An assurance case provides an argument to justify certain claims about a system, based on evidence concerning both the system and the environment in which it operates.
The principal advance offered by assurance cases compared to other forms of assurance is the provision of an explicit argument connecting evidence to claims.
The idea of structured argument is to facilitate modular comprehension and assessment of the case.
This material provides a description of assurance cases, a key element in CITADEL System Assurance and Certification. In addition, it includes a set of assurance case argument patterns that can be used to develop these assurance cases. The assurance case patterns are instantiated by using AM-ETB and the system model in the CITADEL modeling language. As regards the evaluation of Adaptive MILS assurance cases, it involves the analysis of the soundness of the assurance case, the integrity of the evidence supporting the claims made in the assurance case, and the certification of the Adaptive MILS system.
This document provides an overview of state monitoring in the context of the CITADEL project. It discusses the monitoring plane and how it is used to monitor components in the operational plane and resources in the foundational plane. It also describes how the Kaspersky Security System can be used for state monitoring by specifying monitoring policies and integrating them with the system modeling framework. The document outlines different sources of monitoring data and policies and how a layered implementation approach separates concerns between the monitoring, operational, and foundational planes.
The document provides an introduction to CITADEL, which aims to develop an innovative platform for adaptive systems based on the Multiple Independent Levels of Security (MILS) architectural approach. CITADEL builds upon previous research in static and distributed MILS and aims to extend MILS to support dynamic and distributed adaptive systems while maintaining assurability through design-time analysis and runtime assurance. The CITADEL framework adds new planes such as monitoring, adaptation, and certification assurance to the MILS platform to enable closed-loop control of dynamic reconfiguration. The project team for CITADEL includes experts in MILS, separation kernels, and other relevant areas from previous MILS research projects.
This training module overviews the role, interfaces, structure and functionality of the Adaptation Plane, and explains how to start the components which comprise the Adaptation Plane. The module focuses on the information necessary to understand the start-up and operation of the Adaptation Plane, which is needed in order to deploy the Adaptation Plane as part of the CITADEL Platform.
Key elements
Dynamic Distributed MILS platform
Dynamic MILS platform with deterministic networking
Mechanisms for dynamic reconfiguration and configuration introspection
Declarative dynamic architecture modeling and verification
Language to describe reconfigurable systems architecture, component models, failure models and fault propagation
Theory and framework for dynamic reconfiguration
Theory and framework for adaptation
Language to express critical properties to be verified
Compositional verification framework
Monitoring, Adaptation, Configuration, & Certification Assurance Planes
Assurance-based security evaluation methodology and runtime mechanisms for just-in-time certification of adaptive systems
MILS is a component-based approach to secure and dependable systems design and implementation that encourages a marketplace of general-purpose commercial components, leading to lower development cost
MILS is a two-phase approach (John Rushby’s “Modern MILS”):
Design a Policy Architecture
Abstract architecture diagram represented by “boxes and arrows”
Operational components and architecture achieve system purpose
Assumes the architecture (components and connectors) will be strictly enforced in the implementation
Implement the policy architecture on a robust resource-sharing platform
MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated “exported resources”
FCs should be individually developed and assured according to standardized specifications
FCs compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
MILS provides a compositional approach to construction, assurance, and system certification
This document provides an overview of communications monitoring within the CITADEL framework. It discusses various monitoring methods including signature-based monitoring, white-box anomaly detection, and association rules. Signature-based monitoring specifies known malicious situations as signatures to detect. White-box anomaly detection learns a model of normal communications and flags deviations as anomalous. The document also describes how monitoring interacts with the specification and other CITADEL planes.
This document describes the modeling, testing, and verification of system models which are used by the MILS Adaptation System. Several example models are provided in this document, with one of them developed in a step-by-step manner. Video demonstrations which accompany this document demonstrate the use of supporting tools.
The document discusses the Adaptive MILS Evidential Tool Bus (AM-ETB) which is used to create and maintain certification evidence for adaptive MILS systems. The AM-ETB uses assurance case patterns to develop modular assurance cases. It coordinates the execution of verification tools to generate evidence and update assurance cases. The AM-ETB implementation includes a pattern repository, evidence repository, workflow engine, tool agents, and assurance case repository.
This document discusses software modeling and verification using formal methods. It provides an introduction to formal methods, their motivation and applications. It then discusses the role of formal methods in the CITADEL project, including modeling dynamic architectures, specification of monitors and properties, verification, monitor synthesis, adaptation and assurance case generation. Key aspects of modeling dynamic architectures in CITADEL are parametrized architecture modeling, dynamic architecture modeling, specification of monitors and properties.
This document contains 7 case studies highlighting simulation solutions developed by SILKAN for defense, aerospace, and industrial clients. The case studies cover a range of applications including training simulators, seal design, fire simulation, engine testing, brake systems, weapons effects simulation, and damage assessment. For each case, the document summarizes the client and objectives, and highlights key aspects of the customized simulation solution developed by SILKAN.
On the Transition from Design Time to Runtime Model-Based Assurance Cases - Ran Wei
Presentation slides for the paper "On the Transition from Design Time to Runtime Model-Based Assurance Cases" at 13th International Workshop on Models@Runtime
MVC Architecture from Maintenance Quality Attributes Perspective - CSCJournals
This paper provides an explanatory study on MVC (Model-View-Controller) architecture from the perspective of maintenance. It aims to answer a knowledge question about how MVC architecture supports the maintainability quality attributes. This knowledge boosts the potential of utilizing the maintainability of MVC from several sides. To fulfill this purpose, we investigate the main mechanism of MVC, focusing on maintainability quality attributes. Accordingly, we form and discuss the MMERFT maintainability set, which consists of Modifiability, Modularity, Extensibility, Reusability, Flexibility, and Testability. Besides investigating the mechanism of MVC regarding the MMERFT quality attributes, we explain how MVC supports maintainability by examining measures and approaches such as: complexity of code using a cyclomatic approach, the re-engineering process, use of components, time needed to detect bugs, number of code lines, parallel maintenance, automation, massive assignment, and others. Therefore, this paper is dedicated to providing a concrete view of how MVC gets along with maintainability aspects in general and its several attributes in particular. This view helps to maximize the opportunity of taking advantage of MVC's maintainability features, which can encourage reconsidering the maintenance decisions and the corresponding estimated cost. The study focuses on maintainability since software that has high maintainability will have the opportunity to evolve, and consequently, it will have a longer life. Our study shows that MVC generally supports maintainability and its attributes, and it is a recommended choice when maintenance is a priority.
Guaranteed Component Assembly with Round Trip Analysis for Energy Efficient H... - Ákos Horváth
The document discusses the CONCERTO project, which builds upon the CHESS project to further develop model-driven engineering techniques for designing multi-concern software components across several domains including telecom, aerospace, automotive, petroleum, and medical. The project aims to enhance the multi-concern component methodology and toolset defined in CHESS to support additional domains like telecare through techniques such as property-preserving implementation, model execution, safety modeling, and support for multicore targets and resource partitioning. A telecare demonstrator is presented as an initial application of the round-trip modeling and analysis approach.
2016 state of industrial internet application development.
Study Highlights
This study, carried out in collaboration with GE Digital, surveyed the existing industrial developer landscape, to better understand who industrial developers are, how they allocate their time and resources when developing applications, the challenges faced in the development process, and the technological opportunities available to them. The study, a survey of over 1,200 industrial developers, concludes that there is a need within the industrial developer community for focused tools and that these developers would receive significant benefit from using PaaS and infrastructures such as Predix. Relevant findings include the following:
Towards predictive maintenance for marine sector in Malaysia - Conference Papers
This research uses machine learning on sensor data from ships to predict failures of components and their remaining useful life. Interviews with marine experts identified significant maintenance items to prioritize for ship supply chains. The results were analyzed to provide recommendations to a government company on implementing predictive analytics and supply chain strategies for ship maintenance in Malaysia.
A UML Profile for Security and Code Generation - IJECEIAES
Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as a principal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties will be described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, the source code, such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers, is generated from the sequence diagram of the system’s internal behavior after its extension with this profile and the application of a set of transformations.
INFORMATION SECURITY MATURITY MODEL FOR NIST CYBER SECURITY FRAMEWORK - Sultancsandit
The National Institute of Standards and Technology (NIST) has issued a framework to provide guidance for organizations within critical infrastructure sectors to reduce the risk associated with cyber security. The framework is called the NIST Cyber Security Framework for Critical Infrastructure (CSF). Many organizations are currently implementing or aligned to different information security frameworks. The implementation of NIST CSF needs to be aligned with and complement the existing frameworks. NIST states that the NIST CSF is not a maturity framework. Therefore, there is a need to adopt an existing maturity model or create one to have a common way to measure the CSF implementation progress. This paper explores the applicability of a number of maturity models to be used as a measure of the security posture of organizations implementing the NIST CSF. This paper reviews the NIST CSF and compares it to other information security related frameworks such as COBIT, ISO/IEC 27001 and the ISF Standard of Good Practice (SoGP) for Information Security. We propose a new information security maturity model (ISMM) that fills the gap in the NIST CSF.
This document provides the program for an Architecture-Driven Modernization workshop taking place from March 22-24, 2004 in Chicago, IL. The workshop includes tutorials, presentations, panels and demonstrations on the topics of application modernization, leveraging existing software assets, recovering architecture models from legacy code, and transitioning to model-driven approaches. It features speakers from organizations like IBM, Klocwork, THALES and others discussing their experiences with architecture-driven modernization projects.
Dsd int 2014 - open mi symposium - federated modelling of critical infrastruc... - Deltares
This document reports on a meeting about federated modelling and simulation of critical infrastructures. It describes a federated simulation demonstrator that connects four simulators - for telecommunications, electricity, rail, and flooding - using a middleware. The document outlines challenges with federated simulation and the DIESIS approach, which separates technical and semantic interoperability and uses a knowledge base system and flexible modelling.
[SiriusCon 2020] Realization of Model-Based Safety Analysis and Integration w... - Obeo
The importance of mission or safety-critical software systems in many application domains of embedded systems is continuously growing, and so is the effort and complexity for reliability and safety analysis. Model-based system engineering (MBSE) is currently one of the key approaches to cope with increasing system complexity.
With Component Fault Trees (CFTs) there is a model- and component-based methodology for safety analysis, which extends the advantages of model-based development to safety & reliability engineering. In this talk, we demonstrate how to ease the development of safety-critical systems by implementing a graphical modeling tool for Component Fault Trees using Sirius and integrate safety analysis capabilities in a model-based system engineering workflow in Capella.
Speaker:
Marc Zeller, Siemens CT
Marc Zeller works as a Senior Key Expert for model-based safety and reliability engineering at Siemens Corporate Technology. His research interests are focused on the efficient and effective development of dependability-relevant Cyber-physical Systems using model-based engineering techniques. Marc Zeller received a diploma in Computer Science from the Karlsruhe Institute of Technology (KIT) in 2007 and obtained a PhD in Computer Science from the University of Augsburg in 2013. With over 10 years' experience in different industrial domains, such as automotive, railway, avionics, or industrial automation, he has been involved in various projects establishing model-based engineering techniques and is the author of many publications in this area.
Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chic... - Amazon Web Services
The NIST Cybersecurity Framework (CSF) is endorsed by government and industry as a recommended baseline for use by any organization, regardless of sector or size, to implement risk-management best practices and achieve desired security outcomes. In this session, we discuss how organizations can use AWS to align to the CSF by providing a detailed breakout of AWS services and associated customer responsibilities (security in the cloud) and AWS responsibilities (security of the cloud).
Introduction to the CSA Cloud Controls Matrix - John Yeoh
The Cloud Controls Matrix (CCM) is an industry accepted set of principles and guidelines that can be leveraged to assess services, products, and your own security posture in the cloud. The framework is based on security requirements and criteria from research conducted by the Cloud Security Alliance (CSA). Learn about the architectural elements of the framework, its impact on international standards, and how it maps to over 30 other industry regulations.
This document provides a critical review of security certification from an economic perspective. It analyzes security certification using theories of transaction cost economics and principal-agent theory to understand information asymmetries in markets. The document also examines experiences with certification in other domains and assesses how current industrial automation security certification initiatives address past failures. It argues that while certification can help reduce information asymmetries, proper contractual incentives are also needed to fully address issues of adverse selection, moral hazard, and hidden intentions.
Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s... - SLA-Ready Network
The cloud is both a risk and an opportunity depending on the service. Despite the opportunities, security is a top concern for a growing number of cloud service customers, and rightfully so. A key challenge is how to represent security and measure it in a service level agreement. How can a cloud service provider guarantee the security level? And how can a cloud service customer automatically enforce it?
Prof. Massimiliano Raks, University of Naples, talks us through Security Service Level Agreements (SecureSLAs), looking at Security SLA Negotiation, Security SLA (Automatic) Enforcement and Security SLA Continuous Monitoring with the SPECS platform for SecSLAs.
SLA Based Information Security Metric for Cloud Computing from COBIT 4.1 Fram... - ijcncs
This document summarizes an article from the International Journal of Computer Networks and Communications Security about developing service level agreement (SLA) based information security metrics for cloud computing using the COBIT framework. The article discusses how information security metrics can help cloud customers and providers measure and improve security. It also explains that while SLAs are commonly used to measure performance, they do not typically address information security risks. The article proposes using elements of the COBIT framework to build SLA-based information security metrics for cloud computing.
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES - ijwscjournal
Information security covers many areas within an enterprise. Each area has security vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and provide better protection. A fundamental concept in information security is the security model, which outlines how security is to be implemented. A security policy outlines how data is accessed, what level of security is required, and what actions should be taken when these requirements are not met. A security model is a statement that outlines the requirements necessary to properly support and implement a certain security policy. An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policy makers into a set of rules that are to be followed by a computer system. In the paper we propose model-driven security assessment and verification for business services. The Security Assessment and Verification verifies whether the Application and Services are secure based on the Service Level Agreement and generates a report on the level of security features. It is designed to help business owners, operators and staff to assess the security of their business. It covers potential areas of vulnerability, and provides suggestions for adapting your security to reduce the risk of crime against your business. If a security policy states that no one from a lower security level should be able to view or modify information at a higher security level, the supporting security model will outline the necessary logic and rules that need to be implemented to ensure that under no circumstances can a lower-level subject access a higher-level object in an unauthorized manner. The security policy is an abstract term that represents the objectives and goals a system must meet and accomplish to be deemed secure and acceptable.
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES ijwscjournal
Information security covers many areas within an enterprise. Each area has security
vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and provide better protection. The fundamental concepts in information security are the security model, which outlines how security is to be implemented. A security policy outlines how data is accessed, what level of security is required, and what actions should be taken when these requirements are not met. A security model is a statement that outlines the requirements necessary to properly support and implement a certain security policy. An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policy makers into a set of rules that are to be followed by a computer system. In the paper we propose a model driven security assessment and verification for business service. The Security Assessment and Verification verifies whether the Application and Services are secure based on the Service Level Agreement and generates the report on the level of security features. It is designed to help business owners, operators and staff to assess the security of their business. It covers potential areas of vulnerability, and provides suggestions for adapting your security to reduce the risk of crime against your business. A security policy states that no one from a lower security level should be able to view or modify information at a higher security level, the supporting security model will outline the necessary logic and rules that need to be implemented to ensure that under no circumstances can a lower-level subject access a higher-level object in an unauthorized manner. The security policy is an abstract term that represents the objectives and goals a system must meet and accomplish to be deemed secure and acceptable.
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICESijwscjournal
Information security covers many areas within an enterprise. Each area has security vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and provide better protection. The fundamental concepts in information security are the security model, which outlines how security is to be implemented. A security policy outlines how data is accessed, what level of security is required, and what actions should be taken when these requirements are not met. A security model is a statement that outlines the requirements necessary to properly support and implement a certain security policy. An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policy makers into a set of rules that are to be followed by a computer system. In the paper we propose a model driven security assessment and verification for business service. The Security Assessment and Verification verifies whether the Application and Services are secure based on the Service Level Agreement and generates the report on the level of security features. It is designed to help business owners, operators and staff to assess the security of their business. It covers potential areas of vulnerability, and provides suggestions for adapting your security to reduce the risk of crime against your business. A security policy states that no one from a lower security level should be able to view or modify information at a higher security level, the supporting security model will outline the necessary logic and rules that need to be implemented to ensure that under no circumstances can a lower-level subject access a higher-level object in an unauthorized manner. 
The security policy is an abstract term that represents the objectives and goals a system must meet and accomplish to be deemed secure and acceptable.
The document discusses the Adaptive MILS Evidential Tool Bus (AM-ETB) which is used to create and maintain certification evidence for adaptive MILS systems. The AM-ETB uses assurance case patterns to develop modular assurance cases. It coordinates the execution of verification tools to generate evidence and update assurance cases. The AM-ETB implementation includes a pattern repository, evidence repository, workflow engine, tool agents, and assurance case repository.
This document discusses software modeling and verification using formal methods. It provides an introduction to formal methods, their motivation and applications. It then discusses the role of formal methods in the CITADEL project, including modeling dynamic architectures, specification of monitors and properties, verification, monitor synthesis, adaptation and assurance case generation. Key aspects of modeling dynamic architectures in CITADEL are parametrized architecture modeling, dynamic architecture modeling, specification of monitors and properties.
This document contains 7 case studies highlighting simulation solutions developed by SILKAN for defense, aerospace, and industrial clients. The case studies cover a range of applications including training simulators, seal design, fire simulation, engine testing, brake systems, weapons effects simulation, and damage assessment. For each case, the document summarizes the client and objectives, and highlights key aspects of the customized simulation solution developed by SILKAN.
On the Transition from Design Time to Runtime Model-Based Assurance Cases - Ran Wei
Presentation slides for the paper "On the Transition from Design Time to Runtime Model-Based Assurance Cases" at the 13th International Workshop on Models@Runtime.
MVC Architecture from Maintenance Quality Attributes Perspective - CSCJournals
This paper provides an explanatory study on MVC (Model-View-Controller) architecture from the perspective of maintenance. It aims to answer a knowledge question about how MVC architecture supports the maintainability quality attributes. This knowledge boosts the potential of utilizing the maintainability of MVC from several sides. To fulfill this purpose, we investigate the main mechanism of MVC with focusing on maintainability quality attributes. Accordingly, we form and discuss MMERFT maintainability set that consists of Modifiability, Modularity, Extensibility, Reusability, Flexibility, and Testability. Besides investigating the mechanism of MVC regarding MMERFT quality attributes, we explain how MVC supports maintainability by examining measures and approaches such as: complexity of code by using a cyclomatic approach, re-engineering process, use of components, time needed to detect bugs, number of code lines, parallel maintenance, automation, massive assignment, and others. Therefore, this paper is dedicated to providing a concrete view of how MVC gets along with maintainability aspects in general and its several attributes particularly. This view helps to maximize the opportunity of taking advantage of MVC's maintainability features that can encourage reconsidering the maintenance decisions and the corresponding estimated cost. The study focuses on maintainability since software that has high maintainability will have the opportunity to evolve, and consequently, it will have a longer life. Our study shows that MVC generally supports maintainability and its attributes, and it is a recommended choice when maintenance is a priority.
Guaranteed Component Assembly with Round Trip Analysis for Energy Efficient H... - Ákos Horváth
The document discusses the CONCERTO project, which builds upon the CHESS project to further develop model-driven engineering techniques for designing multi-concern software components across several domains including telecom, aerospace, automotive, petroleum, and medical. The project aims to enhance the multi-concern component methodology and toolset defined in CHESS to support additional domains like telecare through techniques such as property-preserving implementation, model execution, safety modeling, and support for multicore targets and resource partitioning. A telecare demonstrator is presented as an initial application of the round-trip modeling and analysis approach.
2016 State of Industrial Internet Application Development
Study Highlights
This study, carried out in collaboration with GE Digital, surveyed the existing industrial developer landscape, to better understand who industrial developers are, how they allocate their time and resources when developing applications, the challenges faced in the development process, and the technological opportunities available to them. The study, a survey of over 1,200 industrial developers, concludes that there is a need within the industrial developer community for focused tools and that these developers would receive significant benefit from using PaaS and infrastructures such as Predix. Relevant findings include the following:
Towards Predictive Maintenance for the Marine Sector in Malaysia - Conference Papers
This research uses machine learning on sensor data from ships to predict failures of components and their remaining useful life. Interviews with marine experts identified significant maintenance items to prioritize for ship supply chains. The results were analyzed to provide recommendations to a government company on implementing predictive analytics and supply chain strategies for ship maintenance in Malaysia.
A UML Profile for Security and Code Generation - IJECEIAES
Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as a principal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties are described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, source code such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers is generated from the sequence diagram of the system's internal behavior after its extension with this profile and the application of a set of transformations.
INFORMATION SECURITY MATURITY MODEL FOR NIST CYBER SECURITY FRAMEWORK - Sultan / csandit
The National Institute of Standards and Technology (NIST) has issued a framework to provide guidance for organizations within critical infrastructure sectors to reduce the risk associated with cyber security. The framework is called the NIST Cyber Security Framework for Critical Infrastructure (CSF). Many organizations are currently implementing or aligned to different information security frameworks. The implementation of the NIST CSF needs to be aligned with and complement the existing frameworks. NIST states that the NIST CSF is not a maturity framework. Therefore, there is a need to adopt an existing maturity model or create one to have a common way to measure CSF implementation progress. This paper explores the applicability of a number of maturity models to be used as a measure of the security posture of organizations implementing the NIST CSF. This paper reviews the NIST CSF and compares it to other information security related frameworks such as COBIT, ISO/IEC 27001 and the ISF Standard of Good Practice (SoGP) for Information Security. We propose a new information security maturity model (ISMM) that fills the gap in the NIST CSF.
This document provides the program for an Architecture-Driven Modernization workshop taking place from March 22-24, 2004 in Chicago, IL. The workshop includes tutorials, presentations, panels and demonstrations on the topics of application modernization, leveraging existing software assets, recovering architecture models from legacy code, and transitioning to model-driven approaches. It features speakers from organizations like IBM, Klocwork, THALES and others discussing their experiences with architecture-driven modernization projects.
DSD-INT 2014 - OpenMI Symposium - Federated Modelling of Critical Infrastruc... - Deltares
This document summarizes a meeting on federated modelling and simulation of critical infrastructures. It describes a federated simulation demonstrator that connects four simulators (for telecommunications, electricity, rail, and flooding) using a middleware. The document outlines challenges with federated simulation and the DIESIS approach, which separates technical and semantic interoperability and uses a knowledge base system and flexible modelling.
[SiriusCon 2020] Realization of Model-Based Safety Analysis and Integration w... - Obeo
The importance of mission or safety-critical software systems in many application domains of embedded systems is continuously growing, and so is the effort and complexity for reliability and safety analysis. Model-based system engineering (MBSE) is currently one of the key approaches to cope with increasing system complexity.
With Component Fault Trees (CFTs) there is a model- and component-based methodology for safety analysis, which extends the advantages of model-based development to safety and reliability engineering. In this talk, we demonstrate how to ease the development of safety-critical systems by implementing a graphical modeling tool for Component Fault Trees using Sirius and integrating safety analysis capabilities into a model-based system engineering workflow in Capella.
Speaker: Marc Zeller, Siemens CT
Marc Zeller works as a Senior Key Expert for model-based safety and reliability engineering at Siemens Corporate Technology. His research interests are focused on the efficient and effective development of dependability-relevant Cyber-physical Systems using model-based engineering techniques. Marc Zeller received a diploma in Computer Science from the Karlsruhe Institute of Technology (KIT) in 2007 and obtained a PhD in Computer Science from the University of Augsburg in 2013. With over 10-years' experience in different industrial domains, such as automotive, railway, avionics, or industry automations, he has been involved in various projects establishing model-based engineering techniques and is author of many publications in this area.
Aligning to the NIST Cybersecurity Framework in the AWS Cloud - SEC204 - Chic... - Amazon Web Services
The NIST Cybersecurity Framework (CSF) is endorsed by government and industry as a recommended baseline for use by any organization, regardless of sector or size, to implement risk-management best practices and achieve desired security outcomes. In this session, we discuss how organizations can use AWS to align to the CSF by providing a detailed breakout of AWS services and associated customer responsibilities (security in the cloud) and AWS responsibilities (security of the cloud).
Introduction to the CSA Cloud Controls Matrix - John Yeoh
The Cloud Controls Matrix (CCM) is an industry accepted set of principles and guidelines that can be leveraged to assess services, products, and your own security posture in the cloud. The framework is based on security requirements and criteria from research conducted by the Cloud Security Alliance (CSA). Learn about the architectural elements of the framework, its impact on international standards, and how it maps to over 30 other industry regulations.
This document provides a critical review of security certification from an economic perspective. It analyzes security certification using theories of transaction cost economics and principal-agent theory to understand information asymmetries in markets. The document also examines experiences with certification in other domains and assesses how current industrial automation security certification initiatives address past failures. It argues that while certification can help reduce information asymmetries, proper contractual incentives are also needed to fully address issues of adverse selection, moral hazard, and hidden intentions.
Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s... - SLA-Ready Network
The cloud is both a risk and an opportunity, depending on the service. Despite the opportunities, security is a top concern for a growing number of cloud service customers, and rightfully so. A key challenge is representing security and measuring it in a service level agreement. How can a cloud service provider grant the security level? And how can a cloud service customer automatically enforce it?
Prof. Massimiliano Raks, University of Naples, talks us through Security Service Level Agreements (SecSLAs), looking at Security SLA Negotiation, Security SLA (Automatic) Enforcement and Security SLA Continuous Monitoring with the SPECS platform for SecSLAs.
SLA Based Information Security Metric for Cloud Computing from COBIT 4.1 Fram... - ijcncs
This document summarizes an article from the International Journal of Computer Networks and Communications Security about developing service level agreement (SLA) based information security metrics for cloud computing using the COBIT framework. The article discusses how information security metrics can help cloud customers and providers measure and improve security. It also explains that while SLAs are commonly used to measure performance, they do not typically address information security risks. The article proposes using elements of the COBIT framework to build SLA-based information security metrics for cloud computing.
Welcome to International Journal of Engineering Research and Development (IJERD) - IJERD Editor
This document summarizes a research thesis that proposes a trusted cloud computing platform (TCCP) to address critical security issues in cloud computing. The TCCP is designed to provide a closed box execution environment for virtual machines to guarantee confidentiality and integrity of computations outsourced to infrastructure as a service cloud providers. It allows customers to remotely verify whether a cloud provider's backend is running a trusted TCCP implementation before launching a virtual machine. The TCCP leverages advances in trusted computing technologies to securely manage virtual machines and cloud infrastructure through protocols for node registration and virtual machine launch and migration. The goal of the TCCP is to extend the capabilities of traditional trusted platforms to the complex, distributed environments of cloud computing infra
Cloud Security for U.S. Military Agencies - NJVC, LLC
NJVC is an IT contractor that specializes in providing secure IT solutions, including designing, implementing, and maintaining secure cloud architectures for government agencies. NJVC has over a decade of experience hosting hundreds of mission systems and migrating systems between data center environments. Securing systems in the cloud presents unique challenges compared to traditional IT environments due to the shared nature of cloud resources. NJVC outlines a strategic framework for assessing, planning, transitioning, and sustaining secure cloud operations. This includes understanding security responsibilities, implementing necessary security services, properly transitioning systems to the cloud according to best practices, and establishing agreements and continuing authorization to maintain security.
IRJET - Precise and Efficient Processing of Data in Permissioned Blockchain - IRJET Journal
1) The document proposes a blockchain-based insurance framework called PEPD-PB that uses Hyperledger Fabric to process insurance claims more efficiently.
2) PEPD-PB involves multiple organizational peers participating in insurance claiming and adjudication. It uses smart contracts to store claims on the blockchain to improve transparency, speed, and security.
3) The proposed system is compared to existing systems, which are manual processes that require data to be fetched from each organization separately, resulting in delays. The blockchain framework allows real-time data sharing without compromising data integrity.
Information security management guidance for discrete automation - johnnywess
This document summarizes guidance for establishing an information security management program for industrial automation departments. It finds that while standards and guidance are now readily available, implementing a comprehensive security program requires extensive cross-functional collaboration. None of the publications can be implemented alone by automation departments due to their complexity and need for interdepartmental expertise in areas like risk assessment and network segmentation. Effectively addressing vulnerabilities will require integrating security practices with existing organizational processes and acquiring new technical knowledge across roles.
Narrative Offshore Europe 2015 - LRED - Aberdeen office - Pieter van Asten
The document discusses using reliability modeling to optimize maintenance costs, safety, and operational performance. It proposes using a reliability model to calculate equipment failure probabilities based on limited failure data. This would allow balancing maintenance costs with safety and uptime. The model considers how maintenance affects reliability and costs. It aims to minimize under-maintenance and over-maintenance to reduce costs while ensuring safety and operational success. A proof of concept was developed using a drillship's blowout preventer. The goal is to bring the concept into a pilot project to demonstrate its benefits for maintenance planning and discussions between maintenance and operations teams.
This document summarizes a research paper on adaptive personalized web search with safety seclusion. It discusses how personalized web search has improved search quality but user privacy concerns have limited its adoption. The paper proposes a system called UPS that can dynamically generalize user profiles during searches while respecting indicated privacy requirements. UPS uses greedy algorithms to balance personalization utility and privacy risk from exposing generalized profiles. The system aims to address limitations in existing personalized search regarding user security and accuracy needs.
This document provides an overview of conceptual security architecture using the SABSA framework. It describes key concepts like security architecture, enterprise frameworks, control objectives, multi-layered security strategies, security entity models, security domains, and security lifetimes and deadlines. The goal is to conceptualize security at a high level to address business risks and requirements through control objectives and a multi-layered approach using concepts like entities, domains, and relationships of trust.
This document discusses methods for validating analog and mixed-signal systems with increased coverage of uncertainty. It begins by explaining that exclusively verifying the analog/mixed-signal portion is insufficient, as these circuits are tightly coupled with hardware/software and applications. It then provides an overview of modeling, verifying, and validating uncertainties in cyber-physical systems. Specifically, it focuses on classifying uncertainties, representing them formally for verification/validation, and approaches like Monte Carlo analysis and worst-case analysis for systems with uncertainties.
This document provides an overview of resource management and security in cloud computing. It discusses inter-cloud resource management, resource provisioning models including advance, dynamic and user self-provisioning, and the global exchange of cloud resources. It also covers why cloud security governance is needed, what cloud security governance entails, common challenges around lack of management buy-in, controls, roles and metrics. Finally, it discusses key objectives for an effective cloud security governance model and what virtualized security is compared to traditional physical security.
This document discusses safety standards for critical systems and proposes a new concept called Assured Reliability and Resilience Level (ARRL). It notes that while safety standards aim to reduce risk, their requirements differ across domains. The document argues that Safety Integrity Levels (SIL) alone are not sufficient and that Quality of Service is a more holistic criterion. It also notes standards provide little guidance on composing systems from components. The ARRL concept aims to address these issues and complement SIL by considering factors like component trustworthiness and fault behavior. The document suggests ARRL could help foster cross-domain safety engineering.
Batteries: Introduction; types of batteries; discharging and charging of a battery; characteristics of a battery; battery rating; various tests on a battery; primary battery: silver button cell; secondary battery: Ni-Cd battery; modern battery: lithium ion battery; maintenance of batteries; choice of batteries for electric vehicle applications.
Fuel Cells: Introduction; importance and classification of fuel cells; description, principle, components and applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
CHINA'S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT - jpsjournal1
The rivalry between prominent international actors for dominance over Central Asia's hydrocarbon reserves and the ancient silk trade route, along with China's diplomatic endeavours in the area, has been referred to as the "New Great Game." This research centres on the power struggle, considering geopolitical, geostrategic, and geoeconomic variables. Topics including trade, political hegemony, oil politics, and conventional and nontraditional security are all explored and explained by the researcher. Using Mackinder's Heartland, Spykman's Rimland, and Hegemonic Stability theories, it examines China's role in Central Asia. This study adheres to the empirical epistemological method and has taken care of objectivity. This study analyzes primary and secondary research documents critically to elaborate the role of China's geo-economic outreach in Central Asian countries and its future prospect. China is thriving in trade, pipeline politics, and winning states, according to this study, thanks to important instruments like the Shanghai Cooperation Organisation and the Belt and Road Economic Initiative. According to this study, China is seeing significant success in commerce, pipeline politics, and gaining influence on other governments. This success may be attributed to the effective utilisation of key tools such as the Shanghai Cooperation Organisation and the Belt and Road Economic Initiative.
Embedded machine learning-based road conditions and driving behavior monitoring - IJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Electric vehicle and photovoltaic advanced roles in enhancing the financial p... - IJECEIAES
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
Understanding Inductive Bias in Machine Learning - SUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
ACEP Magazine edition 4th launched on 05.06.2024 - Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Sinan KOZAK
Sinan from the Delivery Hero mobile infrastructure engineering team shares a deep dive into performance acceleration with Gradle build cache optimizations. Sinan shares their journey into solving complex build-cache problems that affect Gradle builds. By understanding the challenges and solutions found in our journey, we aim to demonstrate the possibilities for faster builds. The case study reveals how overlapping outputs and cache misconfigurations led to significant increases in build times, especially as the project scaled up with numerous modules using Paparazzi tests. The journey from diagnosing to defeating cache issues offers invaluable lessons on maintaining cache integrity without sacrificing functionality.
A review on techniques and modelling methodologies used for checking electrom...nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
Advanced control scheme of doubly fed induction generator for wind turbine us...IJECEIAES
This paper describes a speed control device for generating electrical energy on an electricity network based on the doubly fed induction generator (DFIG) used for wind power conversion systems. At first, a double-fed induction generator model was constructed. A control law is formulated to govern the flow of energy between the stator of a DFIG and the energy network using three types of controllers: proportional integral (PI), sliding mode controller (SMC) and second order sliding mode controller (SOSMC). Their different results in terms of power reference tracking, reaction to unexpected speed fluctuations, sensitivity to perturbations, and resilience against machine parameter alterations are compared. MATLAB/Simulink was used to conduct the simulations for the preceding study. Multiple simulations have shown very satisfying results, and the investigations demonstrate the efficacy and power-enhancing capabilities of the suggested control system.
2. Agenda
Assurance cases
Developing assurance cases
Assurance cases in CITADEL
Assurance cases in evaluations
Automation of assurance case usage
CITADEL training 2, atsec information security AB
4. Assurance case
An assurance case provides an argument to justify certain claims about a system, based on evidence concerning both the system and the environment in which it operates.
The principal advance offered by assurance cases compared to other forms of assurance is the provision of an explicit argument connecting evidence to claims.
The idea of structured argument is to facilitate modular comprehension and assessment of the case.
6. Evidence
Persuasive argumentation and a strong, comprehensive set of requirements play a major role in satisfying the claims of an assurance case.
However, the strength of the arguments, and of the assurance case as a whole, depends on the quality and completeness of the evidence supporting high-assurance claims of security or safety.
The evidence of an assurance case may validate and verify the requirements through various types of evidence generation, such as testing, simulations, audits, and review of artefacts such as design and guidance documentation and life cycle processes.
In cases where there are multiple ways to demonstrate satisfaction of goals (i.e. based on different processes), the approach with the most convincing strategy and evidence is to be chosen.
7. Assumptions
The evidence to substantiate the claims made in an assurance case should not only consider the system itself, but should additionally take into account the operational environment of the system.
Therefore, the operational environment of the system should either be considered and included as part of the evidence, or incorporated as environmental assumptions.
Hence, it is necessary to specify the assumptions under which the system or design satisfies the claims.
8. GSN
Adaptive MILS systems employ Goal Structuring Notation (GSN) for the development of assurance cases.
GSN assurance cases are constructed and visualised by a set of GSN elements that collectively establish a goal structure.
The following elements are used:
● Goal (claim)
● Strategy
● Context
● Undeveloped goal
● Evidence
● Assumption
9. Why assurance cases?
An assurance case does not replace any specific technique for analysis or for generating evidence. It shows the connection between the techniques used and the high level claims.
An assurance case captures the rationale for why the results of the analyses support our high-level requirements and goals, and the context for this support (for example, the assumptions and scope of any models used).
11. Two aspects of assurance cases
There are two different aspects to consider and make use of when developing an assurance case.
Assurance case argument patterns
● The process of developing an assurance case is simplified through the introduction of assurance case patterns.
● A catalogue of assurance case argument patterns is developed within the CITADEL project.
Regulatory standards
● The use of standards can offer various benefits, such as diminishing the limitations of assurance cases related to confirmation bias (i.e. only showing that the system is secure, but not how it is protected against insecure states).
● However, it may be difficult to directly apply standards to adaptive MILS systems, as they comprise a very fast moving field. Instead, the desired option would be a partly standardised approach towards the instantiation of the claims made in an argument-based assurance case, as well as its evaluation and certification.
12. Assurance case patterns
Patterns maintain the structure, but not the specific details, of an argument and therefore can be instantiated in multiple situations as appropriate.
By building a catalogue of patterns (i.e., templates), it is possible to facilitate the process of assurance case creation and documentation.
Assurance case patterns offer the benefits of reuse and repeatability of process, as well as providing some notion of coverage or completeness of the evidence.
The pattern is instantiated using information provided in the system model.
13. Standards-based assurance cases
A partly standardised approach towards the instantiation of the claims made in argument-based assurance cases.
The assurance cases comply with ISO/IEC 15026-2 and are extended with system-specific standards depending on the nature of the adaptive system.
Standards-based methods provide various benefits to the development and evaluation of assurance cases.
14. Standards-based method benefits
Support the establishment of comprehensive security requirements:
● providing higher assurance of the quality and precision of the claims and sub-claims of which the assurance case is built up;
● simplifying the evaluation of the sufficiency of the argument (during evaluation).
Aid in the specification of the evidence required to demonstrate satisfaction of the requirements:
● facilitating the assessment of the sufficiency of the evidence (during evaluation);
● new standards may include new verification approaches for providing evidence that are better suited to adaptive systems.
Evaluate the system against a consistent set of requirements that are widely recognised:
● the time and costs required for certification are kept to a minimum;
● adaptive systems are enabled to comply with certain standards demanded by legal requirements.
16. Adaptive MILS assurance case architecture
CITADEL employs a modular approach: components in the patterns may be modified, added or deleted at any time.
Arguments are developed both top-down and bottom-up:
● Top-down, we divide each claim into components whose conjunction implies the claim, and recurse down to sub-claims supported by evidence.
● Bottom-up, we treat each evidentially-supported sub-claim as an independently settled fact and conjoin these to produce higher-level sub-claims that combine recursively to deliver the top claim.
18. Patterns developed for CITADEL
The patterns developed during the CITADEL project represent the top claims of the system, the Adaptive MILS planes and the operational plane.
The Adaptive MILS planes are largely static, i.e. the planes usually comprise the same sets of components.
System properties pattern
This is the top level pattern of an Adaptive MILS system.
It creates an argument that an Adaptive MILS system enforces its required properties. These properties may regard security, safety, function and real-time properties.
This pattern includes the Adaptive MILS planes.
19. Top level Adaptive MILS argument
20. The plane patterns
The planes consist of compositions and components, and the goal of a plane is satisfied when the compositional behaviour of the compositions and/or components included in that plane meets their local policies.
Also, the interaction between these must be ensured as specified in the security policy, which can be demonstrated through the interface argument.
Additional patterns exist as modules which can be added to or removed from these plane patterns.
21. Operational plane
The operational plane is the application plane of an Adaptive MILS system.
It is the least pre-defined plane, and can be further developed manually depending on the safety and security goals of the application. This means that it is not as static as the other Adaptive MILS planes.
The pattern gives a generic argument that the operational plane guarantees that its local policy is met.
22. Foundational plane
The foundational plane includes various foundation element components:
Platform node(s), containing kernel instances
● An argument that each platform node and separation kernel instance provides separation for data and processor time partitioning.
● An argument that configuration introspection is permitted to authorised subjects.
MILS network subsystem (NSM) instances
Time Sensitive Network (TSN)
● An argument to ensure that critical information is delivered timely and that bandwidth is optimised according to different levels of priority.
23. Monitoring plane
An argument that the monitoring plane provides a flexible framework for constructing monitoring applications to ensure continuous correct functioning of the Adaptive MILS system.
Arguments to obtain monitor data, analyse it for certain properties or anomalies, and trigger alarms or reports of the analysis results.
The plane supports state monitoring and communications monitoring.
24. Adaptation plane
An argument that the adaptation plane ensures that adaptations preserve vital overarching properties defined for the system when developing the adaptation strategy to adapt to changing environmental conditions or dynamic repurposing of the system in real-time safety-critical environments.
The adaptation plane performs dynamic risk assessment based on context-awareness when developing adaptation strategies.
An argument that the context-awareness model is correct, sufficient and assures system safety.
25. Configuration plane
The configuration plane develops a reconfiguration plan, and mediates the use of the dynamic reconfiguration primitives to the separation kernel and the network by enforcing adaptation policies on proposed reconfiguration plans.
The pattern states an argument that the plane ensures the establishment of correct configuration and reconfiguration plans for Adaptive MILS systems.
It also contains an argument about the dynamic reconfiguration capabilities.
26. Certification plane
The certification plane comprises the AM-ETB, which enables tool integration, as well as the verification and validation of results.
An argument that the plane verifies that the model (in the current and next configurations chosen by the adaptation plane) satisfies the system properties, by generating, collecting and analysing evidence.
27. Additional argument patterns
While every claim in an assurance case should eventually end with an evidence node, not every assurance case pattern necessarily ends with an evidence node.
A pattern could, for instance, also be supported by other argument patterns that end with evidence nodes.
Such modular patterns have been defined within the CITADEL project…
28. Assurance case argument patterns
Interface pattern
Creates an argument that communication between components or compositions in the architecture only occurs via connections explicitly defined in the policy architecture.
Threat pattern
Creates an argument that threats are sufficiently mitigated.
Modes and transitions / states and transitions patterns
Create arguments that modes/states and the transitions between them are in accordance with the mode models and transition models.
Composition pattern
Creates arguments that formally defined properties of a system are satisfied by a CITADEL system model and are faithfully implemented by an Adaptive MILS system.
Process (component) pattern
Creates an argument for any process during the development, real-time adaptation and reconfiguration, and analysis of an Adaptive MILS system.
29. Process properties patterns
The process pattern may include one or more properties as modules within the process. Each of the following patterns creates an argument about the trustworthiness of the corresponding element (tool, person, organisation, artefact, technique, trusted software component) used as part of a process included in the assurance case:
● Tool pattern
● Person pattern
● Organisation pattern
● Artefact pattern
● Technique pattern
● Trusted Software Component pattern
33. Evaluation of the assurance case
Before the evaluation, it should be ensured that the assurance case is correct.
The assurance case itself is reviewed. The soundness of the assurance case is verified based on four aspects, which are explained in the following slides.
Once it is determined that the assurance case is sound, the assurance case can be used during the evaluation of an Adaptive MILS system.
The evaluation is performed by reviewing the assurance case.
34. Soundness of the assurance case
Completeness of the assurance case
Shows the degree to which the assurance case has been finished, by looking at instantiated and undeveloped claims.
Sufficiency of the arguments
Is the argument strong enough to support the conclusions being drawn?
● Standards-based assurance cases have the potential to increase the strength of an argument (standards indicate requirements).
35. Soundness of the assurance case
Sufficiency of evidence
The extent to which the evidence supports the argument, and the integrity and trustworthiness of that evidence.
● If the evidence collection and analysis process cannot be assured, the evidence can be ruled inadmissible (tool qualification and assurance).
Sufficiency of assumptions
The extent to which the assumptions support the arguments.
● Assumptions about the system
● Assumptions about the system's environment
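As an added example (not code from the CITADEL project or from AM-ETB), the following Python sketch models a small GSN goal structure: it instantiates the plane pattern of slide 20 top-down from a constructed system model (slide 16), develops the sub-claims with constructed evidence, and applies the soundness checks of slides 34 and 35 (completeness, admissibility of evidence, assumptions) bottom-up. The Node class, the plane and component names, the assumption and the evidence texts are all assumptions of this example.

```python
"""Hypothetical GSN-style assurance-case model (not CITADEL or AM-ETB code):
a plane pattern is instantiated top-down from a constructed system model,
then evaluated bottom-up with the soundness checks of slides 34 and 35."""
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str                 # goal | strategy | evidence | assumption | context
    text: str
    children: list = field(default_factory=list)
    developed: bool = True    # False marks an undeveloped goal (GSN diamond)
    admissible: bool = True   # evidence only: collection/analysis process assured

def instantiate_plane_pattern(plane, components):
    """Top-down (slide 16): split the plane claim into sub-claims whose
    conjunction implies it, one per component plus the interface argument
    (slide 20). Sub-claims stay undeveloped until evidence is attached."""
    strategy = Node("strategy", f"Argument over each component of the {plane} plane")
    for c in components:
        strategy.children.append(Node("goal", f"{c} meets its local policy", developed=False))
    strategy.children.append(Node("goal", f"{plane} plane components interact only via "
                                  "connections defined in the security policy", developed=False))
    root = Node("goal", f"The {plane} plane satisfies its local policy", children=[strategy])
    # Constructed environmental assumption (slide 7): recorded, not proven here.
    root.children.append(Node("assumption", "The platform node hardware is as specified"))
    return root

def develop(goal, evidence_text, admissible=True):
    """Attach an evidence node to a goal, turning it into a developed claim."""
    goal.children.append(Node("evidence", evidence_text, admissible=admissible))
    goal.developed = True

def goals(node):
    """All goal nodes of the structure, pre-order (root first)."""
    if node.kind == "goal":
        yield node
    for ch in node.children:
        yield from goals(ch)

def completeness(root):
    """Completeness (slide 34): share of goals that are developed. 1.0 means no
    undeveloped goals remain; it says nothing about the evidence quality."""
    gs = list(goals(root))
    return sum(g.developed for g in gs) / len(gs)

def supported(node):
    """Bottom-up (slide 16): evidence counts only if admissible (slide 35); a
    strategy or goal is settled when every supporting child is settled.
    Context and assumptions are not evidence and are skipped here."""
    if node.kind == "evidence":
        return node.admissible
    if node.kind == "goal" and not node.developed:
        return False
    support = [ch for ch in node.children if ch.kind not in ("assumption", "context")]
    return bool(support) and all(supported(ch) for ch in support)

def assumptions(node):
    """Collect the assumptions the argument rests on (slide 35); the evaluator
    judges their sufficiency separately from the evidence."""
    found = [node.text] if node.kind == "assumption" else []
    for ch in node.children:
        found.extend(assumptions(ch))
    return found
```

Running the checks on the constructed case shows that a case can be complete (no undeveloped goals left) and still be unsound once a single evidence node is ruled inadmissible.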
36. Assurance case during evaluations
The assurance case is reviewed. This also focuses on the quality of the evidence.
Human interaction is required for interpretation of the assurance case.
Interactive presentation of the assurance case…
● enables the evaluator to encapsulate selected fragments, and review the assurance case fragment by fragment;
● enables the evaluator to indicate whether a claim is satisfied or not, and leave feedback;
● shows a comprehensive overview of the results of the evaluation, plus a metric indicating the security or safety of the adaptive system.
37. Evaluation of performance
The performance of the Adaptive MILS system is determined on the basis of the analysis of the evidence supporting each of the arguments of the entire assurance case.
While the analysis will require human judgement, automated tools may support the overall assurance case analysis.
The completeness of the requirements, the adequacy of the test cases and the absence of unintended behaviours should be evaluated with the assistance of the AM-ETB tool.
39. AM-ETB
AM-ETB stands for Adaptive MILS Evidential Tool Bus.
The AM-ETB tool is used for the automation of assurance case usage.
It supports the automatic instantiation of assurance case patterns.
For further information, please refer to the training material related to AM-ETB.