Abstract
We present a way to combine security and safety assessments using Bowtie Diagrams. Bowties model both the causes leading up to a central failure event and consequences which arise from that event, as well as barriers which impede events. Bowties have previously been used separately for security and safety assessments, but we suggest that a unified treatment in a single model can elegantly capture safety-security interdependencies of several kinds. We showcase our approach with the example of the October 2021 Facebook DNS shutdown, examining the chains of events and the interplay between the security and safety barriers which caused the outage.
Notes
1. There are subtleties in different ways to treat OR gates with quantified safety or security risks, which will not be considered here.
Acknowledgements
We are grateful to Ewen Denney for suggesting that we investigate bowtie diagrams for safety-security assessments, and for comments on an early draft. This work was funded by the AISEC grant under EPSRC number EP/T027037/1.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Arnaboldi, L., Aspinall, D. (2022). Towards Interdependent Safety Security Assessments Using Bowties. In: Trapp, M., Schoitsch, E., Guiochet, J., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2022 Workshops. SAFECOMP 2022. Lecture Notes in Computer Science, vol 13415. Springer, Cham. https://doi.org/10.1007/978-3-031-14862-0_16
DOI: https://doi.org/10.1007/978-3-031-14862-0_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-14861-3
Online ISBN: 978-3-031-14862-0
eBook Packages: Computer Science, Computer Science (R0)