System evolution through semi-automatic elicitation of security requirements: A Position Paper

Due to the security threats faced in the connected world, the consideration of security requirements during system design and modeling has become a necessity. Unfortunately, the identification of new requirements that may arise throughout additional phases of a system’s life-cycle (e.g. operation) must also be considered due to the ever-changing threat landscape. These new requirements may derive in system adaptations or modifications that ensure continuous system security. The identification of these new requirements and the implementation of their derived changes must be performed in a timely manner in order to avoid time windows where the system is vulnerable to security attacks. Unfortunately, the timely implementation of security-related changes is a challenge when dealing with automation systems as it may affect their availability and functionality. This position paper presents an approach that allows semiautomatic identification of system vulnerabilities in order to facilitate the derivation of new requirements that allow to ensure the security of a system. This identification is carried out throughout multiple phases of a system’s life-cycle.