Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: A case study using smart grid advanced metering infrastructure

Requirements Engineering

Volumn 18, Issue 3, 2013, Pages 251-279

  Suleiman, Husam ^a   Svetinovic, Davor ^a  

^a KHALIFA UNIVERSITY   (United Arab Emirates)

Author keywords

Advanced metering infrastructure (AMI) security; Qualitative research evaluation; Security quality requirements engineering (SQUARE) method; Security requirements engineering method evaluation; Smart grid security

Indexed keywords

IMPACT ANALYSIS; ITS APPLICATIONS; QUALITATIVE RESEARCH; QUALITY REQUIREMENTS; RISK LEVELS; SECURITY REQUIREMENTS; SECURITY REQUIREMENTS ENGINEERING; SMART GRID;

ADVANCED METERING INFRASTRUCTURES; REQUIREMENTS ENGINEERING; RESEARCH; RISK ASSESSMENT; SMART POWER GRIDS;

QUALITY CONTROL;

EID: 84881611525     PISSN: 09473602     EISSN: 1432010X     Source Type: Journal    
DOI: 10.1007/s00766-012-0153-4     Document Type: Article

References (97)

1. Ahl V (2005) An experimental comparison of five prioritization methods. Master's Thesis, School of Engineering, Blekinge Institute of Technology, Ronneby, Sweden.
2. Akao Y (2004) Quality function deployment. Productivity Press, Cambridge.
3. AlAbdulkarim L, Lukszo Z (2009) Smart metering for the future energy systems in the Netherlands. In: 4th IEEE international conference on critical infrastructures (CRIS), Linköping, Sweden, pp 1-7. doi: 10. 1109/CRIS. 2009. 5071484.
4. Alawairdhi M, Aleisa E (2011) A scenario-based approach for requirements elicitation for software systems complying with the utilization of ubiquitous computing technologies. In: The 35th IEEE annual computer software and applications conference workshops (COMPSACW), Munich, Germany, pp 341-344. doi: 10. 1109/COMPSACW. 2011. 63.
5. Ali R, Dalpiaz F, Giorgini P (2010) A goal-based framework for contextual requirements modeling and analysis. Require Eng 15(4): 439-458.
6. Allen W, Fletcher D, Fellhoelter K (2004) Securing critical information and communication infrastructures through electric power grid independence. In: The 25th IEEE international telecommunications energy conference (INTELEC'03), Yokohama, Japan, pp 170-177.
7. Amin M, Wollenberg B (2005) Toward a smart grid: power delivery for the 21st century. IEEE Power Energy Mag 3(5): 34-41. doi: 10. 1109/MPAE. 2005. 1507024.
8. Anderson G (1998) Fundamentals of educational research, vol 1. Routledge.
9. Antón Al, Earp JB (2001) Strategies for developing policies and requirements for secure e-commerce systems. In: Ghosh AK (ed) Recent advances in e-commerce security and privacy. Kluwer Academic Publishers, pp 29-46.
10. Beck K (2000) Extreme programming explained: embrace change. Addison-Wesley Professional.
11. Bennett C, Highfill D (2008) Networking AMI smart meters. In: IEEE Energy 2030 conference, Atlanta, Georgia, pp 1-8. doi: 10. 1109/ENERGY. 2008. 4781067.
12. Boehm B, Ross R (1989) Theory-w software project management principles and examples. IEEE Trans Softw Eng 15(7): 902-916.
13. Brackett J (1990) Software requirements. SEI Curriculum module SEI-CM-19-1. 2. Technical report, Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
14. Butler S (2002) Security attribute evaluation method: a cost-benefit approach. In: Proceedings of the 24th ACM international conference on software engineering. Orlando, Florida, pp 232-240. doi: 10. 1145/581339. 581370.
15. Checkland P (1989) Soft system methodology. Human Syst Manage 8(4): 273-289.
16. Chung L, Hung F, Hough E, Ojoko-Adams D, Mead N (2006) Security quality requirements engineering (SQUARE): case study phase III. Tech. rep., CMU/SEI-2006-SR-003. Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
17. Cleveland F (2008) Cyber security issues for advanced metering infrastructure (AMI). In: IEEE Power and energy society general meeting-conversion and delivery of electrical energy in the 21st century. Pittsburgh, USA, pp 1-5. doi: 10. 1109/PES. 2008. 4596535.
18. Cornford S, Feather M, Hicks K (2001) DDP-A tool for life-cycle risk management. In: IEEE Proceedings of aerospace conference, vol 1. Big Sky, MT, pp 1/441-1/451. doi: 10. 1109/AERO. 2001. 931736.
19. Corporation M (2011) Glossary, MSDN, web service security: scenarios, patterns, and implementation guidance for web services enhancements (WSE) 3. 0, December 2005. http://msdn. microsoft. com/en-us/library/aa480547. aspx.
20. Cox W, Considine T, Principal T (2009) Architecturally significant interfaces for the smart grid.
