployment, a sufficient well-formed model has to be constructed. To construct such a model we produce a taxonomy of attributes; that is, a generalized schema for system attributes. This schema captures the necessary specificity that characterizes a possible real system and can also map to the attack vector space associated with the model's attributes. In this way, we can match possible attack vectors and provide architectural mitigation at the design phase. We present a model of a flight control system encoded in the Systems Modeling Language, commonly known as SysML, but also show agnosticism with respect to the modeling language or tool used.