[SystemSafety] Does "reliable" mean "safe" and or "secure" or neither? [No Classification]

Pekka Pihlajasaari pekka at data.co.za
Sat Apr 23 13:46:22 CEST 2016


The ongoing change in the threat environment in software systems is determined by the existence of an active attacker. This is where these systems differ from more traditional systems.

If we instead investigated systems that traditionally had active attackers (those explicitly responsible for security) we see an arms race similar to that experienced in cyber-systems. To extend this, what have, and currently do, the developers of modern security systems such as access control do to manage the environmental change they experience?

While we already know from the published failures that their security model is largely based on obscurity, there may be lessons that can be learnt from the responses the large electronic lock manufacturers make to the very public failures of their systems. Of course, their responses are substantially different to the software industry due to the extremely high cost of updating widely distributed, individually low-cost, components.

It would be interesting to review the incident history of a system similar to the Tokeneer case study to see how the leap-frogging of exploit and defence takes place.

Regards
Pekka Pihlajasaari
--
pekka at data.co.za	Data Abstraction (Pty) Ltd	+27 11 484 9664

-----Original Message-----
From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Peter Bishop
Sent: 22 April 2016 10:13
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Does "reliable" mean "safe" and or "secure" or neither? [No Classification]

Perhaps I put it badly.
I agree that a system must be secure to be safe.

And in fact Adelard have done a considerable number of "security-informed" safety assessments on safety-critical systems that identify potential cyber attacks on the system, their impact on safety and recommended countermeasures.

What I meant to point out is that that in older, non-cyber, systems safety could be assessed against a fairly predictable set of threats.
So you could do a safety assessment, design, verify and approve the system and not touch it again unless you have to.

In a cyber-based system, assuring the security is no longer a one-off, but becomes a constant battle against continuously changing threats.
So the system is subject to continuous change and the challenge is to show the whole system is safe over the entire lifetime of the system - i.e. that the security updates do not affect the primary functions of the safety-related system and the safety case is updated to take account of the changes, etc.

Peter Bishop


More information about the systemsafety mailing list