Figure - uploaded by Pao-Ann Hsiung
COMPARISON OF RISK ASSESSMENTS FOR VDU SECURITY/SAFETY


Source publication
Article
Critical systems have very stringent requirements on both security and safety. Recent mishaps such as the missing MH370 aircraft and the sunk Korean Sewol ferry go to show that our technology in safety and security risk assessment still need a more integrated approach. Nuclear plant meltdown in the recent Fukushima accident is also a typical exampl...

Citations

... For example, Abdo et al. [25] developed a comprehensive methodology based on a combination of bowtie analysis and attack trees and illustrated it with an Industrial Control System (ICS) case study. Chen et al. [26] address risk assessment, including both safety and security, applied to a core flooder in a nuclear power plant. For this purpose, they propose using a nine-step risk assessment method similar to the one outlined in the NIST 800-30 document [27]. ...
Article
In the process of designing safety systems, an integrated approach in safety and cybersecurity analysis is necessary. The paper describes a new technique of increasing resilience through integrated analysis of functional safety and cybersecurity. It is a modeling methodology based on the combination of the multifactor method utilizing modified risk graphs, used previously for Safety Integrity Level (SIL) assessment, and the Non-Functional Requirements (NFR) approach. The NFR approach, based on the analysis of graphical representation of conceptual and physical components of the system, contributes a technique to include cybersecurity through the Softgoal Interdependency Graph. The assessment methodology is outlined in detail and applied to a case study involving an industrial control system. The analysis turns out to be effective in both aspects: confirming the findings of the multifactor approach based on modified risk graphs and complementing the traditional analysis to increase resilience in discovering and mitigating security vulnerabilities for SIL assessment by the use of NFR.
... 69,83,104,120,126 Nuclear systems were mentioned in four studies. 37,66,69,91 Business systems have been used as an evaluation domain in three publications. The use of business systems, mainly enterprise resource planning systems, has been mentioned in previous studies. ...
Article
This article presents a systematic mapping study on the model‐driven engineering of safety and security concerns in software systems. Combined modeling and development of both safety and security concerns is an emerging field of research as both concerns affect one another in unique ways. Our mapping study provides an overview of the current state of the art in this field. This study carefully selected 143 publications out of 27,259 relevant papers through a rigorous and systematic process. This study then proposes and answers questions such as frequently used methods and tools and development stages where these concerns are typically investigated in application domains. Additionally, we identify the community's preference for publication venues and trends. The discussion on obtained results also features the gained insights and future research directions. An overview of the overlapping between evaluation domains, development stages, and employed methods and tools within the safety and security software systems
... In the ICS industry, SCADA facilities have been facing challenges from security threats, such as the power generation interruption incident, due to Stuxnet (Iranian nuclear facility, 2004), or the cyber-attack against a Korean nuclear power plant (2014), and they are endeavoring to establish higher security measures. It will be appropriate to refer to such security models when establishing a security policy for the other ICS areas [26][27][28][29][30][31]. ...
... The risk can be estimated statistically for frequent events [1]. However, for rare events that happen with low frequency, risk is the result of a calculation or estimation using a theoretical model [2]. The risk is estimated with a certain degree of uncertainty and depends on the data quality and models. ...
Article
The paper presents a risk-based model to coordinate the generators' preventive maintenance of an isolated distributed Power System with wind generation presence. The model coordinates preventive maintenance minimizing the risk of loss of load probability in the Power System. The risk is estimated with a sequential Markov Chain Monte Carlo (MCMC) simulation model. In this paper, the preventive maintenance scheduling (PMS) of the generating units is a non-linear stochastic optimization problem and it is efficiently solved with the algorithms Particle Swarm Optimization (PSO) and Genetic Algorithms (GA). The model allows Power System operators to obtain a maintenance schedule that minimizes the risk of loss of load probability, as much as possible in the Power System, as well as establishing the desired level of risk. The model is applied in a Cuban Power System isolated from the main national power grid, constituting a distributed system, which has the presence of a wind farm in its energetic matrix. The paper demonstrates the proposed model's effectiveness in this real Power System.
... Each control action is reviewed under a set of different conditions and guidewords to identify loss scenarios. The approach allows us [13] to build upon extending the NIST 800-30 [14] methodology to consider safety aspects contributing to risk assessment by establishing a functional relationship between vulnerabilities, threats, and hazards. Hazard occurrence levels are assigned depending on the value of a hazard-threat conditional probability. ...
