Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Adelard LLP, 24 Waterside, 44-48 Wharf Road, London N1 7UXT +44 20 7832 5850 E [email protected] W www.adelard.com
PT/632/309/81
SECURITY INFORMED SAFETY
WHY ITS EASY, WHY ITS HARD
Professor Robin E Bloomfield FREng
Adelard LLPCity, University of London
[email protected]@city.ac.ukJanuary 2019
© 2018 ADELARD LLP
ADELARD
• Adelard is a specialized, influential product and services company working on safety, security and resilience since 1987
• Wide-ranging experience of assessing computer-based systems and components
• Work across different industrial sectors, including nuclear, rail, defence, aviation, financial, medical• Policy, methodology, technology• Product for managing safety and assurance cases (ASCE)• Security-informed safety and dependability
• Consultants PhD level, international team
• Partner in UK Research Institute on Trustworthy ICS (RiTICS)
Slide 2
© 2017 ADELARD LLP
ASSURANCE
• trust and trustworthiness are of enormous societal value
• assurance is an enabler of innovation
• security requires innovation
Slide 3
© 2018 ADELARD LLP
OUTLINE
• Background
• Assessing impact of security on safety• Projects and policies
• Outcomes and ongoing work• Security informed safety case• Codes of Practice (PAS and CoP)• research projects
• Discussion and conclusion• Why easier than feared, why hard
Slide 4
© 2017 ADELARD LLP
SECURITY-INFORMED SAFETY AND RESILIENCE
Assurance and policy
FrameworkClaim
Sub-Claim
Argument
Evidence
Risk assessment
Balise
Traffic management TMS
Indications Interlocking
Train detection Track controls
RBC
Movement authority
Position reports
EVC
Balise antenna
Odometry
Controller
PSTN
Instructions
Queries
Driver
Business systems FTN
GSM-R
External network
SIL 0
Key:
SIL 2
SIL 4
Power management SCADA
Control layer
Safety layer
Business layer
Lineside layer
Systems of systems
5
1.12 The National Risk Register illustrates the kindsof contingency which primarily drive planning bygovernment and the emergency services and forwhich organisations, individuals, families andcommunities can reasonably plan if they want to doso. The selection excludes some risks that areclassified for reasons of national security and specificillustrative examples of risks where there are casesoutstanding in the courts which may be prejudiced.
1.13 The UK has been described as one of thepioneers in coordinated risk management foremergencies, because of the systematic way inwhich we assess the risks and use these assessmentsto help planning.
Chapter One: Introduction
Figure 1: An illustration of the high consequence risks facing the United Kingdom
Major TransportAccidents
Attacks onCritical
Infrastructure
Major IndustrialAccidents
AnimalDisease
SevereWeather
ElectronicAttacks
Non-conventionalAttacks*
CoastalFlooding
PandemicInfluenza
Inland Flooding
Attacks onTransport
Attacks on Crowded
Places
Relative Likelihood
Relative Impact
* The use of some chemical, biological, radiological and nuclear (CBRN) materials has the potential to have very serious andwidespread consequences. An example would be the use of a nuclear device. There is no historical precedent for this type ofterrorist attack which is excluded from the non-conventional grouping on the diagram.
NationalRiskRegister_289116 17/7/08 2:22 pm Page 5 Training
!
Standards and policy
Slide 5
Many projects: Ritics, Sesamo, Aquas, CPNI, IEC, BSI, IET …
© 2018 ADELARD LLP
NUCLEAR
Slide 6
SECURITY-INFORMED SAFETY: INTEGRATING SECURITY WITHIN THE SAFETY DEMONSTRATION OF A SMART DEVICE
Robin Bloomfield1,2, Eoin Butler1, Sofia Guerra1 and Kate Netkachova1,2
1 Adelard LLP 24 Waterside, 44-48 Wharf Road, London N1 7UX, UK
{reb,eb,aslg,kn}@adelard.com
2 City, University of London Northampton Square
London EC1V 0HB, UK {R.E.Bloomfield, Kateryna.Netkachova.2}@city.ac.uk
ABSTRACT
Safety and security engineering have, over the years, developed their own regulations, standards, cultures, and practices. However, there’s a growing realisation that security is closely connected to safety. Safety must be security-informed: if a safety-critical system isn’t secure, it isn’t safe. A safety demonstration is incomplete and unconvincing unless it considers security. In our work for government and industry, we have used the Claims, Arguments, Evidence (CAE) framework to analyse the impact of security on a safety justification or safety case and identified the significant changes needed to address security explicitly. This will impact the design and implementation process as well as the assurance and V&V approach.
