Investigating Information Security in Systems-of-Systems
Resumo
Context: Changes in society have made information systems more complex. This also happens to a category of systems defined as system-of-systems (SoS) and system-of-information systems (SoIS). Problem: Although SoS offers benefits to organizations, the difficulty of IT managers in dealing with information security in these systems can leave them vulnerable to threats and impacts caused by cyber-attacks. Solution: This study presents mechanisms and technologies that should be implemented to ensure that communication between systems is treated from the perspective of information security. IS theory: This research is based on the General Systems Theory that allows to understand SoS as a type of complex system. With the increase in tasks complexity, constituent systems collaborate and offer functionalities that could not be achieved by them in an isolated form. Method: A systematic mapping study (SMS) was carried out to identify how information security technologies are used in the context of SoS. Moreover, a survey research was conducted to analyze information security aspects in order to evaluate the results obtained in the SMS with respect to their applicability in industry. Summary of Results: 18 studies were reviewed in the SMS and 32 experts participated in the survey. Both studies show that stakeholders need to understand vulnerabilities, exposure, and the contribution technology makes to prevent cyberattacks and mitigate SoS risks. Contributions and Impact in the IS area: This work presents an overview of information security in SoS, highlighting related technologies so that stakeholders can reflect on cyber threats in decision-making processes in organizations, exploring the grand research challenge in IS “Smart Systems-of-Information Systems: Foundations and an Assessment Model for Research Development”.
Palavras-chave:
Systems-of-Systems, Systems-of-Information Systems, Information Security, Information Systems Complexity
Referências
D. Agrawal. 2009. A new schema for security in dynamic uncertain environments. In 2009 IEEE Sarnoff Symposium. 1–5.
J. Axelsson. 2015. A systematic mapping of the research literature on system-of-systems engineering. In 2015 10th System of Systems Engineering Conference (SoSE). 18–23.
Victor R. Basili. 1992. Software Modeling and Measurement: The Goal/Question/Metric Paradigm. Technical Report. USA.
D. J. Bodeau. 1994. System-of-systems security engineering. In Tenth Annual Computer Security Applications Conference. 228–235.
C. Boscarioli, R. M. Araujo, and R. S. P. Maciel. 2017. Introduction. In I GrandDSI-BR - Grand Research Challenges in Information Systems in Brazil 2016 - 2026, C. Boscarioli, R. M. Araujo, and R. S. P. Maciel (Eds.). SBC-Sociedade Brasileira de Computação, Porto Alegre, Chapter 1, 7–11.
S. B. O. G. Carturan and D. H. Goya. 2019. A Systems-of-Systems Security Framework for Requirements Definition in Cloud Environment. In Proceedings of the ECSA ’19 (Paris, France). Association for Computing Machinery, New York, NY, USA, 235–240. https://doi.org/10.1145/3344948.3344977
A. Ceccarelli, T. Zoppi, A. Vasenev, M. Mori, D. Ionita, L. Montoya, and A. Bondavalli. 2018. Threat Analysis in Systems-of-Systems: An Emergence-Oriented Approach. ACM Trans. Cyber-Phys. Syst. 3, 2, Article 18 (Oct. 2018), 24 pages. https://doi.org/10.1145/3234513
Judith S. Dahmann and Kristen J. Baldwin. 2008. Understanding the Current State of US Defense Systems of Systems and the Implications for Systems Engineering. In 2008 2nd Annual IEEE Systems Conference. 1–7. https://doi.org/10.1109/SYSTEMS.2008.4518994
Duncan D.Nulty. 2008. The adequacy of response rates to online and paper surveys: what can be done?Assessment & Evaluation in Higher Education 33, 3 (2008), 301–314. https://doi.org/10.1080/02602930701293231 arXiv: https://doi.org/10.1080/02602930701293231
T. Dyba, T. Dingsoyr, and G. K. Hanssen. 2007. Applying Systematic Reviews to Diverse Study Types: An Experience Report. In ESEM 2007. 225–234.
Adel S. Elmaghraby and Michael M. Losavio. 2014. Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of Advanced Research 5, 4 (2014), 491–497. https://doi.org/10.1016/j.jare.2014.02.006 Cyber Security.
J. C. Fernandes, V. V. Graciano Neto, and R. P. Santos. 2018. Interoperability in Systems-of-Information Systems: A Systematic Mapping Study. In Proceedings of the SBQS 2018 (Curitiba, Brazil). Association for Computing Machinery, New York, NY, USA, 131–140. https://doi.org/10.1145/3275245.3275259
Valdemar Vicente Graciano Neto, Flavio Oquendo, and Elisa Yumi Nakagawa. 2017. Smart systems-of-information systems: Foundations and an assessment model for research development. Sociedade Brasileira de Computação (2017).
