Figure 1 - uploaded by Andrew J Kornecki
Safety/security engineering process.

Source publication
Article
The Next Generation Air Traffic Management system (NextGen) is a blueprint of the future National Airspace System. Supporting NextGen is a nation-wide Aviation Simulation Network (ASN), which allows integration of a variety of real-time simulations to facilitate development and validation of the NextGen software by simulating a wide range of operat...

Context in source publication

Context 1
... original report of the ASNG [4] elaborates that the system should be secured from external interference. The reason for such operational requirements is that the RTDS uses User Datagram Protocol (UDP) sockets with different communication channels, depending on the message type (state vs. route). Each channel uses a port defined in a configuration file when launching RTDS. If an attacker were to connect to the network and listen to the channel ports, he could also send messages from the gateway. In the same way, the attacker could produce misleading state or route messages that the gateway would then send to ASN. The gateway is responsible for passing data to and from ASN and, thus, it is a vital component of the air traffic monitoring and control system. If the gateway fails to transfer correct information or a command to a flight, in the best case the flight may be delayed; in the worst case there is a risk of a mid-air collision. Additionally, if the gateway is not well protected, the system may be put at risk (e.g., under attack from malevolent organizations). Therefore, relevant safety/security issues must be considered during the gateway development. At its current state, the system is just a simulated real-life environment. However, the system also includes HITL components (the ERAU RTDS includes an interface with live pilots and air traffic controllers). Ultimately, the decisions regarding development of the NextGen operational software will be based on these simulations. It is thus necessary to include and analyze safety/security requirements for the gateway project based on hazards and threats related to such an ultimate implementation. Safety or security requirements specify policies and establish goals of achieving a specified level of target safety or security. The objective is to reduce or eliminate risks due to either hazards (safety) or threats (security). In turn, hazards may result in accidents, while threats may result in attacks.
Thus, effectively, safety hazards are equivalent to security threats, and the accidents associated with these hazards are equivalent to security attacks related to the threats. Either accidents or attacks may eventually cause harm to the system assets (in terms of people, property, environment or services). Due to the above commonalities, the processes of safety and security engineering can be combined, as illustrated in Figure 1. Each of the presented activities provides input to a subsequent activity, which in turn may require modification of the preceding activity, as shown by the feedback arrows. It should be noted that safety and security issues/concerns are an integral part of the system quality, and they are not totally separate. For instance, accidents (the realm of safety) can result in security vulnerabilities that can be exploited by attacks, at which time their consequences fall within the realm of security. On the other hand, attacks may cause safety hazards that in turn may cause accidents ...

Similar publications

Article
Air traffic control (ATC) radar has been the main sensor for the detection and monitoring of commercial aircrafts for air traffic management. Typical modern ATC radar consists of a primary radar and secondary radar which is limited by high acquisition, installation and maintenance cost. Automatic Dependent Surveillance-Broadcast (ADS-B) system is t...

