Cybersecurity Vulnerability Identification in System-of-Systems using Model-based Testing

When operationally and managerially independent constituent systems are integrated to form a System of Systems (SoS), cybersecurity vulnerabilities can be exploited by cyber threats that can break the security requirements of SoS due to its collaborative nature. Using model-based testing to generate test cases automatically can potentially aid in discovering vulnerabilities. However, security test case generation is time-consuming, error-prone, and labor-intensive; therefore, it is desirable to fully or partially automate security testing processes. This paper proposes the automatic test data generation using formal models presented as communicating sequential processes. We use the model-checking technique that generates counterexamples when the specified security properties are violated. Our approach then converted those counterexamples into executable test data by applying the conversion rule and defined mapping algorithm. We demonstrate our approach with an experiment using an operation of an air traffic control (ATC) system, a representative of SoS. We developed an agent simulation program to test the operation of the ATC by using the generated test data and evaluating it in terms of vulnerability identification. We incorporated four attack types, and our experimental results show that the security tests generated from the models can identify the known vulnerabilities in the ATC system.