|Authors||P. H. Nguyen, S. Ali and T. Yue|
|Title||Model-Based Security Engineering for Cyber-Physical Systems: A Systematic Mapping Study|
|Afilliation||Software Engineering, The Certus Centre (SFI), Software Engineering|
|Project(s)||MBT4CPS: Model-Based Testing For Cyber-Physical Systems , The Certus Centre (SFI)|
|Publication Type||Journal Article|
|Year of Publication||2016|
|Journal||Information and Software Technology|
|Keywords||Cyber-Physical Systems, Security Testing, Testing, Uncertainty|
Context: Cyber-physical systems (CPSs) have emerged to be the next generation of engineered systems driving the so-called fourth industrial revolution. CPSs are becoming more complex, open and more prone to security threats, which urges security to be engineered systematically into CPSs. Model-Based Security Engineering (MBSE) could be a key means to tackle this challenge via security by design, abstraction and automation.
Objective: We aim at providing an initial assessment on the state of the art in MBSE for CPSs (MBSE4CPS). Specifically, this work focuses on finding out 1) the publication statistics of MBSE4CPS studies; 2) the characteristics of MBSE4CPS studies; and 3) the open issues of MBSE4CPS research.
Method: We conducted a systematic mapping study (SMS) following a rigorous protocol that was developed based on the state-of-the-art SMS and systematic review guidelines. From thousands of relevant publications, we systematically identified 34 primary MBSE4CPS studies for data extraction and synthesis to answer predefined research questions.
Results: SMS results show that for two recent years (2014-2015) the number of primary MBSE4CPS studies has increased significantly. Within the primary studies, the popularity of using Domain-Specific Languages (DSLs) is comparable with the use of the standardized UML modeling notation. Most primary studies do not explicitly address specific security concerns (e.g., confidentiality, integrity) but rather focus on security analyses in general on threats, attacks or vulnerabilities. Few primary studies propose to engineer security solutions for CPSs. Many focus on the early stages of development lifecycle such as security requirement engineering or analysis.
Conclusion: The SMS does not only provide the state of the art in MBSE4CPS, but also points out several open issues that would deserve more investigation, e.g., the lack of engineering security solutions for CPSs, limited tool support, too few industrial case studies, and the challenge of bridging DSLs in engineering secure CPSs.