C. Guariniello and D. DeLaurentis. 2014. Communications, Information, and Cyber Security in Systems-of-Systems: Assessing the Impact of Attacks through Interdependency Analysis. Procedia Computer Science 28 (2014), 720–727. https://doi.org/10.1016/j.procs.2014.03.086
J. Hosey and R. Gamble. 2010. Extracting Security Control Requirements. In Proceedings of the CSIIRW ’10 (Oak Ridge, Tennessee, USA). Association for Computing Machinery, New York, NY, USA, Article 44, 4 pages. https://doi.org/10.1145/1852666.1852715
ISO. 2013. ISO/IEC 27002:2013 - Information technology — Security techniques — Code of practice for information security controls. International Organization for Standardization.
D. Ki-Aries, S. Faily, H. Dogan, and C. Williams. 2018. Assessing System of Systems Security Risk and Requirements with OASoSIS. In 2018 IEEE 5th International Workshop on Evolving Security Privacy Requirements Engineering (ESPRE). 14–20.
B. Kitchenham and S. Charters. 2007. Guidelines for performing Systematic Literature Reviews in Software Engineering. Technical Report EBSE 2007-001. Keele University and Durham University Joint Report.
Barbara Ann Kitchenham, David Budgen, and Pearl Brereton. 2015. Evidence-Based Software Engineering and Systematic Reviews. Chapman & Hall/CRC.
U. Lang and R. Schreiner. 2009. Model Driven Security Accreditation (MDSA)for Agile, Interconnected It Landscapes. In Proceedings of the WISG ’09 (Chicago, Illinois, USA). Association for Computing Machinery, New York, NY, USA, 13–22. https://doi.org/10.1145/1655168.1655173
Kenneth C Laudon and Jane P Laudon. 2004. Sistemas de informação gerenciais. 5ª Edição.
K. E. Lever and K. Kifayat. 2020. Identifying and mitigating security risks for secure and robust NGI networks. Sustainable Cities and Society 59 (2020), 102098.
M. L. Loper. 2019. Simulation Trust and the Internet of Things. In 2019 Winter Simulation Conference (WSC). 2–16.
Mark W. Maier. 1998. Architecting principles for systems-of-systems. Systems Engineering 1, 4 (1998), 267–284. https://doi.org/10.1002/(SICI)1520-6858(1998)1:4<267::AID-SYS3>3.0.CO;2-D
Marcelo Antônio Osller Malagutti. 2016. O papel da dissuasão no tocante a ofensas cibernéticas. Doutrina Militar Terrestre em Revista 4, 9 (2016), 18–27.
M. Mihaljevic, H. Imai, M. David, K. Kobara, and H. Watanabe. 2011. On Advanced Cryptographic Techniques for Information Security of Smart Grid AMI. In Proceedings of CSIIRW ’11 (Oak Ridge, Tennessee, USA). Association for Computing Machinery, New York, NY, USA, Article 64, 1 pages. https://doi.org/10.1145/2179298.2179371
E. I. Neaga and M. J. C. Henshaw. 2010. Modeling the linkage between systems interoperability and security engineering. In 2010 5th International Conference on System of Systems Engineering. 1–6.
D. Ormrod, B. Turnbull, and K. O'Sullivan. 2015. System of systems cyber effects simulation ontology. In 2015 Winter Simulation Conference (WSC). 2475–2486.
P. Petratos and A. Faccia. 2019. Accounting Information Systems and System of Systems: Assessing Security with Attack Surface Methodology. In Proceedings of the 2019 3rd International Conference on Cloud and Big Data Computing (Oxford, United Kingdom) (ICCBDC 2019). Association for Computing Machinery, New York, NY, USA, 100–105. https://doi.org/10.1145/3358505.3358513
M. M. Rathore, A. Paul, N. Chilamkurthi, W. Hong, and H. Seo. 2017. Real-time secure communication for Smart City in high-speed Big Data environment. Future Generation Computer Systems 83 (11 2017). https://doi.org/10.1016/j.future.2017.08.006
Ian. Sommerville. 2016. Software Engineering, 10th Edition. Pearson.