Article
Latest technological trends lead toward systems connected to public networks even in critical domains. Bringing together safety and security work is becoming imperative, as a connected safety-critical system is not safe if it is not secure. The main objective of this study is to investigate the current status of safety and security co-analysis in system engineering by conducting a systematic literature review. The steps of the review are the following: the research questions identification; agreement upon a search string; applying the search string to chosen databases; a selection criterion formulation for the relevant publications filtering; selected papers categorization and analysis. We focused on the early system development stages and identified 33 relevant publications categorized as follows: combined safety and security approaches that consider the mutual influence of safety and security; safety-informed security approaches that consider influence of safety on security; and security-informed safety approaches that consider influence of security on safety. The results showed that a number of identified approaches are driven by needs in fast developing application areas, e.g., automotive, while works focusing on combined analysis are mostly application area independent. Overall, the study shows that safety and security co-analysis is still a developing domain.
... Although the field is not new [22], trying to combine safety and security has gained a lot of attention over the past few years given the current evolution towards CPS. A number of methods have been proposed, some more generic [20][29][23] while others target specific domains like automotive [19][26][27], nuclear industry [6][21], railways [5][9][10]. Most approaches use some form of analysis based on improved and/or combined versions of the tree-based analyses that have been defined in each field (e.g. ...
Conference Paper
Design for safety-critical software intended for domains like transportation or medical systems is known to be difficult but is required to give a sufficient level of assurance that the system will not harm or kill people. To add to the difficulty, systems have now become highly connected and are turning into cyber-physical systems. This results in the need to address intentional cyber security threats on top of risks related to unintentional software defects. Different approaches are being defined to co-engineer both software security and safety in a consistent way. This paper aims at providing a deeper understanding of those approaches and the evolution of related standards by analysing them using a sound goal-oriented framework that can model both kinds of properties and also reason on them in a risk-oriented way. In the process, interesting co-design patterns are also identified and discussed. The approach is driven by a real-world open specification from the railways.
... Safety risks Security risks [CCHC14] with respect to risk identification, risk analysis and risk evaluation. The author of this paper concluded that all the aforementioned methods are useful in performing integral safety-security analysis; however, the following points still remain unaddressed: ...
Thesis
Cyber breaches have grown exponentially over the years, both in the number of incidents and in damage. Examples of such damaging attacks are numerous, with WannaCry ransomware, the DigiNotar hack, the Code Red virus and the Equifax data breach to name a few. At the same time, enterprises themselves have grown ever more complex, with an interplay of IT systems, physical infrastructure and human actors, resulting in so-called socio-technical systems. Adversaries ranging from unskilled to sophisticated, from script-kiddies to government agencies, target this complexity, exploit multiple component failures, software and hardware vulnerabilities, and combine these with social engineering techniques to launch sophisticated attacks. An impressive example of such a socio-technical attack is the attack on the Supervisory Control and Data Acquisition (SCADA) system, via the Stuxnet virus, allegedly targeting Iran's nuclear facilities. Current information security risk management techniques are based on evaluator experience, or on checklists, brainstorming, compliance standards, etc. Due to the informal nature of eliciting the security risks using these techniques, often important attack scenarios, such as multi-step attack scenarios, are missed. Additionally, due to the lack of quantitative analysis frameworks, sometimes too many security mechanisms are implemented, which interfere with system safety and usability. To address these challenges, in this thesis, we propose automated tools/techniques to aid security practitioners in understanding their cyber-risks by quantifying them, thereby making cyber-security investment decisions more objective and transparent. To do so, we provide a multi-faceted security analysis framework that is capable of answering a rich set of security questions such as cost-optimal attack scenarios for attackers, time-dependent attack probabilities, etc. Our work relies on attack trees as the modelling formalism and uses model-checking techniques for analysis.
Attack trees are graphical models, which provide a systematic representation of attack scenarios. Owing to their graphical format to elicit security risks, they are easy to use and hence very popular in security engineering. However, classical attack tree analysis techniques lack support for modelling the temporal dependencies between the attack tree components. Analytically, they are limited to single attribute computation such as probability of an attack, cost of an attack, etc. Furthermore, the traditional attack tree analysis technique of single attribute bottom-up computation is applicable only under the strong and unrealistic assumption of non-shared nodes. In this thesis, we alleviate all the aforementioned limitations of classical attack tree analysis techniques and propose novel methods using the automata theoretic framework and relying on stochastic and statistical model checking. In particular, in Part II of this thesis, we provide a multi-parametric and time dynamic analysis of attack trees, taking into account temporal dependencies, attacker profiles and accidental component failures, which otherwise cannot be analysed using state-of-the-art techniques. We augment the attack tree formalism with two new gates: the sequential-AND gate and the sequential-OR gate, which allow modelling the temporal dependencies between the attack tree components. Analytically, we provide a compositional analysis framework for attack trees, by translating them into suitable priced/stochastic timed automata. By doing so, we combine several attack tree attributes (possibly functionally dependent) in a mathematically precise manner. In Part III of this thesis, we look into security goals. For this, we develop a taxonomy for security goals based on a survey of the top 30 highly cited papers in the information security literature from 1995-2016.
