ABSTRACT
Safety-critical system engineering and traditional safety analyses have for decades been focused on problems caused by natural or accidental phenomena. Security analyses, on the other hand, focus on preventing intentional, malicious acts that reduce system availability, degrade user privacy, or enable unauthorized access. In the context of safety-critical systems, safety and security are intertwined, e.g., injecting malicious control commands may lead to system actuation that causes harm. Despite this intertwining, safety and security concerns have traditionally been designed and analyzed independently of one another, and examined in very different ways. In this work we examine a new hazard analysis technique---Systematic Analysis of Faults and Errors (SAFE)---and its deep integration of safety and security concerns. This is achieved by explicitly incorporating a semantic framework of error "effects" that unifies an adversary model long used in security contexts with a fault/error categorization that aligns with previous approaches to hazard analysis. This categorization enables analysts to separate the immediate, component-level effects of errors from their cause or precise deviation from specification.
This paper details SAFE's integrated handling of safety and security through a) a methodology grounded in---and adaptable to---different approaches from the literature, b) explicit documentation of system assumptions which are implicit in other analyses, and c) increasing the tractability of analyzing modern, complex, component-based software-driven systems. We then discuss how SAFE's approach supports the long-term goals of increased compositionality and formalization of safety/security analysis.
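As an added illustration (not code from the paper or its authors) of the abstract's point that an error's immediate, component-level effect can be classified independently of its cause: a receiving component classifies each input against its specification, and a stuck sensor (accidental cause) and a Dolev-Yao adversary modifying the message in transit (malicious cause) land in the same effect category. The category names, the specified range and deadline, and the two cause models are assumptions made for this example.

```python
"""Illustration only: classify a received message into an error-effect
category that depends on the observed deviation, not on what caused it.
Category names (CONTENT, TIMING, OMISSION) are assumed for this example;
the paper's own taxonomy may differ."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Effect(Enum):
    NONE = "none"
    CONTENT = "content"      # value is outside the specified range
    TIMING = "timing"        # value arrived after the specified deadline
    OMISSION = "omission"    # expected value never arrived


@dataclass
class Msg:
    value: Optional[float]   # None models a dropped or missing message
    arrival_ms: float        # arrival time relative to the expected slot


# Specification the consuming component relies on (assumed numbers)
SPEC_MIN, SPEC_MAX = 60.0, 200.0   # e.g. a plausible heart-rate range
DEADLINE_MS = 100.0                # message must arrive within this window


def classify(msg: Msg) -> Effect:
    """Return the immediate, component-level effect of a received message."""
    if msg.value is None:
        return Effect.OMISSION
    if msg.arrival_ms > DEADLINE_MS:
        return Effect.TIMING
    if not (SPEC_MIN <= msg.value <= SPEC_MAX):
        return Effect.CONTENT
    return Effect.NONE


def sensor_fault(true_value: float) -> Msg:
    """Constructed accidental cause: a stuck-at sensor always reports 0."""
    return Msg(value=0.0, arrival_ms=5.0)


def adversary_modify(true_value: float) -> Msg:
    """Constructed malicious cause: Dolev-Yao 'modify' of the value in transit."""
    return Msg(value=true_value * 4, arrival_ms=5.0)


def same_effect(true_value: float = 75.0) -> bool:
    """True when the accidental and malicious causes yield one effect category."""
    return classify(sensor_fault(true_value)) == classify(adversary_modify(true_value))
```

Because both causes produce the same CONTENT effect at the consumer, a single range-validity check at that component mitigates both, which is the kind of cause-independent reasoning the abstract describes.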
SAFE and Secure: Deeply Integrating Security in a New Hazard Analysis