
    An Assurance Framework for Independent Co-assurance of Safety and Security

    Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons, such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even with this simplification, no methodology has been widely adopted, primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to unified co-assurance, which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. With this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronisation activities.

    How to Generate Security Cameras: Towards Defence Generation for Socio-Technical Systems

    Recently, security researchers have started to look into automated generation of attack trees from socio-technical system models. The obvious next step in this trend of automated risk analysis is automating the selection of security controls to treat the detected threats. However, the existing socio-technical models are too abstract to represent all security controls recommended by practitioners and standards. In this paper we propose an attack-defence model, consisting of a set of attack-defence bundles, to be generated and maintained with the socio-technical model. The attack-defence bundles can be used to synthesise attack-defence trees directly from the model to offer basic attack-defence analysis, but they can also be used to select and maintain the security controls that cannot be handled by the model itself. Comment: GraMSec 2015, 16 pages.

    Time dependent analysis with dynamic counter measure trees

    The success of a security attack crucially depends on time: the more time available to the attacker, the higher the probability of a successful attack. Formalisms such as Reliability block diagrams, Reliability graphs and Attack Countermeasure trees provide quantitative information about attack scenarios, but they are provably insufficient to model dependent actions which involve costs, skills, and time. In this presentation, we extend Attack Countermeasure trees with a notion of time, inspired by the fact that there is a strong correlation between the amount of resources the attacker invests (in this case, time) and the probability that the attacker succeeds. This allows for an effective selection of countermeasures and for ranking them according to their resource consumption, in terms of the costs/skills of installing them, and their effectiveness in preventing an attack.


    Development of an ontology supporting failure analysis of surface safety valves used in Oil & Gas applications

    Work developed within the framework of the 'European Project Semester' programme. The project describes how to apply Root Cause Analysis (RCA) in the form of a Failure Mode Effect and Criticality Analysis (FMECA) on hydraulically actuated Surface Safety Valves (SSVs) of Xmas trees in oil and gas applications, in order to be able to predict the occurrence of failures and implement preventive measures such as Condition and Performance Monitoring (CPM) to improve the life-span of a valve and decrease maintenance downtime. In the oil and gas industry, valves account for 52% of failures in the system. If these failures happen unexpectedly, they can cause a lot of problems. Downtime of the oil well quickly becomes an expensive problem, unscheduled maintenance takes a lot of extra time, and the lead-time for replacement parts can be up to 6 months. This is why being able to predict these failures beforehand can bring a lot of benefits to a company. To determine the best course of action for predicting failures, a FMECA report is created. This is an analysis in which all possible failures of all components are catalogued and given a Risk Priority Number (RPN), which has three variables: severity, detectability and occurrence. Each of these is given a rating between 0 and 10, and the variables are then multiplied with each other, resulting in the RPN. The components with an RPN above an acceptable risk level are then further investigated to see how their failures can be detected beforehand and how the risk that they pose can be mitigated. Applying FMECA to the SSV means breaking the system down into its components and determining the function, dependencies and possible failures of each. To this end, the SSV is broken up into three sub-systems: the valve, the actuator and the hydraulic system. The hydraulic system is the sub-system of the SSV responsible for containing, transporting and pressurizing the hydraulic fluid and, in turn, the actuator. It also contains all the safety features, such as pressure pilots, and a trip system in case a problem is detected in the oil line. The actuator is, as the name implies, the sub-system which opens and closes the valve. It is made up of a number of parts, such as a cylinder, a piston and a spring. These parts are interconnected in a number of ways to allow the actuator to successfully perform its function. The valve is the part of the system which actually interacts with the oil line by opening and closing. Like the actuator, this sub-system is broken down into a number of parts which work together to perform its function. After breaking down and defining each sub-system on a functional level, a model was created using a functional block diagram. For each component, the model also allows the dependencies and interactions with the other components to be defined, together with a failure diagram for that component. This model integrates the three sub-systems back into one, creating a complete picture of the entire system, which can then be used to determine the effects of failures in individual components on the rest of the system. With this model completed, we created a comprehensive FMECA report and tested the different possible CPM solutions to mitigate the largest risks.