Integrated Safety and Security Risk Assessment Methods: A Survey of Key Characteristics and Applications

Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future

Querying Fault and Attack Trees:Property Specification on a Water Network

We provide an overview of three different query languages whose objective is to specify properties on the highly popular formalisms of fault trees (FTs) and attack trees (ATs). These are BFL, a Boolean Logic for FTs, PFL, a probabilistic extension of BFL and ATM, a logic for security metrics on ATs. We validate the framework composed by these three logics by applying them to the case study of a water distribution network. We extend the FT for this network - found in the literature - and we propose to model the system under analysis with the Fault Trees/Attack Trees (FT/ATs) formalism, combining both FTs and ATs in a unique model. Furthermore, we propose a novel combination of the showcased logics to account for queries that jointly consider both the FT and the AT of the model, integrating influences of attacks on failure probabilities of different components. Finally, we extend the domain specific language for PFL with novel constructs to capture the interplay between metrics of attacks - e.g., "cost", success probabilities - and failure probabilities in the system

セキュリティ対策を組み入れた車載システム開発手法の研究

兵庫県立大学院201

Model-based Safety and Security Co-analysis: a Survey

We survey the state-of-the-art on model-based formalisms for safety and security analysis, where safety refers to the absence of unintended failures, and security absence of malicious attacks. We consider ten model-based formalisms, comparing their modeling principles, the interaction between safety and security, and analysis methods. In each formalism, we model the classical Locked Door Example where possible. Our key finding is that the exact nature of safety-security interaction is still ill-understood. Existing formalisms merge previous safety and security formalisms, without introducing specific constructs to model safety-security interactions, or metrics to analyze trade offs

Cyber LOPA: An Integrated Approach for the Design of Dependable and Secure Cyber Physical Systems

Safety risk assessment is an essential process to ensure a dependable Cyber-Physical System (CPS) design. Traditional risk assessment considers only physical failures. For modern CPS, failures caused by cyber attacks are on the rise. The focus of latest research effort is on safety-security lifecycle integration and the expansion of modeling formalism for risk assessment to incorporate security failures. The interaction between safety and security and its impact on the overall system design, as well as the reliability loss resulting from ignoring security failures are some of the overlooked research questions. This paper addresses these research questions by presenting a new safety design method named Cyber Layer Of Protection Analysis (CLOPA) that extends existing LOPA framework to include failures caused by cyber attacks. The proposed method provides a rigorous mathematical formulation that expresses quantitatively the trade-off between designing a highly-reliable versus a highly-secure CPS. We further propose a co-design lifecycle process that integrates the safety and security risk assessment processes. We evaluate the proposed CLOPA approach and the integrated lifecycle on a practical case study of a process reactor controlled by an industrial control testbed, and provide a comparison between the proposed CLOPA and current LOPA risk assessment practice.Comment: Main Content: Title adjusted, Related work moved to end, added references, Sec IV (prev. sec V): expanded discussion, design and Alg. 1 updated | Sec V (prev. sec VI): Expanded discussion, Table V Expanded. Editorial: Fig 1 redrawn horiz., Eq (4)(5) math notation changed, same content. Eq (25) expanded, Page-wide eq. not ref as fig (shift by 1 of fig num), Fig 4 iterative design values show

Combination of Safety and Security Analysis - Finding Security Problems That Threaten the Safety of a System

In most cases in a safety analysis the influences of security problems are omitted or even forgotten. Because more and more systems are accessible from outside the system via maintenance interfaces, this missing security analysis is becoming a problem. This is why we propose an approach on how to extend the safety analysis by security aspects. Such a more comprehensive analysis should lead to systems that react in less catastrophic ways to attacks