{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T11:49:19Z","timestamp":1740138559703,"version":"3.37.3"},"reference-count":20,"publisher":"Walter de Gruyter GmbH","issue":"6","license":[{"start":{"date-parts":[[2023,6,1]],"date-time":"2023-06-01T00:00:00Z","timestamp":1685577600000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001659","name":"German Research Foundation","doi-asserted-by":"crossref","award":["432576552, HE8596\/1-1"],"award-info":[{"award-number":["432576552, HE8596\/1-1"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Helmholtz Association","award":["46.23.03"],"award-info":[{"award-number":["46.23.03"]}]},{"DOI":"10.13039\/501100001824","name":"Czech Science Foundation","doi-asserted-by":"crossref","award":["20-24814J"],"award-info":[{"award-number":["20-24814J"]}],"id":[{"id":"10.13039\/501100001824","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Charles University institutional funding SVV","award":["260588"],"award-info":[{"award-number":["260588"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,6,27]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Exchanging data between entities is an essential part of Industry 4.0. However, the data exchange should not affect the confidentiality. Therefore, data should only be shared with the intended entities. In exceptional scenarios, it is unclear whether data should be shared or not and what the impact of the access decision is. Runtime access control systems such as role-based access control often do not consider the impact on the overall confidentiality. Static design-time analyses often provide this information. We use architectural design-time analyses together with an uncertainty variation metamodel mitigating uncertainty to calculate impact properties of attack paths. Runtime access control approaches can then use this information to support the access control decision. We evaluated our approach on four case studies based on real-world examples and research cases.<\/jats:p>","DOI":"10.1515\/auto-2022-0135","type":"journal-article","created":{"date-parts":[[2023,6,6]],"date-time":"2023-06-06T22:12:35Z","timestamp":1686089555000},"page":"443-452","source":"Crossref","is-referenced-by-count":3,"title":["Architecture-based attack propagation and variation analysis for identifying confidentiality issues in Industry 4.0"],"prefix":"10.1515","volume":"71","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0358-6644","authenticated-orcid":false,"given":"Maximilian","family":"Walter","sequence":"first","affiliation":[{"name":"Dependability of Software-Intensive Systems Group (DSiS) , Karlsruhe Institute of Technology (KIT), Institute of Information Security and Dependability (KASTEL) , Am Fasanengarten 5, 76131 Karlsruhe , Germany"}]},{"given":"Sebastian","family":"Hahner","sequence":"additional","affiliation":[{"name":"Dependability of Software-Intensive Systems Group (DSiS) , Karlsruhe Institute of Technology (KIT), Institute of Information Security and Dependability (KASTEL) , Am Fasanengarten 5, 76131 Karlsruhe , Germany"}]},{"given":"Tom\u00e1\u0161","family":"Bure\u0161","sequence":"additional","affiliation":[{"name":"Faculty of Mathematics and Physics , Charles University , Malostransk\u00e9 N\u00e1m\u011bst\u00ed 25, 118 00 Praha 1 , Czech Republic"}]},{"given":"Petr","family":"Hn\u011btynka","sequence":"additional","affiliation":[{"name":"Faculty of Mathematics and Physics , Charles University , Malostransk\u00e9 N\u00e1m\u011bst\u00ed 25, 118 00 Praha 1 , Czech Republic"}]},{"given":"Robert","family":"Heinrich","sequence":"additional","affiliation":[{"name":"Dependability of Software-Intensive Systems Group (DSiS) , Karlsruhe Institute of Technology (KIT), Institute of Information Security and Dependability (KASTEL) , Am Fasanengarten 5, 76131 Karlsruhe , Germany"}]},{"given":"Ralf","family":"Reussner","sequence":"additional","affiliation":[{"name":"Dependability of Software-Intensive Systems Group (DSiS) , Karlsruhe Institute of Technology (KIT), Institute of Information Security and Dependability (KASTEL) , Am Fasanengarten 5, 76131 Karlsruhe , Germany"}]}],"member":"374","published-online":{"date-parts":[[2023,6,7]]},"reference":[{"key":"2023062917121584742_j_auto-2022-0135_ref_001","doi-asserted-by":"crossref","unstructured":"R. Al-Ali, H. Robert, H. Petr, J.-V. Adrian, S. Stephan, and W. Maximilian, \u201cModeling of dynamic trust contracts for Industry 4.0 systems,\u201d in ECSA-C\u201918, Madrid, Spain, ACM, 2018.","DOI":"10.1145\/3241403.3241450"},{"key":"2023062917121584742_j_auto-2022-0135_ref_002","doi-asserted-by":"crossref","unstructured":"M. Walter, R. Heinrich, and R. Reussner, \u201cArchitectural attack propagation analysis for identifying confidentiality issues,\u201d in ICSA\u201922, Honolulu, HI, USA, IEEE, 2022.","DOI":"10.1109\/ICSA53651.2022.00009"},{"key":"2023062917121584742_j_auto-2022-0135_ref_003","unstructured":"OWASP, OWASP Top Ten Web Application Security Risks, 2021. Available at: https:\/\/owasp.org\/www-project-top-ten\/ [accessed: Oct. 25, 2021]."},{"key":"2023062917121584742_j_auto-2022-0135_ref_004","unstructured":"HP, HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack, 2014. Available at: https:\/\/www.hp.com\/us-en\/hp-news\/press-release.html1744676 [accessed: Oct. 05, 2021]."},{"key":"2023062917121584742_j_auto-2022-0135_ref_005","doi-asserted-by":"crossref","unstructured":"S. Seifermann, R. Heinrich, and R. Reussner, \u201cData-driven software architecture for analyzing confidentiality,\u201d in ICSA\u201919, Hamburg, Germany, IEEE, 2019, pp. 1\u201310.","DOI":"10.1109\/ICSA.2019.00009"},{"key":"2023062917121584742_j_auto-2022-0135_ref_006","doi-asserted-by":"crossref","unstructured":"S. Seifermann, R. Heinrich,D. Werle, et al.., Journal of Systems and Software, vol. 184, 2022, Art. no. 111138. https:\/\/doi.org\/10.1016\/j.jss.2021.111138.","DOI":"10.1016\/j.jss.2021.111138"},{"key":"2023062917121584742_j_auto-2022-0135_ref_007","unstructured":"R. Reussner, S. Becker, J. Happe, et al.., Modeling and Simulating Software Architectures \u2013 the Palladio Approach, Cambridge, MA, MIT Press, 2016, p. 408."},{"key":"2023062917121584742_j_auto-2022-0135_ref_008","doi-asserted-by":"crossref","unstructured":"R. Heinrich, S. Koch, K. Busch, R. Reussner, and B. Vogel-Heuser, \u201cArchitecture-based change impact analysis in cross-disciplinary automated production systems,\u201d JSS, vol.\u00a0146, no.\u00a0146, pp.\u00a0167\u2013185, 2018. https:\/\/doi.org\/10.1016\/j.jss.2018.08.058.","DOI":"10.1016\/j.jss.2018.08.058"},{"key":"2023062917121584742_j_auto-2022-0135_ref_009","doi-asserted-by":"crossref","unstructured":"S. Hahner, S. Seifermann, R. Heinrich, and R. Reussner, \u201cA classification of software-architectural uncertainty regarding confidentiality,\u201d in ICETE. To Appear, Cham, Springer, 2023.","DOI":"10.1007\/978-3-031-36840-0_8"},{"key":"2023062917121584742_j_auto-2022-0135_ref_010","doi-asserted-by":"crossref","unstructured":"M. Walter, S. Hahner, S. Seifermann, et al.., \u201cArchitectural optimization for confidentiality under structural uncertainty,\u201d ECSA, vol.\u00a02021, pp.\u00a0309\u2013332, 2022. https:\/\/doi.org\/10.1007\/978-3-031-15116-3_14.","DOI":"10.1007\/978-3-031-15116-3_14"},{"key":"2023062917121584742_j_auto-2022-0135_ref_011","doi-asserted-by":"crossref","unstructured":"M. Levandowsky and D. Winter, \u201cDistance between sets,\u201d Nature, vol.\u00a0234, no.\u00a05323, pp.