In this paper we discuss the impact of integrating security when developing a safety demonstration of a smart device. A smart device is an instrument, device or component that contains a microprocessor (and therefore contains both hardware and software) and is programmed to provide specialised capabilities, often measuring or controlling a process variable. Examples of smart devices include radiation monitors, relays, turbine governors, uninterruptible power supplies and heating ventilation, and air conditioning controllers.
Key Words: Smart (embedded) devices, safety assessment, security-informed safety, cyber
1 INTRODUCTION
Safety and security engineering have, over the years, developed their own regulations, standards, cultures, and practices. However, there is a growing acceptance that security is closely connected to safety: it can no longer be assumed that a safety-critical system is immune from malware because it is built using bespoke hardware and software, or that the system cannot be attacked because it is separated from the outside world by a so-called “air gap.” Safety must be security-informed: if a safety-critical system isn’t secure, it isn’t safe. There are also business drivers for security-informed safety: stakeholders do not want to pay twice for assurance, or worse, discover conflicts between safety and security that significantly impact project timescales and require considerable system re-architecting. In addition, reputational risks from actual or period security incidents could be very costly. In the UK, the government has recently published a Civil Nuclear Cyber Security Strategy that further motivates the need and urgency of tackling security issues on both legacy and new systems [1].
In this paper we discuss the impact of integrating security when developing a safety demonstration of a smart device. A smart device is an instrument, device or component that contains a microprocessor (and therefore contains both hardware and software) and is programmed to provide specialised capabilities, often measuring or controlling a process variable. One essential property is that it cannot be programmed
© 2017 ADELARD LLP
SAFETY AND SECURITY
• Safety –the damage the system can do to the environment
System Environment
• Security – the damage the environment (in a broad sense) does to the system
© 2017 ADELARD LLP
Slide 8
SLOGAN
“If it’s not secure, it’s not safe”
© 2017 ADELARD LLP
HOW MUCH SHOULD SAFETY AND SECURITY BE INTEGRATED?
Slide 9
Security Safety
Security Safety
Security and
safety
�
�
�
© 2017 ADELARD LLP
IS THE SECURITY OF INDUSTRIAL SYSTEMS A REAL SAFETY CONCERN?
• Examples
• Late 2014, German steel mill attack• Initial breach via “spear fishing”• Safety controls overridden• Extensive damage to blast furnace• Probably a nation state attack (advanced persistent threat – APT)
• December 2015, Cyber attack on Ukraine Power grid • Cut off 103 towns and cities in Ukraine• Russia blamed
• December 2017 malware detected in Middle Eastern petrochemical facility• Safety system shutdown as the result of a Triton malware attack. • System had been penetrated over a 2 years before detection• Tampering with the process control AND safety systems • Russia blamed
© 2017 ADELARD LLP
SAFETY ANALYSIS
Hazard Accident
Accident Trigger
Barrier
Causal Factor
SYSTEM
Slide 11
© 2017 ADELARD LLP
COMBINED SAFETY AND SECURITY ANALYSIS
Hazard
CompromiseThreat Vulnerability
Accident
Accident Trigger
Barrier
Control
Causal Factor
SYSTEM
Slide 12
Security attacks can also • make safety causal
factors more likely and
• reduce effectiveness of controls and barriers
• increase risk of systemic failure.
