[SystemSafety] Safety and Cybersecurity: A Dispute

Drew Rae d.rae at griffith.edu.au
Tue Dec 20 01:12:06 CET 2016 

Thierry,
Even land-based transportation systems don’t have a static safe state. There are situations where a stopped train is not safe (when it is undetected in the path of another vehicle, when it is in a tunnel, when it is on fire and needs to offload passengers, …) and even the system as a whole is not safe in its “failsafe” state, because operational pressures are likely to cause a restart in a less-protected mode if the protected mode insists on shutting things down. 

Most of the publicly known cyber-attacks have involved denial of service. The safety function knows that it is either faulty or under attack, so drops to fail-safe mode, inhibiting the operational systems. There are a number of plausible scenarios where this just a step in a cyber attack causing the overall system to run in an unsafe way, and even scenarios where the denial of operations alone is enough to make the system unsafe. 

Your “it depends” may be true, but I suspect that the more each case gets examined, the fewer cases there are where you can separate the two.

———

After some off-list traffic, I apologise to the list for my off-hand remarks about formal methods in this discussion. If I was going to draw a parallel, I should have drawn it more carefully and not in a way that generalised my experiences to a whole community of practice. I also shouldn’t have risked derailing the current discussion with an old argument. It has been rightfully pointed out to me that there are many in the formal methods community trying to address the exact same problems I’m concerned about. 

Drawing overly-sharp category boundaries and mistaking them for truths is a problem in safety, but it isn’t a problem that comes from any particular community or practice group (and we’re all guilty of it at times). 

———

Drew



* This message is from my work email
* I can also be contacted on andrew at ajrae.com
* My mobile number is 0450 161 361
* My desk phone is 07 37359764
* My safety podcast is DisasterCast.co.uk





> On 20 Dec. 2016, at 5:36 am, Coq, Thierry <Thierry.Coq at dnvgl.com> wrote:
> 
> Hi
> 
> For your information, in the French language (as translated in the IEC 61508 standard):
> "Functional Safety"= "Sureté de fonctionnement"
> "Security" = "sécurité"
> There are no ambiguities in the technical documents, but there are common sense use which may be ambiguous if one does not have the context.
> However, there is the same ambiguity in the English language. For example, this English dictionary states (http://www.dictionary.com/browse/security )
> Security : 1° freedom from risk, danger, ie : safety;
> Only in 3° comes protection and defense.
> 
> ...
> 
> As to PBL's question, my answer would be : "It depends". In some cases (land-based transportation systems), where there is a static safe-state, it seems a rational solution to have separate and distinct operational systems and safety systems, and have therefore distinct security systems for each.
> However, for systems where the safe  state is dynamic and depends on the correct performance of the operational systems (for example, aircraft flying, cooling pumps in a nuclear power plant, even shut-down), it seems the distinction between safety systems and operational systems is not so useful.
> Like it was said otherwise, a systems engineering approach should lead to the right definition for each, depending on the risks and safe states.
> For 61508, as the mother of all safety (and security) standards, I suggest refraining from making requirements which are POV dependent, or allowing several approaches depending on the need. For industry-specific standards such as 61511 then a separation should be mandatory, where shutdown is the usual safe-state, and security of the safety systems should be separate from the security of the operational systems.
> 
> In any case, safety without security does not seem enough. Some time ago, someone asked a question for the maritime business :
> "Is a ship riddled with virus seaworthy"? (cf. http://www.securitynewsdesk.com/seaworthiness-cyber-security-the-hidden-threat-to-shipping/ )
> 
> This means that the safety case must include an argument about the quality of the security of the safety function. And due to the dynamic nature of the threat and mitigation, this safety case is going to have to be more dynamic than ever before.
> 
> Best regards,
> Thierry Coq
> (PS. The opinions expressed here are my own, not necessarily those of my employer).
> 
> -----Original Message-----
> From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Alexander.Much at elektrobit.com
> Sent: lundi 19 décembre 2016 19:17
> To: systemsafety at techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] Safety and Cybersecurity: A Dispute
> 
> Hi Peter, *,
> 
> [...]
>> So what do people here think? I have examples (e.g., my blog posts) to
>> demonstrate that cybersecurity issues have to be considered
>> essentially when devising safety requirements. The DKE formal guidance
>> says that cybersecurity measures concerning safety functions and those
>> concerning operational functionality have to be treated differently.
>> And there is a lobby which says that this is "counterproductive". Can
>> safety and cybersecurity for IACS effectively be separated, or are they intevitably intertwined?
>> 
> Since you asked for an opinion, here's mine.
> 
> There are people who are praising the English language for having two distinct words: "safety" and "security".
> Other languages / cultures don't see the need to separate these two (German: Sicherheit, French: Securité, etc.).
> 
> IMHO:
> - "safety without security" is not a thing
> - "security without safety" may be a thing
> 
> Alex
> 
> --
> Alexander Much
> Chief Expert - Head of Software Systems Engineering, Car Infrastructure
> 
> EB - Driving the Future of Software
> P +49 9131 7701 6384
> M +49 172 7479804
> E alexander.much at elektrobit.com
> 
> Elektrobit Automotive GmbH, Am Wolfsmantel 46, 91058 Erlangen, Germany Managing Directors: Alexander Kocher, Gregor Zink; Register Court Fürth HRB 4886
> 
> 
> 
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
> 
> **************************************************************************************
> This e-mail and any attachments thereto may contain confidential information and/or information protected by intellectual property rights for the exclusive attention of the intended addressees named above. If you have received this transmission in error, please immediately notify the sender by return e-mail and delete this message and its attachments. Unauthorized use, copying or further full or partial distribution of this e-mail or its contents is prohibited.
> **************************************************************************************
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20161220/117894b4/attachment-0001.html>

More information about the systemsafety mailing list