Eckhart, M., Ekelhart, A., Biffl, S., Lüder, A., & Weippl, E. R. (2022). QualSec: An Automated Quality-Driven Approach for Security Risk Identification in Cyber-Physical Production Systems. IEEE Transactions on Industrial Informatics. https://doi.org/10.1109/TII.2022.3193119
Cyber-physical production systems, information security, industrial control systems, AutomationML, Petri net, production systems engineering.
Abstract:
As the threat landscape in the industrial domain continually advances, security-by-design is an ever-growing concern in the engineering of cyber-physical production systems (CPPSs). Often, quality aspects are not considered when securing CPPSs, which creates attack vectors that could lead to malicious activity affecting the products’ quality. Since quality control systems generally provide inadequate protection against intentionally introduced defects, and can be susceptible to attacks, quality considerations must be integrated into security-aware CPPS engineering. For this purpose, we propose the QualSec method that automatically identifies security risks pertaining to CPPSs, building on the quality characteristics associated with manufacturing operations to determine cascading effects. QualSec is based on a semantic representation of engineering knowledge, allowing to efficiently reuse engineering models from AutomationML artifacts. Moreover, QualSec utilizes Petri nets to facilitate the analysis of security risks and cascading effects. In this way, QualSec informs users about possible attack paths for compromising quality characteristics, how attackers may disguise their malicious actions, and the possible consequences of attacks with respect to product quality. We demonstrate the benefits of QualSec in a case study and analyze its scalability through a rigorous performance evaluation.
Project title:
Improving the Security of Information Processes in Production Systems: CDL SQI (CDG Christian Doppler Forschungsgesellschaft)
Research Areas:
Computer Engineering and Software-Intensive Systems: 50%; Information Systems Engineering: 50%