© 2017 ADELARD LLP
Slide 13
TYPICAL URBAN TRANSPORT SYSTEM
Images http://jpninfo.com/57046
© 2017 ADELARD LLP
Slide 14
SYSTEMS OF SYSTEMS
Trackside equipment
Information systems
CCTV and crowd analysis
Office systems, design
information
Control and management
centre
On board braking systems
On board door control
systems
On board information
systems
Connected passenger
Payment systems
Gate control systems
Maintenance systems
© 2017 ADELARD LLP
SAFETY AND SECURITY SYSTEMS
• Plant/Systems with an overall mission, part of which is safety and security• Main mission is to deliver a service
• Safety systems with one mission• Shut down, stop
• Security systems with one mission• Access control, CCTV
• Security systems that can directly impact safety• Crowd control, PA and communications
• Systems that can be used in different stages of an attack • e.g for phishing, gaining information
• Architectures that integrate all types of systems
• Complex incidents - enabled, amplified by systems interactions
Slide 15
© 2017 ADELARD LLP
ASSESSING IMPACT OF SECURITY ON SAFETY
Slide 16
© 2017 ADELARD LLP
Security, resilience and safety
Security and safety
ERTMS Specification analysisAwareness course
~200 engineers Security informed safety case methodologyOverall risk assessment UK
ERTMS enabled railwaySpecific train ETCS assessments
Impact on automotive
Impact of cyber on safety–ATM aviation regulation
Security, resilience and safety
Autonomous systems
© 2017 ADELARD LLP
SECURITY-INFORMED SAFETY AND RESILIENCE - OVERVIEW
Assurance and policy
FrameworkClaim
Sub-Claim
Argument
Evidence
Risk assessment
Balise
Traffic management TMS
Indications Interlocking
Train detection Track controls
RBC
Movement authority
Position reports
EVC
Balise antenna
Odometry
Controller
PSTN
Instructions
Queries
Driver
Business systems FTN
GSM-R
External network
SIL 0
Key:
SIL 2
SIL 4
Power management SCADA
Control layer
Safety layer
Business layer
Lineside layer
Systems of systems
5
1.12 The National Risk Register illustrates the kindsof contingency which primarily drive planning bygovernment and the emergency services and forwhich organisations, individuals, families andcommunities can reasonably plan if they want to doso. The selection excludes some risks that areclassified for reasons of national security and specificillustrative examples of risks where there are casesoutstanding in the courts which may be prejudiced.
1.13 The UK has been described as one of thepioneers in coordinated risk management foremergencies, because of the systematic way inwhich we assess the risks and use these assessmentsto help planning.
Chapter One: Introduction
Figure 1: An illustration of the high consequence risks facing the United Kingdom
Major TransportAccidents
Attacks onCritical
Infrastructure
Major IndustrialAccidents
AnimalDisease
SevereWeather
ElectronicAttacks
Non-conventionalAttacks*
CoastalFlooding
PandemicInfluenza
Inland Flooding
Attacks onTransport
Attacks on Crowded
Places
Relative Likelihood
Relative Impact
* The use of some chemical, biological, radiological and nuclear (CBRN) materials has the potential to have very serious andwidespread consequences. An example would be the use of a nuclear device. There is no historical precedent for this type ofterrorist attack which is excluded from the non-conventional grouping on the diagram.
NationalRiskRegister_289116 17/7/08 2:22 pm Page 5 Training
!
