Security Standard Compliance in System of Systems

Abstract: The world we live in is being digitalized, transforming our society and economy in unprecedented ways. Digital technologies are transforming products, manufacturing assets, and entire supply chains. These technologies revolutionise how organisations engage with customers, partners, and society, depending on the ability to connect people, technology, and processes. Distributed services spanning different platforms, organisations, and even regions are becoming common with the digital transformation of industrial processes. More and more systems are constructed by interconnecting existing and new independent systems. The transformation from traditional, isolated systems to connected components in a System of Systems (SoS) provides many advantages, such as flexibility, efficiency, interoperability, and competitiveness. While it is clear that digital technology will transform most industries, a number of challenges remain to be addressed, especially in terms of standards and security.

In the past, providing a secure environment meant isolation from external access and physical protection, usually based on proprietary standards. Nowadays, with the development of state-of-the-art technologies, these systems have to meet, and provide proof of fulfilling, several requirements involving many stakeholders. Thus, to assure that organisations can move towards this multi-stakeholder cooperation, security is one of the challenges that need to be addressed. With the increasing number of devices, systems, and services in these complex systems, and the number of standards and regulations they should fulfill, the need for automated standard compliance verification is of utmost importance. Such verification will ensure that the components included in their business processes comply with the imposed standards, laws, and regulations.

The research presented in this thesis targets automated and continuous standard compliance verification in SoS. Standard compliance verification provides evidence that processes and their components satisfy the requirements defined by national and international standards. The thesis proposes an automated and continuous standard compliance verification framework that provides evidence of whether SoS components fulfill security standards' requirements, based on measurable indicator points extracted from those standards. Since these systems evolve over time, standard compliance is verified at design time and continuously monitored and verified at run time after the SoS has been deployed.
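The two-phase pattern described above (measurable indicator points checked once at design time, then re-evaluated continuously at run time) can be sketched in code. The example below is added here for illustration and is not the thesis's framework or its code: the indicator points, their identifiers (IP-01 to IP-05), the component names and the telemetry values are all hypothetical and are not taken from any standard. What it shows is the shape of such a verifier: each indicator is a measurable predicate over evidence, design-time verification reports which indicators a component fails, and a run-time monitor records compliance drift (a component that was compliant becoming non-compliant, or the reverse) as telemetry arrives after deployment.

```python
"""Illustrative design-time and run-time compliance verification with
measurable indicator points.  Added example: indicator points, component
names and telemetry are hypothetical and not derived from any standard."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Evidence = Dict[str, object]


@dataclass(frozen=True)
class IndicatorPoint:
    """A measurable indicator extracted from a requirement (hypothetical IDs)."""
    ident: str
    requirement: str                    # informal text of the requirement measured
    check: Callable[[Evidence], bool]   # predicate over a component's evidence
    runtime: bool = False               # True: must be re-evaluated after deployment


def _ge(key: str, minimum: float) -> Callable[[Evidence], bool]:
    return lambda ev: isinstance(ev.get(key), (int, float)) and ev[key] >= minimum


def _le(key: str, maximum: float) -> Callable[[Evidence], bool]:
    return lambda ev: isinstance(ev.get(key), (int, float)) and ev[key] <= maximum


def _true(key: str) -> Callable[[Evidence], bool]:
    return lambda ev: ev.get(key) is True


# Hypothetical indicator points; a real framework would derive these from standard clauses.
INDICATORS: List[IndicatorPoint] = [
    IndicatorPoint("IP-01", "Transport encryption uses TLS 1.2 or newer", _ge("tls_min_version", 1.2)),
    IndicatorPoint("IP-02", "Administrative access requires MFA", _true("admin_mfa")),
    IndicatorPoint("IP-03", "Security logs retained at least 90 days", _ge("log_retention_days", 90)),
    IndicatorPoint("IP-04", "Security patches applied within 30 days", _le("patch_age_days", 30), runtime=True),
    IndicatorPoint("IP-05", "Certificate not within 14 days of expiry", _ge("cert_days_left", 14), runtime=True),
]


def evaluate(evidence: Evidence, indicators: List[IndicatorPoint] = INDICATORS) -> Dict[str, bool]:
    """Evaluate every indicator against one component's evidence.
    Missing or non-numeric evidence fails closed (no evidence, no compliance)."""
    return {ip.ident: bool(ip.check(evidence)) for ip in indicators}


def verify_design(components: Dict[str, Evidence]) -> Dict[str, List[str]]:
    """Design-time verification: map each component to the indicators it fails."""
    return {name: [k for k, ok in evaluate(ev).items() if not ok]
            for name, ev in components.items()}


class RuntimeMonitor:
    """Re-evaluates run-time indicators on each telemetry update and records drift."""

    def __init__(self, components: Dict[str, Evidence]) -> None:
        self.state = {name: dict(ev) for name, ev in components.items()}
        self.runtime = [ip for ip in INDICATORS if ip.runtime]
        self.events: List[Tuple[str, str, str]] = []   # (component, indicator, transition)

    def update(self, component: str, telemetry: Evidence) -> List[str]:
        """Merge new telemetry, re-verify, log transitions; return failing indicators."""
        before = evaluate(self.state[component], self.runtime)
        self.state[component].update(telemetry)
        after = evaluate(self.state[component], self.runtime)
        failing: List[str] = []
        for ident, ok in after.items():
            if before[ident] and not ok:
                self.events.append((component, ident, "compliant->non-compliant"))
            elif not before[ident] and ok:
                self.events.append((component, ident, "non-compliant->compliant"))
            if not ok:
                failing.append(ident)
        return failing


# Constructed evidence for two components of a hypothetical SoS.
COMPONENTS: Dict[str, Evidence] = {
    "mes-gateway": {"tls_min_version": 1.2, "admin_mfa": True, "log_retention_days": 180,
                    "patch_age_days": 10, "cert_days_left": 200},
    "legacy-plc-bridge": {"tls_min_version": 1.0, "admin_mfa": False, "log_retention_days": 180,
                          "patch_age_days": 5, "cert_days_left": 40},
}


def demo() -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]]]:
    """Design-time report, then constructed run-time telemetry showing drift and recovery."""
    design = verify_design(COMPONENTS)
    mon = RuntimeMonitor(COMPONENTS)
    mon.update("mes-gateway", {"patch_age_days": 50})   # 50 days without patching
    mon.update("mes-gateway", {"patch_age_days": 0})    # patch applied, back in compliance
    return design, mon.events


if __name__ == "__main__":
    design_report, drift_events = demo()
    print(design_report)
    print(drift_events)
```

Two design choices matter for a verifier of this kind: evidence that is absent fails the indicator rather than passing it silently, so a component that stops reporting is flagged instead of staying "compliant" by default; and only indicators marked `runtime` are re-evaluated after deployment, since static properties such as the chosen TLS floor are fixed at design time while patch age and certificate lifetime change continuously.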