SECURITY INFORMED SAFETY WHY ITS EASY, WHY ITS HARD€¦ · • Safety systems with one mission • Shut down, stop • Security systems with one mission • Access control, CCTV

Adelard LLP, 24 Waterside, 44-48 Wharf Road, London N1 7UXT +44 20 7832 5850 E [email protected] W www.adelard.com

PT/632/309/81

SECURITY INFORMED SAFETY

WHY ITS EASY, WHY ITS HARD

Professor Robin E Bloomfield FREng

Adelard LLPCity, University of London

[email protected]@city.ac.ukJanuary 2019

© 2018 ADELARD LLP

ADELARD

• Adelard is a specialized, influential product and services company working on safety, security and resilience since 1987

• Wide-ranging experience of assessing computer-based systems and components

• Work across different industrial sectors, including nuclear, rail, defence, aviation, financial, medical• Policy, methodology, technology• Product for managing safety and assurance cases (ASCE)• Security-informed safety and dependability

• Consultants PhD level, international team

• Partner in UK Research Institute on Trustworthy ICS (RiTICS)

Slide 2

© 2017 ADELARD LLP

ASSURANCE

• trust and trustworthiness are of enormous societal value

• assurance is an enabler of innovation

• security requires innovation

Slide 3

© 2018 ADELARD LLP

OUTLINE

• Background

• Assessing impact of security on safety• Projects and policies

• Outcomes and ongoing work• Security informed safety case• Codes of Practice (PAS and CoP)• research projects

• Discussion and conclusion• Why easier than feared, why hard

Slide 4

© 2017 ADELARD LLP

SECURITY-INFORMED SAFETY AND RESILIENCE

Assurance and policy

FrameworkClaim

Sub-Claim

Argument

Evidence

Risk assessment

Balise

Traffic management TMS

Indications Interlocking

Train detection Track controls

RBC

Movement authority

Position reports

EVC

Balise antenna

Odometry

Controller

PSTN

Instructions

Queries

Driver

Business systems FTN

GSM-R

External network

SIL 0

Key:

SIL 2

SIL 4

Power management SCADA

Control layer

Safety layer

Business layer

Lineside layer

Systems of systems

5

1.12 The National Risk Register illustrates the kindsof contingency which primarily drive planning bygovernment and the emergency services and forwhich organisations, individuals, families andcommunities can reasonably plan if they want to doso. The selection excludes some risks that areclassified for reasons of national security and specificillustrative examples of risks where there are casesoutstanding in the courts which may be prejudiced.

1.13 The UK has been described as one of thepioneers in coordinated risk management foremergencies, because of the systematic way inwhich we assess the risks and use these assessmentsto help planning.

Chapter One: Introduction

Figure 1: An illustration of the high consequence risks facing the United Kingdom

Major TransportAccidents

Attacks onCritical

Infrastructure

Major IndustrialAccidents

AnimalDisease

SevereWeather

ElectronicAttacks

Non-conventionalAttacks*

CoastalFlooding

PandemicInfluenza

Inland Flooding

Attacks onTransport

Attacks on Crowded

Places

Relative Likelihood

Relative Impact

* The use of some chemical, biological, radiological and nuclear (CBRN) materials has the potential to have very serious andwidespread consequences. An example would be the use of a nuclear device. There is no historical precedent for this type ofterrorist attack which is excluded from the non-conventional grouping on the diagram.

NationalRiskRegister_289116 17/7/08 2:22 pm Page 5 Training

!

Standards and policy

Slide 5

Many projects: Ritics, Sesamo, Aquas, CPNI, IEC, BSI, IET …

© 2018 ADELARD LLP

NUCLEAR

Slide 6

SECURITY-INFORMED SAFETY: INTEGRATING SECURITY WITHIN THE SAFETY DEMONSTRATION OF A SMART DEVICE

Robin Bloomfield1,2, Eoin Butler1, Sofia Guerra1 and Kate Netkachova1,2

1 Adelard LLP 24 Waterside, 44-48 Wharf Road, London N1 7UX, UK

{reb,eb,aslg,kn}@adelard.com

2 City, University of London Northampton Square

London EC1V 0HB, UK {R.E.Bloomfield, Kateryna.Netkachova.2}@city.ac.uk

ABSTRACT

Safety and security engineering have, over the years, developed their own regulations, standards, cultures, and practices. However, there’s a growing realisation that security is closely connected to safety. Safety must be security-informed: if a safety-critical system isn’t secure, it isn’t safe. A safety demonstration is incomplete and unconvincing unless it considers security. In our work for government and industry, we have used the Claims, Arguments, Evidence (CAE) framework to analyse the impact of security on a safety justification or safety case and identified the significant changes needed to address security explicitly. This will impact the design and implementation process as well as the assurance and V&V approach.

