An integrated security and systems engineering process and modelling framework

Jose Fran Ruiz, Antonio Maña, Carsten Rudolph

Research output: Contribution to journal, Article, Research, peer-reviewed

Abstract

The modelling, engineering and development of systems with security requirements (which today means all systems) have been the target of different research works that are intended to deal with the increasing complexity of systems and characteristics such as distribution, real-time constraints and heterogeneity and with the need to provide increasing levels of security and privacy for users and businesses. Unfortunately, the situation is that no integral and comprehensive approach has been able to successfully address those challenges and gain acceptance in the industry. In fact, industrial system security engineering is in practice oversimplified, uses inadequate or obsolete solutions and is not treated consistently with the rest of the system engineering to allow an adequate assessment and tracing of the identified security goals, the security decisions made, security mechanisms selected and implemented. As a result, security problems are still too common in most systems. This paper presents a novel engineering process that seamlessly integrates security engineering activities throughout the whole system lifecycle, starting from the very first phases of the engineering process, named integrated security and system engineering process (ISSEP). In order to address the need to use accurate and up-to-date security knowledge by average system engineers, ISSEP follows a separation-of-responsibilities approach. Security knowledge is provided by experts in the form of libraries of engineering artefacts that can then be used by average system engineers in an easy and semi-automatic way. The ISSEP that we present here has been validated in real-world applications by several relevant companies (e.g. RUAG, Technicolor, Mixed Mode, etc.). One of the key points of the ISSEP is that it has been designed to be tool-supported. We have developed different tools to support its application. In particular, the main tool is available as a plugin for MagicDraw that offers support to the different actors in all the steps of the process. An Eclipse-based version is also under development.

Original language: English
Pages (from-to): 2328-2350
Number of pages: 23
Journal: Computer Journal
Volume: 58
Issue number: 10
DOI: 10.1093/comjnl/bxu152
Scopus record: http://www.scopus.com/inward/record.url?scp=84943427876&partnerID=8YFLogxK
Publication status: Published - 2015
Externally published: Yes

Keywords

  • domain specific tools
  • metering system
  • security engineering process
  • security modelling
  • security solutions

Cite this

Ruiz, Jose Fran ; Maña, Antonio ; Rudolph, Carsten. / An integrated security and systems engineering process and modelling framework. In: Computer Journal. 2015 ; Vol. 58, No. 10. pp. 2328-2350.
@article{ce931db351034893b64a5176d44bfdf3,
title = "An integrated security and systems engineering process and modelling framework",
abstract = "The modelling, engineering and development of systems with security requirements (which today means all systems) have been the target of different research works that are intended to deal with the increasing complexity of systems and characteristics such as distribution, real-time constraints and heterogeneity and with the need to provide increasing levels of security and privacy for users and businesses. Unfortunately, the situation is that no integral and comprehensive approach has been able to successfully address those challenges and gain acceptance in the industry. In fact, industrial system security engineering is in practice oversimplified, uses inadequate or obsolete solutions and is not treated consistently with the rest of the system engineering to allow an adequate assessment and tracing of the identified security goals, the security decisions made, security mechanisms selected and implemented. As a result, security problems are still too common in most systems. This paper presents a novel engineering process that seamlessly integrates security engineering activities throughout the whole system lifecycle, starting from the very first phases of the engineering process, named integrated security and system engineering process (ISSEP). In order to address the need to use accurate and up-to-date security knowledge by average system engineers, ISSEP follows a separation-of-responsibilities approach. Security knowledge is provided by experts in the form of libraries of engineering artefacts that can then be used by average system engineers in an easy and semi-automatic way. The ISSEP that we present here has been validated in real-world applications by several relevant companies (e.g. RUAG, Technicolor, Mixed Mode, etc.). One of the key points of the ISSEP is that it has been designed to be tool-supported. We have developed different tools to support its application. In particular, the main tool is available as a plugin for MagicDraw that offers support to the different actors in all the steps of the process. An Eclipse-based version is also under development.",
keywords = "domain specific tools, metering system, security engineering process, security modelling, security solutions",
author = "Ruiz, {Jose Fran} and Antonio Ma{\~n}a and Carsten Rudolph",
year = "2015",
doi = "10.1093/comjnl/bxu152",
language = "English",
volume = "58",
pages = "2328--2350",
journal = "Computer Journal",
issn = "0010-4620",
publisher = "Oxford University Press",
number = "10",
}
