Publications in Scientific Journals:

M. Eckhart, A. Ekelhart, E. Weippl:
"Automated Security Risk Identification Using AutomationML-based Engineering Data";
IEEE Transactions on Dependable and Secure Computing, 1 (2020).

English abstract:
Systems integrators and vendors of industrial components need to establish a security-by-design approach, which includes
the assessment and subsequent treatment of security risks. However, conducting security risk assessments along the engineering
process is a costly and labor-intensive endeavor due to the complexity of the system(s) under consideration and the lack of automated
methods. This, in turn, hampers the ability of security analysts to assess risks pertaining to cyber-physical systems (CPSs) in an
efficient manner. In this work, we propose a method that automatically identifies security risks based on the CPS´s data representation,
which exists within engineering artifacts. To lay the foundation for our method, we present security-focused semantics for the
engineering data exchange format AutomationML (AML). These semantics enable the reuse of security-relevant know-how in AML
artifacts by means of a formal knowledge representation, modeled with a security-enriched ontology. Our method is capable of
automating the identification of security risk sources and potential consequences in order to construct cyber-physical attack graphs that
capture the paths adversaries may take. We demonstrate the benefits of the proposed method through a case study and an
open-source prototypical implementation. Finally, we prove that our solution is scalable by conducting a rigorous performance

cyber-physical systems, information security, AutomationML, security modeling, security risk assessment, industrial control systems, IEC 62443.

"Official" electronic version of the publication (accessed through its Digital Object Identifier - DOI)

Created from the Publication Database of the Vienna University of Technology.