Department of Computer Science: MSc Thesis Presentations
Risk-based security requirement methodology for Cyber-Physical Systems
Author: Lija Bista
Advisor: Axel Beer
Supervisor: Philip Ginzboorg
Abstract: Cyber-Physical Systems (CPS) integrate mechanical components with software, connectivity, and sensors, making them both safety-critical and increasingly vulnerable to cyber threats.
Regulators require CPS manufacturers to perform a risk assessment of their products and apply security controls to mitigate identified risks. The EU Cyber Resilience Act (CRA) provides high-level cybersecurity requirements which must be translated into product-level security requirements for industrial equipment. The risk-assessment process is part of product development and is often performed by engineers who are not necessarily security experts. The results are communicated to management to support product decisions, since implementing security features can be costly. Security professionals often use domain-specific terms such as threats, vulnerabilities, and risks in ways that are difficult for non-security teams to interpret, leading to gaps in understanding and inconsistent implementation. For these reasons, identifying the appropriate product security requirements is a challenge for CPS developers.
This thesis proposes a security requirements methodology for CPS based on (i) the CRA and (ii) the IEC 62443-3-2 and IEC 62443-3-3 standards. The methodology helps engineers and managers assess product-related risks and make product security decisions aligned with the CRA.