Citations

... Building a system reliability model is essential in reliability design [7,8]. Currently, fault tree analysis (FTA) [9,10], reliability block diagram (RBD) [11,12], failure mode and effect analysis (FMEA) [13,14], event tree (ET) [15], the minimum cut set method [16,17], dynamic fault tree (DFT) [18,19], and Markov chain (MC) [20,21] have mature theoretical foundations. These are the primary technical means of aircraft system reliability evaluation both domestically and internationally. ...
Article
Reliability is an inherent attribute of a system through optimal system design. However, during the aircraft system development process, the reliability evaluation and system function design efforts are often disconnected, leading to a divide between reliability experts and system designers in their work schedule. This disconnect results in an inefficient aircraft system reliability optimization process, known as the “two-skin” phenomenon. To address this issue, a three-state space model is proposed. Firstly, an analysis was conducted on the relationship between the system function architecture developed by the system designers and the reliability evaluation performed by the reliability experts. Secondly, based on the principle of function flow, the state of failure was categorized into “physical failure” and “non-physical failure”. Additionally, a new state of “function loss” was introduced as the third state for the system, in addition to the traditional states of “normal” and “faulty”. Thirdly, through the state of “Function loss”, an effective integration of system fault modes and function modes was achieved, leading to an optimized system reliability model. A three-state space modeling method was then developed by transforming the system function architecture into a system reliability model. Finally, this new model was applied to an aircraft’s rudder and fly-by-wire control system. The results demonstrate that the function architecture at the design stage of the system can be accurately transformed into the new three-state space model. The structure aligns closely with the function architecture and can be effectively utilized in quantitative system reliability calculations. In this way, the process of ensuring system reliability can be seamlessly integrated into the system optimization design process. 
This integration alleviates the issue of disjointed work between reliability experts and system designers, leading to a more streamlined and efficient aircraft system optimization process.
... In aviation, FTA has been used for a variety of purposes, including risk assessment [26], development of safety and security requirements [27], and identification of diagnostics [28]. Similarly, FMEA has different uses in the aviation industry, including the analysis of the failure modes of aircraft fuel system parts [28] and the assessment of aviation safety risk factors [29]. ...
Article
Air transport is considered to be the safest means of transport. However, if an accident occurs, it often ends in catastrophe. Thus, significant efforts have been paid to sustain successful operations in aviation. Several studies have been carried out to understand the underlying reasons for accidents. This study used Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA) and Causal Analysis based on Systems Theory (CAST) methods to analyse Tenerife aircraft accident and to compare the findings of different methods. The findings showed that while all three methods provided some overlapping findings, the CAST method led to the identification of all causes that were identified by other methods. Considering the nature of the causal factors, FMEA provided more causal factors that are related to organisation and technology than FTA. This study indicates that CAST has a significant value to identify all causes that can be identified by the use of traditional methods.
... It means that both terms deal with risk, however, the origin of risk allows a clear distinction between safety and security [20]. Security risk is intentional, while safety risk is unintentional. ...
... Security risk is intentional, while safety risk is unintentional. Safety considers hazards, e.g., system failures or other accidental conditions, while security considers threats and potential attacks [20]. The nature of risk consequences differs as well [21]. ...
Article
Background: The popularity of DevSecOps is on the rise because it promises to integrate a greater degree of security into software delivery pipelines. However, there is also an unacceptable risk related to safety that cannot be overlooked, given the importance of this aspect in many industries. Objective: The objective of this study is to provide an overview of the safety aspects reported in the literature on DevSecOps. This study also characterizes such aspects and identifies the gaps that may lead to future research work. Method: A systematic literature review was conducted using five well-known academic databases. The search was executed in September 2021 and March 2022 to identify relevant studies. Results: The search returned 114 academic studies. After the screening process, five primary studies published between 2019 and 2021 were selected. These studies were analyzed thoroughly to identify the safety aspects. Then, we categorized them into three main groups: (i) risk-related safety aspects, (ii) human-related aspects, and (iii) management aspects. Conclusion: Safety is an important characteristic that is becoming more critical as the number of critical systems grows. This review reveals that only a scarce number of studies are focusing on safety in DevSecOps. However, those studies gave us some insights into this topic. Therefore, our main observation is that this topic has not yet been completely explored in the academic literature. This review can encourage reflection and discussion between the safety and security communities.
... The engineering process [57] is proposed to combine safety and cybersecurity risk analysis. It can be accomplished in six subsequent steps, where each step may necessitate a modification of the previous step. ...
Thesis
Risk analysis is an essential element for regulatory decision-making related to industrial systems with a high level of risks. The first law was created in France on December 31, 1991, presenting the general principles of risk assessment and prevention. Over time, a decree has been established which obliges the employer in an industrial system to create and keep a document transcribing the results of the risk assessment. Therefore, there has been a strong interest in the development of risk analysis approaches dealing with safety and the functioning of critical industrial systems. INERIS (direction of accidental risks) carries out the different types of studies that cover the entire process of controlling the accidental risks related to the classified installations. Therefore, their studies on risk analysis generally aim to prevent the major accidents for industrial installations subject to the environmental code and to relate specifically to the risks for people and the environment. Recently, cybersecurity has emerged as a critical issue for industrial sites: they are becoming increasingly vulnerable to cyberattacks due to their increasing digitization and connectivity and the use of IT technologies in control systems (OT) of the industrial systems. The risk analysis approaches and the tools of preventing the accidental risks are not suitable for dealing with and analyzing the risks related to cybersecurity, and the latter risks are rarely assessed and when they are, are assessed in processes and studies separated from the analysis of the accidental risks. Therefore, INERIS wishes to integrate cybersecurity issues into the various stages of the control of the risks on industrial installations that can have harm on people and the environment. For these reasons, a new risk analysis approach integrating the risks related to cybersecurity with the accidental risks in the same process is developed.
