[SystemSafety] Does "reliable" mean "safe" and or "secure" or neither? [No Classification]

Steve Tockey Steve.Tockey at construx.com
Fri Apr 22 19:28:13 CEST 2016


Peter Bishop wrote:

"In a cyber-based system, assuring the security is no longer a one-off,
but becomes a constant battle against continuously changing threats."

I disagree, to an extent. The Web Applications Security Consortium
(http://www.webappsec.org) has published a pretty comprehensive Threat
Classification:

http://projects.webappsec.org/w/page/13246978/Threat%20Classification

Some of the threats are specific to web applications; many are relevant to
essentially all software.

The majority of these threats--specifically, the ones that are design and
coding-related and not installation/operations-related--are the direct
result of poor software development practices. For example: SQL injection,
buffer overrun, null byte injection, etc. In my experience, so-called
"security updates" aren't intended to protect the system from previously
unknown threat vectors, they are simply a patch to close a previously
unknown weakness in the code.

Had the design and code been developed in an intelligent way from the
start, there wouldn't be a need for a majority (IMHO) of the security
updates we see.


-- steve
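As an added illustration of the point above (example code written for this page, not code from the list or from the WASC catalogue), here are two of the threat classes Steve names, each shown as the weak code a later "security update" would have to patch beside the form that never needed the patch. The user table and file names are constructed; the C-string consumer is modelled in Python.

```python
import sqlite3

# Constructed in-memory table standing in for an application database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "operator"), ("carol", "viewer")])
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Poor practice (SQL injection): the caller-supplied name is spliced into
    the SQL text, so the statement's structure is under the caller's control."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the name is bound as a parameter, so it is only ever compared
    as data and can never change the statement."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def c_consumer_sees(path: str) -> str:
    """Models a NUL-terminated C-string consumer (libc, kernel): everything
    after the first 0x00 byte is invisible to it."""
    return path.split("\x00", 1)[0]

def allowed_naive_check(path: str) -> bool:
    """Poor practice (null byte injection): the extension check runs on the
    full Python string, which the C layer below reads differently."""
    return path.endswith(".txt") and "/" not in path

def allowed_hardened_check(path: str) -> bool:
    """Hardened: reject control bytes and allow-list the character set before
    the extension check, so both layers agree on what the path is."""
    if "\x00" in path or not path.isprintable():
        return False
    stem, dot, ext = path.rpartition(".")
    return dot == "." and ext == "txt" and stem.replace("_", "").isalnum()
```

The weak forms are what a review against the WASC list would flag before release; the hardened forms remove the weakness rather than patching around it.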




-----Original Message-----
From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de>
on behalf of Peter Bishop <pgb at adelard.com>
Date: Friday, April 22, 2016 1:12 AM
To: "systemsafety at lists.techfak.uni-bielefeld.de"
<systemsafety at lists.techfak.uni-bielefeld.de>
Subject: Re: [SystemSafety] Does "reliable" mean "safe" and or "secure" or
neither? [No Classification]

Perhaps I put it badly.
I agree that a system must be secure to be safe.

And in fact Adelard have done a considerable number of
"security-informed" safety assessments on safety-critical systems that
identify potential cyber attacks on the system, their impact on safety
and recommended countermeasures.

What I meant to point out is that in older, non-cyber, systems
safety could be assessed against a fairly predictable set of threats.
So you could do a safety assessment, design, verify and approve the
system and not touch it again unless you have to.

In a cyber-based system, assuring the security is no longer a one-off,
but becomes a constant battle against continuously changing threats.
So the system is subject to continuous change and the challenge is to
show the whole system is safe over the entire lifetime of the system -
i.e. that the security updates do not affect the primary functions of
the safety-related system and the safety case is updated to take account
of the changes, etc.

Peter Bishop

On 21/04/2016 16:29, Barnes, Robert A (NNPPI) wrote:
> This message has been marked as No Classification by Barnes, Robert A
> (NNPPI)
> 
> 
> Is it really appropriate to deal with safety and security as
> disparate, alien issues that have irreconcilable differences?  It is
> my belief that, in any system important to safety they are
> intertwined and cannot be dealt with separately.  If I have a safety
> function, then I will want a degree of confidence that my safety
> function works, and part of that confidence will be related to how
> difficult it is for the wicked or curious to interfere with the
> safety-integrity of that function.
> 
> A flaw that I see in safety cases at the moment is an assumption that
> principals interacting with a safety system, internal and external to
> an organisation, will do so with positive intent.  Hidden in this
> assumption is a security requirement, but it is very rarely expressed
> as such.  Instead, safety is a continuing source of constraints
> rather than functional security requirements!  Can we realistically
> argue that a system is safe if it is not protected against
> interference?
> 
> So does 'reliable' mean 'safe', 'secure' or 'neither'?  I'd argue
> that it's neither as something can be reliable and unsafe, or
> reliable and insecure, but cannot be safe and insecure.
> 
> Robert Barnes Future EC&I Information Assurance Lead Rolls-Royce plc,
> PO Box 2000, Derby DE21 7XX
> 
> Tel: +44(0)1332 622834 (internal: 52834) Email:
> robert.barnes2 at rolls-royce.com Mail code: RAY-W1.11
> 
> 
> 
> Animo concipere non possum quo palto hoc pervease exeat.
> 
> 
> -----Original Message-----
> From: systemsafety
> [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
> Peter Bishop
> Sent: 21 April 2016 08:35
> To: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] Does "reliable" mean "safe" and or "secure"
> or neither?
> 
> On 20/04/2016 17:30, Peter Bernard Ladkin wrote:
> 
>>
>> A key technical point comes out of this, which we will address at the
>> German standards authority on May 4, along with German colleagues
>> active in ICS safety+security and NPP safety+security within the IEC.
>> And that is that the requirements for updating safety-critical
>> software conflict with the usual update cycle for security and nobody
>> - nobody - I have talked to knows how to solve that problem. Roger is
>> very aware of it. The recent IEC offerings on safety+security gloss
>> over it. We've gotta solve it somehow. (For Bertrand, I mentioned this
>> also to Gilles Deleuze. I know now that the French, the Brits and the
>> Germans are all interested in a solution. Of course, being interested
>> in one and getting one are two different things.)
>>
>> PBL
> 
> I agree this clash between safety and security is a significant problem
> in the systems I have looked at.
> 
> For safety you don't want to change your approved/accepted system
> unless you really have to. For security you have to update all the time
> to deal with new attacks / vulnerabilities.
> 
> PB
> 

-- 

Peter Bishop
Chief Scientist
Adelard LLP
Exmouth House, 3-11 Pine Street, London,EC1R 0JH
http://www.adelard.com
Recep:  +44-(0)20-7832 5850
Direct: +44-(0)20-7832 5855

_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
