Abstract
A growing threat to the cyber-security of embedded safety-critical systems calls for a new look at the development methods for such systems. One alternative for addressing security and safety concerns jointly is to adopt a modeling perspective based on systems theory. Systems-Theoretic Process Analysis (STPA) is a new hazard analysis technique based on an accident causality model. NIST SP 800-30 is a well-known framework that has been widely employed to aid in identifying threat events and sources and vulnerabilities, determining the effectiveness of security controls, and evaluating the adverse impact of risks. Safety and security analyses, when performed independently, may generate conflicts between design constraints that result in an inconsistent design. This paper reports a novel integrated approach to the safety analysis and security analysis of systems. In our approach, safety analysis is conducted with STPA, while security analysis employs NIST SP 800-30. It builds on a specification of security and safety constraints and outlines a scheme to automatically analyze and detect conflicts between, and pairwise reinforcements of, the various constraints. Preliminary results show that the approach allows security and safety teams to perform a more efficient analysis.
Acknowledgements
The work of the last author was supported by the national projects on aeronautics (NFFP6-00917) and the research centre on Resilient Information and Control Systems (www.rics.se). The work of the second author was supported by the Conselho Nacional de Desenvolvimento Científico e Tecnológico under grant number Universal 01/2016 403921/2016-3.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Pereira, D., Hirata, C., Pagliares, R., Nadjm-Tehrani, S. (2017). Towards Combined Safety and Security Constraints Analysis. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2017. Lecture Notes in Computer Science, vol 10489. Springer, Cham. https://doi.org/10.1007/978-3-319-66284-8_7
DOI: https://doi.org/10.1007/978-3-319-66284-8_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66283-1
Online ISBN: 978-3-319-66284-8
eBook Packages: Computer Science (R0)