Managing cybersecurity risks of cyber-physical systems: the MARISMA-CPS pattern

Abstract

Cyber-physical systems (CPSs) are smart systems that include engineered interacting networks of physical and computational components. CPSs have an increasingly presence on critical infrastructures and an impact in almost every aspect of our daily life, including transportation, healthcare, electric power, and advanced manufacturing. However, CPSs face a growing and serious security issue due to the widespread connectivity between the cyber world and the physical world. Although risk assessment methods for traditional IT systems are now very mature, these are not adequate for risk assessment of CPSs due to the different characteristics of the later. As such, there is an urgent need to define approaches that will adequately support risk assessment for CPSs. To contribute to this important challenge, we propose a novel risk analysis technique for CPSs based on MARISMA, a security management methodology, and eMARISMA, a technological environment in the cloud. Our work contributes to the state of the art through the definition of the MARISMA-CPS pattern that incorporates a set of reusable and adaptable elements that allows risks in CPSs to be managed and controlled, which is aligned with the main CPSs frameworks, such as those defined by NIST and ENISA. A case study for a smart hospital is presented, showing how the reusability and adaptability of the proposal allows the proposed MARISMA-CPS pattern to be easily adapted to any CPS environment. Such adaptability is important to ensure wide application in the domain of CPSs.