\u00a034\u201335, 1971. https:\/\/doi.org\/10.1038\/234034a0.","DOI":"10.1038\/234034a0"},{"key":"2023062917121584742_j_auto-2022-0135_ref_012","doi-asserted-by":"crossref","unstructured":"R. Al-Ali, P. Hnetynka, J. Havlik, et al.., \u201cDynamic security rules for legacy systems,\u201d in ECSA 19 \u2013 Volume 2, New York, NY, USA, ACM, 2019, pp. 277\u2013284.","DOI":"10.1145\/3344948.3344974"},{"key":"2023062917121584742_j_auto-2022-0135_ref_013","doi-asserted-by":"crossref","unstructured":"P. Runeson and M. H\u00f6st, \u201cGuidelines for conducting and reporting case study research in software engineering,\u201d Empir. Softw. Eng., vol.\u00a014, no.\u00a02, pp.\u00a0131\u2013164, 2008. https:\/\/doi.org\/10.1007\/s10664-008-9102-8.","DOI":"10.1007\/s10664-008-9102-8"},{"key":"2023062917121584742_j_auto-2022-0135_ref_014","unstructured":"B. A. Hamilton, \u201cIndustrial cybersecurity threat briefing,\u201d Tech. rep., p. 82, 2016."},{"key":"2023062917121584742_j_auto-2022-0135_ref_015","unstructured":"M. Plachkinova and C. Maurer, \u201cSecurity breach at target,\u201d J. Inf. Syst. Educ., vol.\u00a029, no.\u00a01, pp.\u00a011\u201320, 2018."},{"key":"2023062917121584742_j_auto-2022-0135_ref_016","unstructured":"X. Shu, K. Tian, A. Ciambrone, and D. Yao. \u201cBreaking the target: an analysis of target data breach and lessons learned.\u201d In: arXiv:1701.04940 [cs], 2017."},{"key":"2023062917121584742_j_auto-2022-0135_ref_017","unstructured":"K. Katkalov, Ein modellgetriebener Ansatz zur Entwicklung informationsflusssicherer Systeme.\u201d doctoralthesis, Augsburg, Germany, Universit\u00e4t Augsburg, 2017."},{"key":"2023062917121584742_j_auto-2022-0135_ref_018","doi-asserted-by":"crossref","unstructured":"P. Nguyen, M. Kramer, J. Klein, and Y. L. Traon, \u201cAn extensive systematic review on the model-driven development of secure systems,\u201d Inf. Softw. Technol., vol.\u00a068, pp.\u00a062\u201381, 2015. https:\/\/doi.org\/10.1016\/j.infsof.2015.08.006.","DOI":"10.1016\/j.infsof.2015.08.006"},{"key":"2023062917121584742_j_auto-2022-0135_ref_019","doi-asserted-by":"crossref","unstructured":"B. Kordy, L. Pi\u00e9tre-Cambac\u00e9d\u00e8s, and P. Schweitzer, \u201cDAGbased attack and defense modeling: don\u2019t miss the forest for the attack trees,\u201d Comput. Sci. Rev., vols. 13\u201314, pp.\u00a01\u201338, 2014. https:\/\/doi.org\/10.1016\/j.cosrev.2014.07.001.","DOI":"10.1016\/j.cosrev.2014.07.001"},{"key":"2023062917121584742_j_auto-2022-0135_ref_020","doi-asserted-by":"crossref","unstructured":"S. Ananieva, S. Greiner, T. K\u00fchn, et al.., \u201cA conceptual model for unifying variability in space and time,\u201d in SPLC \u201920 Volume A Online, New York, NY, USA, Association for Computing Machinery, pp. 148\u2013158, 2020.","DOI":"10.1145\/3382025.3414955"}],"container-title":["at - Automatisierungstechnik"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.degruyter.com\/document\/doi\/10.1515\/auto-2022-0135\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.degruyter.com\/document\/doi\/10.1515\/auto-2022-0135\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,12,14]],"date-time":"2023-12-14T19:17:08Z","timestamp":1702581428000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.degruyter.com\/document\/doi\/10.1515\/auto-2022-0135\/html"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,1]]},"references-count":20,"journal-issue":{"issue":"6","published-online":{"date-parts":[[2023,6,7]]},"published-print":{"date-parts":[[2023,6,27]]}},"alternative-id":["10.1515\/auto-2022-0135"],"URL":"https:\/\/doi.org\/10.1515\/auto-2022-0135","relation":{},"ISSN":["0178-2312","2196-677X"],"issn-type":[{"type":"print","value":"0178-2312"},{"type":"electronic","value":"2196-677X"}],"subject":[],"published":{"date-parts":[[2023,6,1]]}}}