In this paper we discuss the impact of integrating security when developing a safety demonstration of a smart device. A smart device is an instrument, device or component that contains a microprocessor (and therefore contains both hardware and software) and is programmed to provide specialised capabilities, often measuring or controlling a process variable. Examples of smart devices include radiation monitors, relays, turbine governors, uninterruptible power supplies and heating ventilation, and air conditioning controllers.

Key Words: Smart (embedded) devices, safety assessment, security-informed safety, cyber

1 INTRODUCTION

Safety and security engineering have, over the years, developed their own regulations, standards, cultures, and practices. However, there is a growing acceptance that security is closely connected to safety: it can no longer be assumed that a safety-critical system is immune from malware because it is built using bespoke hardware and software, or that the system cannot be attacked because it is separated from the outside world by a so-called “air gap.” Safety must be security-informed: if a safety-critical system isn’t secure, it isn’t safe. There are also business drivers for security-informed safety: stakeholders do not want to pay twice for assurance, or worse, discover conflicts between safety and security that significantly impact project timescales and require considerable system re-architecting. In addition, reputational risks from actual or period security incidents could be very costly. In the UK, the government has recently published a Civil Nuclear Cyber Security Strategy that further motivates the need and urgency of tackling security issues on both legacy and new systems [1].

In this paper we discuss the impact of integrating security when developing a safety demonstration of a smart device. A smart device is an instrument, device or component that contains a microprocessor (and therefore contains both hardware and software) and is programmed to provide specialised capabilities, often measuring or controlling a process variable. One essential property is that it cannot be programmed

© 2017 ADELARD LLP

SAFETY AND SECURITY

• Safety –the damage the system can do to the environment

System Environment

• Security – the damage the environment (in a broad sense) does to the system

© 2017 ADELARD LLP

Slide 8

SLOGAN

“If it’s not secure, it’s not safe”

© 2017 ADELARD LLP

HOW MUCH SHOULD SAFETY AND SECURITY BE INTEGRATED?

Slide 9

Security Safety

Security Safety

Security and

safety

�

�

�

© 2017 ADELARD LLP

IS THE SECURITY OF INDUSTRIAL SYSTEMS A REAL SAFETY CONCERN?

• Examples

• Late 2014, German steel mill attack• Initial breach via “spear fishing”• Safety controls overridden• Extensive damage to blast furnace• Probably a nation state attack (advanced persistent threat – APT)

• December 2015, Cyber attack on Ukraine Power grid • Cut off 103 towns and cities in Ukraine• Russia blamed

• December 2017 malware detected in Middle Eastern petrochemical facility• Safety system shutdown as the result of a Triton malware attack. • System had been penetrated over a 2 years before detection• Tampering with the process control AND safety systems • Russia blamed

© 2017 ADELARD LLP

SAFETY ANALYSIS

Hazard Accident

Accident Trigger

Barrier

Causal Factor

SYSTEM

Slide 11

© 2017 ADELARD LLP

COMBINED SAFETY AND SECURITY ANALYSIS

Hazard

CompromiseThreat Vulnerability

Accident

Accident Trigger

Barrier

Control

Causal Factor

SYSTEM

Slide 12

Security attacks can also • make safety causal

factors more likely and

• reduce effectiveness of controls and barriers

• increase risk of systemic failure.

