An Attack Model of Autonomous Systems of Systems

Abstract: Context: In order to provide more functionalities and services, systems collaborate with each other creating more complex systems called Systems of Systems. Exploiting security vulnerabilities in such complex systems has an impact over system safety and it is not sufficient to analyze them separately in the development process. Observing these safety and security interdependencies together can be done via the process of attack modeling where attack models deploy a model for detecting vulnerabilities and possible mitigation strategies while observing system security from an adversary point of view. Objective: The aim of the thesis is to explore the interdependencies between safety and security concerns, to provide details on attack model(s) and affected safety requirements of given system, to argument that the system is acceptably safe to operate, and to contribute to the identified business challenges. Method: The thesis work consists of: (i) a literature survey on interdependencies between safety and security, and a literature survey on the existing attack models; (ii) a demonstration on a use case where the argument that the given system is acceptably safe with respect to the selected attack model has been provided using Goal Structuring Notation (GSN). Conclusion: The first literature survey conducted on the topic of interdependencies between safety and security has resulted in a number of papers addressing the importance of investigating safety and security together. Reviewed papers have been focused either on proposing new approaches or extending the existing ones in different industry domains like automotive, railway, industrial, etc. The literature survey on existing attack models has resulted in a number of papers elaborating attack models in general and showing domain-specific attack models such as those in control systems, vehicles, Cloud Computing, IoT, networks, RFID, Recommender Systems, etc. To provide an argument that the given system is acceptably safe by using GSN, investigated results from the selected attack model showed how to protect system while observing it from an adversary point of view. Including security countermeasures, i.e. data and identity authentication and implementation of access control in the system development process can produce an acceptably safe system, whilst, at the same time, affect different business aspects by introducing latency and delay to the system. However, avoiding such mitigation techniques may have catastrophic impact on the system and its environment when attacks are launched.