T. Tagarev and G. Sharkov. 2019. Computationally Intensive Functions in Designing and Operating Distributed Cyber Secure and Resilient Systems. In Proceedings of the CompSysTech ’19 (Ruse, Bulgaria). Association for Computing Machinery, New York, NY, USA, 8–18. https://doi.org/10.1145/3345252.3345255
S. Tbatou, A. Ramrami, and Y. Tabii. 2017. Security of Communications in Connected Cars Modeling and Safety Assessment. In Proceedings of the BDCA’17 (Tetouan, Morocco). Association for Computing Machinery, New York, NY, USA, Article 56, 7 pages. https://doi.org/10.1145/3090354.3090412
M. E. Whitman and H. J. Mattord. 2009. Principles of information security(3 ed.). Thompson Course Technology.
B. Zhou, O. Drew, A. Arabo, D. Llewellyn-Jones, K. Kifayat, M. Merabti, Q. Shi, R. Craddock, A. Waller, and G. Jones. 2010. System-of-systems boundary check in a public event scenario. In SoSE 2010. 1–8.
J. Axelsson. 2015. A systematic mapping of the research literature on system-of-systems engineering. In 2015 10th System of Systems Engineering Conference (SoSE). 18–23.
Victor R. Basili. 1992. Software Modeling and Measurement: The Goal/Question/Metric Paradigm. Technical Report. USA.
D. J. Bodeau. 1994. System-of-systems security engineering. In Tenth Annual Computer Security Applications Conference. 228–235.
C. Boscarioli, R. M. Araujo, and R. S. P. Maciel. 2017. Introduction. In I GrandDSI-BR - Grand Research Challenges in Information Systems in Brazil 2016 - 2026, C. Boscarioli, R. M. Araujo, and R. S. P. Maciel (Eds.). SBC-Sociedade Brasileira de Computação, Porto Alegre, Chapter 1, 7–11.
S. B. O. G. Carturan and D. H. Goya. 2019. A Systems-of-Systems Security Framework for Requirements Definition in Cloud Environment. In Proceedings of the ECSA ’19 (Paris, France). Association for Computing Machinery, New York, NY, USA, 235–240. https://doi.org/10.1145/3344948.3344977
A. Ceccarelli, T. Zoppi, A. Vasenev, M. Mori, D. Ionita, L. Montoya, and A. Bondavalli. 2018. Threat Analysis in Systems-of-Systems: An Emergence-Oriented Approach. ACM Trans. Cyber-Phys. Syst. 3, 2, Article 18 (Oct. 2018), 24 pages. https://doi.org/10.1145/3234513
Judith S. Dahmann and Kristen J. Baldwin. 2008. Understanding the Current State of US Defense Systems of Systems and the Implications for Systems Engineering. In 2008 2nd Annual IEEE Systems Conference. 1–7. https://doi.org/10.1109/SYSTEMS.2008.4518994
Duncan D.Nulty. 2008. The adequacy of response rates to online and paper surveys: what can be done?Assessment & Evaluation in Higher Education 33, 3 (2008), 301–314. https://doi.org/10.1080/02602930701293231 arXiv: https://doi.org/10.1080/02602930701293231
T. Dyba, T. Dingsoyr, and G. K. Hanssen. 2007. Applying Systematic Reviews to Diverse Study Types: An Experience Report. In ESEM 2007. 225–234.
Adel S. Elmaghraby and Michael M. Losavio. 2014. Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of Advanced Research 5, 4 (2014), 491–497. https://doi.org/10.1016/j.jare.2014.02.006 Cyber Security.
J. C. Fernandes, V. V. Graciano Neto, and R. P. Santos. 2018. Interoperability in Systems-of-Information Systems: A Systematic Mapping Study. In Proceedings of the SBQS 2018 (Curitiba, Brazil). Association for Computing Machinery, New York, NY, USA, 131–140. https://doi.org/10.1145/3275245.3275259
Valdemar Vicente Graciano Neto, Flavio Oquendo, and Elisa Yumi Nakagawa. 2017. Smart systems-of-information systems: Foundations and an assessment model for research development. Sociedade Brasileira de Computação (2017).
C. Guariniello and D. DeLaurentis. 2014. Communications, Information, and Cyber Security in Systems-of-Systems: Assessing the Impact of Attacks through Interdependency Analysis. Procedia Computer Science 28 (2014), 720–727. https://doi.org/10.1016/j.procs.2014.03.086
J. Hosey and R. Gamble. 2010. Extracting Security Control Requirements. In Proceedings of the CSIIRW ’10 (Oak Ridge, Tennessee, USA). Association for Computing Machinery, New York, NY, USA, Article 44, 4 pages. https://doi.org/10.1145/1852666.1852715
ISO. 2013. ISO/IEC 27002:2013 - Information technology — Security techniques — Code of practice for information security controls. International Organization for Standardization.
D. Ki-Aries, S. Faily, H. Dogan, and C. Williams. 2018. Assessing System of Systems Security Risk and Requirements with OASoSIS. In 2018 IEEE 5th International Workshop on Evolving Security Privacy Requirements Engineering (ESPRE). 14–20.
