Conference Paper

Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline

Authors:
  • IMdR (Institut de la maîtrise des risques); formerly Électricité de France (EDF)

Abstract

The digitalization of industrial control systems (ICS) raises several security threats that can endanger the safety of the critical infrastructures supervised by such systems. This paper presents an analysis method that enables the identification and ranking of risks leading to a safety issue, regardless of the origin of those risks: accidental or due to malevolence. This method relies on a modeling formalism called BDMP (Boolean logic Driven Markov Processes) that was initially created for safety studies, and then adapted to security. The use of the method is first illustrated on a simple case to show how it can be used to make decisions in a situation where security requirements are in conflict with safety requirements. Then it is applied to a realistic industrial system: a pipeline and its instrumentation and control system in order to highlight possible interactions between safety and security.


... This is true when considering safety (i.e., the absence of risk connected with unintentional malfunctions) and security (i.e., the absence of risk linked with intentional attacks) [34]. To perform transparent, complete and accountable risk assessment, it is fundamental to explicitly account for the role objects play in Events and Actions in which they participate, and for how their status affects safety and security interplay: a door being locked causes the impossible escape event in case of fire but simultaneously stops the action of a burglar entering your house [22,26,35]. Formalisms widely employed in industry and academia to conduct risk assessment - such as fault trees [30] and attack trees [33] - are not equipped to explicitly reason about objects. ...
... 4. What is the maximum risk level imposed on my laptop, given all the Actions/Events in which it participates? We showcase property specification in ODGLog and ODGLang on an ODG model for a small but well-known and representative example from safety-security literature, modelling safety and security risks on a household given the status of a door lock [22,26,35]. ...
... To ease usability, we provide ODGLang - a query language for ODGLog. 4) We showcase property specification via both ODGLog and ODGLang on the famous locked door example from literature [22,26,35]. ATs (see Fig. 1, left) are hierarchical diagrams that represent malicious Actions that can lead to a system being compromised [33,23]. ...
Preprint
Full-text available
When considering risky events or actions, we must not downplay the role of involved objects: a charged battery in our phone averts the risk of being stranded in the desert after a flat tyre, and a functional firewall mitigates the risk of a hacker intruding the network. The Common Ontology of Value and Risk (COVER) highlights how the role of objects and their relationships remains pivotal to performing transparent, complete and accountable risk assessment. In this paper, we operationalize some of the notions proposed by COVER - such as parthood between objects and participation of objects in events/actions - by presenting a new framework for risk assessment: DODGE. DODGE enriches the expressivity of vetted formal models for risk - i.e., fault trees and attack trees - by bridging the disciplines of ontology and formal methods into an ontology-aware formal framework composed of a more expressive modelling formalism, Object-Oriented Disruption Graphs (ODGs), a logic (ODGLog) and an intermediate query language (ODGLang). With these, DODGE allows risk assessors to pose questions about disruption propagation, disruption likelihood and risk levels, keeping the fundamental role of objects at risk always in sight.
... Safety and security are key non-functional properties (NFP) of IoT systems and constitute critical attributes of IoT dependability [14,16]. While system dependability deals with the system performing at its optimal functionality over a specified period [14], safety attributes entail that devices are devoid of harm to their users or damage to the environment [17-19]. Similarly, a system's security attributes concern how it performs its intended functions and mission despite the risk posed by security threats [20-22]. ...
... Broadly, the safety of a system has to do with the freedom from unacceptable risks or damage due to malfunctioning behaviours of the technological systems [20,28]. Safety relates to ensuring that the device does not cause harm to its users or damage the environment [17]. Safety violations usually occur due to failures of the hardware, software faults, or errors that could be activated by hazards [28,51]. ...
... However, in the safety-critical domains, safety violations could result in hazardous situations that are capable of negatively impacting the environment and the users. For instance, autonomous vehicles could cause an accident due to a software malfunction; wearable medical devices could cause harm to a patient due to the malfunction of biosensors, and thermostat failure could cause overheating in smart homes [16,17,28]. The safety of IoT systems must therefore consider all issues that can cause the systems to enter an unsafe physical state. ...
Article
Full-text available
The rapid progress of the Internet of Things (IoT) has continued to offer humanity numerous benefits, including many security and safety-critical applications. However, unlocking the full potential of IoT applications, especially in high-consequence domains, requires the assurance that IoT devices will not constitute risk hazards to the users or the environment. To design safe, secure, and reliable IoT systems, numerous frameworks have been proposed to analyse the safety and security, among other properties. This paper reviews some of the prominent classical and model-based system engineering (MBSE) approaches for IoT systems' safety and security analysis. The review established that most analysis frameworks are based on classical manual approaches, which independently evaluate the two properties. The manual frameworks tend to inherit the natural limitations of informal system modelling, such as human error, cumbersome processes, time consumption, and a lack of support for reusability. Model-based approaches have been incorporated into the safety and security analysis process to simplify the analysis process and improve the system design's efficiency and manageability. Conversely, the existing MBSE safety and security analysis approaches in the IoT environment are still in their infancy. The limited number of proposed MBSE approaches have only considered limited and simple scenarios, which are yet to adequately evaluate the complex interactions between the two properties in the IoT domain. The findings of this survey are that the existing methods have not adequately addressed the analysis of safety/security interdependencies, detailed cyber security quantification analysis, and the unified treatment of safety and security properties. The existing classical and MBSE frameworks' limitations obviously create gaps for a meaningful assessment of IoT dependability. To address some of the gaps, we proposed a possible research direction for developing a novel MBSE approach for the IoT domain's safety and security co-analysis framework.
... Accordingly, in responding to the emerging features of modern technological systems, new approaches were developed, which tend to unify cybersecurity threats and system reliability. Notably, the attack tree and fault tree were combined as an attack-fault tree (AFT) framework and others such as non-coherent FT [21,28,31,32,35-39]. While such approaches open research prospects in the unified treatment of safety and security, the efforts have so far been at the infancy stage in the IoT domain. ...
... Safety and security are related, and their interdependence needs to be analysed in a unified approach. This study of the relationships between safety and security in CPS is an ongoing issue, as well as research in the unified analysis of their interdependence [12,15,16,38-44]. ...
... On the other hand, antagonistic relationships between safety and security requirements which are considered jointly, lead to conflicting situations. Lastly, the independence relationship implies that there is no interaction between safety and security properties [38,39]. Therefore, there is a need to exploit the complex interaction between safety and security systematically. ...
Conference Paper
The advances in the Internet of Things (IoT) have substantially contributed to the automation of modern societies by making physical things around us more interconnected and remotely controlled over the internet. This technological progress has inevitably created an intelligent society where various mechatronic systems are becoming increasingly efficient, innovative, and convenient. Undoubtedly, the IoT paradigm will continue to impact human life by providing efficient control of the environment with minimum human intervention. However, despite the ubiquity of IoT devices in modern society, the dependability of IoT applications remains a crucial challenge. Accordingly, this paper systematically reviews the current status and challenges of IoT dependability frameworks. Based on the review, existing IoT dependability frameworks are mainly based on informal reliability models. However, these models are unable to effectively evaluate the unified treatment of safety faults and cyber-security threats of IoT systems. Additionally, the existing frameworks are also unable to deal with the conflicting interaction between co-located IoT devices and the dynamic features of self-adaptive, reconfigurable, and other autonomous IoT systems. To this end, this paper suggested the design of a novel model-based dependability framework for quantifying safety faults and cyber-security threats as well as interdependencies between safety and cyber-security in IoT ecosystems. Additionally, robust approaches dealing with conflicting interactions between co-located IoT systems and the dynamic behaviours of IoT systems in reconfigurable and other autonomous systems are required.
... In this section, to show the efficacy of our framework, we use a case study of an oil pipeline adapted from [37]. ...
... This architecture is in place to ensure the pressure in the pipeline does not exceed a maximum threshold value. Figure 10: Schematic architecture of a pipeline transporting a pollutant taken from [37]. P stands for pressure meter, F stands for flow meter. ...
... Plant operators can remotely view and alter processes. RTU (Remote terminal unit) is responsible for collecting pipe flow and pipe pressure data from sensors, controlling valves and pumps, and exchanging data and instructions received from the Master CC to other RTUs [37]. Pump ...
Article
Full-text available
Modern day industrial control systems are overwhelmingly complex. These systems feature intricate interactions between the cyber and the physical components. At the same time, they need to be trustworthy and deliver their services continuously. Underpinning this, a crucial industrial activity to ensure the dependability of such critical systems is timely maintenance, inspections and repairs. Several strategies exist here: "fix it when it breaks" (reactive maintenance), monitor and maintain a system in pre-established time intervals (preventive maintenance), preventive action based upon detected symptoms of failures, i.e. condition-based maintenance (CBM), etc. In the literature, the question of optimal maintenance frequency has been a subject of intense study. However, most papers do not take information security aspects into account. This paper provides an automated tool-supported quantitative risk analysis framework, Attack-Fault-Maintenance Trees (AFMTs), that will enable practitioners to make informed choices on: (a) identifying the critical component(s) necessary for uninterrupted systems; (b) a decision support system that will provide informed choices on policy measures, countermeasures and safeguards that will reduce the disruptions; (c) running "what-if" scenarios to find the optimal trade-offs between system attributes (safety, security, usability and maintenance). The front-end of the tool is a domain-specific language geared to represent the system architecture using graphical constructs. The back-end of the framework remains hidden to the practitioner. It consists of a mathematical engine based on statistical model-checking techniques. A case study of an oil pipeline is used to demonstrate the efficacy of our framework.
... New metrics and trade-offs are paramount to understand the interaction between safety and security aspects. [32] and [34]: here, the medium-sized example of a pipeline is presented. However, for safety and security, when considered separately, large case studies do exist [7]. ...
... This distinction is completely ignored in the analysis methods for all six attack-fault combinations/extensions [19,48,34,43,32,5]. In particular, the analysis methods for computing probabilities may not account for the different interpretation of the OR-gates related to safety or security events. ...
... The Petri nets can for instance model that the attack and failure behavior is different depending on whether a door is open or closed. Boolean Driven Markov Processes (BDMPs) [32] extend attack trees and fault trees with both Petri nets and triggers. The latter model sequential behaviour, where one fault or attack triggers another one. ...
Chapter
Full-text available
Emerging technologies, like self-driving cars, drones, and the Internet-of-Things must not impose threats to people, neither due to accidental failures (safety), nor due to malicious attacks (security). As historically separated fields, safety and security are often analyzed in isolation. They are, however, heavily intertwined: measures that increase safety often decrease security and vice versa. Also, security vulnerabilities often cause safety hazards, e.g. in autonomous cars. Therefore, for effective decision-making, safety and security must be considered in combination. This paper discusses three major challenges that a successful integration of safety and security faces: (1) the complex interaction between safety and security, (2) the lack of efficient algorithms to compute system-level risk metrics, and (3) the lack of proper risk quantification methods. We will point out several research directions to tackle these challenges, exploiting novel combinations of mathematical game theory, stochastic model checking, as well as the Bayesian, fuzzy, and Dempster-Shafer frameworks for uncertainty reasoning. Finally, we report on early results in these directions.
... For expressiveness, we compare to what extent these formalisms are able to capture the four safety-security interactions identified by Kriaa et al. [53]: Conditional dependency, where security requirements necessitate safety requirements, or vice-versa; Mutual reinforcement, where safety requirements or measures increase security, or vice-versa; Antagonism, where safety and security requirements or measures conflict with each other; and Independence, where no interaction takes place. To illustrate what the formalisms look like, we model in each formalism the Locked Door Example [85,51]. This is a classical example of safety-security interaction, exemplifying an antagonistic dependency between safety and security: if locked, a door 2 compare formalisms with respect to their ability to model safety-security interactions. ...
... We showcase the potential of each formalism by modelling the same toy example from the literature [85,51]. ...
... The IFAIL MP models instantaneous failures. Moreover, users can define their MPs as a stochastic Petri net [51], similarly to SEFTs. In [14], Boolean driven Markov processes (BDMPs) are extended with security aspects by providing additional Markov processes for attacker steps. ...
Preprint
Full-text available
We survey the state-of-the-art on model-based formalisms for safety and security joint analysis, where safety refers to the absence of unintended failures, and security to the absence of malicious attacks. We conduct a thorough literature review and - as a result - we consider fourteen model-based formalisms and compare them with respect to several criteria: (1) Modelling capabilities and Expressiveness: which phenomena can be expressed in these formalisms? To which extent can they capture safety-security interactions? (2) Analytical capabilities: which analysis types are supported? (3) Practical applicability: to what extent have the formalisms been used to analyze small or larger case studies? Furthermore, (1) we present more precise definitions for safety-security dependencies in tree-like formalisms; (2) we showcase the potential of each formalism by modelling the same toy example from the literature and (3) we present our findings and reflect on possible ways to narrow highlighted gaps. In summary, our key findings are the following: (1) the majority of approaches combine tree-like formal models; (2) the exact nature of safety-security interaction is still ill-understood and (3) diverse formalisms can capture different interactions; (4) analyzed formalisms merge modelling constructs from existing safety- and security-specific formalisms, without introducing ad hoc constructs to model safety-security interactions, or (5) metrics to analyze trade-offs. Moreover, (6) large case studies representing safety-security interactions are still missing.
... This accident was purely due to safety issues but could have possibly been triggered by an attacker. The Taum Sauk Hydroelectric Power Station has previously been used to showcase the use of BDMP on scenarios that mix safety and security [66]. ...
... of view, BDMP are capable of computing usual metrics such as reliability or MTTF [17,93,66], meaning that they can provide on demand probabilistic evaluation of future events and of how much time it will take to realise some sequences of events. BDMP are able to measure the contribution of each event to the overall probability of success [17,93,66]. BDMP are therefore able to compute the likelihood of occurrence of past or future events, raising suspicion if relevant, as well as giving the most probable explanation from a probabilistic point of view. Limits: BDMP cannot model every type of scenario. ...
Thesis
The convergence of information and industrial systems triggered a paradigm shift in the management of malicious and accidental events. Safety and security must now interact, and this changes the perimeters and the issues of diagnosis. After defining this new perimeter, this thesis provides an analysis of existing models that provide necessary information for diagnosis. It then proposes PROS²E, a new event model upon which safety and security diagnosis can be performed in industrial systems. It was specifically designed to exploit experience already present in the fields of safety and security management. PROS²E is then improved to represent more complex incidents and provide more accurate information. Several examples illustrate the diagnosis capacities of the model.
... 4 out of those studies [106,35,19,105] were discussing architecture modeling. 10 studies [109,79,96,51,89,114,24,56,88,98] were discussing architecture analysis. 14 studies [34,41,8,115,116,18,52,22,26,87,57,37,2,32] were discussing how to make architectural design of systems both safe and secure through modeling and analysis. ...
... 21 out of 95 studies focused on this aspect. While the majority of researchers explicitly focused on risk analysis [109,6,115,18,19,51,89,116,56,88,52,87,57,32], some also focused on risk assessment [13,43,24], risk communication [33], risk management [114,37], and risk modeling [84]. 20 proposed an approach or a methodology based on an already existing method or tool. ...
... Automation systems were further classified into building automation systems [64,99], electrical substation automation systems [79], and industrial automation systems [33]. Pipeline systems, on the other hand, were mainly dealing with the oil industry [48,51,55,98]. ...
Preprint
This paper presents a systematic mapping study on the model-driven engineering of safety and security concerns in systems. Integrated modeling and development of both safety and security concerns is an emerging field of research. Our mapping study provides an overview of the current state-of-the-art in this field. Through a rigorous and systematic process, this study carefully selected 95 publications out of 17,927 relevant papers published between 1992 and 2018. This paper then proposes and answers several relevant research questions about frequently used methods, development stages where these concerns are typically investigated in, or application domains. Additionally, we identify the community's preference for publication venues and trends.
... System sketching can be performed with UML, SysML, or CATALYSIS [16]. 7) Kriaa et al. (2014) [17] present a case study on an industrial control system in which the previously developed Boolean logic-driven Markov processes (BDMP) formalism is used to model safety and security interdependencies. The approach allows reasoning about antagonism between safety and security, as well as conditional dependence and mutual reinforcement between the two. ...
... Also, the ability of the approach to assist analysts in examining security constraints degradation over time is not addressed. Kriaa et al. (2014) [17] present an approach where it might be difficult to evaluate the parameters associated with the security part of the model. To tackle this they address the robustness of the decisions that can be taken, trying to determine decisions that remain valid for a wide range of values of the most uncertain parameters. ...
Article
Latest technological trends lead toward systems connected to public networks even in critical domains. Bringing together safety and security work is becoming imperative, as a connected safety-critical system is not safe if it is not secure. The main objective of this study is to investigate the current status of safety and security co-analysis in system engineering by conducting a systematic literature review. The steps of the review are the following: identification of the research questions; agreement upon a search string; applying the search string to chosen databases; formulation of a selection criterion for filtering the relevant publications; categorization and analysis of the selected papers. We focused on the early system development stages and identified 33 relevant publications categorized as follows: combined safety and security approaches that consider the mutual influence of safety and security; safety-informed security approaches that consider the influence of safety on security; and security-informed safety approaches that consider the influence of security on safety. The results showed that a number of identified approaches are driven by needs in fast developing application areas, e.g., automotive, while works focusing on combined analysis are mostly application area independent. Overall, the study shows that safety and security co-analysis is still a developing domain.
... This work is by no means the first exploration of combining security and safety [1,12,14,19,20]. Existing work in the area also highlights that this is by no means an easy feat as there are several differences as an outcome of developing in completely different contexts [12]. ...
... The paper also discusses current standards for safety and security in the context of ICS, how they may integrate and assessments to decide which category needs to be considered. Using a different formalism, BDMPs, previous work has similarly used the case study of a pipeline to observe security and safety interactions [19]. Their work was one of the first to evaluate the different interdependency types. ...
Preprint
Full-text available
We present a way to combine security and safety assessments using Bowtie Diagrams. Bowties model both the causes leading up to a central failure event and consequences which arise from that event, as well as barriers which impede events. Bowties have previously been used separately for security and safety assessments, but we suggest that a unified treatment in a single model can elegantly capture safety-security interdependencies of several kinds. We showcase our approach with the example of the October 2021 Facebook DNS shutdown, examining the chains of events and the interplay between the security and safety barriers which caused the outage.
... Furthermore, the inter-dependency between S&S constraints (aka requirements), which STPA-SafeSec considers, seems not to fall into any of these three categories (discussed in [25,26]), namely Conditional Dependency, Conflict, and Reinforcement. There is a consensus that the conflicts between requirements should be identified and resolved as early as possible, especially during system development [27-32]. ...
... Identifying or resolving conflicts between requirements can be challenging [33]. There seems to be a paucity of literature on how to identify conflicts between Safety and Security; Pereira et al. [32] suggest that both safety analysts and security analysts should work together; Kriaa et al. [26] utilize a modeling formalism called BDMP (Boolean logic Driven Markov Processes). The later the conflicts get spotted, the greater the cost/effort to resolve them [33]. ...
Article
Full-text available
Cyber-Physical Systems (CPSs) are getting increasingly complex and interconnected. Consequently, their inherent safety risks and security risks are so intertwined that the conventional analysis approaches which address them separately may be rendered inadequate. STPA (Systems-Theoretic Process Analysis) is a top-down hazard analysis technique that has been incorporated into several recently proposed integrated Safety and Security (S&S) analysis methods. This paper presents a novel methodology that leverages not only STPA, but also custom matrices to ensure a more comprehensive S&S analysis. The proposed methodology is demonstrated using a case study of a particular commercial cloud-based monitoring and control system for residential energy storage systems.
... We focus on the deliberate pollution attack that was already identified in Figure 11. It is inspired from a previously reported case and features hybrid disruptions involving both malicious attacks and accidental failures [78]. It is already used as a benchmark for mixed safety and security analysis [79,60]. ...
... More specialised than our goal-trees, attack-fault trees can capture and reason on safety and security in a combined way not only at the human level but also through automated tools hidden behind those notations. Integration was demonstrated with Boolean logic Driven Markov Processes (BDMP) [78] and with stochastic timed automata (STA) [60]. Like our work, the latter can compute Pareto-optimal curves showing trade-offs when multiple conflicting goals. ...
Article
Designing safety-critical software in domains ensuring essential services like transportation, energy, or health requires high assurance techniques and compliance with domain specific standards. As a result of the global interconnectivity and the evolution toward cyber-physical systems, the increasing exposure to cyber threats calls for the adoption of cyber security standards and frameworks. Although safety and security have different cultures, both fields share similar concepts and tools and are worth being investigated together. This paper provides the background to understand emerging co-engineering approaches. It advocates for the use of a model-based approach to provide a sound risk-oriented process and to capture rationales interconnecting top-level standards/directives to concrete safety/security measures. We show the benefits of adopting goal-oriented analysis that can be transposed later to domain-specific frameworks. Both qualitative and quantitative reasoning aspects are analyzed and discussed, especially to support trade-off analysis. Our work is driven by a representative case study in a drinking water utility in the scope of the NIS regulation for operators of essential services.
... Our experience with BDMP applied on industrial use cases like the pipeline example described in [19] revealed some patterns of typical attacks on the control and field levels. The attack taxonomy in the S-cube KB was inspired by these patterns, but also by other existing DSLs like CySeMoL, MulVAL (cf. ...
... We have already shown in [19] the advantages of building a common probabilistic model for safety and security. In a similar vein, S-cube offers a quantitative framework, based on probabilities, for assessing accidental and malicious risks. ...
Article
Full-text available
The migration of modern industrial control systems toward information and communication technologies exposes them to cyber-attacks that can alter the way they function, thereby causing adverse consequences on the system and its environment. It has consequently become crucial to consider security risks in traditional safety risk analyses for industrial systems controlled by modern industrial control systems. We propose in this article a new framework for safety and security joint risk analysis for industrial control systems. S-cube (for supervisory control and data acquisition safety and security joint modeling) is a new model-based approach that enables, thanks to a knowledge base, formal modeling of the physical and functional architecture of cyber-physical systems and automatic generation of a qualitative and quantitative analysis encompassing safety risks (accidental) and security risks (malicious). We first give the principle and rationale of S-cube and then we illustrate its inputs and outputs on a case study.
... al. developed a security risk awareness framework for autonomous trains [25]. Deriving a domain-specific modelling language for Supervisory Control and Data Acquisition (SCADA) systems for risk assessment with the use of Boolean logic Driven Markov Processes (BDMP) was shown in [26]. Kriaa et. ...
Conference Paper
The aircraft development process ensures safe and secure flight. Due to more frequent advances in technology as well as the need to be economically efficient, aircraft manufacturers strive to make aircraft and aircraft systems more customizable as well as reusable. Aircraft concepts of the future will be even more autonomous, customizable, use more Commercial off-the-shelf (COTS) components, and will have more open networks. The focus of our research is the idea of using a self-adaptive avionics platform to address some of those goals. An exemplary implementation of future concepts is the so-called Plug&Fly Avionics (PAFA), which is developed at the University of Stuttgart. PAFA is capable of discovering connected devices, autonomously configuring redundancies to meet the safety requirements, and confirming its compliance with the safety requirements by an autonomous safety assessment. However, the methods for the topology discovery, self-configuration as well as the communication throughout the platform are not implemented in a cyber-secure way. Cybersecurity assessment for aircraft systems is suggested by the RTCA DO-326 and RTCA DO-356. Consequently, the question arises of how to make self-adaptive avionics platforms cyber-secure and how the standards apply to them. Therefore, this paper will determine what needs to be addressed to make a self-adaptive avionics platform, like the PAFA, cyber-secure. An examination of cybersecurity fundamentals and current methods and architectures is conducted. From that, a concept enabling cybersecurity for self-adaptive avionics is derived. The concept is based on communication policies to evaluate network traffic. Those policies are derived from the PAFA knowledge about the topology, failure conditions and cybersecurity specific properties. Based on those policies, a rule-based software solution, the so-called First Contact Engine (FCE), ensures that the network traffic complies with the policies. The concept is assessed with respect to the current aviation cybersecurity standards RTCA DO-326 and RTCA DO-356.
... The diversified nature of Industrial Control Systems (ICSs) includes a variety of industrial sectors, such as water treatment plants, manufacturing industries, electricity power plants, and gas pipelines, emphasizing their critical role in managing complicated operations and providing key services [1,2]. The potential commercial benefits have encouraged the increased integration of ICS systems with the Internet and IT environments, including cloud computing, resulting in a break from the past practice of keeping ICSs isolated from the internet for many years [3,4]. As a result, ICSs were not secured from the attack vectors employed in most assaults. ...
Article
The growing volume of data, especially in cases of imbalanced datasets, has posed significant challenges in the classification process, particularly when it comes to identifying cyberattacks on industrial control systems (ICS) networks, which have been a source of concern due to the significant destructive impact of viruses such as Slammer, worms, Stuxnet, Duqu, Seismic Net, and Flame on critical infrastructures in various countries. The key challenge is constructing the intrusion detection system (IDS) framework to deal with imbalanced datasets. Many researchers work especially on binary classification, but multi-classification is a more challenging and still active research area. To deal with the multi-class imbalanced classification problem, we outline an instance-based intrusion detection technique named ICS-IDS, for intrusion detection in ICS systems specific to SCADA networks. The developed technique consists of two core components, the data preparation component, and the detection component. The data preparation component uses the normalization, Fisher Discriminant Analysis, and k-neighbor’s method to scale the data, reduce the dimensionality, and resample the dataset, respectively. To learn the latent representations and discern harmful vectors from attacked data, the detection/recognition component leverages an efficient instance-based learner. The proposed ICS-IDS model outperforms existing attractive methods in detecting sophisticated attack vectors in ICS data, achieving 99% accuracy and 99% detection rates (DR) on an industrial network dataset. This proves the methodology's practicality for implementing security in real-world ICS networks.
... AFTs are translated to probabilistic TAs [Bea03] in a similar way to that of [KRS15], and checking is performed with Uppaal-SMC [Dav+15b]. A case study of an oil pipeline from [Kri+14] is analyzed. ...
Preprint
Timed automata are a common formalism for the verification of concurrent systems subject to timing constraints. They extend finite-state automata with clocks, that constrain the system behavior in locations, and to take transitions. While timed automata were originally designed for safety (in the wide sense of correctness w.r.t. a formal property), they were progressively used in a number of works to guarantee security properties. In this work, we review works studying security properties for timed automata in the last two decades. We notably review theoretical works, with a particular focus on opacity, as well as more practical works, with a particular focus on attack trees and their extensions. We derive main conclusions concerning open perspectives, as well as tool support.
... Pipeline systems, on the other hand, were mainly dealing with the oil industry [46,49,88,95,96]. The use of power grid systems has been mentioned in previous studies [69,83,104,120,126]. Nuclear systems were mentioned in four studies. ...
Article
This article presents a systematic mapping study on the model‐driven engineering of safety and security concerns in software systems. Combined modeling and development of both safety and security concerns is an emerging field of research as both concerns affect one another in unique ways. Our mapping study provides an overview of the current state of the art in this field. This study carefully selected 143 publications out of 27,259 relevant papers through a rigorous and systematic process. This study then proposes and answers questions such as frequently used methods and tools and development stages where these concerns are typically investigated in application domains. Additionally, we identify the community's preference for publication venues and trends. The discussion on obtained results also features the gained insights and future research directions.
... The formalism also enables the modeling of detection and response mechanisms without a need for model change. The work in [49] applies the BDMP formalism to a pipeline case study, illustrating different types of safety-security inter-dependencies. In [50], the Stuxnet attack is modeled using BDMP and a quantitative risk analysis is carried out on the industrial control system. ...
Article
Safety risk assessment is an essential process to ensure a dependable Cyber-Physical System (CPS) design. Traditional risk assessment considers only physical failures. For modern CPS, failures caused by cyber attacks are on the rise. The focus of the latest research efforts is on safety-security lifecycle integration and the expansion of modeling formalisms for risk assessment to incorporate security failures. The interaction between safety and security lifecycles and its impact on the overall system design, as well as the reliability loss resulting from ignoring security failures, are some of the overlooked research questions. This paper addresses these research questions by presenting a new safety design method named Cyber Layer Of Protection Analysis (CLOPA) that extends the existing LOPA framework to include failures caused by cyber attacks. The proposed method provides a rigorous mathematical formulation that expresses quantitatively the trade-off between designing a highly-reliable versus a highly-secure CPS. We further propose a co-design lifecycle process that integrates the safety and security risk assessment processes. We evaluate the proposed CLOPA approach and the integrated lifecycle on a practical case study of a process reactor controlled by an industrial control testbed, and provide a comparison between the proposed CLOPA and current LOPA risk assessment practice.
... Kriaa et al. [25] give a survey of approaches combining safety and security for industrial control systems and discuss their main advantages and limitations. This survey first identifies standardization initiatives that consider safety and security coordination. Several approaches [26][27][28][29][30][31][32][33][34] exploit a formal or semi-formal representation of the functional and non-functional aspects of the system under analysis. They are generally more practical to model operational and complex systems with long service lives, by giving an approximated representation of some selected aspects of the system, particularly regarding safety and security. ...
Article
Fundamental components of the distribution systems of electric energy are primary and secondary substation networks. Considering the incorporation of legacy communication infrastructure in these systems, they often have inherent cybersecurity vulnerabilities. Moreover, traditional intrusion defence strategies for IT systems are often not applicable. With the aim to improve cybersecurity in substation networks, in this paper we present two methods for monitoring SCADA systems: the first one exploiting neural networks, while the second one is based on formal methods. To evaluate the effectiveness of the proposed methods, we conducted experiments on a real test bed representing the substation domain as close to real-world as possible. From this test bed we collect data during normal operation and during situations where the system is under attack. To this end, several different types of attack are conducted. The data collected is used to test two versions of the monitoring system: one based on machine learning with a neural network and one using a model-checking approach. Moreover, the two proposed models are tested with new data to evaluate their performance. The experiments demonstrate that both methods obtain an accuracy greater than 90%. In particular, the methodology based on formal methods achieves better performance if compared to the one based on neural networks.
... There are several works that address formal analysis of safety and security requirements interactions [6,10]. The majority of these works demonstrate how to find conflicts between them. ...
Chapter
Modern safety-critical systems become increasingly networked and interconnected. Often the communication between the system components utilises protocols similar to the standard Internet Protocol (IP). In particular, such protocols are used for communication between smart sensors and controllers. While offering advanced capabilities such as remote diagnostics and maintenance, this also makes safety-critical systems susceptible to the attacks implementable against IP-based systems. In this paper, we propose an approach to specifying a generic IP-based networked control system and formalising its security properties. We use the Event-B framework to formally analyse the impact of security attacks on safety properties of the system.
... Problem statement: To sphere the generalisation concept, we illustrate the network data exchanged amongst devices in a SCADA system as a time series $TS = \{ts^{(1)}, ts^{(2)}, \ldots, ts^{(n)}\}$, where every step $ts^{(t)}$ in the sequence is a $k$-dimensional vector $\{ts^{(t)}_1, ts^{(t)}_2, \ldots, ts^{(t)}_f\}$ where the elements count to the features $f$. ...
Article
Intrusion detection has been a prevailing area of research for several years, and numerous intrusion detection systems have been proposed for industrial control systems (ICS). In recent years, attacks like Seismic Net, Duqu and Flame against ICS infrastructures have caused great harm to nuclear infrastructures and critical facilities in several nations. The authors outline an approach to detect intrusions/anomalies in ICS. A method is presented to detect intrusions in real‐time and automatically. The existing techniques are normally designed for open systems and protocols that lack adequate generalisation and the resistance to adapt to other networks, and they have either a low detection rate or a high rate of false positives. This Letter presents a network packet contents behaviour and bidirectional Gated Recurrent Units‐based method to detect intrusions in a timely and efficient manner. The method has proven a robust method of classifying intrusions/anomalies in a proficient way. Through extensive evaluation on an actual large‐scale dataset generated from a SCADA‐based gas pipeline network, the proposed method shows significant performance enhancement and outclasses the standard state‐of‐the‐art methods with a 98.68% rate of accuracy. Moreover, it is also able to detect zero‐day (unseen) attacks.
... Depoy et al. [17] described a top-down functional assessment methodology for risk assessment of the system under four types of attacks: physical-only, cyber-enabled physical, cyber-only, and physical-enabled cyber attacks. A Boolean logic driven Markov processes (BDMP) formalism was proposed in [18,19] to model attack steps and evaluate security risk. In [20,21], a hidden Markov model (HMM) was utilized to describe the stochastic dynamics of CPSs in the attack scenario. ...
Article
Communication-based train controls (CBTC) systems play a major role in urban rail transportation. As CBTC systems are no longer isolated from the outside world but use other networks to increase efficiency and improve productivity, they are exposed to huge cyber threats. This paper proposes a generalized stochastic Petri net (GSPN) model to capture dynamic interaction between the attacker and the defender to evaluate the security of CBTC systems. Depending on the characteristics of the system and attack–defense methods, we divided our model into two phases: penetration and disruption. In each phase, we provided effective means of attack and corresponding defensive measures, and the system state was determined correspondingly. Additionally, a semiphysical simulation platform and game model were proposed to assist the GSPN model parameterization. With the steady-state probability of the system output from the model, we propose several indicators for assessing system security. Finally, we compared the security of the system with single defensive measures and multiple defensive measures. Our evaluations indicated the significance of the defensive measures and the seriousness of the system security situation.
... INDUSTRIAL control systems (ICS) are composed of groupings of software, hardware, setups, networks, links and operators that orchestrate and govern the numerous tasks required to perform complex chores such as the distribution of useful facilities and the implementation of complex and distinct industrial procedures. The variety of ICS usage setups comprises applications like water treatment plants [1], manufacturing industries [2], gas pipelines [3] and power plants [4]. Traditional ICS are not networked; therefore, they are considered to be secure by apparent air-gapped separation. ...
Article
Critical infrastructures, for example, electricity generation and distribution networks, chemical processing plants and gas distribution are governed and monitored by Supervisory Control and Data Acquisition Systems (SCADA). Detecting intrusion has been a prevalent area of study for numerous years, and several intrusion detection systems have been suggested in the literature for cyber-physical systems and industrial control systems (ICS). In recent years, the Seismic Net, Duqu and Flame attacks against ICS have caused tremendous damage to nuclear facilities and critical infrastructure in some countries. These intensified attacks have sounded the alarm for the security of industrial control systems in many countries. The challenge in constructing an intrusion detection framework is to deal with unbalanced intrusion datasets, i.e. when one class is represented by a smaller number of instances (minority class). To this end, we outline an approach to deal with this issue and propose an anomaly detection method for ICS. Our proposed approach uses a hybrid model that takes advantage of the anticipated and consistent nature of communication patterns that occur amongst ground devices in ICS setups. First, we applied some preprocessing techniques to standardize and scale the data. Second, dimensionality reduction algorithms are applied to improve the process of anomaly detection. Third, we employed the Edited Nearest-Neighbor rule algorithm to balance the dataset. Fourth, by using a Bloom filter, a signature database is created by observing the system for a specific period without the occurrence of abnormalities. Finally, to detect new attacks we combined our package contents level detection with another instance-based learner to make a hybrid method for anomaly detection. Experimental results with a real large-scale dataset generated from a gas pipeline SCADA system show that the proposed approach HML-IDS outperforms the benchmark models with an accuracy rate of 97%.
... In recent years, the BDMP approach has been used to create models for integrated safety and security risk analysis [37]. The qualitative and quantitative capabilities of BDMP provide a direction for studying the combination and inter-dependencies of safety and security risks [37,38]. ...
Article
The term cyber physical systems (CPS) refers to a new generation of systems with integrated computational and physical capabilities through computation, communication, and control. In the past decades, related techniques for CPS have been well studied and developed, and are widely applied in fields such as industrial automation, smart transportation, aerospace, environment monitoring, and smart grids. However, with the expansion of CPS complexity and the enhancement of system openness, most CPS become not only safety-critical but also security-critical since they deeply involve both physical objects and computer networks. In the last decade, it is no longer rare to see safety incidents and security attacks happening in industries. Safety and security issues are increasingly converging on CPS, leading to new situations in which these two closely interdependent issues should now be considered together, rather than separately or in sequence. This paper reviews the existing approaches of risk assessment and management from the perspective of safety, security, and their integration. The comparisons of these approaches are summarised with their pros and cons before the technical gaps between the demand and the current situation of safety and security issues in CPS are identified.
... There are several works that address formal analysis of safety and security requirements interactions [2,8]. The majority of those works demonstrate how to find conflicts between them. ...
... The modeling of safety-security interdependencies with Boolean logic Driven Markov Processes (BDMP) is conducted in [21], stating that the real challenge is to recognize and characterize the different occurring types of interdependencies as early as possible within the lifecycle, in order to manage their consequences efficiently. The approach is demonstrated and applied to an industrial system, comprised of a pipeline and its instrumentation and control systems [22]. BDMP extend the semantics of fault trees with new types of links, enabling them to define complex dynamic models while maintaining a hierarchical structure. ...
Conference Paper
Increasing interest in cyber-physical systems with integrated computational and physical capabilities that can interact with humans can be identified in research and practice. Since these systems can be classified as safety- and security-critical systems, the need for safety and security assurance and certification will grow. Moreover, these systems are typically characterized by fragmentation, interconnectedness, heterogeneity, short release cycles, cross-organizational nature and high interference between safety and security requirements. These properties, combined with the assurance of compliance to multiple standards, carrying out certification and re-certification, and the lack of an approach to model, document and integrate safety and security requirements, represent a major challenge. In order to address this gap we developed a domain-agnostic approach to model security and safety requirements in an integrated view to support certification processes during design and run-time phases of cyber-physical systems.
Chapter
Modern safety-critical control systems rely on networking to provide safety-critical functions. Network technologies not only offer a variety of benefits but also introduce cybersecurity threats. Exploiting security vulnerabilities might result in a loss of control and situation awareness as well as directly threaten safety. Therefore, the development of safety-critical systems should encompass a systematic analysis of the impact of potential cyberattacks on safety and explicit identification of security requirements early in the system development life cycle. In this paper, we propose a formal approach to modelling networked safety-critical systems within the Event-B framework. We demonstrate how modelling and refinement in Event-B can systematically identify mutual interdependencies between safety and security and facilitate deriving explicit security requirements necessary for achieving system safety.
Article
Hazard analysis is a vital step in developing intelligent connected vehicles, aiming to eliminate or control hazards in the initial stages of system development and to provide theoretical support for the system's safety design. However, conventional hazard analysis methods, such as Fault Tree Analysis and Failure Mode and Effects Analysis, suffer from two shortcomings: they do not account for the impact of cybersecurity factors on system safety and do not provide sufficient quantification of hazard scenarios. To this end, we propose a quantifiable hazard analysis method with security consideration, which integrates System Theoretic Process Analysis for Security (STPA-Sec) and Generalized Stochastic Petri Net (GSPN), supporting the extraction, modeling, and quantification of hazards. Specifically, we employ STPA-Sec for qualitative analysis to identify causal scenarios, safety requirements, security requirements, and the corresponding mitigations. Then, based on the identified causal scenarios, a GSPN model is established to quantify system-level hazards. A case study on a real open-source test vehicle demonstrates that the proposed method not only offers a comprehensive analysis of hazards but also provides a quantitative assessment. Comparative assessments suggest that the proposed method exhibits an advantage in terms of analysis processes (integrating security) and results (quantification).
Chapter
Existing approaches to analyzing safety and security are often limited to a standalone viewpoint and lack a comprehensive mapping of the propagation of concerns, including unwanted (feared events like faults, failures, hazards, and attacks) and wanted ones (e.g., requirements, properties) and their interplay across different granular system representations. We take this problem to a novel combination of the Fault and Attack Trees (FATs) as Feared Events-Properties Trees (FEPTs) and propose an approach for analyzing safety and security interactions considering a multi-level model. The multi-level model facilitates identifying safety- and security-related feared events and associated properties across different system representation levels, viz. system, sub-system, information, and component. Likewise, FEPT allows modeling and analyzing the inter-dependencies between the feared events and properties and their propagation across these levels. We illustrate the use of this approach in a simple and realistic case of trajectory planning in an intersection point scenario regarding autonomous Connected-Driving Vehicles (CDVs) to address the potential interactions between safety and security.
Article
Cyber-Physical Systems (CPS) are exposed to a plethora of attacks and their attack surface is only increasing. However, whilst many attack paths are possible, only some can threaten the system's safety and potentially lead to loss of life. Identifying them is of essence. We propose a methodology and develop a tool-chain to systematically analyse and enumerate the attacks leading to safety violations. This is achieved by lazily combining threat modelling and safety analysis with formal verification and with attack graph analysis. We also identify the minimum sets of privileges that must be protected to preserve safety. We demonstrate the effectiveness of our methodology to discover threat scenarios by applying it to a Communication Based Train Control System. Our design choices emphasise compatibility with existing safety and security frameworks, whilst remaining agnostic to specific tools or attack graphs representations.
Chapter
We present a way to combine security and safety assessments using Bowtie Diagrams. Bowties model both the causes leading up to a central failure event and consequences which arise from that event, as well as barriers which impede events. Bowties have previously been used separately for security and safety assessments, but we suggest that a unified treatment in a single model can elegantly capture safety-security interdependencies of several kinds. We showcase our approach with the example of the October 2021 Facebook DNS shutdown, examining the chains of events and the interplay between the security and safety barriers which caused the outage.
Keywords: Safety and security; Bowtie diagrams; Risk analysis
Article
Industrial Internet of Things (IIoT) networks involve heterogeneous technological and manufacturing services and devices. The communication and data exchange characteristics of IIoT systems and their associated networks make them susceptible to cyberattacks. Delivering IIoT systems with vigorous safety and speedy attack discovery is therefore vital. Intrusion detection systems (IDS) have been widely employed to detect cyber-attack events from Internet Industrial Control Systems (IICS) and their networks. Most recently, various attacks, such as Flame, Duqu and Seismic attacks, against IICS setups have caused excessive damage to nuclear and critical infrastructures in numerous countries. The existing intrusion detection methods generally lack sufficient generalization, suffer from misclassification errors and have high false alarm rates. To this end, this paper presents a deep-autoencoder based IDS to distinguish malicious actions from IIoT driven IICS networks in real-time. The proposed model is based on an LSTM auto-encoder design to identify invasive events from the IICS networks. The experimental results of the proposed IDS on two benchmark datasets, that is, the gas pipeline and UNSW-NB15 datasets, demonstrate the superiority of the proposed model as compared to other compelling ones by achieving accuracy rates of 97.95% and 97.62% for the gas pipeline data and UNSW-NB15 dataset respectively.
Article
Modern-day industries are complex socio-technical entities. Understanding the risks associated with the operation of such systems requires proper consideration of budget constraints, security expertise and evaluating the effects of legacy services. A relatively newer and unorthodox form of cyber-attacks against such systems are Advanced Persistent Threats (APTs). APTs are resourceful and strategic, aiming at maximum damage by stalling critical services and stealing sensitive information. In this article, we demonstrate how attack trees can be used as a common language to model APT attacks in a practitioner-friendly manner. We do so by modelling three prominent APT attacks, namely Stuxnet, Blackenergy and Triton. Each attack is described in a systematic and structured way following the attack tree modelling language. We show that, because attack trees are compositional models, one can reuse them to model other complex attack scenarios. We illustrate this compositional feature by modelling attacks on an industrial oil-pipeline.
Chapter
Nowadays, safety-critical control systems are becoming increasingly open and interconnected. Therefore, while engineering a safety-critical system, we should guarantee that system safety is not jeopardised by security attacks. However, the security requirements are often not uncovered until the late design stages. Hence, there is a clear need for modelling techniques that enable formal reasoning about safety and security interdependencies at the early stages of system development. In this work, we present a formal approach that allows designers to uncover the implicit security requirements implied by the explicit system-level safety goals. We rely on modelling and refinement in Event-B to systematically uncover mutual interdependencies between safety and security and derive the constraints that should be imposed on the system to guarantee its safety in the presence of accidental and malicious faults.
Article
Safeguarding both safety and cybersecurity is paramount to the smooth and trustworthy operation of contemporary cyber-physical systems, many of which support critical functions and services. As safety and security are known to be interdependent, they need to be jointly considered in such systems. As a result, various approaches have been proposed to address safety and cybersecurity co-engineering in cyber-physical systems. This paper provides a comprehensive survey of safety and cybersecurity co-engineering methods, and discusses relevant open issues and research challenges. Despite the extent of the existing literature, several aspects of the subject still remain to be fully addressed.
Chapter
Increased openness and interconnectedness of safety-critical control systems calls for techniques enabling an integrated analysis of safety and security requirements. Often safety and security requirements have intricate interdependencies that should be uncovered and analysed in a structured and rigorous way. In this paper, we propose an approach that facilitates a systematic derivation and formalisation of safety and security requirements. We propose the specification and refinement patterns in Event-B that allow us to specify and verify system behaviour and properties in the presence of both accidental faults and security attacks and analyse interdependencies between safety and security requirements.
Thesis
Cyber breaches have grown exponentially over the years, both in the number of incidents and in damage. Examples of such damaging attacks are numerous, with the WannaCry ransomware, the DigiNotar hack, the Code Red virus and the Equifax data breach to name a few. At the same time, enterprises themselves have grown ever more complex, with an interplay of IT systems, physical infrastructure and human actors, resulting in so-called socio-technical systems. Adversaries ranging from unskilled to sophisticated, from script kiddies to government agencies, target this complexity, exploit multiple component failures, software and hardware vulnerabilities, and combine these with social engineering techniques to launch sophisticated attacks. An impressive example of such a socio-technical attack is the attack on a Supervisory Control and Data Acquisition (SCADA) system via the Stuxnet virus, allegedly targeting Iran's nuclear facilities. Current information security risk management techniques are based on evaluator experience, or on checklists, brainstorming, compliance standards, etc. Due to the informal nature of eliciting security risks using these techniques, often important attack scenarios, such as multi-step attack scenarios, are missed. Additionally, due to the lack of quantitative analysis frameworks, sometimes too many security mechanisms are implemented, which interfere with system safety and usability. To address these challenges, in this thesis, we propose automated tools and techniques to aid security practitioners in understanding their cyber-risks by quantifying them, thereby making cyber-security investment decisions more objective and transparent. To do so, we provide a multi-faceted security analysis framework that is capable of answering a rich set of security questions such as cost-optimal attack scenarios for attackers, time-dependent attack probabilities, etc. Our work relies on attack trees as the modelling formalism and uses model checking for analysis.
Attack trees are graphical models which provide a systematic representation of attack scenarios. Owing to their graphical format for eliciting security risks, they are easy to use and hence very popular in security engineering. However, classical attack tree analysis techniques lack support for modelling the temporal dependencies between attack tree components. Analytically, they are limited to single-attribute computation such as the probability of an attack, the cost of an attack, etc. Furthermore, the traditional attack tree analysis technique of single-attribute bottom-up computation is applicable only under the strong and unrealistic assumption of non-shared nodes. In this thesis, we alleviate all the aforementioned limitations of classical attack tree analysis techniques and propose novel methods using the automata-theoretic framework and relying on stochastic and statistical model checking. In particular, in Part II of this thesis, we provide a multi-parametric and time-dynamic analysis of attack trees, taking into account temporal dependencies, attacker profiles and accidental component failures, which otherwise cannot be analysed using state-of-the-art techniques. We augment the attack tree formalism with two new gates: the sequential-AND gate and the sequential-OR gate, which allow modelling the temporal dependencies between attack tree components. Analytically, we provide a compositional analysis framework for attack trees by translating them into suitable priced/stochastic timed automata. By doing so, we combine several attack tree attributes (possibly functionally dependent) in a mathematically precise manner. In Part III of this thesis, we look into security goals. For this, we develop a taxonomy for security goals based on a survey of the top 30 highly cited papers in the information security literature from 1995 to 2016.
We represent our taxonomy using a feature diagram, which enables us to represent commonalities, variabilities and interrelationships between the different security goal concepts. By mapping security goals collected from the aforementioned papers to our taxonomy, we provide critical insights into trends, omissions and the focus of security goals in the literature. In the same part, we develop a property specification language, LOCKS, to express both quantitative and qualitative security goals. Security goals in LOCKS are expressed as queries over an attack model, namely the structural attack model SAM. As the most prominent threat models, such as attack trees and attack graphs, can be translated to generic structures of SAMs, our proposed language can express security goals over all these frameworks. Practically, we demonstrate our analysis framework with many case studies taken from the literature. To support our methods in an automated manner, we develop two tools: ATCalc to obtain the probability of attack over time and ATTop to systematically translate attack trees into automata and derive results using the principles of model-driven engineering.
Article
Recent trends in the design of avionics platforms increase the risk that accidental or intentional misuse of aircraft information may occur. New aircraft platforms have increased the interconnectivity of equipment both within the aircraft and with its environment (other aircraft, satellites, on-ground systems). Such a platform is made of a very wide range of software and hardware items: from highly critical items controlling the aircraft to low-criticality items that inform and entertain the passengers, through items that help the airline operate and maintain its fleet. Consequently, the avionics platform could be the target of security issues that could have an impact on aircraft safety. Airworthiness has to be ensured even in the presence of aircraft information misuse. In the past ten years, the aircraft industry, airworthiness certification authorities and research organizations have been working to deal with this important matter. New functions were designed to protect avionics platforms, regulations addressing security were issued and joint working groups were established to build applicable standards. In particular, EUROCAE Working Group 72 published in October 2010 the ED202 document [1], which defines a security process for airworthiness. In that context, partners of the SEISES project investigated, from October 2008 to December 2011, assurance aspects of the development of secure and safe embedded aerospace systems. This paper details two outcomes of the project: a joint framework that groups and organizes security and safety assurance activities, and the lessons learnt by applying this framework on three demonstrators.
Conference Paper
Attack modeling has recently been adopted by security analysts as a useful tool in risk assessment of cyber-physical systems. We propose in this paper to model the Stuxnet attack with BDMP (Boolean logic Driven Markov Processes) formalism and to show the advantages of such modeling. After a description of the architecture targeted by Stuxnet, we explain the steps of the attack and model them formally with a BDMP. Based on estimated values of the success probabilities and rates of the elementary attack steps, we give a quantification of the main possible sequences leading to the physical destruction of the targeted industrial facility. This example completes a series of papers on BDMP applied to security by modeling a real case study. It highlights the advantages of BDMP compared to attack trees often used in security assessment.
Conference Paper
The paper discusses the mutual relationships of safety and security properties in cyber-physical systems (CPS). Generally, safety impacts the system's environment while the environment impacts the security of a CPS. Very frequently, safety and security of a CPS interact with each other either synergistically or conflictingly. Therefore, a combined evaluation of safety and security that considers their interrelationships is required for a proper assessment of a CPS. Bayesian Belief Networks (BBN) can be used for this evaluation, where factors related to the safety and security of a CPS are assumed to be randomly distributed. The result of this evaluation is an assessment that is non-deterministic in nature but gives a very good approximation of the actual extent of safety and security in a CPS. Using a case study of a SCADA system for oil pipeline control, the authors present a BBN approach for assessing the mutual impacts of security and safety violations. This approach is compared with the Non-Functional Requirements (NFR) approach, used previously, which is largely qualitative in nature. This study demonstrates that the BBN approach can significantly complement other techniques for the joint assessment of safety and security in CPS.
Conference Paper
This paper discusses the implementation and use of the BDMP (Boolean logic Driven Markov Processes) formalism, recently adapted to graphical attack modeling. Theoretically, it offers an attractive trade-off between readability, scalability, modeling power and quantification capabilities. In practice, efficient model construction and analysis need complementary tools and enhancements. They have been developed only once the implementation and the first security studies have been realized. In particular, attack sequence filtering based on attacker profiles and sensitivity analysis provide a significant help. Perspectives include the addition of a security pattern library or the connection with other modeling frameworks.
Conference Paper
Safety and security issues are increasingly converging on the same critical systems, leading to new situations in which these closely interdependent notions should now be considered together. Indeed, the related requirements, technical and organizational measures can have various interactions and side-effects ranging from mutual reinforcements to complete antagonisms. A better characterization of these interdependencies is needed to ensure a controlled level of risk for the systems concerned by such a convergence. This paper describes the state of the art on this open issue and presents a new approach based on BDMP (Boolean logic Driven Markov Processes), allowing graphical modeling and advanced characterization of safety and security interdependencies. A simple use-case is used through diverse modeling variants, illustrating the capabilities, the contributions but also the limits with respect to other works dealing with safety and security interdependencies. We believe the proposed approach constitutes an original and valuable tool which could find its place in the ongoing research aiming at tackling this open and challenging task.
Conference Paper
Boolean logic Driven Markov Processes (BDMP) are a powerful modeling tool used in the reliability and safety domains. We propose to take advantage of their capabilities to go beyond the traditional techniques used to model attack scenarios. In particular, we show how this new approach can be seen as preferable to attack trees and Petri net-based methods. Attack trees are inherently static and limited to independent events, whereas BDMP are dynamic and can take into account simple dependencies. This allows the modeling of attack sequences, but also of defensive aspects such as detections. Petri net-based approaches are highly flexible but often lack readability and scalability; BDMP representations are close to attack trees, inheriting their readability and easy appropriation. Moreover, BDMP have mathematical properties leading to drastic reductions of combinatorial problems, allowing efficient scenario processing and time-dependent quantifications. Finally, limits and improvement perspectives are discussed.
Conference Paper
Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input, including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as by maliciously bridging between our car's two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car's telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.
Conference Paper
The BDMP (Boolean logic Driven Markov Processes) modeling formalism has recently been adapted from reliability engineering to security modeling. It constitutes an attractive trade-off in terms of readability, modeling power, scalability and quantification capabilities. This paper develops and completes the theoretical foundations of such an adaptation and presents new developments on defensive aspects. In particular, detection and reaction modeling are fully integrated in an augmented theoretical framework. Different use-cases and quantification examples illustrate the relevance of the overall approach.
Chapter
Critical Infrastructures (CI) are increasingly responsible for vital services our society relies on; therefore, assessing their resilience is of utmost importance for improving the trustworthiness of their services. Given the many challenges and open issues involved, a number of initiatives have been ongoing in the last decade, researching methods and developing tools for the resilience assessment of critical infrastructures. Starting from the major challenges posed by CI from the point of view of resilience assessment and assessment needs, this chapter overviews a modelling framework for the analysis of interdependencies in Electric Power Systems (EPS), adopting a state-based stochastic approach. First, it is shown how the selected approach deals with the interdependencies, complexity, heterogeneity and scalability dictated by the infrastructures involved; aspects of the framework implementation are then discussed, and some illustrative examples of different typologies of analysis are provided on selected EPS scenarios.
Article
The purpose of this paper is to give a comprehensive view of methods, models, tools and techniques that have been created in safety engineering and transposed to security engineering, or vice versa. Since the concepts of safety and security can somewhat vary according to the context, the first section of the paper deals with the scope and definitions that will be used in the sequel. The similarities and differences between the two domains are analyzed. A careful screening of the literature (this paper contains 201 references) made it possible to identify cross-fertilizations in various fields such as architectural concepts (e.g. defense in depth, security or safety kernels), graphical formalisms (e.g. attack trees), structured risk analyses or fault tolerance and prevention techniques.
Article
Modern cyber-physical systems are found in important domains such as automobiles, medical devices, building automation, avionics, etc. Hence, they are increasingly prone to security violations. Often such vulnerabilities occur as a result of contradictory requirements between the safety/real-time properties and the security needs of the system. In this paper we propose a formal framework that assists designers in detecting such conflicts early, thus increasing both the safety and the security of the overall system.
Article
In this paper, a new method for quantitative security risk assessment of complex systems is presented, combining fault-tree analysis, traditionally used in reliability analysis, with the recently introduced Attack-tree analysis, proposed for the study of malicious attack patterns. The combined use of fault trees and attack trees helps the analyst to effectively face the security challenges posed by the introduction of modern ICT technologies in the control systems of critical infrastructures. The proposed approach allows considering the interaction of malicious deliberate acts with random failures. Formal definitions of fault tree and attack tree are provided and a mathematical model for the calculation of system fault probabilities is presented.
Article
Systems whose failure can lead to the damage of property or the environment, or loss of human life are regarded as safety-critical systems. It is no longer adequate to build safety-critical systems based on the control of errors and failures alone. Safety-critical systems must also deal with securing the data that is used in their operation. While safety and security engineering have evolved separately, there are a number of similarities. These similarities and efforts to integrate safety and security are identified. A project looking at securing safety-critical communications for the Australian rail network is also discussed.
Article
The meaning of the terms “security” and “safety” varies considerably from one context to another, leading to potential ambiguities. These ambiguities are very problematic in the critical infrastructure protection domain, which involves multiple actors and engineering disciplines. Avoiding misunderstandings caused by the ambiguities during the early stages of system design and risk assessment can save time and resources; it also helps ensure a more consistent and complete risk coverage. Based on a review of the existing definitions of security and safety, this paper identifies the main distinctions between the two notions. It proposes a referential framework called SEMA, which makes the latent differences underlying the use of the terms security and safety explicit. Three sectors are examined as use cases: The power grid, nuclear power generation, and telecommunications and data networks. Mapping the different sector definitions of security and safety in the SEMA framework makes their respective meanings explicit and reveals inconsistencies and overlaps.
Article
This paper introduces a modeling formalism that enables the analyst to combine concepts inherited from fault trees and Markov models in a new way. We call this formalism Boolean logic Driven Markov Processes (BDMP). It has two advantages over conventional models used in dependability assessment: it allows the definition of complex dynamic models while remaining nearly as readable and easy to build as fault trees, and it offers interesting mathematical properties, which enable efficient processing for BDMP that are equivalent to Markov processes with huge state spaces. We give a mathematical definition of BDMP, the demonstration of their properties, and several examples to illustrate how powerful and easy to use they are. From a mathematical point of view, a BDMP is nothing more than a certain way to define a global Markov process as the result of several elementary processes which can interact in a given manner. An extreme case is when the processes are independent. Then we simply have a fault tree, the leaves of which are associated with independent Markov processes.
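The abstracts above make two quantitative claims that are easy to check on a toy model: with independent leaves a BDMP collapses to a fault tree / attack tree whose top-event probability follows from bottom-up arithmetic (the rule the thesis abstract notes is only valid for non-shared, independent nodes), while a step that is triggered by a previous one, or that can be detected while in progress, needs the underlying Markov process. The following Python is an added illustration written for this page; it is not code from any of the papers listed here nor from the BDMP tooling. The four-state attack chain, the two attack steps, the detection transition, the accidental-failure leaf and all rates and the time horizon are assumptions made for the example.

```python
"""Added illustration for the BDMP / attack-tree abstracts (not code from those
papers or their tools): one two-step attack quantified (a) with the static
bottom-up rule that only holds for independent, non-shared leaves and (b) as a
small continuous-time Markov process in which the second step is triggered by
the first and can be detected while in progress.  All rates, the horizon and the
state space are assumptions made for the example."""
import math

# ---- (a) static bottom-up quantification, fault-tree / attack-tree style ----
def leaf_prob(rate, t):
    """P(an exponential step with success rate `rate` has completed by time t)."""
    return 1.0 - math.exp(-rate * t)

def and_gate(probs):
    """Independent leaves only: all children have occurred by t."""
    p = 1.0
    for q in probs:
        p *= q
    return p

def or_gate(probs):
    """Independent leaves only: at least one child has occurred by t."""
    p = 1.0
    for q in probs:
        p *= 1.0 - q
    return 1.0 - p

# ---- (b) Markov-process quantification (what a BDMP reduces to) ----
def ctmc_transient(Q, pi0, t, tol=1e-10, max_terms=100000):
    """Transient distribution pi(t) of a CTMC with generator Q (rows sum to 0),
    by uniformization: pi(t) = sum_k Poisson(k; L*t) * pi0 * P^k with
    L = max exit rate and P = I + Q/L.  Pure Python; adequate for tiny chains."""
    n = len(Q)
    big_l = max(-Q[i][i] for i in range(n))
    if big_l == 0.0:
        return list(pi0)
    P = [[(1.0 if i == j else 0.0) + Q[i][j] / big_l for j in range(n)] for i in range(n)]
    x = big_l * t
    weight = math.exp(-x)            # Poisson(0; x); assumes x < ~700 so it does not underflow
    vec = list(pi0)                  # pi0 * P^k, updated in place
    out = [weight * v for v in vec]
    covered, k = weight, 0           # Poisson mass accounted for so far
    while 1.0 - covered > tol and k < max_terms:
        k += 1
        vec = [sum(vec[i] * P[i][j] for i in range(n)) for j in range(n)]
        weight *= x / k
        covered += weight
        out = [o + weight * v for o, v in zip(out, vec)]
    return out

# States of the assumed attack branch:
#   0 = step A (gain a foothold on the control network) pending
#   1 = A done; step B (forge the unsafe command) in progress, detectable at rate mu
#   2 = top event: unsafe command reaches the controller      (absorbing)
#   3 = attack detected and stopped before B completes        (absorbing)
def sequential_attack_ctmc(lam_a, lam_b, mu, t):
    """P(top event by t) when B can only start after A (trigger) and B may be detected."""
    Q = [[-lam_a, lam_a, 0.0, 0.0],
         [0.0, -(lam_b + mu), lam_b, mu],
         [0.0, 0.0, 0.0, 0.0],
         [0.0, 0.0, 0.0, 0.0]]
    return ctmc_transient(Q, [1.0, 0.0, 0.0, 0.0], t)[2]

def sequential_attack_closed_form(lam_a, lam_b, mu, t):
    """Same quantity integrated by hand (requires lam_a != lam_b + mu); cross-check."""
    c = lam_b + mu
    return (lam_a * lam_b / (c - lam_a)) * ((1.0 - math.exp(-lam_a * t)) / lam_a
                                            - (1.0 - math.exp(-c * t)) / c)

def unsafe_state_prob(lam_a, lam_b, mu, lam_fail, t):
    """Combined safety/security top event: accidental controller failure OR the
    attack branch succeeding.  The two causes are assumed independent, so the
    static OR gate is valid here even though the attack branch itself is dynamic."""
    return or_gate([leaf_prob(lam_fail, t), sequential_attack_ctmc(lam_a, lam_b, mu, t)])

if __name__ == "__main__":
    LAM_A, LAM_B, MU, LAM_FAIL, T = 0.5, 1.0, 2.0, 0.01, 2.0   # rates per day, 2-day horizon
    static = and_gate([leaf_prob(LAM_A, T), leaf_prob(LAM_B, T)])  # both steps run from t = 0
    seq = sequential_attack_ctmc(LAM_A, LAM_B, 0.0, T)              # B waits for A, no detection
    det = sequential_attack_ctmc(LAM_A, LAM_B, MU, T)               # B waits for A, detectable
    print(f"static AND (independent leaves):         {static:.4f}")
    print(f"sequential (trigger), no detection:      {seq:.4f}")
    print(f"sequential (trigger) + detection:        {det:.4f}")
    print(f"accidental failure OR attack (with det): "
          f"{unsafe_state_prob(LAM_A, LAM_B, MU, LAM_FAIL, T):.4f}")
```

The static AND treats both attack steps as running from time zero, which is all an attack tree can express; it therefore overstates the attacker's progress over a fixed horizon relative to the triggered version, and the detection transition lowers it further. Setting `mu` to zero and making the leaves independent (dropping the trigger) brings the Markov computation back to the bottom-up value, which is the collapse to a fault tree that the BDMP abstract describes.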
Article
A building automation and control system (BACS) is used to integrate different kinds of services into a single system to provide automated combined services and, consequently, ease maintenance and save costs. Typical services are heating, ventilation, and air conditioning, as well as lighting and shading. Later on, security-critical services and, in recent times, safety-critical ones have also been integrated into the BACS. Today, the two last-mentioned types of services are realized by closed subsystems as part of the BACS. Such an approach makes the management and maintenance of the BACS less efficient and does not allow combined security- and safety-critical (s&s) services. This paper presents a common approach on how to engineer a safety- and security-related building automation technology. It shall be the basis of a BACS that is able to provide combined s&s and standard services. Hence, closed subsystems in the BACS can be avoided, and new services can be offered. Such a new service is delineated, taking existing application standards into consideration.
Conference Paper
This paper investigates safety and security requirements specification methods, and proposed techniques for the integration of contrasting methodologies. The nature of interaction between safety and security requirements, and problems relating to their independent development, are discussed. The requirements specifications of an Air Traffic Control system are used to highlight the problems inherent in the independent approach to requirements development. From investigation of the literature and the case study, we identify several areas that can cause problems when we attempt to harmonize safety and security requirements techniques. The most important of these are: different system models used for safety and security; different documentation structures for the analyses and their results; the interaction of safety and security requirements; isolation of safety and security requirements processes.
Integrating safety and security into the system lifecycle
  • B Hunter
Hunter, B.: Integrating safety and security into the system lifecycle. In: Improving Systems and Software Engineering Conference (ISSEC), Canberra, Australia, p. 147 (August 2009)
Attack and defense dynamic modeling with BDMP (extended version)
  • L Pietre-Cambacedes
  • M Bouissou
Pietre-Cambacedes, L., Bouissou, M.: Attack and defense dynamic modeling with BDMP (extended version). Technical report, Telecom ParisTech (2010)
Security and safety assurance for aerospace embedded systems
  • P Bieber
  • J P Blanquart
  • G Descargues
  • M Dulucq
  • Y Fourastier
  • E Hazane
  • M Julien
  • L Leonardon
  • G Sarouille
Bieber, P., Blanquart, J.P., Descargues, G., Dulucq, M., Fourastier, Y., Hazane, E., Julien, M., Leonardon, L., Sarouille, G.: Security and safety assurance for aerospace embedded systems. In: Proceedings of the 6th International Conference on Embedded Real Time Software and Systems, Toulouse, France, pp. 1-10 (2012)
The integration of safety and security requirements
  • D P Eames
  • J D Moffett
Eames, D.P., Moffett, J.D.: The integration of safety and security requirements. In: Felici, M., Kanoun, K., Pasquini, A. (eds.) SAFECOMP 1999. LNCS, vol. 1698, pp. 468-480. Springer, Heidelberg (1999)
Addressing safety and security contradictions in cyber-physical systems
  • M Sun
  • S Mohan
  • L Sha
  • C Gunter
Sun, M., Mohan, S., Sha, L., Gunter, C.: Addressing safety and security contradictions in cyber-physical systems. In: 1st Workshop on Future Directions in Cyber-Physical Systems Security (CPSS 2009), Newark, United States (2009)