Standards and policy
Slide 18
© 2017 ADELARD LLP
SECURITY-INFORMED ASSURANCE CASES
• Methodology• Express safety case about system behavior in
terms of Claims-Arguments-Evidence • Review how the claims might be impacted by
security • Review security controls to see if these can
be used to provide an argument and evidence for satisfying the claim
• Review impact of deploying controls on architecture and implementation
• Iterative layered approach informed by strategy triangle• Properties, standards, vulnerabilities
Claim
Sub-Claim
Argument
Evidence
© 2017 ADELARD LLP
IMPACT OF SECURITY ON ASSURANCE CASE
• Some observations:• Integration of requirements• Possible exploitation of the device/service to
attack itself or others– Failstop, role of CIA
• Malicious events post deployment• Supply chain integrity• Design changes to address user interactions,
training, configuration, vulnerabilities• Additional functional requirements - security
controls• Reduced lifetime of installed equipment
• With supporting process and analysis techniques
C01 Deployed device delivers
service OK
C02 Deployed service does not facilitate attacks
on itself or others
C2 Confidentiality is maintained
C1 Delivers safe
service
Attribute expansion
Time split
C11 OK initially
Argue over deployment
C31 Purchased device OK
C21 Configured device OK
C22 Training
OK
Configuration
Supply chain
C41 Evaluated device OK
Attribute expansion "OK": good
design, behaviour
Enumerate deployment
hazards
C51 Safety properties
OK
C52 Vulnerabilities and hazards addressed
C53 Design minimises
deployment risks
C66 Address supply, configuration, user
interaction, use, storage
Attributeexpansion
Additional design basis
threats addressed
C42 Supply chain
delivers equivalent
device
C12 OK future
Consider all (benign and malicious) events) events
C23 Benign events
detected and responded to
C23 Malicious
events detected and responded to
C61 Specified
OK
C62 Implemented
OK
C65 by organisation
C64 by lifecycle
C63 by product
© 2017 ADELARD LLP
EXPLICIT DISCUSSION OF TRUSTWORTHINESS OF EVIDENCE
• Changing the threat assumptions impact how we address evidence that is fundamental to the safety case.
• Need an explicit claim that the evidence is trustworthy and we may need to factor this by the different organisations that provide it. • risks from the deliberate tampering with evidence • non-reporting or falsification of findings
• Safety standards already require the trustworthiness of tools to be justified, • inclusion of security concerns means that the
different threats become credible e.g. malicious inclusion of code by tools needs consideration.
Slide 21
Evidencedemonstrates X
decompositionby subproperty
Demonstration requiresdirect trustworthy evidence
Evidence istrustworthy
evidenceincorporation
Report showing X
Evidence purports todemonstrate X
"Trustworthy" could beexpanded into attributes such
as relevant, traceable.However, evidence about
evidence could get horriblyrecursive.
© 2017 ADELARD LLP
ERTMS-BASED RAILWAY SYSTEMS
Risk assessment
Balise
Traffic management TMS
Indications Interlocking
Train detection Track controls
RBC
Movement authority
Position reports
EVC
Balise antenna
Odometry
Controller
PSTN
Instructions
Queries
Driver
Business systems FTN
GSM-R
External network
SIL 0
Key:
SIL 2
SIL 4
Power management SCADA
Control layer
Safety layer
Business layer
Lineside layer
Systems of systems
5
1.12 The National Risk Register illustrates the kindsof contingency which primarily drive planning bygovernment and the emergency services and forwhich organisations, individuals, families andcommunities can reasonably plan if they want to doso. The selection excludes some risks that areclassified for reasons of national security and specificillustrative examples of risks where there are casesoutstanding in the courts which may be prejudiced.
1.13 The UK has been described as one of thepioneers in coordinated risk management foremergencies, because of the systematic way inwhich we assess the risks and use these assessmentsto help planning.
Chapter One: Introduction
Figure 1: An illustration of the high consequence risks facing the United Kingdom
Major TransportAccidents
Attacks onCritical
Infrastructure
Major IndustrialAccidents
AnimalDisease
SevereWeather
ElectronicAttacks
Non-conventionalAttacks*
CoastalFlooding
PandemicInfluenza
Inland Flooding
Attacks onTransport
Attacks on Crowded
Places
Relative Likelihood
Relative Impact
* The use of some chemical, biological, radiological and nuclear (CBRN) materials has the potential to have very serious andwidespread consequences. An example would be the use of a nuclear device. There is no historical precedent for this type ofterrorist attack which is excluded from the non-conventional grouping on the diagram.
NationalRiskRegister_289116 17/7/08 2:22 pm Page 5 Training
!