We represent our taxonomy using a feature diagram, which enables us to represent commonalities, variabilities and interrelationships between the deterrent security goal concepts. By mapping security goals collected from the aforementioned papers to our taxonomy, we provide critical insights into trends, omissions and focus of security goals in the literature. In the same part, we develop a property specification language LOCKS to express both quantitative and qualitative security goals. The security goals in LOCKS are expressed as queries over an attack model, namely the structural attack model SAM. As most prominent threat models, such as attack trees and attack graphs, can be translated to generic structures of SAMs, our proposed language can express security goals over all these frameworks. Practically, we demonstrate our analysis framework with many case studies taken from the literature. To support our methods in an automated manner, we develop two tools: ATCalc to obtain the probability of attack over time and ATTop to systematically translate attack trees into automata and derive results using the principles of model-driven engineering.
... Chockalingam et al. [4] conducted a survey to identify the key characteristics and applications of integrated safety and security risk assessment methods to provide a base for future investigations and the development of more effective risk assessment methods and tools. Based on their inclusion criteria they evaluated seven methods [2,13,14,[17][18][19][20] and identified the issue that none of the methods take into account runtime system information to perform dynamic risk assessment. ...
... This scenario is exemplified in Figure 1(b), where the Test Execution Engine (1) triggers a cause, which should result in a failure mode and observable effects. (2) The Safe & Secure Self-Adaptive System observes these effects and (3) executes a Recovery Strategy after detection. (4) The Test Execution Engine again observes the SuD's reactions and finally (5) generates a report and recommendations. ...
Conference Paper
Today's software and hardware technologies enable the expansion of Cyber-Physical Systems (CPSs) into the realms of mobility (car2x, autonomous driving), energy (power plants, smart grid) and healthcare (health monitoring), paving the way into a highly interlaced world. However, this also dramatically broadens the threat landscape for potential attacks on CPSs. The malfunction of these CPSs could threaten human life, cause environmental damage and major financial loss [5, 9, 16]. This drives the need for comprehensive methods that support the cross-domain design, development and implementation of safe and secure systems [3, 4]. In order to tackle these challenges, this paper proposes a method called INSpIRA, a method for INtegrating Security Into Risk Assessment, including a toolchain implementing the method. The envisioned method is supposed to be a holistic approach that supports the efficient cross-domain design, development, implementation and maintenance of dependable CPSs, where security and safety are a critical aspect that requires an in-depth risk assessment.
... Our analysis covering a recourse of research concerned with critical infrastructure and natural disasters also establishes the importance of natural hazards, which can be exploited by attackers, and even offer metrics and controls to assure information system security and critical infrastructure safety, e.g. "Probability of failure/ inundation due to natural hazard", [49], "List of hazard initiating events" [50] or "Wind storm occurrence" [51]. It seems that organizations would benefit from not only consulting NIST, but also these and other studies to support cybersecurity management practice in their continuous assessment duties. ...
... In recent years, we have seen a transformation among the researchers of the safety and security community to work together, especially in risk management. As an example, there are developments of integrated safety and security risk assessment methods [4][5][6][7][8][9][10]. Risk assessment is one of the most crucial parts of the risk management process as it is the basis for making risk treatment decisions [11]. ...
... We included methods such as Failure Mode, Vulnerabilities, and Effect Analysis (FMVEA) [7], Extended Component Fault Tree (CFT) [9], and Extended Fault Tree (EFT) [10] from Kriaa et al. in our work as they satisfy our selection criteria. In addition, we included other methods that satisfy our selection criteria, such as Security-Aware Hazard Analysis and Risk Assessment (SAHARA) [4], Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) [5], Failure-Attack-CounTermeasure (FACT) Graph [6], and Unified security and safety risk assessment [8]. ...
... FACT Graph [6], IV. FMVEA [7], V. Unified Security and Safety Risk Assessment [8], VI. Extended CFT [9], and VII. ...
Conference Paper
Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.