© 2017 ADELARD LLP

Slide 13

TYPICAL URBAN TRANSPORT SYSTEM

Images http://jpninfo.com/57046

© 2017 ADELARD LLP

Slide 14

SYSTEMS OF SYSTEMS

Trackside equipment

Information systems

CCTV and crowd analysis

Office systems, design

information

Control and management

centre

On board braking systems

On board door control

systems

On board information

systems

Connected passenger

Payment systems

Gate control systems

Maintenance systems

© 2017 ADELARD LLP

SAFETY AND SECURITY SYSTEMS

• Plant/Systems with an overall mission, part of which is safety and security• Main mission is to deliver a service

• Safety systems with one mission• Shut down, stop

• Security systems with one mission• Access control, CCTV

• Security systems that can directly impact safety• Crowd control, PA and communications

• Systems that can be used in different stages of an attack • e.g for phishing, gaining information

• Architectures that integrate all types of systems

• Complex incidents - enabled, amplified by systems interactions

Slide 15

© 2017 ADELARD LLP

ASSESSING IMPACT OF SECURITY ON SAFETY

Slide 16

© 2017 ADELARD LLP

Security, resilience and safety

Security and safety

ERTMS Specification analysisAwareness course

~200 engineers Security informed safety case methodologyOverall risk assessment UK

ERTMS enabled railwaySpecific train ETCS assessments

Impact on automotive

Impact of cyber on safety–ATM aviation regulation


Autonomous systems

© 2017 ADELARD LLP

SECURITY-INFORMED SAFETY AND RESILIENCE - OVERVIEW

Assurance and policy

FrameworkClaim

Sub-Claim

Argument

Evidence

Risk assessment

Balise




RBC

Movement authority

Position reports

EVC

Balise antenna

Odometry

Controller

PSTN

Instructions

Queries

Driver


GSM-R

External network

SIL 0

Key:

SIL 2

SIL 4


Control layer

Safety layer

Business layer

Lineside layer

Systems of systems

5






Attacks onCritical

Infrastructure


AnimalDisease

SevereWeather

ElectronicAttacks


CoastalFlooding

PandemicInfluenza

Inland Flooding

Attacks onTransport

Attacks on Crowded

Places

Relative Likelihood

Relative Impact



!

Standards and policy

Slide 18

© 2017 ADELARD LLP

SECURITY-INFORMED ASSURANCE CASES

• Methodology• Express safety case about system behavior in

terms of Claims-Arguments-Evidence • Review how the claims might be impacted by

security • Review security controls to see if these can

be used to provide an argument and evidence for satisfying the claim

• Review impact of deploying controls on architecture and implementation

• Iterative layered approach informed by strategy triangle• Properties, standards, vulnerabilities

Claim

Sub-Claim

Argument

Evidence

© 2017 ADELARD LLP

IMPACT OF SECURITY ON ASSURANCE CASE

• Some observations:• Integration of requirements• Possible exploitation of the device/service to

attack itself or others– Failstop, role of CIA

• Malicious events post deployment• Supply chain integrity• Design changes to address user interactions,

training, configuration, vulnerabilities• Additional functional requirements - security

controls• Reduced lifetime of installed equipment

• With supporting process and analysis techniques

C01 Deployed device delivers

service OK

C02 Deployed service does not facilitate attacks

on itself or others

C2 Confidentiality is maintained

C1 Delivers safe

service

Attribute expansion

Time split

C11 OK initially

Argue over deployment

C31 Purchased device OK

C21 Configured device OK

C22 Training

OK

Configuration

Supply chain

C41 Evaluated device OK

Attribute expansion "OK": good

design, behaviour

Enumerate deployment

hazards

C51 Safety properties

OK

C52 Vulnerabilities and hazards addressed

C53 Design minimises

deployment risks

C66 Address supply, configuration, user

interaction, use, storage

Attributeexpansion

Additional design basis

threats addressed

C42 Supply chain

delivers equivalent

device

C12 OK future

Consider all (benign and malicious) events) events

C23 Benign events

detected and responded to

C23 Malicious

events detected and responded to

C61 Specified

OK

C62 Implemented

OK

C65 by organisation

C64 by lifecycle

C63 by product

© 2017 ADELARD LLP

EXPLICIT DISCUSSION OF TRUSTWORTHINESS OF EVIDENCE

• Changing the threat assumptions impact how we address evidence that is fundamental to the safety case.

• Need an explicit claim that the evidence is trustworthy and we may need to factor this by the different organisations that provide it. • risks from the deliberate tampering with evidence • non-reporting or falsification of findings

• Safety standards already require the trustworthiness of tools to be justified, • inclusion of security concerns means that the

different threats become credible e.g. malicious inclusion of code by tools needs consideration.