Slide 22
Bloomfield, R. E., Bendele, M., Bishop, P. G., Stroud, R. & Tonks, S. (2016). The risk assessment of ERTMS-based railway systems from a cyber security perspective: Methodology and lessons learned. Paper presented at the First International Conference, RSSRail 2016, 28-30 Jun 2016, Paris, France.
© 2017 ADELARD LLP
LESSONS LEARNED
1. Start security considerations as early in the lifecycle as possible.
2. Early on, assess the implications of security for the project - low safety criticality can have high security.
3. Define the security and safety engineering and assurance processes and their interaction.
4. Integrate security into safety analysis (e.g., by performing a security-informed Hazop).
5. Develop, validate and update the hazard analysis in light of penetration testing.
6. Require evidence for the service providers’ non-functional requirements (integrity, availability) rather than just relying on SLAs.
7. Provide greater emphasis on resilience and incident recovery.
8. Maintain a “living” safety case. Address changes to threats and strengths of security controls.
9. Be aware of the need for security controls in addition to safety controls in end-users and service providers.
Slide 23
© 2017 ADELARD LLP
Security, resilience and safety
Security and safety
ERTMS Specification analysisAwareness course
~200 engineers Security informed safety case methodologyOverall risk assessment UK
ERTMS enabled railwaySpecific train ETCS assessments
Impact on automotive
Impact of cyber on safety–regulation
Security, resilience and safety
© 2017 ADELARD LLP
FROM VISION TO OBJECTIVES
Slide 25
Goal
•“We see a world where there is justified confidence that (cyber) security issues do not pose unacceptable risks to the safety and resilience of...”
Consider this from the viewpoint of different stakeholders, • the ARO has justified confidence in its
products• the ARO provides other stakeholders with
justified confidence
This second point is unusual - example of the “good citizen” principles
"We see a world where everyone who chooses tofly, as well as those who do not, has confidence in
a safe and secure aviation sector ..."
Decompositioinby different
stakeholders
ARO has justified confidence thatcyber-security issues will not poseunacceptable risks to the safety
and resilience of the UK regulatedservices
in the future
Decomposition bydifferent sources of
confidence
Decomposition byresponsiveness to
different types of eventand changes
Substitution
ARO has justified confidence thatthe regulated system can dealwith cyber related events and
changes
Decompositionby sources of
doubt
ARO has justified confidence thatcyber-security issues do not pose
unacceptable risks to the safety andresilience of the UK regulated
services at present
Other sources (out ofscope)
Confidencecommunicated
Concretion
ARO provides otherstakeholders with
justified confidence in theregulated security and
resilience
Other stakeholders havejustified confidence that
cyber-security issues do notpose unacceptable risks to thesafety and resilience of the UK
regulated services
Decomposition by reasonsfor confidence beingcommunicated and
established
Decomposition byconsidering situation
now and how itevolves
There is justified confidence thatcyber-security issues do not pose
unacceptable risks to the safety andresilience of the UK regulated services
ARO has justified confidencethat cyber-security issues do notpose unacceptable risks to thesafety and resilience of the UK
regulated services
ARO has processes andprocedures to deliver
assessments of cyber-securityinformed safety and resilience
Decompositionby time (now and
in the future)
ARO has capability toundertake cyber roles
Safety case changereview is conducted
and is cyberinformed
ARO has justiifedconfidence inoverall system
Decomposition bydifferent aspectsof ARO activity
Provides confidenceexisting system secure
and resilient
Decomposition bysources ofconfidence
ARO has justifiedconfidence in the technicalapproaches for addressing
cyber-security informedsafety and resilience
Sources of doubtactively managed -
actual and perceived
Audit and assessmentof SMS and SecMS
addresses cyber
Assessment ofresilience is
carried out takingsecurity into
consideration
Incident response andresilience including
rebuttals areOrganisationalcomplexity isaddressed
Technical evaluationsare conducted
Decomposition bynecessary aspects of
delivery Decompositionby sources
Standards andlegislation addresscyber adequately
Standards andlegislationadequately
applied
ARO regulatory activityprovides justified
confidence in the securityand reslience
ARO confident that thecomposition of all the activities
addresses security and resilienceof the regulated system as awhole and are proportionate
ARO has justified confidencein the overall regulatory
institutions and standards
Vulnerabilitydiscovery and
evolving threatsare adequately
Regulatedsystem changesare conducted ina controlled way
Institutional andlegal changes are
performedproperly
Innovation andservice
connectivity areproperly dealt
with
Incidents andaccidents including
attacks areadequately
responded to
Regulated vision
High level objectives
Programme objectives
Detailed objectives
© 2017 ADELARD LLP
IMPACT ON REGULATOR
A CAE-based analysis led to a structured set of objectives for the Cyber Strategy
To support the ARO provided an analysis of some of the challenges :
• cyber-informed safety assurance• resilience• vulnerabilities• systemic risks and interdependencies• awareness, training and education• incident response and organisational learning
From this we developed • recommendations to address these issues, and
related them to the programme objectives. • a preliminary regulatory maturity model to
explain and structure the programme of work and to put into context the challenge: achieving these seven objectives.