21. Creswell J (2009) Research design: qualitative, quantitative, and mixed methods approaches. Sage Publications, London.
22. Darimont R, Delor E, Massonet P, van Lamsweerde A (1997) Grail/kaos: an environment for goal-driven requirements engineering. In: Proceedings of the 19th ACM international conference on software engineering (ICSE '97). Boston, Massachusetts, pp 612-613. doi: 10. 1145/253228. 253499.
23. Davis A (2003) The art of requirements triage. IEEE Computer 36(3): 42-49. doi: 10. 1109/MC. 2003. 1185216.
24. Davis A (2005) Just enough requirements management: where software development meets marketing.
25. Den Braber F, Hogganvik I, Lund M, Stolen K, Vraalsen F (2007) Model-based security analysis in seven steps a guided tour to the CORAS method. BT Technol J 25(1): 101-117. doi: 10. 1007/s10550-007-0013-9.
26. Diallo M, Romero-Mariona J, Sim S, Richardson D (2006) A comparative evaluation of three approaches to specifying security requirements. In: 12th Working conference on requirements engineering: foundation for software quality (REFSQ '06). Luxembourg.
27. Elahi G, Yu E (2007) A goal oriented approach for modeling and analyzing security trade-offs. In: Proceedings of the 26th international conference on Conceptual modeling, ER'07. Springer, Berlin, pp 375-390. http://dl. acm. org/citation. cfm?id=1784489. 1784524.
28. Ericsson G (2010) Cyber security and power system communication essential parts of a smart grid infrastructure. IEEE Trans Power Deliv 25(3): 1501-1507.
29. Fabian B, Gurses S, Heisel M, Santen T, Schmidt H (2010) A comparison of security requirements engineering methods. Require Eng 15(1): 7-40.
30. Farhangi H (2009) The path of the smart grid. IEEE Power Energy Mag 8(1): 18-28.
31. Fernandez E, Larrondo-Petrie M (2010) Designing secure SCADA systems using security patterns. In: 43rd IEEE Hawaii international conference on system sciences (HICSS). Poipu, Kauai, pp 1-8. doi: 10. 1109/HICSS. 2010. 139.
32. FitzPatrick G, Wollman D (2010) NIST interoperability framework and action plans. In: IEEE power and energy society general meeting, Minneapolis, pp 1-4. doi: 10. 1109/PES. 2010. 5589699.
33. Fossey E, Harvey C, McDermott F, Davidson L (2002) Understanding and evaluating qualitative research. Aust NZ J Psych 36(6): 717-732.
34. Gellings C, Samotyj M, Howe B (2004) The future's smart delivery system [electric power supply]. IEEE Power Energy Mag 2(5): 40-48.
35. Gordon D, Stehney T, Wattas N, Yu E (2005) System quality requirements engineering (SQUARE): case study on asset management system, phase II. Special rep., CMU/SEI-2005-SR-005. Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
36. Haimes Y (2009) Risk modeling, assessment, and management. Wiley, London.
37. Haley C, Laney R, Nuseibeh B (2004) Deriving security requirements from crosscutting threat descriptions. In: Proceedings of the 3rd ACM international conference on aspect-oriented software development (AOSD '04). Lancaster, UK, pp 112-121. doi: 10. 1145/976270. 976285.
38. Haley C, Laney R, Moffett J, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans on Softw Eng 34(1): 133-153.
39. Hassan R, Radman G (2010) Survey on smart grid. In: Proceedings of the IEEE SoutheastCon (SoutheastCon), Charlotte-Concord, NC, pp 210-213. doi: 10. 1109/SECON. 2012. 5453886.
40. Horsburgh D (2003) Evaluation of qualitative research. J Clin Nurs 12(2): 307-312.
41. Hubbard RP (1999) Design, implementation and evaluation of a process to structure the collection of software project requirements. Ph. D. thesis AAI9921957.
42. Hubbard R, Schroeder C, Mead N (2000) An assessment of the relative efficiency of a facilitator-driven requirements collection process with respect to the conventional interview method. In: Proceedings of 4th IEEE international conference on requirements engineering. Schaumburg, IL, pp 178-186. doi: 10. 1109/ICRE. 2000. 855608.
43. Jacobson I, Christerson M, Jonsson P, Overgaard G (1992) Object-oriented software engineering: a use case driven approach. Addison-Wesley, Boston.
44. Jakimi A, Sabraoui A, Badidi E, Idri A, El Koutbi M (2007) Use cases and scenarios engineering. In: 4th IEEE international conference on innovations in information technology (IIT '07), Dubai, United Arab Emirates, pp 521-525. doi: 10. 1109/IIT. 2007. 4430418.
45. Jrjens J (2010) Secure systems development with UML. Springer, Berlin.
