Cybersafety Analysis of a Central Utilities Plant (CUP) Gas Turbine using STPA-SEC

Khan, Shaharyar; Madnick, Stuart E.; Moulton, Allen

doi:10.2139/ssrn.3370560

Cited by 4 publications

(3 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The STPA-based security analysis approach (STPA-Sec) has been used to identify system security constraints in various industries. Khan, Madnick & Moulton (2018) demonstrated the implementation of STPA-Sec to identify security vulnerabilities of a central utilities plant gas turbine use case in industrial control systems. Mailloux et al (2019) used the STPA-Sec to elicit systems security requirements for a notional autonomous space system.…”

Section: Stpa-sec Applications and Gapsmentioning

confidence: 99%

Data-flow-based adaption of the System-Theoretic Process Analysis for Security (STPA-Sec)

Wagner

Luo

2021

PeerJ Computer Science

View full text Add to dashboard Cite

Security analysis is an essential activity in security engineering to identify potential system vulnerabilities and specify security requirements in the early design phases. Due to the increasing complexity of modern systems, traditional approaches lack the power to identify insecure incidents caused by complex interactions among physical systems, human and social entities. By contrast, the System-Theoretic Process Analysis for Security (STPA-Sec) approach views losses as resulting from interactions, focuses on controlling system vulnerabilities instead of external threats, and is applicable for complex socio-technical systems. However, the STPA-Sec pays less attention to the non-safety but information-security issues (e.g., data confidentiality) and lacks efficient guidance for identifying information security concepts. In this article, we propose a data-flow-based adaption of the STPA-Sec (named STPA-DFSec) to overcome the mentioned limitations and elicit security constraints systematically. We use the STPA-DFSec and STPA-Sec to analyze a vehicle digital key system and investigate the relationship and differences between both approaches, their applicability, and highlights. To conclude, the proposed approach can identify information-related problems more directly from the data processing aspect. As an adaption of the STPA-Sec, it can be used with other STPA-based approaches to co-design systems in multi-disciplines under the unified STPA framework.

show abstract

Section: Stpa-sec Applications and Gapsmentioning

confidence: 99%

Data-flow-based adaption of the System-Theoretic Process Analysis for Security (STPA-Sec)

Wagner

Luo

2021

PeerJ Computer Science

View full text Add to dashboard Cite

show abstract

“…The STPA-based security analysis approach (STPA-Sec) has been used to identify system security constraints in various industries. Khan et al (2018) demonstrated the implementation of STPA-Sec to identify security vulnerabilities of a central utilities plant gas turbine use case in industrial control systems. Mailloux et al (2019) used the STPA-Sec to elicit systems security requirements for a notional autonomous space system.…”

Section: Stpa-sec Applications and Gapsmentioning

confidence: 99%

Peer Review #1 of "Data-flow-based adaption of the System-Theoretic Process Analysis for Security (STPA-Sec) (v0.2)"

2021

View full text Add to dashboard Cite

Security analysis is an essential activity in security engineering to identify potential system vulnerabilities and specify security requirements in the early design phases. Due to the increasing complexity of modern systems, traditional approaches lack the power to identify insecure incidents caused by complex interactions among physical systems, human and social entities. By contrast, the System-Theoretic Process Analysis for Security (STPA-Sec) approach views losses as resulting from interactions, focuses on controlling system vulnerabilities instead of external threats, and is applicable for complex sociotechnical systems. However, the STPA-Sec pays less attention to the non-safety but information-security issues (e.g. data confidentiality) and lacks efficient guidance for identifying information security concepts. In this paper, we proposed a data-flow-based adaption of the STPA-Sec (named STPA-DFSec) to overcome the mentioned limitations and elicit security constraints systematically. We used the STPA-DFSec and STPA-Sec to analyze a vehicle digital key system and investigated the relationship and differences between both approaches, their applicability, and highlights. To conclude, the proposed approach can identify information-related problems more directly from the data processing aspect. As an adaption of the STPA-Sec, it can be used with other STPA-based approaches to co-design systems in multi-disciplines under the unified STPA framework.

show abstract

“…The STPA-Sec approach or its extensions have been used to identify system security constraints in various industries. Khan, Madnick and Moulton [22] demonstrated the implementation of STPA-Sec to identify security vulnerabilities of a use case (Central Utilities Plant Gas Turbine) in industrial control systems. Carter [23] used STPA-Sec with a previous information elicitation process to analyze a small reconnaissance unmanned aerial vehicles.…”

Section: Stpa-sec Applications and Gapsmentioning

confidence: 99%

Data-Flow-Based Extension of the System-Theoretic Process Analysis for Security (STPA-Sec)

Yu,

Wagner,

Luo

2020

Preprint

View full text Add to dashboard Cite

Security analysis is an essential activity in security engineering to identify potential system vulnerabilities and achieve security requirements in the early design phases. Due to the increasing complexity of modern systems, traditional approaches, which only consider component failures and simple cause-and-effect linkages, lack the power to identify insecure incidents caused by complex interactions among physical systems, human and social entities. By contrast, a top-down System-Theoretic Process Analysis for Security (STPA-Sec) approach views losses as resulting from interactions, focuses on controlling system vulnerabilities instead of external threats and is applicable for complex socio-technical systems. In this paper, we proposed an extension of STPA-Sec based on data flow structures to overcome STPA-Secs limitations and achieve security constraints of information-critical systems systematically. We analyzed a Bluetooth digital key system of a vehicle by using both the proposed and the original approach to investigate the relationship and differences between both approaches as well as their applicability and highlights. To conclude, the proposed approach can identify more information-related problems with technical details and be used with other STPA-based approaches to co-design systems in multi-disciplines under the unified STPA process framework.

show abstract

Cybersafety Analysis of a Central Utilities Plant (CUP) Gas Turbine using STPA-SEC

Cited by 4 publications

References 7 publications

Data-flow-based adaption of the System-Theoretic Process Analysis for Security (STPA-Sec)

Data-flow-based adaption of the System-Theoretic Process Analysis for Security (STPA-Sec)

Peer Review #1 of "Data-flow-based adaption of the System-Theoretic Process Analysis for Security (STPA-Sec) (v0.2)"

Data-Flow-Based Extension of the System-Theoretic Process Analysis for Security (STPA-Sec)

Contact Info

Product

Resources

About