Towards Combined Safety and Security Constraints Analysis
2017 (English)
In: Proceedings of the 5th International Workshop on Assurance Cases for Software-Intensive Systems (SAFECOMP workshops) / [ed] Stefano Tonetta, Erwin Schoitsch, Springer, 2017, Vol. 10489, p. 70-80
Conference paper, Published paper (Refereed)
Abstract [en]
A growing threat to the cyber-security of embedded safety-critical systems calls for a new look at the development methods for such systems. One alternative for addressing security and safety concerns jointly is to model the system from a systems-theoretic perspective. Systems-Theoretic Process Analysis (STPA) is a new hazard analysis technique based on an accident causality model. NIST SP 800-30 is a well-known framework that has been widely employed to aid in identifying threat events/sources and vulnerabilities, determining the effectiveness of security controls, and evaluating the adverse impact of risks. Safety and security analyses, when performed independently, may generate conflicting design constraints that result in an inconsistent design. This paper reports a novel integrated approach to the safety analysis and security analysis of systems. In our approach, safety analysis is conducted with STPA while security analysis employs NIST SP 800-30. The approach builds on a specification of security and safety constraints and outlines a scheme to automatically analyze and detect conflicts between, and pairwise reinforcements of, the various constraints. Preliminary results show that the approach allows security and safety teams to perform a more efficient analysis.
Place, publisher, year, edition, pages
Springer, 2017. Vol. 10489, p. 70-80
Series
Lecture Notes in Computer Science, ISSN 1611-3349
Keywords [en]
Safety Analysis, Security Analysis, STPA, NIST SP800-30
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:liu:diva-141781
DOI: 10.1007/978-3-319-66284-8_7
Scopus ID: 2-s2.0-85029470017
OAI: oai:DiVA.org:liu-141781
DiVA, id: diva2:1147456
Conference
ASSURE 2017: 5th International Workshop on Assurance Cases for Software-intensive Systems, Trento, Italy, September 12, 2017
Projects
RICS, NFFP6
2017-10-05, 2017-10-05, 2018-08-14
Bibliographically approved