46. Kang K, Cohen S, Hess J, Novak W, Peterson A (1990) Feature-oriented domain analysis (FODA) feasibility study. Tech. rep., CMU/SEI-90-TR-021. Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
47. Karlsson J (1995) Towards a strategy for software requirements selection. Department of Computer and Information science, Linkoping University, Linkoping, Sweden, Licentiate thesis 513.
48. Karlsson J (1996) Software requirements prioritizing. In: Proceedings of the 2nd IEEE international conference on requirements engineering (ICRE '96). Colorado Springs, Colorado, USA, pp 110-116. doi: 10. 1109/ICRE. 1996. 491435.
49. Karlsson J, Ryan K (1997) A cost-value approach for prioritizing requirements. IEEE Software 14(5): 67-74. doi: 10. 1109/52. 605933.
50. Khurana H, Hadley M, Lu N, Frincke D (2010) Smart-Grid Security Issues. IEEE Secur Priv 8(1): 81-85.
51. Kunz W, Rittel H (1970) Issues as elements of information systems. Working Paper No 131, Institute of Urban and Regional Development, University of California, Berkeley, CA.
52. Leffingwell D, Widrig D (2003) Managing software requirements: a use case approach. Addison-Wesley.
53. Lipson H, Mead N, Moore A (2001) A risk-management approach to the design of survivable COTS-based systems.
54. Liu L, Yu E, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. In: Proceedings of the 11th IEEE international requirements engineering conference. Monterey, California, pp 151-161. doi: 10. 1109/ICRE. 2003. 1232746.
55. Lodderstedt T, Basin D, Doser J (2002) SecureUML: a UML-based modeling language for model-driven security. UML The Unified Modeling Language, Lecture Notes in Computer Science, Springer, vol 2460/2002, pp 426-441. doi: 10. 1007/3-540-45800-X_33.
56. McLaughlin S, Podkuiko D, McDaniel P (2010) Energy theft in the advanced metering infrastructure. Critic Inform Infrastruct Secur, Lecture Notes in Computer Science, vol 6027/2010, pp 176-187. doi: 10. 1007/978-3-642-14379-3_15.
57. Mead N, Stehney T (2005) Security quality requirements engineering (SQUARE) methodology. In: Proceedings of the ACM workshop on software engineering for secure systems building trustworthy applications, pp 1-7. doi: 10. 1145/1083200. 1083214.
58. Mead N, Ellison R, Linger R, Longstaff T, McHugh J (2000) Survivable network analysis method. Tech. rep., CMU/SEI-2000-TR-013. Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
59. Mead N, Viswanathan V, Padmanabhan D (2008) Incorporating security quality requirements engineering (SQUARE) into standard life-cycle models. Technical Note, CMU/SEI-2008-TN-006. Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
60. Moisiadis F (2000) Prioritising scenario evolution. In: Proceedings of the 4th IEEE international conference on requirements engineering. Schaumburg, IL, pp 85-94. doi: 10. 1109/ICRE. 2000. 855595.
61. Moisiadis F, McRae A (2001) A requirements prioritisation tool. In: 6th Australian workshop on requirements engineering (AWRE 2001), Sydney, Australia.
62. Moore A, Ellison R, Linger R (2001) Attack modeling for information security and survivability. Technical note, SEI-2001-TN-001. Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
63. Mouratidis H, Giorgini P (2007) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(2): 285-309.
64. Mouratidis H, Giorgini P (2009) Enhancing secure Tropos to effectively deal with security requirements in the development of multiagent systems. Safe Secur Multiagent Syst, Lecture Notes in Computer Science, vol 4324/2009, pp 8-26. doi: 10. 1007/978-3-642-04879-1_2.
65. Mouratidis H, Jurjens J (2010) From goal-driven security requirements engineering to secure design. Int J Intell Syst 25(8): 813-840.
66. Mullery G (1979) CORE-a method for controlled requirement specification. In: Proceedings of the 4th IEEE international conference on software engineering (ICSE '79). Munich, West Germany, pp 126-135.
67. National Security Agency IAM (2004) Information security assurance training and rating program (ISATRP). http://www. isatrp. org/index. php.
68. Network, telecom dictionary, encyclopedia-NetworkDictionary: Information, computer and network security terms glossary and dictionary-d-networkdictionary (2004-2011). http://www. networkdictionary. com/security/d. php.
69. Office UGA (1999) Information security risk assessment: practices of leading organizations. No.: GAO/AIMD-00-33, p 50.