Slide 21

Evidencedemonstrates X

decompositionby subproperty

Demonstration requiresdirect trustworthy evidence

Evidence istrustworthy

evidenceincorporation

Report showing X

Evidence purports todemonstrate X

"Trustworthy" could beexpanded into attributes such

as relevant, traceable.However, evidence about

evidence could get horriblyrecursive.

© 2017 ADELARD LLP

ERTMS-BASED RAILWAY SYSTEMS

Risk assessment

Balise




RBC

Movement authority

Position reports

EVC

Balise antenna

Odometry

Controller

PSTN

Instructions

Queries

Driver


GSM-R

External network

SIL 0

Key:

SIL 2

SIL 4


Control layer

Safety layer

Business layer

Lineside layer

Systems of systems

5






Attacks onCritical

Infrastructure


AnimalDisease

SevereWeather

ElectronicAttacks


CoastalFlooding

PandemicInfluenza

Inland Flooding

Attacks onTransport

Attacks on Crowded

Places

Relative Likelihood

Relative Impact



!

Slide 22

Bloomfield, R. E., Bendele, M., Bishop, P. G., Stroud, R. & Tonks, S. (2016). The risk assessment of ERTMS-based railway systems from a cyber security perspective: Methodology and lessons learned. Paper presented at the First International Conference, RSSRail 2016, 28-30 Jun 2016, Paris, France.

© 2017 ADELARD LLP

LESSONS LEARNED

1. Start security considerations as early in the lifecycle as possible.

2. Early on, assess the implications of security for the project - low safety criticality can have high security.

3. Define the security and safety engineering and assurance processes and their interaction.

4. Integrate security into safety analysis (e.g., by performing a security-informed Hazop).

5. Develop, validate and update the hazard analysis in light of penetration testing.

6. Require evidence for the service providers’ non-functional requirements (integrity, availability) rather than just relying on SLAs.

7. Provide greater emphasis on resilience and incident recovery.

8. Maintain a “living” safety case. Address changes to threats and strengths of security controls.

9. Be aware of the need for security controls in addition to safety controls in end-users and service providers.

Slide 23

© 2017 ADELARD LLP


Security and safety

ERTMS Specification analysisAwareness course

~200 engineers Security informed safety case methodologyOverall risk assessment UK

ERTMS enabled railwaySpecific train ETCS assessments

Impact on automotive

Impact of cyber on safety–regulation


© 2017 ADELARD LLP

FROM VISION TO OBJECTIVES

Slide 25

Goal

•“We see a world where there is justified confidence that (cyber) security issues do not pose unacceptable risks to the safety and resilience of...”

Consider this from the viewpoint of different stakeholders, • the ARO has justified confidence in its

products• the ARO provides other stakeholders with

justified confidence

This second point is unusual - example of the “good citizen” principles

"We see a world where everyone who chooses tofly, as well as those who do not, has confidence in

a safe and secure aviation sector ..."

Decompositioinby different

stakeholders

ARO has justified confidence thatcyber-security issues will not poseunacceptable risks to the safety

and resilience of the UK regulatedservices

in the future

Decomposition bydifferent sources of

confidence

Decomposition byresponsiveness to

different types of eventand changes

Substitution

ARO has justified confidence thatthe regulated system can dealwith cyber related events and

changes

Decompositionby sources of

doubt

ARO has justified confidence thatcyber-security issues do not pose

unacceptable risks to the safety andresilience of the UK regulated

services at present

Other sources (out ofscope)

Confidencecommunicated

Concretion

ARO provides otherstakeholders with

justified confidence in theregulated security and

resilience

Other stakeholders havejustified confidence that

cyber-security issues do notpose unacceptable risks to thesafety and resilience of the UK

regulated services

Decomposition by reasonsfor confidence beingcommunicated and

established

Decomposition byconsidering situation

now and how itevolves

There is justified confidence thatcyber-security issues do not pose

unacceptable risks to the safety andresilience of the UK regulated services

ARO has justified confidencethat cyber-security issues do notpose unacceptable risks to thesafety and resilience of the UK

regulated services

ARO has processes andprocedures to deliver

assessments of cyber-securityinformed safety and resilience

Decompositionby time (now and

in the future)