B. Kitchenham and S. Charters. 2007. Guidelines for performing Systematic Literature Reviews in Software Engineering. Technical Report EBSE 2007-001. Keele University and Durham University Joint Report.
Barbara Ann Kitchenham, David Budgen, and Pearl Brereton. 2015. Evidence-Based Software Engineering and Systematic Reviews. Chapman & Hall/CRC.
U. Lang and R. Schreiner. 2009. Model Driven Security Accreditation (MDSA)for Agile, Interconnected It Landscapes. In Proceedings of the WISG ’09 (Chicago, Illinois, USA). Association for Computing Machinery, New York, NY, USA, 13–22. https://doi.org/10.1145/1655168.1655173
Kenneth C Laudon and Jane P Laudon. 2004. Sistemas de informação gerenciais. 5ª Edição.
K. E. Lever and K. Kifayat. 2020. Identifying and mitigating security risks for secure and robust NGI networks. Sustainable Cities and Society 59 (2020), 102098.
M. L. Loper. 2019. Simulation Trust and the Internet of Things. In 2019 Winter Simulation Conference (WSC). 2–16.
Mark W. Maier. 1998. Architecting principles for systems-of-systems. Systems Engineering 1, 4 (1998), 267–284. https://doi.org/10.1002/(SICI)1520-6858(1998)1:4<267::AID-SYS3>3.0.CO;2-D
Marcelo Antônio Osller Malagutti. 2016. O papel da dissuasão no tocante a ofensas cibernéticas. Doutrina Militar Terrestre em Revista 4, 9 (2016), 18–27.
M. Mihaljevic, H. Imai, M. David, K. Kobara, and H. Watanabe. 2011. On Advanced Cryptographic Techniques for Information Security of Smart Grid AMI. In Proceedings of CSIIRW ’11 (Oak Ridge, Tennessee, USA). Association for Computing Machinery, New York, NY, USA, Article 64, 1 pages. https://doi.org/10.1145/2179298.2179371
E. I. Neaga and M. J. C. Henshaw. 2010. Modeling the linkage between systems interoperability and security engineering. In 2010 5th International Conference on System of Systems Engineering. 1–6.
D. Ormrod, B. Turnbull, and K. O'Sullivan. 2015. System of systems cyber effects simulation ontology. In 2015 Winter Simulation Conference (WSC). 2475–2486.
P. Petratos and A. Faccia. 2019. Accounting Information Systems and System of Systems: Assessing Security with Attack Surface Methodology. In Proceedings of the 2019 3rd International Conference on Cloud and Big Data Computing (Oxford, United Kingdom) (ICCBDC 2019). Association for Computing Machinery, New York, NY, USA, 100–105. https://doi.org/10.1145/3358505.3358513
M. M. Rathore, A. Paul, N. Chilamkurthi, W. Hong, and H. Seo. 2017. Real-time secure communication for Smart City in high-speed Big Data environment. Future Generation Computer Systems 83 (11 2017). https://doi.org/10.1016/j.future.2017.08.006
Ian. Sommerville. 2016. Software Engineering, 10th Edition. Pearson.
T. Tagarev and G. Sharkov. 2019. Computationally Intensive Functions in Designing and Operating Distributed Cyber Secure and Resilient Systems. In Proceedings of the CompSysTech ’19 (Ruse, Bulgaria). Association for Computing Machinery, New York, NY, USA, 8–18. https://doi.org/10.1145/3345252.3345255
S. Tbatou, A. Ramrami, and Y. Tabii. 2017. Security of Communications in Connected Cars Modeling and Safety Assessment. In Proceedings of the BDCA’17 (Tetouan, Morocco). Association for Computing Machinery, New York, NY, USA, Article 56, 7 pages. https://doi.org/10.1145/3090354.3090412
M. E. Whitman and H. J. Mattord. 2009. Principles of information security(3 ed.). Thompson Course Technology.
B. Zhou, O. Drew, A. Arabo, D. Llewellyn-Jones, K. Kifayat, M. Merabti, Q. Shi, R. Craddock, A. Waller, and G. Jones. 2010. System-of-systems boundary check in a public event scenario. In SoSE 2010. 1–8.
Publicado
16/05/2022
Como Citar
DIAS, Roberto Monteiro; ZACARIAS, Rodrigo Oliveira; VARELLA, Jorge Luis de Lima; DOS SANTOS, Rodrigo Pereira.
Investigating Information Security in Systems-of-Systems. In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 18. , 2022, Curitiba.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2022
.