• programme objectives with links to levels of our maturity model to define an indicative high-level plan.
Bloomfield, R. E., Bishop, P. G., Butler, E. and Netkachova, K. (2017). Using an assurance case framework to develop security strategy and policies. Lecture Notes in Computer Science, 10489, pp. 27-38. doi: 10.1007/978-3-319-66284-8_3T
Slide 26
Slide 27
Cyber safety and resilience strengthening the digital systems that support the modern economy 1
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3A sector-specific focus – connected health devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2. The challenges for critical and non-critical infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.1 What systems are being created? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.2 What vulnerabilities exist? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3. Policy context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.1 Cyber security – a key component of UK national security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.2 Cyber safety and resilience – the legal and regulatory environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2.1 Cyber safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193.2.2 Cyber resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4. Addressing the challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.1 Supply chain vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.2 What is the right combination of mechanisms? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.2.1 Government’s role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224.2.2 Market-led interventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224.2.3 The role of system operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234.2.4 The role of the engineering profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.3 Integrating safety, security and resilience in regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254.4 Strengthening the existing legislative framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.5 Transferring expertise in safety-critical systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274.6 Research on systems assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5. Connected health devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.1 Digitalised systems in healthcare – the opportunities and challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.2 The nature of healthcare systems and their vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.3 Cyber safety and resilience – the legal and regulatory context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.4 Improving cyber safety and resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325.5 Conclusions: Applying general principles to the health sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
References and endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Cyber safety and resiliencestrengthening the digital systems that support the modern economy
© 2017 ADELARD LLP
CURRENT PROJECTS
Slide 28
© 2017 ADELARD LLP
SECURITY INFORMED SAFETY CASES – COMMUNICATION AND REASONING
• Safety justification triangle • CAE framework• Concepts• CAE Blocks• Guidance
Slide 29
Property-based approach
Standards compliance
Vulnerability assessment
Safety justification
Claim
Sub-Claim
Argument
Evidence
© 2017 ADELARD LLP
7 STEPS – SECURITY INFORMED SAFETY CASES
Case study Risk assessment Development lifecycle Assurance artefacts
Phase 1 Step 1 – Establish system context and scope of assessment
Requirements and specification
Requirements and Policy Assurance caseStep 2 – Configure risk assessment
Step 3 – Analyse policies and requirements
Phase 2 Step 4 – Preliminary risk analysis Design and implementation
System Safety case
Step 5 – Identify specific attack scenarios
Step 6 – Focused risk analysis
Step 7 – Finalise risk assessment
Slide 30
© 2017 ADELARD LLP
SECURITY AND SAFETY - CODE OF PRACTICE AND PAS
What we are doing:
• Developed a fast track British Standard (PAS Code of Practice) on automotive eco-system security and safety
• Developing a Code of Practice for railways security informed safety
• Sponsored by the UK CPNI with close involvement of industry
• Principle based approach in keeping with UK outcome focused regulation
Slide 31
© 2017 ADELARD LLP
TOP-LEVEL PRINCIPLES (COMMON)
Security policy, organization and culture
Security-aware lifecycle
Maintaining effective defences
Incident management
Secure and safe design
Contributing to a safe and secure world
© 2017 ADELARD LLP
“GOOD CITIZEN” PRINCIPLE
• Detailed recommendations(automotive guidance)
• Explanatory notes
• Supporting rationale
© 2017 ADELARD LLP
SUPPORTING ANNEXES
• Examples from the Rail CoP
• The annexes are informative and are designed to support the recommendations in the main body of the CoP
35
PAS 11281:2018
© The British Standards Institution 2018
Annex D (informative) Approaching safety and security integration
D.1 IntroductionThis PAS deals with many different aspects of considering security in the context of the safety of an automotive ecosystem. One of the most challenging areas is where safety and security interact, particularly in cases where their aims contradict or where there are unintended consequences. Interactions can stem from
a) overlapping requirements;
b) overlapping functionality;
c) the use of shared resources or platforms;
d) information flow; and
e) misuse or abuse.
