TY - BOOK
T1 - System of systems modelling for safety and cyber security assessments
AU - Linnosmaa, Joonas
AU - Alanen, Jarmo
AU - Karadeniz, Sami
AU - Tiusanen, Risto
AU - Berger, Josepha
AU - Malm, Timo
AU - Viitanen, Kaupo
N1 - VTT-R-00555-24
PY - 2024/10/21
Y1 - 2024/10/21
N2 - This report introduces systems of systems (SoS) and how they can be modelled for safety and cyber security assessments in complex industrial settings. We first establish an understanding of the relevant terminology and standards, which also helps distinguish SoS from their stand-alone systems (SaS, a term we also introduce in this report) counterparts. The characteristics, classifications, and challenges of SoS are explored, stressing the complexity and importance of managing the interfaces between the different constituent systems. An interesting notion is that the differences between a SaS and a SoS are not in the physical or hierarchical structure of their parts but in the behavioural and managerial characteristics of those parts. SoS challenges and the comparison with SaS emphasize the demands placed on systems engineering when dealing with SoS. The report focuses on the importance of modelling techniques to support risk analyses in cyber-physical SoS. It covers various modelling approaches, such as structure models, behaviour models, SysML, UAF enterprise architecture modelling, the system architecture modelling language and method Arcadia, STAMP modelling, data repository modelling with ontologies, and risk analysis modelling with the RAAML language. These models are essential for understanding the interactions within SoS and for identifying potential vulnerabilities, particularly in safety and cyber security contexts. The normal safety and security analysis methods apply to SoS, but the focus is different from normal stand-alone systems because of the different nature of SoS compared to SaS, such as heterogeneity over homogeneity, especially at the enterprise level but also at system level. In addition to the technical dimension of cyber security assessments, we also discuss the conceptualization and assessment of cyber security culture at the SoS level. We briefly discuss the concept of cyber security culture.
We then posit that in a SoS which is formed of a community of organizations, interactions, shared understanding, and alignment to common goals between the members play a key role in the emerging SoS-level cyber security culture. Moreover, we discuss ideas on approaching the assessment of cyber security culture in a SoS using the port community as an example, while recognizing the need for future investigations on the matter.
KW - System of Systems
KW - Modelling
KW - Hybrid risk assessment
M3 - Report
T3 - VTT Research Report
BT - System of systems modelling for safety and cyber security assessments
PB - VTT Technical Research Centre of Finland
ER -