Automatic Generation of Security Requirements for Cyber-Physical Systems

Security is one of the essential properties in Cyber-Physical Systems (CPS). Attacking systems like autonomous vehicles and health-care systems may lead to financial or privacy losses of stakeholders or even life threats. Security analysis, as an early activity in the system design, addresses security issues and identifies system vulnerabilities in advance to guide further security design. However, the security analysis is mostly performed manually requiring a high workload with human oversight. Besides, the manual analysis is not flexible for modification in later design stages and largely depends on expert knowledge and experience. Therefore, a new security analysis approach has been proposed in this paper to generate security requirements automatically, which is based on the System-Theoretic Process Analysis (STPA) framework and is applicable for data-flow-based CPSs. We have also developed a software prototype to support the implementation of this automatic approach and used it to obtain the security requirements of two CPSs in the automotive domain. Finally, we compared the automatically generated outcomes with the manually obtained ones and evaluated the proposed approach. Based on the experiment results, we found that the automatic way is efficient, effective and flexible. Furthermore, the proposed approach is also extensible. Analysts in a team can establish their own empirical repository to achieve accurate security requirements for their specific systems.