ARO has capability toundertake cyber roles

Safety case changereview is conducted

and is cyberinformed

ARO has justiifedconfidence inoverall system

Decomposition bydifferent aspectsof ARO activity

Provides confidenceexisting system secure

and resilient

Decomposition bysources ofconfidence

ARO has justifiedconfidence in the technicalapproaches for addressing

cyber-security informedsafety and resilience

Sources of doubtactively managed -

actual and perceived

Audit and assessmentof SMS and SecMS

addresses cyber

Assessment ofresilience is

carried out takingsecurity into

consideration

Incident response andresilience including

rebuttals areOrganisationalcomplexity isaddressed

Technical evaluationsare conducted

Decomposition bynecessary aspects of

delivery Decompositionby sources

Standards andlegislation addresscyber adequately

Standards andlegislationadequately

applied

ARO regulatory activityprovides justified

confidence in the securityand reslience

ARO confident that thecomposition of all the activities

addresses security and resilienceof the regulated system as awhole and are proportionate

ARO has justified confidencein the overall regulatory

institutions and standards

Vulnerabilitydiscovery and

evolving threatsare adequately

Regulatedsystem changesare conducted ina controlled way

Institutional andlegal changes are

performedproperly

Innovation andservice

connectivity areproperly dealt

with

Incidents andaccidents including

attacks areadequately

responded to

Regulated vision

High level objectives

Programme objectives

Detailed objectives

© 2017 ADELARD LLP

IMPACT ON REGULATOR

A CAE-based analysis led to a structured set of objectives for the Cyber Strategy

To support the ARO provided an analysis of some of the challenges :

• cyber-informed safety assurance• resilience• vulnerabilities• systemic risks and interdependencies• awareness, training and education• incident response and organisational learning

From this we developed • recommendations to address these issues, and

related them to the programme objectives. • a preliminary regulatory maturity model to

explain and structure the programme of work and to put into context the challenge: achieving these seven objectives.

• programme objectives with links to levels of our maturity model to define an indicative high-level plan.

Bloomfield, R. E., Bishop, P. G., Butler, E. and Netkachova, K. (2017). Using an assurance case framework to develop security strategy and policies. Lecture Notes in Computer Science, 10489, pp. 27-38. doi: 10.1007/978-3-319-66284-8_3T

Slide 26

Slide 27

Cyber safety and resilience strengthening the digital systems that support the modern economy 1

Contents

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2

Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3A sector-specific focus – connected health devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2. The challenges for critical and non-critical infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.1 What systems are being created? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.2 What vulnerabilities exist? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3. Policy context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.1 Cyber security – a key component of UK national security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.2 Cyber safety and resilience – the legal and regulatory environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.2.1 Cyber safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193.2.2 Cyber resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4. Addressing the challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.1 Supply chain vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.2 What is the right combination of mechanisms? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

4.2.1 Government’s role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224.2.2 Market-led interventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224.2.3 The role of system operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234.2.4 The role of the engineering profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4.3 Integrating safety, security and resilience in regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254.4 Strengthening the existing legislative framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.5 Transferring expertise in safety-critical systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274.6 Research on systems assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

5. Connected health devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.1 Digitalised systems in healthcare – the opportunities and challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.2 The nature of healthcare systems and their vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.3 Cyber safety and resilience – the legal and regulatory context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.4 Improving cyber safety and resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325.5 Conclusions: Applying general principles to the health sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

References and endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Cyber safety and resiliencestrengthening the digital systems that support the modern economy

© 2017 ADELARD LLP

CURRENT PROJECTS

Slide 28

© 2017 ADELARD LLP

SECURITY INFORMED SAFETY CASES – COMMUNICATION AND REASONING

• Safety justification triangle • CAE framework• Concepts• CAE Blocks• Guidance

Slide 29

Property-based approach

Standards compliance

Vulnerability assessment

Safety justification

Claim

Sub-Claim

Argument

Evidence

© 2017 ADELARD LLP

7 STEPS – SECURITY INFORMED SAFETY CASES

Case study Risk assessment Development lifecycle Assurance artefacts

Phase 1 Step 1 – Establish system context and scope of assessment

Requirements and specification

Requirements and Policy Assurance caseStep 2 – Configure risk assessment

Step 3 – Analyse policies and requirements

Phase 2 Step 4 – Preliminary risk analysis Design and implementation

System Safety case

Step 5 – Identify specific attack scenarios

Step 6 – Focused risk analysis

Step 7 – Finalise risk assessment

Slide 30

© 2017 ADELARD LLP

SECURITY AND SAFETY - CODE OF PRACTICE AND PAS

What we are doing:

