QualSec: An Automated Quality-Driven Approach for Security Risk Identification in Cyber-Physical Production Systems

Abstract

As the threat landscape in the industrial domain continually advances, security-by-design is an evergrowing concern in the engineering of cyber-physical production systems (CPPSs). Often, quality aspects are not considered when securing CPPSs, which creates attack vectors that could lead to malicious activity affecting the products’ quality. Since quality control systems generally provide inadequate protection against intentionally introduced defects, and can be susceptible to attacks, quality considerations must be integrated into securityaware CPPS engineering. For this purpose, we propose the QualSec method that automatically identifies security risks pertaining to CPPSs, building on the quality characteristics associated with manufacturing operations to determine cascading effects. QualSec is based on a semantic representation of engineering knowledge, allowing to efficiently reuse engineering models from AutomationML artifacts. Moreover, QualSec utilizes Petri nets to facilitate the analysis of security risks and cascading effects. In this way, QualSec informs users about possible attack paths for compromising quality characteristics, how attackers may disguise their malicious actions, and the possible consequences of attacks with respect to product quality. We demonstrate the benefits of QualSec in a case study and analyze its scalability through a rigorous performance evaluation