An Assurance Framework for Independent Co-assurance of Safety and Security

Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc.. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even with this simplification, no methodology has been widely adopted primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to unified co-assurance which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. With this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronisation activities

Safety and Security Co-engineering and Argumentation Framework

Automotive systems become increasingly complex due to their functional range and data exchange with the outside world. Until now, functional safety of such safety-critical electrical/electronic systems has been covered successfully. However, the data exchange requires interconnection across trusted boundaries of the vehicle. This leads to security issues like hacking and malicious attacks against interfaces, which could bring up new types of safety issues. Before mass-production of automotive systems, arguments supported by evidences are required regarding safety and security. Product engineering must be compliant to specific standards and must support arguments that the system is free of unreasonable risks. This paper shows a safety and security co-engineering framework, which covers standard compliant process derivation and management, and supports product specific safety and security co-analysis. Furthermore, we investigate process- and product-related argumentation and apply the approach to an automotive use case regarding safety and security.This work is supported by the projects EMC2 and AMASS. Research leading to these results has received funding from the EU ARTEMIS Joint Undertaking under grant agreement no. 621429 (project EMC2), project AMASS (H2020-ECSEL no 692474; Spain’s MINECO ref. PCIN-2015-262) and from the COMET K2 - Competence Centres for Excellent Technologies Programme of the Austrian Federal Ministry for Transport, Innovation and Technology (bmvit), the Austrian Federal Ministry of Science, Research and Economy (bmwfw), the Austrian Research Promotion Agency (FFG), the Province of Styria and the Styrian Business Promotion Agency (SFG)

An Assurance Framework for Independent Co-assurance of Safety and Security

Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons, such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges to present a unified methodology. Even with this simplification, no methodology has been widely adopted, primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to a unified co-assurance, which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. In this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronization activities

A Novel System-Theoretic Matrix-Based Approach to Analysing Safety and Security of Cyber-Physical Systems

Cyber-Physical Systems (CPSs) are getting increasingly complex and interconnected. Consequently, their inherent safety risks and security risks are so intertwined that the conventional analysis approaches which address them separately may be rendered inadequate. STPA (Systems-Theoretic Process Analysis) is a top-down hazard analysis technique that has been incorporated into several recently proposed integrated Safety and Security (S&S) analysis methods. This paper presents a novel methodology that leverages not only STPA, but also custom matrices to ensure a more comprehensive S&S analysis. The proposed methodology is demonstrated using a case study of particular commercial cloud-based monitoring and control system for residential energy storage systems

A Novel System-Theoretic Matrix-Based Approach to Analysing Safety and Security of Cyber-Physical Systems

Cyber-Physical Systems (CPSs) are getting increasingly complex and interconnected. Consequently, their inherent safety risks and security risks are so intertwined that the conventional analysis approaches which address them separately may be rendered inadequate. STPA (Systems-Theoretic Process Analysis) is a top-down hazard analysis technique that has been incorporated into several recently proposed integrated Safety and Security (S&S) analysis methods. This paper presents a novel methodology that leverages not only STPA, but also custom matrices to ensure a more comprehensive S&S analysis. The proposed methodology is demonstrated using a case study of particular commercial cloud-based monitoring and control system for residential energy storage systems

A Comparison of Hazards and Efficiencies of Conventional and Adaptive Control Algorithms Using Systems-Theoretic Process Analysis

Control systems are an important and increasingly complex part of most industrial and non-industrial systems. As such, identifying and handling associated risks is increasingly important. Systems- Theoretic Process Analysis (STPA) is a relatively new hazard identification method developed to analyze modern, complex control systems. While traditional hazard analysis methods mainly focus on the failures of a system, STPA focuses on interactions among control commands and environmental conditions, so that potential non-failure problems, mainly caused by unsafe control actions, can be identified. Proportional-Integral-Derivative (PID) controllers are the most common conventional controllers (CCs) and are widely used in industry due to their simplicity. PID controllers are tuned for operation and based on the system behaviour, in a certain limited operating region. If the behavior and/or operating region of a system changes over time, the PID controller requires retuning to perform as desired and prevent loss of production, or accidents, due to inadequate control. Adaptive controllers (ACs) are able to self-adjust and adapt to changes in the system parameters and operating region, such that the overall control task is performed without the need for continuous re-tuning by an operator. The tuning of an AC is done once, at the time of implementation. This can be very helpful for both the efficiency and the safety of the control system. The interactions between the operator and the control system are reduced when the controller is able to self-adjust, potentially reducing the number of hazards. On the other hand, the complexity of ACs may introduce new kinds of hazards that do not exist when using CCs. In this paper, we compare CCs and ACs from both a control and a safety perspective using STPA. As a test case, we compare the efficiencies and hazards of a CC, and an AC applied to a pipeline-riser system subject to slug flow, a hazardous phenomenon occurring in mixed oil and gas pipes. This phenomenon is difficult to control since the behaviour changes drastically with different flow conditions

Learning from safety science: A way forward for studying cybersecurity incidents in organizations

In the aftermath of cybersecurity incidents within organizations, explanations of their causes often revolve around isolated technical or human events such as an Advanced Persistent Threat or a “bad click by an employee.” These explanations serve to identify the responsible parties and inform efforts to improve security measures. However, safety science researchers have long been aware that explaining incidents in socio-technical systems and determining the role of humans and technology in incidents is not an objective procedure but rather an act of social constructivism: what you look for is what you find, and what you find is what you fix. For example, the search for a technical “root cause” of an incident might likely result in a technical fix, while from a sociological perspective, cultural issues might be blamed for the same incident and subsequently lead to the improvement of the security culture. Starting from the insights of safety science, this paper aims to extract lessons on what general explanations for cybersecurity incidents can be identified and what methods can be used to study causes of cybersecurity incidents in organizations. We provide a framework that allows researchers and practitioners to proactively select models and methods for the investigation of cybersecurity incidents