[SystemSafety] IEC TR 63069

Matthew Squair mattsquair at gmail.com
Thu Jan 10 06:58:19 CET 2019

For example, if you have a white-list security function, wouldn't it need to have the same functional assurance level as that of the safety function it is providing a whitelist for?

> On 10 Jan 2019, at 4:33 pm, Peter Bernard Ladkin <ladkin at causalis.com> wrote:
> On 2019-01-09 21:59 , Matthew Squair wrote:
>> So,
>> Are the authors assuming in the third dot point that there are absolutely no negative interactions between countermeasures of the security environment and the safety properties of the system being secured? 
> I would say yes, they did ignore that point. But I believe they are going to have to confront it.
> Indeed, I wrote this yesterday about the matter to the Task Group in the IEC 61508 MTs concerned
> with modifications apropos cybersecurity. Here I am responding to the contention that security
> analysis and safety analysis can be completely separated. See the sentence starting "One main reason..."
> [begin quote]
> Separation of concerns is well and good, as far as it goes, but, as Einstein is reported to have
> said, no further. A thought experiment. Safety is one global characteristic of systems. So is
> cybersecurity. So is availability. Integrity. Confidentiality. And so on, all global
> characteristics. So we could have availability engineers; integrity engineers, confidentiality
> engineers, and so on. And we could say: they all work quasi-independently, each with their separate
> concerns. And we'll be OK, won't we? The answer is a resounding No. One main reason is that the
> different characteristics have in part contradictory requirements. Say you are an availability
> engineer. If the vending machines are to be maximally available, this leads to a requirement that
> airport terminal is open 7/24. Now say you are a security engineer. This leads to a requirement that
> the airport terminal is only open when a guard, or several, is on duty. So where is the place, where
> is the standard, where it says that the availability requirements and the security requirements must
> be compared and contradictions resolved?
> Back to our current situation: where is the place where it says safety requirements and
> cybersecurity requirements must be compared and contradictions resolved? Can this be achieved by
> saying security analysis and requirements shall be completely separated from safety analysis and
> requirements? Obviously not.
> [end quote]
> Prof. Peter Bernard Ladkin, Bielefeld, Germany
> MoreInCommon
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
