Operations security evaluation of IaaS-cloud backend for industry 4.0
University of Applied Sciences Burgenland, Eisenstadt.
University of Applied Sciences Burgenland, Eisenstadt.
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Embedded Internet Systems Lab. University of Applied Sciences Burgenland, Eisenstadt. ORCID iD: 0000-0003-2477-3692
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Embedded Internet Systems Lab. University of Applied Sciences Burgenland, Eisenstadt.
2018 (English). In: CLOSER 2018: Proceedings of the 8th International Conference on Cloud Computing and Services Science / [ed] Ferguson D., Helfert M., Pahl C., Munoz V.M., 2018, p. 392-399. Conference paper, Published paper (Refereed)
Abstract [en]

The fast-growing number of cloud-based Infrastructure-as-a-Service instances raises the question of how the operations security depending on the underlying cloud computing infrastructure can be sustained and guaranteed. Security standards provide guidelines for information security controls applicable to the provision and use of cloud services. The objectives of operations security are to support planning and sustaining of day-to-day processes that are critical with respect to the security of information environments. In this work we provide a detailed analysis of the ISO 27017 standard regarding security controls and investigate how well popular cloud platforms can cater for them. The resulting gap of support for individual security controls is furthermore compared with outcomes of recent cloud security research projects. Hence the contribution is twofold: first, we identify a set of topics that still require research and development, and second, as a practical output, we provide a comparison of popular industrial and open-source platforms focusing on private cloud environments, which are important for Industry 4.0 use cases.

Place, publisher, year, edition, pages
2018. p. 392-399
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Industrial Electronics
Identifiers
URN: urn:nbn:se:ltu:diva-70237; Scopus ID: 2-s2.0-85048945725; ISBN: 9789897582950 (print); OAI: oai:DiVA.org:ltu-70237; DiVA, id: diva2:1237004
Conference
8th International Conference on Cloud Computing and Services Science, CLOSER 2018, Funchal, Madeira, Portugal, 19-21 March 2018
Available from: 2018-08-07 Created: 2018-08-07 Last updated: 2021-10-02. Bibliographically approved
In thesis
1. Security Standard Compliance in System of Systems
2020 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The world we live in is becoming digitalized by transforming our society and economy in an unpredicted way. Digital technologies are transforming products, manufacturing assets, and entire supply chains. These technologies revolutionize how organisations engage with customers, other partners, and society depending on the ability to connect people, technology, and processes. Distributed services through different platforms, organisations, and even regions are becoming very common with the digital transformation of industrial processes. More and more systems are being constructed by interconnecting existing and new independent systems. The transformation from traditional and isolated systems to connected components in a System of Systems (SoS), provides many advantages such as flexibility, efficiency, interoperability, and competitiveness. While it is clear that digital technology will transform most industries, there are a number of challenges to be addressed, especially in terms of standards and security.

In the past, providing a secure environment meant isolation from external access and providing physical protection, usually based on proprietary standards. Nowadays, with the development of state-of-the-art technologies, these systems have to meet and provide proof of fulfilling several requirements and involving many stakeholders. Thus, to assure that organisations can move towards this multi-stakeholder cooperation, security is one of the challenges that need to be addressed. With the increasing number of devices, systems, and services in these complex systems and the number of standards and regulations they should fulfill, the need for automated standard compliance verification is of utmost importance. Such verification will ensure that the components included in their business processes comply with the imposed standards, laws and regulations.

The research presented in this thesis targets the automated and continuous standard compliance verification in SoS. Standard compliance verification provides evidence that processes and their components satisfy the requirements defined by national and international standards. The thesis proposes an automated and continuous standard compliance verification framework that provides evidence if SoS components fulfill security standards’ requirements based on extracted measurable indicator points. Since these systems evolve over time, the standard compliance is verified in design time and continuously monitored and verified during run time after the SoS has been deployed.

Place, publisher, year, edition, pages
Luleå University of Technology, 2020
Series
Doctoral thesis / Luleå University of Technology 1 jan 1997 → …, ISSN 1402-1544
Keywords
Security, Standard, Security Standards, System of Systems, Industry 4.0, Digitization, Standard Compliance, Security Standards, Standardization Bodies, Internet of Things, Cyber Physical Systems
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Electronic systems
Identifiers
urn:nbn:se:ltu:diva-80454 (URN); 978-91-7790-632-2 (ISBN); 978-91-7790-633-9 (ISBN)
Public defence
2020-11-18, A1543, 13:00 (English)
Available from: 2020-08-20 Created: 2020-08-18 Last updated: 2020-10-28. Bibliographically approved
2. Autonomic Management of System of Systems Security
2021 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The digitalization of manufacturing industry and the profound reliance on interconnected System of Systems (SoS) is demanding for innovative solutions that can handle production processes, while making use of the new data that is being generated by various connected devices. Innovations based on collecting, evaluating, and using this data can improve existing processes and create new business models. Although this is beneficial to the user, at the same time, it opens the way for adversaries to exploit new vulnerabilities. Since the factories are exposing their internal production processes to the internet, security is one of the challenges that should be addressed in this new digitalization era, referred to as the fourth industrial revolution or Industry 4.0. Furthermore, security cannot be seen as independent from other non-functional requirements of SoS, e.g. performance or safety aspects. Addressing security without risking to negatively affect other aspects and vice versa is a main concern for such interconnected systems.

This thesis outlines the progress made towards security management and mitigation in SoS. It proposes an automated and secure onboarding procedure, which is required to introduce a new device in a SoS environment without compromising the already on-boarded devices and the underlying infrastructure. The proposed procedure establishes a chain of trust from the hardware device to its hosted application systems and their provided services by creating a chain of digital certificates. Thus, it allows to rely on the information on which “smart” decisions are being based, while ensuring a secure and trusted communication between the interacting systems.

Even with security controls in place, e.g. the automated onboarding procedure, maintaining a required security level for the SoS as a whole is difficult due to uncertainties that may occur at runtime. Uncertainties may occur due to internal factors, e.g. malfunction of a system, or external factors, e.g. malicious attacks. One approach that can tackle these uncertainties at run time and manage trade-offs between security and other non-functional requirements is self-adaptation. Self-adaptation enables a system to adapt in the face of such uncertainties without human intervention.

This thesis proposes a generic autonomic management system aimed to support the engineers in building self-adaptive systems that should cope with dynamic changes of the environment and system itself, while considering the expected rapid advances of system attacks. Given its generic property, the system can be reused and extended for a variety of use cases without requiring major modifications. This will reduce the software engineering effort needed to implement the generic control mechanisms. A prototype of the system has been implemented and tested.

Place, publisher, year, edition, pages
Luleå University of Technology, 2021
Series
Doctoral thesis / Luleå University of Technology 1 jan 1997 → …, ISSN 1402-1544
Keywords
System of Systems, Security, Self-Adaptation, Autonomic Management, Eclipse Arrowhead
National Category
Computer Sciences
Research subject
Cyber-Physical Systems
Identifiers
urn:nbn:se:ltu:diva-87316 (URN); 978-91-7790-942-2 (ISBN); 978-91-7790-943-9 (ISBN)
Public defence
2021-11-17, E632, Luleå, 10:00 (English)
Available from: 2021-10-04 Created: 2021-10-02 Last updated: 2022-01-03. Bibliographically approved

Authority records

Bicaku, Ani; Maksuti, Silia
