A Quantitative Approach for the Likelihood of Exploits of System Vulnerabilities

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2018)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 11094)

Abstract

The transition of modern systems towards more connected information and communication technologies (ICT) has increased the safety, capacity and reliability of systems such as transport systems (railways, automotive) and industrial systems, but it has also exposed a large additional attack surface to cyber attackers, which makes it necessary to take general IT security concerns into consideration. Cyber-physical systems need more effort to consider safety-critical IT security concerns. The safety impact of security compromises is evaluated in a semi-quantitative manner because this is a relatively new area: there is not enough real data available to analyse attack rates quantitatively, and the attack-vulnerability scenario is constantly changing because of adversary intelligence. This paper proposes an approach for the quantification of vulnerabilities based on learning from data obtained by concrete pattern implementations in safety-critical systems. This will allow combined analysis of safety and security.

Acknowledgements

The work published here is based on research in the AMASS project that has been funded by the ECSEL Joint Undertaking under Grant Agreement number 692474.

Author information

Correspondence to Siddhartha Verma, Thomas Gruber, Peter Puschner, Christoph Schmittner or Erwin Schoitsch.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Verma, S., Gruber, T., Puschner, P., Schmittner, C., Schoitsch, E. (2018). A Quantitative Approach for the Likelihood of Exploits of System Vulnerabilities. In: Gallina, B., Skavhaug, A., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2018. Lecture Notes in Computer Science, vol 11094. Springer, Cham. https://doi.org/10.1007/978-3-319-99229-7_16

  • DOI: https://doi.org/10.1007/978-3-319-99229-7_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99228-0

  • Online ISBN: 978-3-319-99229-7

  • eBook Packages: Computer Science, Computer Science (R0)
