An integrated security and systems engineering process and modelling framework

Jose Fran Ruiz, Antonio Maña, Carsten Rudolph

Research output: Contribution to journalArticleResearchpeer-review

11 Citations (Scopus)

Abstract

The modelling, engineering and development of systems with security requirements (which today means all systems) have been the target of different research works that are intended to deal with the increasing complexity of systems and characteristics such as distribution, real-time constraints and heterogeneity and with the need to provide increasing levels of security and privacy for users and businesses. Unfortunately, the situation is that no integral and comprehensive approach has been able to successfully address those challenges and gain acceptance in the industry. In fact, industrial system security engineering is in practice oversimplified, uses inadequate or obsolete solutions and is not treated consistently with the rest of the system engineering to allow an adequate assessment and tracing of the identified security goals, the security decisions made, security mechanisms selected and implemented. As a result, security problems are still too common in most systems. This paper presents a novel engineering process that seamlessly integrates security engineering activities throughout the whole system lifecycle, starting from the very first phases of the engineering process, named integrated security and system engineering process (ISSEP). In order to address the need to use accurate and up-to-date security knowledge by average system engineers, ISSEP follows a separation-of-responsibilities approach. Security knowledge is provided by experts in the form of libraries of engineering artefacts that can then be used by average system engineers in an easy and semi-automatic way. The ISSEP that we present here has been validated in real-world applications by several relevant companies (e.g. RUAG, Technicolor, Mixed Mode, etc.). One of the key points of the ISSEP is that it has been designed to be tool-supported. We have developed different tools to support its application. In particular, the main tool is available as a plugin for MagicDraw that offers support to the different actors in all the steps of the process. An Eclipse-based version is also under development.

Original languageEnglish
Pages (from-to)2328-2350
Number of pages23
JournalThe Computer Journal
Volume58
Issue number10
DOIs
Publication statusPublished - 2015
Externally publishedYes

Keywords

  • domain specific tools
  • metering system
  • security engineering process
  • security modelling
  • security solutions

Cite this