In general, these safety and security interactions might present the opportunity to make decisions that could result in trade-offs between safety and security. In some cases, they could result in direct conflicts between safety and security that cannot be easily resolved. For example, consider an access system that remains in a locked state if it fails. Such a system is fail-secure, in that an attacker cannot gain access, but is not fail-safe, in that personnel cannot escape in the event of, e.g. fire. The interactions between a security policy and the safety requirements need to be assessed and any trade-offs identified. In some circumstances, increased security might reduce safety so it is essential to consider these holistically.
For safety, the most important considerations are ensuring that systems provide the required functionality with a given level of reliability (comprising integrity and availability). When the security perspective is included, confidentiality also becomes a concern. In this PAS we have recommended measures to protect the confidentiality of information that could be used by a threat agent to identify vulnerabilities or conduct an attack. The privacy of individuals is outside the scope, but there might be situations in which personal data could be used to inform an attack, or where the disclosure of sensitive data leads to non-physical harm.
Figure D.1, taken and generalized from Netkachova et al, “Investigation into a Layered Approach to Architecting Security-Informed Safety Cases” [60], shows different scenarios where security and safety interact:
a) In the bottom left corner is an area of maximum operational benefit, where with low levels of threat and no significant safety challenge, it is relatively straightforward to satisfy both aspects.
b) In the bottom right there is an area where security concerns might dominate due to the threat level. (e.g. with a need to restrict access to the device). In this case, the safety analysis must show that these constraints are acceptably safe even if they do cause higher workload or operational complexities.
c) A corresponding zone in the top left corner, where safety issues dominate and the security policy is the same or weakened. In this case, the security analysis must show that identified security threats are satisfactorily mitigated by other means during this time.
d) The top right hand corner is a very uncertain area where some special capabilities might be needed, e.g. in the form of a manual override to security policy.
Figure D.1 – A schematic showing how security and safety interact in different scenarios
Safe
ty r
isks
Security threat level
Integrated policyand benefits
Safety dominates Resolutionof conflicts
Securitydominates
© 2017 ADELARD LLP
AVAILABILITY
•Rail• Draft for industry consultation• Currently under review• Plan to release guidance Q1
2019
•Automotive• BSI publication December 2018• BSI PAS 11281
© 2017 ADELARD LLP
RESEARCH PROJECTS
Slide 36
© 2017 ADELARD LLP
Slide 37
ASSURED AUTONOMY
“Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS”(TIGARS)
Page | 1 / 30
AssuringAutonomyInternationalProgrammeExpressionofInterestForm–Call01
Towards Identifying and closing Gaps in Assurance of
autonomous Road vehicleS (TIGARS)
Enclosure2
Slide 38
Tigars - Aims & Challenges
Engineering PracticesIdentify current autonomous systems engineering approaches and assess the current state of software engineering development practice.
Assurance GapsAssess the feasibility of deploying current state-of-the-art static analysis, verification, and testing techniques.
Verification & ValidationAddress assurance gaps with new approaches• static analysis of machine learning,• simulation and test strategies• defence in depth.
