By András Földvári and András Pataricza, Budapest University of Technology and Economics
In today’s connected world, complex IoT systems play a critical role in many industries, where a cybersecurity intrusion affecting the IT part may lead to severe or catastrophic consequences, amplified by the controlled physical process. Assuring a proper level of security in such systems faces serious problems. Their growing complexity creates extensive attack surfaces that are difficult to analyze and secure using traditional, expert-heuristics-based methods, and these methods fail to provide high assurance against rare but high-risk events. Additionally, the long lifespan of IoT systems contrasts with the rapid evolution of cyber threats, so both the systems and the tools used for security assessment need continuous updates to remain effective.
Model-Based Systems Engineering (MBSE) [1] emerges as the primary approach for addressing the complexity of IoT and cyber-physical system (CPS) design. MBSE offers a higher level of application representation than traditional “pure coding.” The International Council on Systems Engineering (INCOSE) [2] defines MBSE as the formalized application of modeling to support system requirements, design, analysis, verification, and validation activities, beginning in the conceptual design phase and continuing throughout development and later life cycle phases. This methodology has become integral to designing complex cyber-physical systems due to its standardized approach to capturing and managing system requirements, architecture, design, and processes, as well as to identifying the system’s environment as a system of systems. Frequently, visual design languages support MBSE, reducing the abstraction gap between the domain and the IT implementation.
Security is often considered an afterthought and is thus not subject to a similarly disciplined process beyond general design requirements. However, increasing technical and legal requirements make the MBSE-based approach inevitable in critical applications. One of the significant advancements in MBSE for security assurance is the integration of digital engineering practices, transforming traditional document-based systems engineering processes into more efficient digital engineering workflows. This shift enables more robust and systematic approaches to ensuring security throughout the system lifecycle.
Our goal is to develop an MBSE-based Impact Assessment [3,4] solution that estimates the potential unwanted consequences of malicious attacks by exhaustive mathematical analysis of the risks, focusing the effort on the critical cases. In IoT and CPS systems, however, risks can also manifest in a hazardous interaction of the IT part with the physical part of the system, impacting other extra-functional attributes. The purpose of impact analysis is to identify the components within a system whose failure—whether accidental or intentional—could have critical consequences for the entire system. By highlighting these components, the analysis enables the identification of initial attack targets in the digital twin. Specifically, it helps to define the kind of damage that must be inflicted on a given component to violate certain system requirements.
Figure 1 Architecture of the model-based security analysis solution
For the modeling of the impact assessment task, we have chosen an MBSE-based solution, the main structure of which is shown in Figure 1. The key requirements for modeling start with the need to integrate system models from various sources. In any large-scale project, the modeler works with a variety of tools such as ArchiMate, SysML, and Matlab, each offering a distinct approach to modeling particular aspects of the system. To perform the security analysis with the most comprehensive information available, we must manage and integrate multiple models.
A common terminology for submodules is essential. Interoperability is critical, requiring a shared language that connects these modules—whether they involve a safety-critical subsystem, a business process, or security modeling aspects. Every component must be understandable and explainable across different teams and platforms.
Another critical requirement is the precise definition of concepts. All this information must be handled in a way that is both machine-readable and interpretable. By formalizing these concepts in a mathematical description, we can address these challenges more effectively and automate various processes.
Finally, we must ensure the extensibility and reusability of models. Modern systems, especially IT/OT and IoT systems, must be adaptive, particularly as new components are dynamically added or removed from the system. Also, models should be self-interpretable and capable of evolving as new requirements emerge. We should also strive for reusability, enabling us to save time and resources by applying the same models to new but similar problems in the future.
All these requirements are tied together under the concept of Ontology-Based Metamodels, which provide the structure and formalism necessary to achieve these goals effectively.
We chose the ArchiMate modeling language and tool for creating the input models in our solution. The goal of the ArchiMate [5] model is to enable the simultaneous modeling of the structural elements of a system, its deployment aspects, and the elements required for modeling the data flow. An example is shown in Figure 2.
Figure 2 Static system model example in ArchiMate using the specializations for the domain-specific modeling
The input models for the evaluation are versatile and provide an abstract representation of the architecture, components, and interactions within a system, serving as a foundation for understanding its underlying structure. Stored in a Neo4j graph database [6], the model captures the logical relationships between entities and enables detailed mapping to deployment models and attack scenarios. It is designed to be flexible, extensible, and capable of modeling complex systems, making it a critical tool for systems engineering and analysis.
Input formats such as ArchiMate, Ansible, and Terraform have rich and versatile structures, and impact and security analysis needs a seamless interface to them that represents diverse data points, their hierarchical relationships, and their associated attributes. We therefore sought a graph database solution capable of managing such complexity, and this search directed our attention to the open-source Neo4j project.
Figure 3 Neo4j representation of a system component for the Impact Assessment task
MBSE, accompanied by automated code generation, yields productivity and quality gains in the implementation process similar to those of high-level programming languages over assembly. In the domain of (primarily safety-)critical applications, certified code generators support rapid application development based solely on checked models. In our solution, the code required for the analysis is generated from the models stored in Neo4j using a template-based approach: during the analysis, Prolog and Answer Set Programming (ASP) [7] code is generated from the stored models to perform the Impact Assessment task.
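The following Python script is an added example, not code from the authors’ toolchain, covering both the graph-based system model described above (Figure 3) and the template-based generation of ASP code from it. The element names, relationship types (`deployed_on`, `data_flow`), requirements and the failure-propagation rule are all constructed for illustration; the in-memory graph stands in for the Neo4j store, and the emitted program uses clingo-style syntax.

```python
"""Impact assessment over a component graph with template-based ASP generation.

Added example: the model below is constructed for illustration and is not the
paper's model or code. Node and relationship names mimic the kind of structure
the paper stores in Neo4j, but are invented here.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample model: element name -> ArchiMate-like element type.
NODES: Dict[str, str] = {
    "SensorService": "ApplicationComponent",
    "ControlService": "ApplicationComponent",
    "Historian": "ApplicationComponent",
    "EdgeNode": "Node",
    "CloudVM": "Node",
    "PLC": "Device",
}

# Constructed relationships: (source, relation, target).
# deployed_on: source runs on target; data_flow: source sends data to target.
EDGES: List[Tuple[str, str, str]] = [
    ("SensorService", "deployed_on", "EdgeNode"),
    ("ControlService", "deployed_on", "EdgeNode"),
    ("Historian", "deployed_on", "CloudVM"),
    ("SensorService", "data_flow", "ControlService"),
    ("ControlService", "data_flow", "PLC"),
    ("SensorService", "data_flow", "Historian"),
]

# Constructed system requirements: requirement -> components that must stay intact.
REQUIREMENTS: Dict[str, List[str]] = {
    "SafeActuation": ["PLC"],
    "Reporting": ["Historian"],
}


def affected_by(failed: Set[str]) -> Set[str]:
    """Forward-propagate a set of failed elements through the graph.

    Propagation rule (an assumption of this example): failure reaches every
    data_flow target and every element deployed on an affected node.
    """
    succ: Dict[str, Set[str]] = {}
    for src, rel, dst in EDGES:
        if rel == "data_flow":
            succ.setdefault(src, set()).add(dst)  # downstream consumer is affected
        elif rel == "deployed_on":
            succ.setdefault(dst, set()).add(src)  # host failure takes down its tenants
    affected = set(failed)
    queue = deque(failed)
    while queue:
        current = queue.popleft()
        for nxt in succ.get(current, ()):
            if nxt not in affected:
                affected.add(nxt)
                queue.append(nxt)
    return affected


def violated_requirements(failed: Set[str]) -> Set[str]:
    """Requirements violated when the given elements fail (accidentally or by attack)."""
    affected = affected_by(failed)
    return {req for req, comps in REQUIREMENTS.items() if affected & set(comps)}


def critical_single_points(requirement: str) -> Set[str]:
    """Elements whose failure alone violates the requirement, i.e. the components
    that impact analysis should highlight for closer protection."""
    return {n for n in NODES if requirement in violated_requirements({n})}


# Template for the rule part of the logic program; facts are generated from the graph.
ASP_RULES = """\
% propagation rules (same semantics as affected_by above)
affected(X) :- failed(X).
affected(Y) :- affected(X), data_flow(X, Y).
affected(Y) :- affected(X), deployed_on(Y, X).
violated(R) :- requires(R, C), affected(C).
#show violated/1.
"""


def _term(name: str) -> str:
    """Quote a model name as an ASP string term, so no lower-casing is needed."""
    return f'"{name}"'


def generate_asp(failed: Set[str]) -> str:
    """Emit a clingo-style ASP program: facts from the graph plus the rule template."""
    facts = [f"node({_term(n)}, {_term(t)})." for n, t in NODES.items()]
    facts += [f"{rel}({_term(s)}, {_term(t)})." for s, rel, t in EDGES]
    facts += [f"requires({_term(r)}, {_term(c)})." for r, cs in REQUIREMENTS.items() for c in cs]
    facts += [f"failed({_term(f)})." for f in sorted(failed)]
    return "\n".join(facts) + "\n" + ASP_RULES


if __name__ == "__main__":
    for req in REQUIREMENTS:
        print(req, "is violated by any single failure of:", sorted(critical_single_points(req)))
    print(generate_asp({"EdgeNode"}))
```

The Python closure and the ASP rules encode the same propagation, so the script can serve as a quick cross-check of a generated program: feeding the emitted text to a solver should report exactly the requirements that `violated_requirements` returns for the same failed set.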
Our solution aims to support security assessment in complex IoT and CPSs, where traditional methods struggle with growing system complexity and evolving cyber threats. It adopts MBSE, which offers structured modeling of system requirements, design, and security analysis. The approach integrates digital engineering practices and employs ArchiMate for domain-specific modeling and Neo4j for managing models from different sources. The focus is on extensible, reusable models and automated code generation, enabling automatic impact assessment against potential malicious attacks.
References
[1] A. Pataricza, “Systematic generation of dependability cases from functional models,” in Formal Methods for Automation and Safety in Railway and Automotive Systems. Proc. Symposium FORMS/FORMAT, October 2007, pp. 9–10.
[2] INCOSE (Ed.). (2023). INCOSE Systems Engineering Handbook. John Wiley & Sons.
[3] Földvári, A., Biczók, G., Kocsis, I., Gönczy, L., & Pataricza, A. (2021, November). Impact Assessment of IT Security Breaches in Cyber-Physical Systems: Short paper. In 2021 10th Latin-American Symposium on Dependable Computing (LADC). IEEE.
[4] Földvári, A., Brancati, F., & Pataricza, A. (2023, June). Preliminary Risk and Mitigation Assessment in Cyber-Physical Systems. In 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). IEEE.
[5] Band, I., Engelsman, W., Feltus, C., Paredes, S. G., & Diligens, D. (2015). Modeling Enterprise Risk Management and Security with the ArchiMate® Language. The Open Group.
[6] Neo4j. “Neo4j Graph Database Platform.” Neo4j, https://neo4j.com.
[7] Gebser, M., Kaminski, R., Kaufmann, B., & Schaub, T. (2019). Multi-shot ASP solving with Clingo. Theory and Practice of Logic Programming, 19(1), 27-82.