A Model-based Approach to Interdependency between Safety and Security in ICS

Wide use of modern ICT technologies brings not only communication efficiency, but also security vulnerabilities into industrial control systems. Traditional physically-isolated systems are now required to take cyber security into consideration, which might also lead to system failures. However, integrating security and safety analysis has always been a challenging issue and the various interdependencies between them make it even more difficult, because they might mutually enhance, or undermine. The paper proposes an integrating framework to (i) formalise the desired and undesired properties to be safe(unsafe) or secure(insecure), including the dependencies between them, (ii) evaluate if a query state reaches a safe(unsafe) or secure(insecure) state, and further quantify how safe or secure the state is. In this way,we can accurately capture the benign and harmful relations between safety and security, particularly detecting and measuring conflicting impacts on them. Finally, this framework is implemented by answer set programming to enable automatic evaluation, which is demonstrated by a case study on pipeline transportation.

Content

Author and article information

Contributors

Tingting Li

Chris Hankin

Conference

Publication date: September 2015

Publication date (Print): September 2015

Pages: 31-41

Affiliations

[0001]Institute for Security Science and Technology

Imperial College London

London, UK

Article

DOI: 10.14236/ewic/ICS2015.4

SO-VID: b353dfd2-ec78-4a6b-b5bb-7bc8dd3cf817

Copyright statement: © Li et al. Published by BCS Learning & Development Ltd. Proceedings of the 3 ^rd International Symposium for ICS & SCADA Cyber Security Research 2015

License:

This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

Conference name: 3rd International Symposium for ICS & SCADA Cyber Security Research 2015 (ICS-CSR 2015)

Conference acronym: ICS-CSR

Conference number: 3

Conference location: Germany

Conference date: 17 - 18 September 2015

Conference sponsor: Electronic Workshops in Computing (eWiC)

Conference theme: Industrial Control System & SCADA Cyber Security Research (ICS-CSR)

Product

Product Information: 1477-9358BCS Learning & Development

Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2015.4

Self URI (journal page): https://ewic.bcs.org/

References

T Aven 2007 A unified framework for risk and vulnerability analysis covering both safety and security Reliability Eng. Syst. Safety 92 6 745 754
C Baral 2003 Knowledge representation, reasoning and declarative problem solving Cambridge, U.K Cambridge University Press
R BloomfieldK NetkachovaR Stroud, 2013 Security-informed safety: If its not secure, its not safe Software Engineering for Resilient Systems Berlin, Germany Springer 17 32
D. P EamesJ Moffett 1999 The integration of safety and security requirements Computer Safety, Reliability and Security Berlin, Germany Springer 468 480
M GebserR KaminskiB KaufmannM OstrowskiT SchaubM Schneider 2011 Potassco: The Potsdam answer set solving collection AI Commun 24 2 107 124
C HankinF NielsonH. R Nielson 2009 Advice from belnap policies IEEE 22nd Computer Security Foundations Symposium 234 247
S KriaaM BouissouF ColinY HalgandL Pietre-Cambacedes, 2014 Safety and security interactions modeling using the BDMP formalism: Case study of a pipeline Computer Safety, Reliability, and Security Berlin, Germany Springer 326 341
S KriaaL Pietre-CambacedesM BouissouY Halgand 2015 A survey of approaches combining safety and security for industrial control systems Reliability Eng. Syst. Safety 139 156 178
R Langer 2012 Robust control system networks how to achieve reliable control after stuxnet
Q NiE BertinoJ Lobo 2009 D-algebra for composing access control policy decisions Proceedings of the 4th International Symposium on Information, Computer, and Communications Security ACM 298 309
T NovakA TreytlP Palensky 2007 Common approach to functional safety and system security in building automation and control systems IEEE Conference Emerging Technologies and Factory Automation 1141 1148
L Piètre-Cambac édèsM Bouissou 2010 Modeling safety and security interdependencies with BDMP (boolean logic driven markov processes) IEEE International Conference Systems Man and Cybernetics (SMC) 2852 2861
L Piètre-Cambac édèsC Chaudet 2010 The SEMA referential framework: Avoiding ambiguities in the terms security and safety Int. J. Critical Infrastruct. Protection 3 2 55 66
M SunS MohanL ShaC Gunter 2009 Addressing safety and security contradictions in cyber-physical systems Proceedings of the 1st Workshop on Future Directions in Cyber-Physical Systems Security (CPSSW09)
C Woskowski 2014. C Woskowski 2014 A pragmatic approach towards safe and secure medical device integration Computer Safety, Reliability, and Security Berlin, Germany Springer 342 353

Comments

Comment on this article

[1] T Aven 2007 A unified framework for risk and vulnerability analysis covering both safety and security Reliability Eng. Syst. Safety 92 6 745 754

[2] C Baral 2003 Knowledge representation, reasoning and declarative problem solving Cambridge, U.K Cambridge University Press

[3] R BloomfieldK NetkachovaR Stroud, 2013 Security-informed safety: If its not secure, its not safe Software Engineering for Resilient Systems Berlin, Germany Springer 17 32

[4] D. P EamesJ Moffett 1999 The integration of safety and security requirements Computer Safety, Reliability and Security Berlin, Germany Springer 468 480

[5] M GebserR KaminskiB KaufmannM OstrowskiT SchaubM Schneider 2011 Potassco: The Potsdam answer set solving collection AI Commun 24 2 107 124

[6] C HankinF NielsonH. R Nielson 2009 Advice from belnap policies IEEE 22nd Computer Security Foundations Symposium 234 247

[7] S KriaaM BouissouF ColinY HalgandL Pietre-Cambacedes, 2014 Safety and security interactions modeling using the BDMP formalism: Case study of a pipeline Computer Safety, Reliability, and Security Berlin, Germany Springer 326 341

[8] S KriaaL Pietre-CambacedesM BouissouY Halgand 2015 A survey of approaches combining safety and security for industrial control systems Reliability Eng. Syst. Safety 139 156 178

[9] R Langer 2012 Robust control system networks how to achieve reliable control after stuxnet

[10] Q NiE BertinoJ Lobo 2009 D-algebra for composing access control policy decisions Proceedings of the 4th International Symposium on Information, Computer, and Communications Security ACM 298 309

[11] T NovakA TreytlP Palensky 2007 Common approach to functional safety and system security in building automation and control systems IEEE Conference Emerging Technologies and Factory Automation 1141 1148

[12] L Piètre-Cambac édèsM Bouissou 2010 Modeling safety and security interdependencies with BDMP (boolean logic driven markov processes) IEEE International Conference Systems Man and Cybernetics (SMC) 2852 2861

[13] L Piètre-Cambac édèsC Chaudet 2010 The SEMA referential framework: Avoiding ambiguities in the terms security and safety Int. J. Critical Infrastruct. Protection 3 2 55 66

[14] M SunS MohanL ShaC Gunter 2009 Addressing safety and security contradictions in cyber-physical systems Proceedings of the 1st Workshop on Future Directions in Cyber-Physical Systems Security (CPSSW09)

[15] C Woskowski 2014. C Woskowski 2014 A pragmatic approach towards safe and secure medical device integration Computer Safety, Reliability, and Security Berlin, Germany Springer 342 353