The process of the approach makes it possible to create guides for the generic vulnerabilities that may exist on industrial systems and meta-models to represent the different attack scenarios that may be encountered on industrial sites. In addition, it makes it possible to automatically generate and search for the attack scenarios that may exist on a case study, based on a list of data collected from industrial installation, and to combine them with accidental risks extracted from a classical safety risks analysis in the same Bow-Tie called Cyber Bow-Tie. In addition, the evaluation of the combined risks in terms of the severity level and the likelihood value represents an important step to determine the level of criticality of the risk scenario and to put in place safety and cybersecurity measures and barriers in order to reduce or eliminate the unacceptable risks. For this reason, in the developed risk analysis approach, the steps of the evaluation and treatment of the combined risks are taken into consideration. The combined risks likelihoods are evaluated according to a two-dimensional vector representing respectively the likelihood of cybersecurity events and safety events since there are different concepts to define the likelihood related to safety and cybersecurity. Combining safety and cybersecurity risks in a single Bow-Tie and evaluating the levels of different types of risk scenarios provides a comprehensive representation and an exhaustive analysis of risk scenarios in terms of safety and cybersecurity.
... Their aims are to increase safety and efficiency and reduce costs by 2025. These systems would improve the current ATM systems and work with surveillance and satellite images to have a more visual ATC, with simulations conducted on how it would predict collisions and prevent them from occurring [25] [26]. ...
Technical Report
Studies show that most aviation accidents occur during take-off and landing phases, with some notable accidents occurring during taxiing, such as the Tenerife Disaster. The causes of these issues are primarily human error, due to poor management, but in modern-day aviation, more automation is implemented to prevent accidents from occurring to minimise these errors. A risk analysis was conducted on the systems used to prevent accidents during landing, taxiing, and take-off, which makes up an airport mission which includes turnaround time. This was to see if the new systems make a difference. The systems included were aircraft systems, air traffic control (ATC) systems, and airport systems, which ensure the aircraft moves safely. This relates to air traffic management (ATM), which uses systems to ensure aircraft move safely throughout the mission, but surveillance, navigation and communication systems are the three main components. A qualitative analysis (failure mode, effects, and criticality analysis (FMECA)) and quantitative analysis (fault tree analysis (FTA)) were conducted to analyse the systems used in ATM to prevent issues and disrupt the airport mission. It was found that, as predicted, human error had some of the highest risk, but safety net systems, which back up ATC and pilot errors, also contributed to this risk. Other risks, with the highest probability, were checklist failures, which is a standard procedure of checking if essential equipment is functional and that it complies with the minimum equipment list (MEL) of the aircraft, which determines if the aircraft can fly or not (airworthiness). The analysis showed more failures occur during the revealed failure event, due to single event failures, disrupting the mission. Mitigations of these failures were discussed by simulating ATC and minimising human error risk.
This simulation considered an autopilot function during taxiing, which would create a defined path to the aircraft stand with further work required to prove it is feasible.
... [52,58,60] The use of STPA-Sec is mentioned in previous studies [110,111,116,117,133]. The use of STPA-SafeSec is mentioned in Friedberg et al. [120]. Failure analysis is the process of collecting and analyzing data to determine the cause of a possible failure [87]. An approach very similar to failure analysis is hazard analysis (e.g., HAZOP and CHASSIS). ...
Article
This article presents a systematic mapping study on the model-driven engineering of safety and security concerns in software systems. Combined modeling and development of both safety and security concerns is an emerging field of research as both concerns affect one another in unique ways. Our mapping study provides an overview of the current state of the art in this field. This study carefully selected 143 publications out of 27,259 relevant papers through a rigorous and systematic process. This study then proposes and answers questions such as frequently used methods and tools and development stages where these concerns are typically investigated in application domains. Additionally, we identify the community's preference for publication venues and trends. The discussion on obtained results also features the gained insights and future research directions. This study answers research questions such as frequently used methods and tools, development stages, and application domains. An overview of the overlapping between evaluation domains, development stages, and employed methods and tools within the safety and security software systems
... Moreover, there also seems to be a trend towards developing integrated techniques to conduct the safety risk assessment and the cybersecurity risk assessment. For example, Kornecki et al. proposed an integrated technique based on FTA for air traffic management system [22]; Schmittner [23] proposed another one based on FMEV and illustrated it in the context of an Industrial Control and Automation System (ICAS); Abdo [24] proposed a technique to deal with uncertainties in a risk assessment combining safety and security. ...
Article