• Developed a fast track British Standard (PAS Code of Practice) on automotive eco-system security and safety

• Developing a Code of Practice for railways security informed safety

• Sponsored by the UK CPNI with close involvement of industry

• Principle based approach in keeping with UK outcome focused regulation

Slide 31

© 2017 ADELARD LLP

TOP-LEVEL PRINCIPLES (COMMON)

Security policy, organization and culture

Security-aware lifecycle

Maintaining effective defences

Incident management

Secure and safe design

Contributing to a safe and secure world

© 2017 ADELARD LLP

“GOOD CITIZEN” PRINCIPLE

• Detailed recommendations(automotive guidance)

• Explanatory notes

• Supporting rationale

© 2017 ADELARD LLP

SUPPORTING ANNEXES

• Examples from the Rail CoP

• The annexes are informative and are designed to support the recommendations in the main body of the CoP

35

PAS 11281:2018

© The British Standards Institution 2018

Annex D (informative) Approaching safety and security integration

D.1 IntroductionThis PAS deals with many different aspects of considering security in the context of the safety of an automotive ecosystem. One of the most challenging areas is where safety and security interact, particularly in cases where their aims contradict or where there are unintended consequences. Interactions can stem from

a) overlapping requirements;

b) overlapping functionality;

c) the use of shared resources or platforms;

d) information flow; and

e) misuse or abuse.

In general, these safety and security interactions might present the opportunity to make decisions that could result in trade-offs between safety and security. In some cases, they could result in direct conflicts between safety and security that cannot be easily resolved. For example, consider an access system that remains in a locked state if it fails. Such a system is fail-secure, in that an attacker cannot gain access, but is not fail-safe, in that personnel cannot escape in the event of, e.g. fire. The interactions between a security policy and the safety requirements need to be assessed and any trade-offs identified. In some circumstances, increased security might reduce safety so it is essential to consider these holistically.

For safety, the most important considerations are ensuring that systems provide the required functionality with a given level of reliability (comprising integrity and availability). When the security perspective is included, confidentiality also becomes a concern. In this PAS we have recommended measures to protect the confidentiality of information that could be used by a threat agent to identify vulnerabilities or conduct an attack. The privacy of individuals is outside the scope, but there might be situations in which personal data could be used to inform an attack, or where the disclosure of sensitive data leads to non-physical harm.

Figure D.1, taken and generalized from Netkachova et al, “Investigation into a Layered Approach to Architecting Security-Informed Safety Cases” [60], shows different scenarios where security and safety interact:

a) In the bottom left corner is an area of maximum operational benefit, where with low levels of threat and no significant safety challenge, it is relatively straightforward to satisfy both aspects.

b) In the bottom right there is an area where security concerns might dominate due to the threat level. (e.g. with a need to restrict access to the device). In this case, the safety analysis must show that these constraints are acceptably safe even if they do cause higher workload or operational complexities.

c) A corresponding zone in the top left corner, where safety issues dominate and the security policy is the same or weakened. In this case, the security analysis must show that identified security threats are satisfactorily mitigated by other means during this time.

d) The top right hand corner is a very uncertain area where some special capabilities might be needed, e.g. in the form of a manual override to security policy.

Figure D.1 – A schematic showing how security and safety interact in different scenarios

Safe

ty r

isks

Security threat level

Integrated policyand benefits

Safety dominates Resolutionof conflicts

Securitydominates

© 2017 ADELARD LLP

AVAILABILITY

•Rail• Draft for industry consultation• Currently under review• Plan to release guidance Q1

2019

•Automotive• BSI publication December 2018• BSI PAS 11281

© 2017 ADELARD LLP

RESEARCH PROJECTS

Slide 36

© 2017 ADELARD LLP

Slide 37

ASSURED AUTONOMY

“Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS”(TIGARS)

Page | 1 / 30

AssuringAutonomyInternationalProgrammeExpressionofInterestForm–Call01

Towards Identifying and closing Gaps in Assurance of

autonomous Road vehicleS (TIGARS)

Enclosure2

Slide 38

Tigars - Aims & Challenges

Engineering PracticesIdentify current autonomous systems engineering approaches and assess the current state of software engineering development practice.

Assurance GapsAssess the feasibility of deploying current state-of-the-art static analysis, verification, and testing techniques.