70. Ojoko-Adams D, Chen P, Dean M, Osman H, Lopez L, Xie N, Mead N (2004) System quality requirements engineering (SQUARE) methodology: case study on asset management system. Special Report, CMU/SEI-2004-SR-015. Software Engineering Institute, Carnegie Mellon University, Pittsburgh.
71. Rowley J (2002) Using case studies in research. Manage Res News 25(1): 16-27.
72. Saaty T (1980) Analytic hierarchy process. McGraw-Hill, New York.
73. Schiffrin D (1994) Approaches to discourse, vol 8. Wiley-Blackwell.
74. Shein R (2010) Security Measures for Advanced Metering Infrastructure Components. In: IEEE Asia-Pacific power and energy engineering conference (APPEEC), Chengdu, China, pp 1-3. doi: 10. 1109/APPEEC. 2010. 5448261.
75. Shenton A (2004) Strategies for ensuring trustworthiness in qualitative research projects. Educ inform 22(2): 63-76.
76. Sindre G, Opdahl A (2001) Capturing security requirements through misuse cases. Norsk Informatik konferanse (NIK '01). http://www. nik. no.
77. Smart D (2002) Increase flexibility and security in prepayment, through the use of a separate consumer interface. In: 9th IET international conference on (Conf. Publ. No. 462) metering and tariffs for energy supply. Birmingham, UK, pp 242-247. doi: 10. 1049/cp: 19990145.
78. Software Engineering Institute CMU (2010) SQUARE. https://buildsecurityin. us-cert. gov/bsi/articles/best-practices/requirements/232-bsi. html.
79. Software Engineering Institute CMU (2010) SQUARE. http://www. cert. org/sse/square/square-faq. html.
80. Software Engineering Institute CMU (2011) http://www. sei. cmu. edu/.
81. Stoneburner G, Goguen A, Feringa A (2002) Risk management guide for information technology systems. NIST special publication 800, 30.
82. Stouffer K, Falco J, Scarfone K (2007) Guide to industrial control systems (ICS) security. NIST Special Publication 800, 82.
83. Sui H, Wang H, Lu M, Lee W (2009) An AMI system for the deregulated electricity markets. IEEE Trans Indus Appl 45(6): 2104-2108.
84. Sutcliffe A, Maiden N, Minocha S, Manuel D (1998) Supporting scenario-based requirements engineering. IEEE Trans Softw Eng 24(12): 1072-1088.
85. Ten C, Govindarasu M, Liu C (2007) Cybersecurity for electric power control and automation systems. In: IEEE international conference on systems, man and cybernetics ISIC. Montreal, Quebec, pp 29-34. doi: 10. 1109/ICSMC. 2007. 4414239.
86. Ten CW, Liu CC, Govindarasu M (2007) Vulnerability assessment of cybersecurity for SCADA systems using attack trees. In: IEEE power engineering society general meeting. Tampa, Florida, pp 1-8. doi: 10. 1109/PES. 2007. 385876.
87. Ten C, Manimaran G, Liu C (2010) Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybernet Part A Syst Humans 40(4): 853-865.
88. van Lamsweerde A (2007) Engineering requirements for system reliability and security. NATO Secur Through Sci Series D-Inform Commun Secur 9: 196.
89. Wang H, Jia Z, Shen Z (2009) Research on security requirements engineering process. In: 16th International conference on industrial engineering and engineering management, IEEM '09. Beijing, China, pp 1285-1288. doi: 10. 1109/ICIEEM. 2009. 5344450.
90. Watts D (2003) Security and vulnerability in electric power systems. In: 35th North American power symposium (NAPS '03). University of Missouri Rolla in Rolla, Missouri, USA, pp 559-566.
91. Wei D, Lu Y, Jafari M, Skare P, Rohde K (2010) An integrated security system of protecting Smart Grid against cyber attacks. In: IEEE innovative smart grid technologies (ISGT). Gaithersburg, MD, pp 1-7. doi: 10. 1109/ISGT. 2010. 5434767.
92. Wiegers K (2003) Software requirements: practical techniques for gathering and managing requirements throughout the product development cycle. Microsoft Press.
93. won Park J, Port D, Boehm B (1999) Supporting distributed collaborative prioritization for winwin requirements capture and negotiations. In: 3rd International world multiconference on systemics, cybernetics and informatics (SCI '99), IIIS, vol 2. Orlando, FL, pp 578-584.
94. Wood J, Silver D (1989) Joint application design: how to design quality systems in 40 % less time. Wiley, New York.
95. Wright D (2008) Threats and vulnerabilities. Safeguards in a World of Ambient Intelligence. Springer, pp 143-178.
96. Yin R (2003) Case study research: design and methods, volume 5 of applied social research methods series. Sage Publications, Thousand Oaks, USA.
97. Yu E, Mylopoulos J (1998) Why goal-oriented requirements engineering. In: Proceedings of the 4th international workshop on requirements engineering: foundations of software quality. Pisa, Italy, pp 15-22.