Abstract
Cybersecurity risk assessment has become a critical priority in systems development and the operation of complex networked systems. However, current state-of-the-art approaches for detecting vulnerabilities, such as automated security testing or penetration testing, often result in late detections. Thus, there is a growing need for security by design, which involves conducting security-related analyses as early as possible in the system development life cycle. This paper proposes a novel hierarchical model-based security risk assessment approach that enables the early assessment of security risks during the system design process. The approach uses different OMG UML-based models, supplemented by a lightweight extension using profiles and stereotypes. Various security attributes, including vulnerability information and asset values, are then used by algorithms to compute relevant properties including threat space, possible attack paths, and selected network-based security metrics. A real-life industrial example is then used to demonstrate the approach.
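As an added illustration (not the paper's own algorithm, tooling or data), the following minimal two-layer model mirrors the kind of hierarchical assessment the abstract describes: an upper layer of host reachability and a lower layer of per-host vulnerabilities, from which the attack paths to an asset and a few network-based metrics are computed. Every host name, vulnerability id, exploit probability and asset value here is constructed for the example.

```python
"""Two-layer attack model (HARM-style): upper layer = host reachability,
lower layer = per-host vulnerabilities. All data below is constructed."""

# Upper layer: which host can reach which (hypothetical topology).
REACH = {
    "attacker": ["gateway"],
    "gateway": ["hmi", "plc"],
    "hmi": ["plc"],
    "plc": [],
}
# Lower layer: (vulnerability id, probability an attacker exploits it). Hypothetical.
VULNS = {
    "gateway": [("V-GW-1", 0.6)],
    "hmi": [("V-HMI-1", 0.3), ("V-HMI-2", 0.5)],
    "plc": [("V-PLC-1", 0.2)],
}
# Asset value per host, used to turn path probability into a risk figure. Hypothetical.
ASSET_VALUE = {"gateway": 10, "hmi": 30, "plc": 100}


def host_compromise_prob(host):
    """Lower layer as an OR node: the attacker picks the easiest vulnerability."""
    vulns = VULNS.get(host, [])
    return max(p for _, p in vulns) if vulns else 0.0


def attack_paths(src, dst, path=None):
    """Enumerate simple paths from src to dst in the upper layer (the threat space)."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    paths = []
    for nxt in REACH.get(src, []):
        if nxt not in path:  # skip cycles so enumeration terminates
            paths.extend(attack_paths(nxt, dst, path))
    return paths


def path_probability(path):
    """A path succeeds only if every host after the entry point is compromised."""
    prob = 1.0
    for host in path[1:]:
        prob *= host_compromise_prob(host)
    return prob


def metrics(src, dst):
    """Selected network-based metrics for reaching asset dst from src."""
    paths = attack_paths(src, dst)
    probs = [path_probability(p) for p in paths]
    return {
        "number_of_paths": len(paths),
        "shortest_path_length": min(len(p) - 1 for p in paths),
        "max_path_probability": max(probs),
        "risk": max(probs) * ASSET_VALUE[dst],
    }
```

Running `metrics("attacker", "plc")` on the constructed data yields two paths, the direct one via the gateway being both shortest and most likely.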
Acknowledgements
This work was made possible by RTAPHM (Real-Time Analytic, Prognostics and Health Management) and MISU (Model-based Development of Secure Digital Infrastructures for Service-Driven UAV Systems), reference numbers 20X1720A and 20X1736E. Partially funded by the Federal Ministry for Economic Affairs and Climate Action (BMWK). The statements made herein are solely the responsibility of the authors.
Copyright information
© 2024 IFIP International Federation for Information Processing
About this paper
Cite this paper
Jungebloud, T., H. Nguyen, N., Seong Kim, D., Zimmermann, A. (2024). Hierarchical Model-Based Cybersecurity Risk Assessment During System Design. In: Meyer, N., Grocholewska-Czuryło, A. (eds) ICT Systems Security and Privacy Protection. SEC 2023. IFIP Advances in Information and Communication Technology, vol 679. Springer, Cham. https://doi.org/10.1007/978-3-031-56326-3_3
DOI: https://doi.org/10.1007/978-3-031-56326-3_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56325-6
Online ISBN: 978-3-031-56326-3
eBook Packages: Computer Science (R0)