Program

In this talk, we introduce an approach to performing integrated safety and cybersecurity analysis on Industrial Control Systems (ICS), and we demonstrate its application on a real ICS used in nuclear power plants (NPP). The approach answers sub-questions such as: (1) how to analyse the whole system as completely as possible at a given level of detail, (2) how to know the system "well enough" for the purposes of the analysis, (3) how to identify the system hazards completely at that level, and (4) how to improve the efficiency of the analysis when using this approach.

It is increasingly important to ensure that critical systems are appropriately secure and protected against malicious threats. In this work, we present a novel pattern for Security Assurance Cases that integrates security controls from the NIST-800-53 cyber security standard into a comprehensive argument about system security. Our framework uses Eliminative Argumentation to increase confidence that these controls have been applied correctly by explicitly considering and addressing doubts in the argument.

In this paper, we discuss the challenges of utilising the redundancy inherently present in the architectures of safety-critical systems to enhance their security protection. We analyse several redundant architectures typically present in safety-critical systems and their ability to protect against cyberattack. We conclude that redundancy in combination with diversity has the better potential to be reused for security protection.

Existing approaches to analyzing safety and security are often limited to a standalone viewpoint and lack a comprehensive mapping of how concerns propagate, including unwanted ones (feared events such as faults, failures, hazards, and attacks) and wanted ones (e.g., requirements, properties), and of their interplay across system representations of different granularity. We address this problem with a novel combination of Fault and Attack Trees (FATs) as Feared Events-Properties Trees (FEPTs) and propose an approach for analyzing safety and security interactions over a multi-level model. The multi-level model facilitates identifying safety- and security-related feared events and their associated properties across different system representation levels, viz. system, sub-system, information, and component. Likewise, FEPTs allow modeling and analyzing the inter-dependencies between feared events and properties and their propagation across these levels. We illustrate the use of this approach on a simple but realistic case, trajectory planning at an intersection for autonomous Connected-Driving Vehicles (CDVs), to address the potential interactions between safety and security.

Safety-critical infrastructures must operate safely and securely. Fault tree and attack tree analysis are widespread methods used to assess risks in these systems: fault trees (FTs) are required — among others — by the Federal Aviation Administration, the Nuclear Regulatory Commission, in the ISO26262 standard for autonomous driving and for software development in aerospace systems. Attack trees (ATs) are hierarchical diagrams that offer a flexible modelling language used to assess how systems can be attacked. ATs are widely employed both in industry and academia: they are referred to by many system engineering frameworks, e.g. UMLsec and SysMLsec, and are supported by industrial tools such as Isograph’s AttackTree. In this talk we will present advancements on logics for property specification on FTs and ATs. We will showcase BFL and PFL, two logics to reason about qualitative and quantitative properties on FTs, and ATM, a logic for quantitative security metrics on ATs. Finally, we will showcase how to combine these logics to specify joint safety-security properties on a model that combines FTs and ATs: fault trees with attacks.

Cyber-physical systems, like power plants, medical devices, and smart factories, have to meet high standards in terms of both safety and security. Attack Fault Trees (AFTs), a formalism that marries fault trees (safety) and attack trees (security), allow both to be analyzed together. We equip AFTs with stochastic model checking techniques, enabling a plethora of qualitative and quantitative analyses. Qualitative metrics pinpoint the root causes of system failure, while quantitative metrics concern a disruption's likelihood, cost, and impact. A few translations from AFTs to timed automata already exist for this purpose. Unfortunately, these translations are not flexible, and the automata grow exponentially in size with each additional basic event. Building on AFTs equipped with stochastic model checking techniques, we instead translate them into game automata, which makes it possible to synthesize an optimal strategy for given metrics and offers higher flexibility.
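To make concrete what the joint safety-security analyses described in the last two abstracts compute, here is an added example (not code from any of the talks above) of the two basic AFT analyses: the qualitative one (minimal cut sets, i.e. the root causes of the top event, each labelled as a pure fault, a pure attack, or a mixed cause) and the simplest quantitative one (top-event probability from independent basic-event probabilities). The tree, event names, and probabilities are constructed for illustration.

```python
"""Minimal attack-fault-tree (AFT) evaluator: minimal cut sets and top-event probability."""
from itertools import product

# Constructed AFT: a pump is lost if its controller suffers a random hardware fault (safety)
# OR an attacker completes both steps of a compromise (security, AND gate).
AFT = {
    "pump_lost": ("OR", ["controller_hw_fault", "controller_compromised"]),
    "controller_compromised": ("AND", ["credential_theft", "controller_takeover"]),
}
# Basic events: fault rates for safety events, success likelihoods for attack steps.
PROB = {"controller_hw_fault": 0.01, "credential_theft": 0.3, "controller_takeover": 0.2}
ATTACK_STEPS = {"credential_theft", "controller_takeover"}  # which leaves are adversarial


def cut_sets(node):
    """All cut sets (frozensets of basic events) that make `node` occur."""
    if node not in AFT:                      # a leaf is its own cut set
        return [frozenset([node])]
    gate, children = AFT[node]
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                          # any child's cut set suffices
        return [cs for sets in child_sets for cs in sets]
    # AND: one cut set from every child, merged together
    return [frozenset().union(*combo) for combo in product(*child_sets)]


def minimal_cut_sets(node):
    """Qualitative metric: cut sets with no proper subset that is also a cut set."""
    sets = set(cut_sets(node))
    return {cs for cs in sets if not any(other < cs for other in sets)}


def classify(cut_set):
    """Label a cut set as a pure safety cause, a pure security cause, or a mixed one."""
    attacks = cut_set & ATTACK_STEPS
    if not attacks:
        return "safety"
    return "security" if attacks == cut_set else "mixed"


def probability(node):
    """Quantitative metric: exact top-event probability, assuming independent leaves
    (valid here because no basic event appears under more than one gate)."""
    if node not in AFT:
        return PROB[node]
    gate, children = AFT[node]
    ps = [probability(c) for c in children]
    if gate == "AND":
        return float(__import__("math").prod(ps))
    none_occur = float(__import__("math").prod(1 - p for p in ps))
    return 1 - none_occur
```

For the constructed tree the minimal cut sets are {controller_hw_fault} (safety) and {credential_theft, controller_takeover} (security), and the top-event probability is 1 - 0.99 * (1 - 0.3 * 0.2) = 0.0694.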