Security- and safety-critical cyber-physical systems

• Atif Mashkoor
• Johannes Sametinger
• Miklós Biró
• Alexander Egyed

Cyber‐physical systems (CPSs) are physical embedded systems with enhanced operations for monitoring, coordination, control, and integration by a computing and communication core.1 Examples of CPSs include transportations systems,2 medical systems,3 and manufacturing systems.4 A CPS can be security‐critical, safety‐critical, or both. A CPS communicating with the outside world and thus opening an attack vector through the communication channel is considered to be a security‐critical CPS. On the other hand, a CPS is considered to be safety‐critical if it can harm its environment, eg, a malfunctioning autonomous vehicle might harm its passengers.5 A CPS dealing with both security and safety concerns is considered to be a security‐ and safety‐critical CPS.

Contemporary systems and software engineering methods often prove inadequate for the trustworthy and reliable design and engineering of CPSs. Traditional engineering deals with security and safety issues as separate problems. However, given the coordination and communication features of CPSs, such a “separation‐of‐concerns” approach is no longer adequate. We need integrated methods to deal with security and safety concerns within CPSs.

The focus of this special issue is to highlight and foster research on security and safety issues in CPSs. This special issue enhances previous efforts by providing an updated and extended view on the implications of security and safety aspects in the CPSs arena. Some of the articles presented in this special issue have been selected from the 2nd International Workshop on Cybersecurity and Functional Safety of Cyber‐Physical Systems (IWCFS'19).6 The selected papers have been extended and further improved for this special issue. The remaining articles were solicited using an open call for papers.

The paper “A Security Risk Mitigation Framework for Cyber Physical Systems” by Maryam Zahid, Irum Inayat, Maya Daneva and Zahid Mehmood proposes an application layer‐specific security risk mitigation framework for CPSs focusing on constraints such as authentication, data‐integrity, data‐freshness, non‐repudiation, and confidentiality. The proposed approach is evaluated on a fire alarm system for railway cabins. The obtained results show a decrease in the severity of the identified security risks such as Man‐in‐the‐Middle attack, spoofing, and data‐tempering.

The paper “Design and Validation of a C++ Code generator from Abstract State Machines Specifications” by Silvia Bonfanti, Angelo Gargantini and Atif Mashkoor presents a methodology to generate C++ code from Abstract State Machine models using the Asm2C++ tool.7 The advantage of the Asm2C++ tool is that the implementation is generated in a seamless manner with an assurance of potential bug freeness of the generated code. The paper extends the Asm2C++ tool in such a way that it can automatically produce unit tests for the generated code: abstract test sequences, either generated randomly or through model checking, are translated to concrete C++ unit tests. In a similar manner, scenarios are also generated in a behavior‐driven development‐style approach. To guarantee the correctness of the code generation process, authors define a mechanism based on the criteria (syntactical correctness and semantic correctness), which are based on the definition of conformance between the specification and the generated code.

The paper “Formal Design of Scalable Conversation Protocols using Event‐B: Validation, Experiments and Benchmarks” by Sarah Benyagoub, Yamine Aït‐Ameur, Meriem Ouederni, Atif Mashkoor and Ahmed Medeghri addresses the design of distributed systems composed of peers (state‐transitions systems) communicating through message exchanges. The authors consider choreographies as the formal model allowing developers to describe and specify peers coordination as a set of conversations, ie, all sequences of messages exchanged between the communicating peers. Proceeding this way neither require building the individual peers nor their composition as they may be obtained by the choreography projection. The correctness of the preservation of such messages exchanges by each peer obtained after projection is a key issue, known as the realizability problem. Checking choreography realizability is mandatory to build third‐party applications with no coordination error, eg, absence of deadlocks, missing messages, and erroneous messaging order. The paper shows how the proposed approach applies and scales to a set of use cases borrowed from the literature and used by the research community. The paper also shows that the presented approach allows to detect failures and failure recovery in case realizability does not hold.

The paper “Security Assessment of Data Management Systems for Cyber‐Physical System Applications” by Natalia Chaudhry, Muhammad Murtaza Yousaf and Muhammad Taimoor Khan presents a comprehensive review of security of various data management systems used in CPS. Modern data management systems, eg, NoSQL and NewSQL, are often used to support efficient and scalable analysis of huge unstructured data. However, they are also vulnerable to numerous security attacks. This paper discusses various security attacks (and corresponding mitigation solutions) on such data management systems. In particular, the paper analyzes the system and data security of popular NoSQL and NewSQL systems. To analyze that, authors defined feature vectors for system and data security and compared the data systems against them. Finally, the paper proposes security solutions for data management systems by identifying various security vulnerabilities in internal security algorithms of such systems.

The paper “Analyzing Encryption Mechanisms and Functional Safety in a ROS‐based Architecture” by Xabier Larrucea, Pablo González‐Nalda, Ismael Etxeberria‐Agiriano and Mari Carmen Otero answers some important research questions about Robot Operating System (ROS), eg, what are the required characteristics and thresholds for a ROS‐based architecture, what safety assumptions are defined during the safety case definition, what ROS aspects are relevant for cross reuse and for its certification, and what is the impact of adding secure communications implementation to a ROS‐based component. The paper also analyses functional safety, impact of Advanced Encryption Standard (AES) encryption mechanism and timing constraints—required for assuring a secure communication between components as suggested by the ISO 26262—of the proposed prototype.

We hope this special issue serves as a drop in the ocean of knowledge on improving the state of the art regarding security and safety of CPSs.