Towards Efficiently Checking Compliance Against Automotive Security and Safety Standards

Conference Paper · October 2017
DOI: 10.1109/ISSREW.2017.33
Conference: The 7th IEEE International Workshop on Software Certification-WoSoCer
Abstract
The growing connectivity of the systems that we rely on, e.g., transportation vehicles, is pushing towards the introduction of new standards aimed at providing a baseline to address cybersecurity besides safety. If the interplay of the two normative spaces is not mastered, compliance management might become more time-consuming and costly, preventing engineers from dedicating their energies to system engineering. In this paper, we build on top of previous work aimed at increasing efficiency and confidence in compliance management. More specifically, we contribute to building a terminological framework needed to enable the systematization of commonalities and variabilities within ISO 26262 and SAE J3061. Then, we focus our attention on the requirements for software design and implementation and we use defeasible logic to prove compliance. Based on the compliance checking results, we reveal reuse opportunities. Finally, we draw our conclusions and sketch future research directions.
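The abstract states that compliance is proved with defeasible logic. As an added illustration, not code from the paper, the following is a small propositional defeasible-logic reasoner (strict rules, defeasible rules, defeaters and a superiority relation, following the usual +Δ / +∂ proof conditions for an acyclic theory) applied to a constructed process model of one software unit. The facts and rules (asil_d, unit_test_done, mcdc_coverage_measured, r1 to r3, and so on) are illustrative assumptions and do not quote requirements of ISO 26262 or SAE J3061.

```python
"""Added example: a toy propositional defeasible-logic reasoner used to reach a
compliance verdict from process facts and normative rules. Not code from the
paper; the facts and rules below are constructed and do not quote any standard."""
from dataclasses import dataclass, field


def neg(lit: str) -> str:
    """Complement of a literal: 'p' <-> '~p'."""
    return lit[1:] if lit.startswith("~") else "~" + lit


@dataclass(frozen=True)
class Rule:
    rid: str          # rule identifier, referenced by the superiority relation
    body: tuple       # antecedent literals
    head: str         # consequent literal
    kind: str         # "strict" (->), "defeasible" (=>) or "defeater" (~>)


@dataclass
class Theory:
    facts: set
    rules: list
    sup: set = field(default_factory=set)   # pairs (winner_id, loser_id)

    def rules_for(self, lit: str, supportive_only: bool = False) -> list:
        kinds = ("strict", "defeasible") if supportive_only else ("strict", "defeasible", "defeater")
        return [r for r in self.rules if r.head == lit and r.kind in kinds]

    def definitely(self, lit: str) -> bool:
        """+Delta: lit is a fact or follows from facts through strict rules only."""
        if lit in self.facts:
            return True
        return any(all(self.definitely(a) for a in r.body)
                   for r in self.rules if r.kind == "strict" and r.head == lit)

    def applicable(self, r: Rule) -> bool:
        """Every antecedent of r is defeasibly provable."""
        return all(self.defeasibly(a) for a in r.body)

    def defeasibly(self, lit: str) -> bool:
        """+partial: lit is definitely provable, or its complement is not
        definitely provable, some supportive rule for lit is applicable, and
        every applicable rule for the complement is beaten by a superior
        applicable rule (of any kind, defeaters included) for lit."""
        if self.definitely(lit):
            return True
        if self.definitely(neg(lit)):
            return False
        if not any(self.applicable(r) for r in self.rules_for(lit, supportive_only=True)):
            return False
        for s in self.rules_for(neg(lit)):
            if not self.applicable(s):
                continue                       # attacker discarded
            if not any(self.applicable(t) and (t.rid, s.rid) in self.sup
                       for t in self.rules_for(lit)):
                return False                   # undefeated attacker
        return True


def compliance_report(theory: Theory, required: list) -> dict:
    """Verdict per required literal: its proof, its refutation, or neither."""
    out = {}
    for q in required:
        if theory.defeasibly(q):
            out[q] = "compliant"
        elif theory.defeasibly(neg(q)):
            out[q] = "non-compliant"
        else:
            out[q] = "undecided"
    return out


def build_theory(rationale_documented: bool) -> Theory:
    """Constructed process model for one software unit; all rules hypothetical."""
    facts = {"asil_d", "unit_test_done", "statement_coverage_measured",
             "~mcdc_coverage_measured"}
    if rationale_documented:
        facts.add("deviation_rationale_documented")
    rules = [
        # strict: an ASIL D unit is safety relevant (assumption, not a quote)
        Rule("s1", ("asil_d",), "safety_relevant", "strict"),
        # default: a tested unit with measured coverage counts as verified
        Rule("r1", ("unit_test_done", "statement_coverage_measured"), "unit_verified", "defeasible"),
        # exception: ASIL D without MC/DC coverage is not verified
        Rule("r2", ("asil_d", "~mcdc_coverage_measured"), "~unit_verified", "defeasible"),
        # defeater: a documented deviation rationale blocks the exception
        Rule("r3", ("deviation_rationale_documented",), "unit_verified", "defeater"),
    ]
    return Theory(facts, rules, sup={("r2", "r1"), ("r3", "r2")})


if __name__ == "__main__":
    for flag in (False, True):
        print(f"rationale documented={flag}:",
              compliance_report(build_theory(flag), ["unit_verified", "safety_relevant"]))
```

Without the documented rationale, r2 beats r1 and the unit is judged non-compliant; adding the rationale makes the defeater r3 applicable and, being superior to r2, it neutralises the exception so r1 goes through. This is the kind of exception handling that motivates defeasible rather than classical logic for normative requirements: the verdict changes when a fact is added, without any rule being rewritten.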

  • ... To claim compliance with ISO 26262 from a process perspective, necessary pieces of evidence are: the safety plan, which is used to manage the execution of safety activities, as well as the corresponding confirmation review, which includes the compliance checking of planned processes against safety requirements. In [3,4], we have identified that automatic compliance checking of safety processes involves the definition of a finite state model of the process, where normative safety requirements provide the permissible states of the process elements. This task can be supported with off-the-shelf tools. ...
    ... Once a complete catalogue of safety compliance patterns embracing ISO 26262 is ready, we plan to facilitate their instantiation by providing more elaborate guidelines. Our work on safety compliance patterns is expected to be combined with previously achieved results [3,4] regarding the provision of a framework to increase efficiency and confidence in process compliance management. ...
    Conference Paper
    Full-text available
    ISO 26262 demands a confirmation review of the safety plan, which includes the compliance checking of planned processes against safety requirements. Formal Contract Logic (FCL), a logic-based language stemming from business compliance, provides means to formalize normative requirements, enabling automatic compliance checking. However, formalizing safety requirements in FCL requires skills which cannot be taken for granted. In this paper, we provide a set of ISO 26262-specific FCL compliance patterns to facilitate rule formalization. First, we identify and define the patterns, based on the specification-pattern style of Dwyer et al. Then, we instantiate the patterns to illustrate their applicability. Finally, we sketch conclusions and future work.
  • Chapter
    Since 2014 ISoLA has been hosting a Doctoral Symposium as a scientific and networking event specifically targeted at young academics, complementing the different thematically focused research tracks of the main symposium.
  • Article
    Full-text available
    Currently, the automotive industry is in a phase of reorientation and reorganization regarding security risks and hazards of in-car electronic systems. So far, security risks in the electronics development for automobiles were largely confined to configuration protection, e.g. preventing the manipulation of speedometers or the disabling of power limitations. Now, the introduction of wireless information and communication technologies in vehicles leads to new challenges for the development and protection of the entire vehicle electronics. In this contribution a comparison of safety and security standards, using ISO 26262 and ISO 15408 as examples, is presented and both standards are discussed regarding their industrial applicability and compatibility. A coordination scheme for security and safety engineering processes is proposed.
  • Conference Paper
    Full-text available
    Traceable documentation management represents a mandatory activity according to ISO 26262. This activity is also essential for the creation of an ISO 26262-compliant safety case, which is defined as a compilation of work products. OSLC represents a promising integration framework for enabling tool interoperability and thus seamless traceability and documentation management, including safety case creation and management. In this paper, we present a step related to our work aimed at offering an OSLC-based infrastructure enabling the automatic generation of safety case fragments. Our step consists of the identification, representation and shaping of resources needed to create the safety case. Finally, conclusion and perspectives for future work are also drawn.
  • Conference Paper
    For the purpose of certification, manufacturers of today's highly connected safety-critical systems are expected to engineer their systems according to well-defined engineering processes in compliance with safety and security standards. Certification is an extremely expensive and time-consuming process. Since safety and security standards exhibit a certain degree of commonality, certification-related artifacts (e.g., process models) should to some extent be reusable. To enable systematic reuse and customization of process information, in this paper we further develop security-informed safety-oriented process line engineering (i.e., engineering of sets of processes including security and safety concerns). More specifically, first we consider three tool-supported approaches for process-related commonality and variability management and we apply them to limited but meaningful portions of safety and security standards within airworthiness. Then, we discuss our findings. Finally, we draw our conclusions and sketch future work.
  • Conference Paper
    Full-text available
    Modern vehicles are increasingly software intensive and connected. The potential hazards and economic losses due to cyberattacks have become real and imminent in recent years. Consequently, cybersecurity must be adequately addressed among other dependability attributes such as safety and reliability in the automotive domain. J3061, officially published in January 2016 by SAE International, is a much anticipated standard for cybersecurity for the automotive industry. It fills an important gap that was previously deemed irrelevant in the automotive domain. In this paper, we report our activities of applying J3061 to security engineering of an automotive Electronic Control Unit (ECU) acting as a communication gateway. As an ongoing work, we share our early experience on the concept phase of the process, with a focus on the part of Threat Analysis and Risk Assessment (TARA). Based on our experience, we propose improvements and discuss its link to ISO 26262.
  • Conference Paper
    Traditionally, safety and security have been treated as separate disciplines, but this position is increasingly becoming untenable and stakeholders are beginning to argue that if it’s not secure, it’s not safe. In this paper we present some of the work we have been doing on “security-informed safety”. Our approach is based on the use of structured safety cases and we discuss the impact that security might have on an existing safety case. We also outline a method we have been developing for assessing the security risks associated with an existing safety system such as a large-scale critical infrastructure.
  • Conference Paper
    ISO 26262 is a recently introduced automotive functional safety standard. This standard imposes new requirements that must be fulfilled for conformance purposes. Thus, companies used to developing safety-related E/E systems in compliance with either only Automotive SPICE (ASPICE) or a combination of ASPICE and IEC 61508 have to quickly perform a gap analysis in order to introduce adequate changes in their way of working. Implementing such changes in a visionary way with expectations of a long-term payback is an urgent open issue. To contribute to addressing this issue, in this paper we introduce a safety-oriented process line-based methodological framework to model commonalities and variabilities (changes) between the standards to enable reuse and flexible process derivation. To show the usefulness of our approach, we apply it to model a process-phase line for the development of safety-critical control units. Finally, we provide our lessons learned and concluding remarks.
  • Article
    Full-text available
    By definition, regulatory rules (in a legal context called norms) intend to achieve specific behaviour from business processes, and might be relevant to the whole or part of a business process. They can impose conditions on different aspects of process models, e.g., control flow, data, and resources. Based on the rule sets, norms can be classified into various classes and sub-classes according to their effects. This paper presents an abstract framework consisting of a list of norms and a generic compliance checking approach based on the idea of (possible) executions of processes. The proposed framework is independent of any existing formalism, and provides a conceptually rich and exhaustive ontology and semantics of norms needed for business process compliance checking. Apart from its other uses, the proposed framework can be used to compare different compliance management frameworks (CMFs).
  • Chapter
    Nowadays, the engineering of (software) systems has to comply with different standards, which often exhibit common requirements or at least a significant potential for synergy. Compliance management is a delicate, time-consuming, and costly activity, which would benefit from increased confidence, automation, and systematic reuse. In this paper, we introduce a new approach, called SoPLE&Logic-basedCM. SoPLE&Logic-basedCM combines (safety-oriented) process line engineering with defeasible logic-based approaches for formal compliance checking. As a result of this combination, SoPLE&Logic-basedCM enables automation of compliance checking and systematic reuse of process elements as well as compliance proofs. To illustrate SoPLE&Logic-basedCM, we apply it to the automotive domain and we draw our lessons learnt.
  • Conference Paper
    Safety standards define development processes by indicating the set of partially ordered tasks that have to be executed to achieve acceptably safe systems. Process compliance constitutes a fundamental ingredient in safety argumentation for certification purposes. Certification is a very expensive, time-consuming and quality-demanding activity. To increase quality and reduce time and cost, reuse-based approaches are being investigated. In this paper, we adopt a process line approach in the framework of safety processes. This means that we treat a family of processes as a product line, and we identify commonalities and variabilities between them. The resulting information guides developers in reusing parts of the process, the system and the safety case, e.g. which parts to make more generic, isolating changes in others to avoid ripple effects, etc.
  • Conference Paper
    Full-text available
    We propose a computationally oriented non-monotonic multi-modal logic arising from the combination of temporalised agency and temporalised normative positions. We argue about the defeasible nature of these notions and then we show how to represent and reason with them in the setting of Defeasible Logic. 1. MOTIVATION AND LAYOUT An increasing number of works on agents assume that in artificial societies normative concepts may play a decisive role, allowing for the flexible co-ordination of autonomous agents (5, 20, 15). In particular, it seems crucial to model organisations of agents in terms of policy-based normative systems; accordingly an organisation should be characterised by specifying the normative positions relevant to design its structure. These positions include duties, permissions, but also powers, as for instance powers of creating further normative positions on the head of other agents. In this paper we will develop a formal machinery to account for several fundamental concepts that are required to model policy-based normative systems. These concepts will be embedded in a non-monotonic and computationally-oriented framework based on Defeasible Logic (DL). From the conceptual standpoint, it is well known that the basic deontic qualifications (obligatory, forbidden, permitted and facultative) are not sufficient to capture all fundamental normative notions, such as the concepts of rights and power. For this reason, we will first provide an account in DL of the notion of other-directed obligation (14) to express, e.g., the first Hohfeldian set of fundamental concepts: duty, right, noright, and privilege. Second, we shall focus on different kinds of normative conditionals. This will enable us to characterise also the idea of normative power and articulate many potestative concepts such as the second Hohfeldian set of concepts: power, liability (or, subjection, to avoid confusion with the notion of liability, as used in tort law), disability, and immunity.
  • Article
    Full-text available
    This history column article provides a tour of the main software development life cycle (SDLC) models. (A lifecycle covers all the stages of software from its inception with requirements definition through to fielding and maintenance.) System development lifecycle models have drawn heavily on software and so the two terms can be used interchangeably in terms of SDLC, especially since software development in this respect encompasses software systems development. Because the merits of selecting and using an SDLC vary according to the environment in which software is developed as well as its application, I discuss three broad categories for consideration when analyzing the relative merits of SDLC models. I consider the waterfall model before the other models because it has had a profound effect on software development, and has additionally influenced many SDLC models prevalent today. Thereafter, I consider some of the mainstream models and finish with a discussion of what the future could hold for SDLC models.
  • Article
    Full-text available
    It is a typical scenario that many organisations have their business processes specified independently of their business obligations (which include contractual obligations to business partners, as well as obligations a business has to fulfil against regulations and industry standards). This is because of the lack of guidelines and tools that facilitate derivation of processes from contracts, but also because of the traditional mindset of treating contracts separately from business processes. This chapter will provide a solution to one specific problem that arises from this situation, namely the lack of mechanisms to check whether business processes are compliant with business contracts. The chapter begins by defining the space for business process compliance and the eco-system for ensuring that processes are compliant. The key point is that compliance is a relationship between two sets of specifications: the specifications for executing a business process and the specifications regulating a business. The central part of the chapter focuses on a logic-based formalism for describing both the semantics of normative specifications and the semantics of compliance checking procedures.
  • Article
    Full-text available
    Although several definitions of "software architecture" have been presented, none of them to date enable a reviewer confronted with a complex of diagrams and symbols to determine whether it is an architecture for a system or not. We present a definition of "software system architecture" which provides a set of criteria for making this determination. It is based on making the architectural rationale a first-class citizen in the definition, and on requiring the rationale to ensure that the architecture's components, connections, and constraints define a system that will satisfy a set of defined stakeholder needs for the system. 1. Introduction The term software architecture has been defined in many different ways. Intuitively people think of and apply the general term architecture from their human experience. People walk through houses, buildings, and along city streets. From this experience they associate architecture with physical structures and the physical arrangement of the struct...
  • Article
    Full-text available
    The importance of transformations and normal forms in logic programming, and generally in computer science, is well documented. This paper investigates transformations and normal forms in the context of Defeasible Logic, a simple but efficient formalism for nonmonotonic reasoning based on rules and priorities. The transformations described in this paper have two main benefits: on one hand they can be used as a theoretical tool that leads to a deeper understanding of the formalism, and on the other hand they have been used in the development of an efficient implementation of defeasible logic.
  • The foundations: Logic and Proofs
    • K H Rosen