Verification & ValidationAddress assurance gaps with new approaches• static analysis of machine learning,• simulation and test strategies• defence in depth.

Standards & PoliciesRecommendations to regulatory and policy organisations• principles-based framework to

address autonomy• near-term interpretation of

existing standards.

39

OVERVIEW

Multi infrastructure stochastic models

PIA FARA

Communication modelsTrade offs, decision support

Assurance Case to explain and justify decision

Explanation of decision based on Claims,

Arguments, Evidence

Assurance Case to justify trust in models

Claim “safety risk tolerable including cyber issues”

Adversary models

More detailed CAE

© 2017 ADELARD LLP

RITICS ROADMAPPING – SHORT TERM

• With Dr Peter Popov

• Landscape and road mapping• Identify issues with practitioners– Transport, Nuclear,– Resilience community

• Develop issues– Breadth and selective depth

• Combine – Technology and threat awareness

• Develop short R&D roadmap

• Help and interest welcome!

• Structure of issues from• RAEng Cyber Safety + PAS + IAEA• Autonomy from Tigars and AAIP• Resilienceshift (Arup) and NIC

40

© 2017 ADELARD LLP

DISCUSSION – THE YES BUT…

Slide 41

© 2017 ADELARD LLP

WHY IT MIGHT BE EASIER THAN FEARED

• Success of dependability engineering• Automotive engineering

• Air and rail transportation

• Finance system

• Nuclear power

• Consumer products

Succeed through initial high quality, fault tolerance, failure management and recovery

Already address

• Safety cases and myriad sources of risk

• Competency and culture

• Incident response and organisational learning

• Updates to system and recertification

• Defence in depth and systemic risk

• Supply chains already managed

• Dependability built in

Slide 42

© 2017 ADELARD LLP

BUT ACHIEVING DEPENDABLE SYSTEMS IS HARD

• Automotive engineering• Yet Toyota, VW

• Air and rail transportation• Yet Spanish crash, Nimrod

• Finance system• Yet crashes, $400M bug

• Nuclear power• Yet Fukushima, QA fraud

• Consumer products• Yet recalls and data loss

• Medical systems• Yet avoidable deaths

“Normal business”, achieving dependable conventional digital systems is hard

© 2017 ADELARD LLP

DISCUSSION – THE YES BUT…

• The impact of security on safety now known in general and have techniques for identifying this and detailing it further:• Security policy, organization and culture• Security-aware lifecycle• Maintaining effective defences• Incident management• Secure and safe design• Contributing to a safe and secure world

• Known and very significant impact

Slide 44

© 2017 ADELARD LLP

YES BUT…

• Security will have a major impact on all aspects of organisation, governance, requirements, architecture, development, assurance• Management of institutional and regulatory change• Legacy and long lived systems• Systems engineering and systems thinking• Technologies and architectures• Assurance strategies

• Security, like quality, intrinsic to everything – need to address security mindedness

• Political, social and threat context is changing

• Technology and systems are changing• AI,ML, IoT

Slide 45

© 2017 ADELARD LLP

CONCLUSIONS

• Security will impact on all aspects of organisation, governance, requirements, architecture, development, assurance• Security policy, organization and

culture• Security-aware lifecycle• Maintaining effective defences• Incident management• Secure and safe design• Contributing to a safe and secure

world

• “Normal business” achieving dependable conventional digital systems is hard

• A way forward• Industry implement objectives of PAS• Government and NGO address RAEng

and social policy issues• Research needed to support this

• Awareness of • Political, social and threat context is

changing• Technology and systems are changing• Need for holistic approach

• Provides opportunities not just problems

• Innovate and integrate!!

Slide 46

© 2017 ADELARD LLP

Slide 47

FURTHER READING

Bloomfield, R. E., Bendele, M., Bishop, P. G., Stroud, R. & Tonks, S. (2016). The risk assessment of ERTMS-based railway systems from a cyber security perspective: Methodology and lessons learned. Paper presented at the First International Conference, RSSRail 2016, 28-30 Jun 2016, Paris, France.

IEEE Computer June 2016

© 2018 ADELARD LLP

Slide 48

Documents

SECURITY INFORMED SAFETY WHY ITS EASY, WHY ITS HARD€¦ · • Safety systems with one mission • Shut down, stop • Security systems with one mission • Access control, CCTV