Nowadays, safety and cybersecurity are some of the most important issues involving the development of Unmanned Aircraft System (UAS) operations. For safety, the lawmakers and aviation authorities have a lot of efforts to establish an adequate safety level for UAS operations within the current airspace system. One of them is the Specific Operation Risk Assessment (SORA) methodology developed by Joint Authorities for Rulemaking on Unmanned Aircraft System (JARUS). This methodology provides a guide to conduct risk assessments for UAS operations under the Specific Category. However, the methodology supports only some problems related to safety. In this paper, we introduce our approach to extend the SORA methodology toward cybersecurity. We illustrate this approach by extending the methodology to cover the privacy problem - an aspect related to cybersecurity. Besides that, we also introduce our supporting tool in the form of a web application that helps users conduct automatic risk assessments.
... The incorporation of security and safety aspects has received massive attention worldwide [4,5]. Recent research shows that safety and cybersecurity share interdependencies in many products, especially cyber-physical systems (CPS) [6]. ...
... Remarkably, the decision supporting the regulation of the utmost probable root cause for evident problems is not available. In these conditions, Bayesian networks (BNs) could be helpful to solve this problem, mainly cybersecurity and safety applications [4][5][6][7]. In BNs, both qualitative and quantitative components are included, such as the directed acyclic graph (DAG) and conditional probability table (CPT), for each node in the DAG, respectively [8]. ...
Article
In recent times, security and safety are, at least, conducted in safety-sensitive or critical sectors. Nevertheless, both processes do not commonly analyze the impact of security risks on safety. Several scholars are focused on integrating safety and security risk assessments, using different methodologies and tools in critical infrastructures (CIs). Bayesian networks (BN) and graph theory (GT) have received much attention from academia and industries to incorporate security and safety features for different CI applications. Hence, this study aims to conduct a systematic literature review (SLR) for co-engineering safety and security using BN or GT. In this SLR, the preferred reporting items for systematic reviews and meta-analyses recommendations (PRISMA) are followed. Initially, 2295 records (acquired between 2011 and 2020) were identified for screening purposes. Later on, 240 articles were processed to check eligibility criteria. Overall, this study includes 64 papers, after examining the pre-defined criteria and guidelines. Further, the included studies were compared, regarding the number of required nodes for system development, applied data sources, research outcomes, threat actors, performance verification mechanisms, implementation scenarios, applicability and functionality, application sectors, advantages, and disadvantages for combining safety, and security measures, based on GT and BN. The findings of this SLR suggest that BN and GT are used widely for risk and failure management in several domains. The highly focused sectors include studies of the maritime industry (14%), vehicle transportation (13%), railway (13%), nuclear (6%), chemical industry (6%), gas and pipelines (5%), smart grid (5%), network security (5%), air transportation (3%), public sector (3%), and cyber-physical systems (3%). 
It is also observed that 80% of the included studies use BN models to incorporate safety and security concerns, whereas 15% and 5% use GT approaches and joint GT and BN methodologies, respectively. Additionally, 31% of identified studies verified that the developed approaches used real-time implementation, whereas simulation or preliminary analysis were presented for the remaining methods. Finally, the main research limitations, concluding remarks and future research directions are presented.
... It also shows elaborated forms of attack targeting security or safety counter-measures like taking control over the QA system. This contrasts with other approaches, generally taking a safety-first paradigm and enhancing it for security, e.g. through security-informed safety cases [81] or including security hazards during the standard fault tree analyses [82]. ...
Article
Designing safety‐critical software in domains ensuring essential services like transportation, energy, or health requires high assurance techniques and compliance with domain specific standards. As a result of the global interconnectivity and the evolution toward cyber‐physical systems, the increasing exposure to cyber threats calls for the adoption of cyber security standards and frameworks. Although safety and security have different cultures, both fields share similar concepts and tools and are worth being investigated together. This paper provides the background to understand emerging co‐engineering approaches. It advocates for the use of a model‐based approach to provide a sound risk‐oriented process and to capture rationales interconnecting top‐level standards/directives to concrete safety/security measures. We show the benefits of adopting goal‐oriented analysis that can be transposed later to domain‐specific frameworks. Both qualitative and quantitative reasoning aspects are analyzed and discussed, especially to support trade‐off analysis. Our work is driven by a representative case study in drinking water utility in the scope of the NIS regulation for operator of essential services.
... The primary purpose of attack trees is to model security threats, represent attacks against a system, and analyze attack vectors. Some researchers have demonstrated [11][12][13][14] that attack trees can be used as a supportive tool in the fields of defense and vulnerability detection. Attack trees are also successfully used in information security risk analysis [15], and design processes of security and defense systems [16] and their analysis [17]. ...
Article
Information technology (IT) security risk analysis preventatively helps organizations in identifying their vulnerable systems or internal controls. Some researchers propose expert systems (ES) as the solution for risk analysis automation since risk analysis by human experts is expensive and timely. By design, ES need a knowledge base, which must be up to date and of high quality. Manual creation of databases is also expensive and cannot ensure stable information renewal. These facts make the knowledge base automation process very important. This paper proposes a novel method of converting attack trees to a format usable by expert systems for utilizing the existing attack tree repositories in facilitating information and IT security risk analysis. The method performs attack tree translation into the Java Expert System Shell (JESS) format, by consistently applying ATTop, a software bridging tool that enables automated analysis of attack trees using a model-driven engineering approach, translating attack trees into the eXtensible Markup Language (XML) format, and using the newly developed ATES (attack trees to expert system) program, performing further XML conversion into JESS compatible format. The detailed method description, along with samples of attack tree conversion and results of conversion experiments on a significant number of attack trees, are presented and discussed. The results demonstrate the high method reliability rate and viability of attack trees as a source for the knowledge bases of expert systems used in the IT security risk analysis process.