[SystemSafety] IEC TR 63069

Peter Bernard Ladkin ladkin at causalis.com
Thu Jan 10 06:33:22 CET 2019

On 2019-01-09 21:59 , Matthew Squair wrote:
> So,
> Are the authors assuming in the third dot point that there are absolutely no negative interactions between countermeasures of the security environment and the safety properties of the system being secured? 
I would say yes, they did ignore that point. But I believe they are going to have to confront it.

Indeed, I wrote this yesterday about the matter to the Task Group in the IEC 61508 MTs concerned
with modifications apropos cybersecurity. Here I am responding to the contention that security
analysis and safety analysis can be completely separated. See the sentence starting "One main reason..."

[begin quote]

Separation of concerns is well and good, as far as it goes, but, as Einstein is reported to have
said, no further. A thought experiment. Safety is one global characteristic of systems. So is
cybersecurity. So is availability. Integrity. Confidentiality. And so on, all global
characteristics. So we could have availability engineers; integrity engineers, confidentiality
engineers, and so on. And we could say: they all work quasi-independently, each with their separate
concerns. And we'll be OK, won't we? The answer is a resounding No. One main reason is that the
different characteristics have in part contradictory requirements. Say you are an availability
engineer. If the vending machines are to be maximally available, this leads to a requirement that
the airport terminal is open 7/24. Now say you are a security engineer. This leads to a requirement that
the airport terminal is only open when a guard, or several, is on duty. So where is the place, where
is the standard, where it says that the availability requirements and the security requirements must
be compared and contradictions resolved?

Back to our current situation: where is the place where it says safety requirements and
cybersecurity requirements must be compared and contradictions resolved? Can this be achieved by
saying security analysis and requirements shall be completely separated from safety analysis and
requirements? Obviously not.

[end quote]


Prof. Peter Bernard Ladkin, Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
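As an added illustration of the thought experiment above (this is editorial example code, not part of the original post or of any IEC document), the following encodes the availability requirement, the security requirement and a constructed, hypothetical guard roster as predicates over a 24-hour model, then searches for an hour at which no assignment satisfies all of them. The roster hours, requirement names and function names are assumptions made for the example.

```python
"""Consistency check of cross-cutting requirements over a finite model.

Added example, not from the mailing-list post or any standard. It encodes
the airport-terminal thought experiment: an availability requirement and
a security requirement are each satisfiable on their own, and even
pairwise, but together with a (constructed, hypothetical) guard roster
they cannot all hold. The check is the "place where requirements are
compared and contradictions resolved" that the post asks for.
"""
from itertools import combinations, product

HOURS = range(24)

# Constructed, hypothetical rosters: guards on duty 06:00-22:00 only,
# versus round-the-clock staffing (one possible resolution).
ROSTER_DAY_ONLY = {h: 6 <= h < 22 for h in HOURS}
ROSTER_ALL_DAY = {h: True for h in HOURS}


# Each requirement is a predicate over one hour's state (hour, open, guard).
# The post phrases them as "for every hour ...", so a whole-day check
# decomposes into an independent check per hour.
def availability(h, is_open, guard):
    """Availability engineer: the terminal is open 7/24."""
    return is_open


def security(h, is_open, guard):
    """Security engineer: the terminal is open only when a guard is on duty."""
    return (not is_open) or guard


def make_roster_req(roster):
    """Staffing fact: guard presence at hour h is whatever the roster says."""
    def roster_req(h, is_open, guard):
        return guard == roster[h]
    return roster_req


def find_conflicts(requirements):
    """Return {hour: minimal list of requirement names that cannot all hold}.

    For each hour, enumerate every (open, guard) assignment. If none
    satisfies all requirements, find the smallest subset that is already
    unsatisfiable, so the report names the requirements that actually
    contradict each other rather than the whole list.
    """
    names = list(requirements)
    conflicts = {}
    for h in HOURS:
        def sat(subset, h=h):
            return any(all(requirements[n](h, o, g) for n in subset)
                       for o, g in product((False, True), repeat=2))
        if sat(names):
            continue
        for size in range(1, len(names) + 1):
            culprit = next((c for c in combinations(names, size)
                            if not sat(c)), None)
            if culprit is not None:
                conflicts[h] = list(culprit)
                break
    return conflicts


def conflict_hours(roster):
    """Run the check for a given roster (hypothetical requirement set)."""
    reqs = {"availability": availability,
            "security": security,
            "roster": make_roster_req(roster)}
    return find_conflicts(reqs)


if __name__ == "__main__":
    for label, roster in (("day-only roster", ROSTER_DAY_ONLY),
                          ("all-day roster", ROSTER_ALL_DAY)):
        found = conflict_hours(roster)
        print(f"{label}: {len(found)} conflicting hour(s)")
        for h, names in found.items():
            print(f"  {h:02d}:00 cannot satisfy {names} together")
```

With the day-only roster the report lists hours 00-05 and 22-23, and at each of them the minimal contradicting set is all three requirements: no pair is inconsistent, so an availability analysis, a security analysis and a staffing plan done in isolation each pass, and only the joint check fails. With the all-day roster the same code reports no conflict, which is one resolution of the contradiction; relaxing the availability requirement to the roster hours would be another.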
