Specification of Information Flow Security Policies in Model-Based Systems Engineering

Model-based systems engineering provides a multi-disciplinary approach to developing cyber-physical systems. Due to their high degree of interconnection, security is a key factor for cyber-physical systems and needs to be front-loaded to the beginning of the development. However, there is a lack of model-based systems engineering approaches that enable the early specification of security policies. As a consequence, security requirements frequently remain unspecified and therefore are hard to satisfy in the downstream development phases. In this paper, we propose to integrate model-based systems engineering with the theory of information flow security. We extend systems engineering models to information flow policies, enabling systems engineers to specify the information flow security requirements of a system under development. On refinement of the resulting models, our approach allows to derive security requirements for individual software components. We illustrate our approach using a model-based design of an autonomous car.