[SystemSafety] Safety and Cybersecurity: A Dispute

DREW Rae d.rae at griffith.edu.au
Mon Dec 19 12:40:09 CET 2016


Without in any way endorsing it, the argument appears similar to the more
naive formal methods community responses to safety. "Safety is nothing
special - we'll just prove that all of the requirements are met, and safety
requirements are just requirements".

"Why mix security and safety - we'll just make sure there are no external
disruptions to the system environment, so you don't need to worry which
ones are safe or unsafe".

Both arguments have an understandable but naive view that systems behave
either correctly or incorrectly, and that safety is just a matter of making
sure that the "correct" behavior is properly specified.

I've always been unsatisfied with the idea of drawing a sharp line between
"safety" and "operational functions". It's a misleading categorisation even
for the control systems it arose from, and it helps perpetuate the idea
that you can put a neat box around "safety" and then divorce safety
analysis from cybersecurity, project management, software implementation,
human resources, maintenance schedules, or any of the many "not the
business of safety" messy details that end up in accident reports.

My safety podcast: disastercast.co.uk
My mobile: 0450 161 361

On 19 December 2016 at 21:18, Martyn Thomas <martyn at thomas-associates.co.uk>
wrote:

> Security has always been regarded as part of safety. That's why there
> are security fences around high hazard sites, guards, alarms, and
> security screening of personnel who have access to sensitive control
> systems. It's why we require hazardous chemicals and explosives to be
> kept in secure storage. There are many other examples of security
> considerations in the management of safety. Cybersecurity is a subset of
> security that has growing importance, so of course it has to be
> considered as part of the overall system safety engineering and safety
> management.
>
> Herr Laible appears to be arguing that safety experts should rely on
> cybersecurity experts to provide assurance that cyber attacks cannot
> affect the system environment in any way that affects safety. It is
> impractical to partition the work this way because the safety experts
> and security experts need to work together to understand all the ways in
> which cybersecurity vulnerabilities could affect safety, and then to
> mitigate the risks and to provide enough evidence to support the
> required safety assurance.
>
> You cannot separate the concerns, because the security analyst needs to
> understand what assets have to be protected and to what level of
> assurance, and the safety analyst needs evidence that all the possible
> attack vectors have been considered and that the residual risks have
> been appropriately mitigated. That involves cybersecurity and all
> aspects of physical security too.
>
> How can this be controversial?
>
>
> Martyn
>
>
>
> On 19/12/2016 08:19, Peter Bernard Ladkin wrote:
> > The German electrotechnical standardisation organisation has just produced formal guidance (called
> > an "application rule") on safety and security for IACS, in which it says that cybersecurity measures
> > to protect safety functions and cybersecurity measures to protect operational functionality should
> > be distinguished: that protection of safety functions is paramount even if operational functionality
> > is compromised, but that protection of operational functionality may not compromise safety
> > functionality.
> >
> > You may think that is all obvious. But it turns out to be controversial. For example, see the
> > comment by the German engineer Holger Laible here:
> > http://conference.vde.com/fs/2017/Seiten/Expertenmeinungen.aspx  My translation follows. Notice
> > particularly his first sentence: Herr Laible thinks that considering cybersecurity as part of safety
> > will be counterproductive!
> >
> > [begin quote]
> >
> > The current increasing trend to consider cybersecurity as a part of safety, and to exhibit analogies
> > and connections between the two fields, will be counterproductive in the long term. Safety is
> > founded upon an intact [system] environment (including cybersecurity), so that valid physical
> > methods and concepts can be applied. In contrast, cyberattacks are neither calculable nor
> > predictable. Security experts ensure appropriately that the environment remains intact. Safety
> > experts contribute to the understanding about cybersecurity in the [system] environment.
> >
> > [end quote]
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>
>