<div class="csl-bib-body">
<div class="csl-entry">Mohammad Hosseini, A., Kastner, W., & Sauter, T. (2025). Ontology Framework Supporting Security-By-Design of Industrial Control Systems. <i>IEEE Transactions on Industrial Informatics</i>, <i>21</i>(9), 7188–7197. https://doi.org/10.1109/TII.2025.3574694</div>
</div>
dc.identifier.issn: 1551-3203
dc.identifier.uri: http://hdl.handle.net/20.500.12708/225228
dc.description.abstract [en]: Ensuring cybersecurity in Industrial Control Systems (ICSs) is essential, as cyber-attacks can lead to substantial economic losses and serious safety hazards. Addressing security early in the product and system life cycle is crucial to preventing expensive fixes and severe consequences later. Since requirements engineering and system architecture design are early activities in system development and are interconnected in nature, it is essential to begin integrating security into these activities. IEC 62443 is a widely used ICS cybersecurity standard that provides security requirements and architectural guidance; however, it relies heavily on human experts and manual effort, making the implementation of the standard costly and time-consuming. This article proposes an ontological framework that supports the integrated engineering of security requirements and system architectures, aiming to achieve security by design and conformance with IEC 62443 with reduced reliance on human experts. To evaluate the quality and usability of the proposed ontology, we examine a use case for requirements elicitation and validation scenarios. The findings highlight the potential of ontological approaches in improving ICS cybersecurity, particularly in terms of standard compliance.
dc.description.sponsorship: TÜV Austria Holding AG
dc.language.iso: en
dc.publisher: IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
dc.relation.ispartof: IEEE Transactions on Industrial Informatics
dc.subject [en]: IEC 62443
dc.subject [en]: industrial control systems (ICSs)
dc.subject [en]: ontology
dc.subject [en]: requirements engineering
dc.subject [en]: system architecture
dc.title: Ontology Framework Supporting Security-By-Design of Industrial Control Systems