Standards & PoliciesRecommendations to regulatory and policy organisations• principles-based framework to
address autonomy• near-term interpretation of
existing standards.
39
OVERVIEW
Multi infrastructure stochastic models
PIA FARA
Communication modelsTrade offs, decision support
Assurance Case to explain and justify decision
Explanation of decision based on Claims,
Arguments, Evidence
Assurance Case to justify trust in models
Claim “safety risk tolerable including cyber issues”
Adversary models
More detailed CAE
© 2017 ADELARD LLP
RITICS ROADMAPPING – SHORT TERM
• With Dr Peter Popov
• Landscape and road mapping• Identify issues with practitioners– Transport, Nuclear,– Resilience community
• Develop issues– Breadth and selective depth
• Combine – Technology and threat awareness
• Develop short R&D roadmap
• Help and interest welcome!
• Structure of issues from• RAEng Cyber Safety + PAS + IAEA• Autonomy from Tigars and AAIP• Resilienceshift (Arup) and NIC
40
© 2017 ADELARD LLP
DISCUSSION – THE YES BUT…
Slide 41
© 2017 ADELARD LLP
WHY IT MIGHT BE EASIER THAN FEARED
• Success of dependability engineering• Automotive engineering
• Air and rail transportation
• Finance system
• Nuclear power
• Consumer products
Succeed through initial high quality, fault tolerance, failure management and recovery
Already address
• Safety cases and myriad sources of risk
• Competency and culture
• Incident response and organisational learning
• Updates to system and recertification
• Defence in depth and systemic risk
• Supply chains already managed
• Dependability built in
Slide 42
© 2017 ADELARD LLP
BUT ACHIEVING DEPENDABLE SYSTEMS IS HARD
• Automotive engineering• Yet Toyota, VW
• Air and rail transportation• Yet Spanish crash, Nimrod
• Finance system• Yet crashes, $400M bug
• Nuclear power• Yet Fukushima, QA fraud
• Consumer products• Yet recalls and data loss
• Medical systems• Yet avoidable deaths
“Normal business”, achieving dependable conventional digital systems is hard
© 2017 ADELARD LLP
DISCUSSION – THE YES BUT…
• The impact of security on safety now known in general and have techniques for identifying this and detailing it further:• Security policy, organization and culture• Security-aware lifecycle• Maintaining effective defences• Incident management• Secure and safe design• Contributing to a safe and secure world
• Known and very significant impact
Slide 44
© 2017 ADELARD LLP
YES BUT…
• Security will have a major impact on all aspects of organisation, governance, requirements, architecture, development, assurance• Management of institutional and regulatory change• Legacy and long lived systems• Systems engineering and systems thinking• Technologies and architectures• Assurance strategies
• Security, like quality, intrinsic to everything – need to address security mindedness
• Political, social and threat context is changing
• Technology and systems are changing• AI,ML, IoT
Slide 45
© 2017 ADELARD LLP
CONCLUSIONS
• Security will impact on all aspects of organisation, governance, requirements, architecture, development, assurance• Security policy, organization and
culture• Security-aware lifecycle• Maintaining effective defences• Incident management• Secure and safe design• Contributing to a safe and secure
world
• “Normal business” achieving dependable conventional digital systems is hard
• A way forward• Industry implement objectives of PAS• Government and NGO address RAEng
and social policy issues• Research needed to support this
• Awareness of • Political, social and threat context is
changing• Technology and systems are changing• Need for holistic approach
• Provides opportunities not just problems
• Innovate and integrate!!
Slide 46
© 2017 ADELARD LLP
Slide 47
FURTHER READING
Bloomfield, R. E., Bendele, M., Bishop, P. G., Stroud, R. & Tonks, S. (2016). The risk assessment of ERTMS-based railway systems from a cyber security perspective: Methodology and lessons learned. Paper presented at the First International Conference, RSSRail 2016, 28-30 Jun 2016, Paris, France.
IEEE Computer June 2016
© 2018 ADELARD LLP
Slide 48