Towards a Minimum Security Baseline for Cyber-Physical Systems Through Security Standards Harmonization

  • Henrique A. Fonseca UNICAMP
  • João R. Campos University of Coimbra
  • Regina Moraes UNICAMP / University of Coimbra

Abstract


Cyber-Physical Systems (CPS) rely on data collection as a fundamental element to control physical devices through the internet. They are widespread in several environments, such as medical, smart-city, wearable-device, and space environments. Despite their importance, recent security incidents point to a neglect of security in CPS development. Such neglect is largely due to the difficulty in understanding security requirements, whether those specified in requirements elicitation documents or those arising from security standards for specific systems. Many of these standards lack clarity and contain ambiguities, leading to subjective interpretations and inconsistent implementation. This study suggests a way to simplify and standardize security requirements by creating a Minimum Security Baseline (MSB) for CPS development, particularly in situations where several standards must be met. Large Language Models (LLMs) are used to process natural-language texts and find complements and intersections among the different documents in order to automate the generation of the MSB. The mission requirements of the CONASAT-0 CubeSat satellite, created by INPE (National Institute for Space Research), are used as a case study. Using the OWASP IoT Security Verification Standard (ISVS) as the ontological foundation for security terminology, the MSB is produced by semantically examining the criteria of the NIST, ECSS, and CCSDS standards. The results include an MSB that can be valuable for guiding embedded system implementations, as engineers have a single document to follow that can be applied to CPSs in a variety of contexts.
Published
27/10/2025
FONSECA, Henrique A.; CAMPOS, João R.; MORAES, Regina. Towards a Minimum Security Baseline for Cyber-Physical Systems Through Security Standards Harmonization. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 14., 2025, Valparaíso/Chile. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 37-53.