Publications

Featured research published by Christian Raspotnig.


BMMDS/EMMSAD | 2012

A Combined Process for Elicitation and Analysis of Safety and Security Requirements

Christian Raspotnig; Peter Karpati; Vikash Katta

The aims of safety and security assessments are very similar, since both consider harm during system development. However, they apply different means for it and are performed in separate processes. As the security and safety areas are merging in new systems that are critical and more openly interconnected, there is a need to relate the different processes during development. A combined assessment process could save resources compared to separate safety and security assessments, as well as support the understanding of mutual constraints and the resolution of conflicts between the two areas. We suggest a combined method covering the harm identification and analysis part of the assessment process using UML-based models. The process is applied to a case from the Air Traffic Management domain. Experts' opinions about the results have also been collected for feedback.


The Practice of Enterprise Modeling | 2010

Comparing Two Techniques for Intrusion Visualization

Vikash Katta; Peter Karpati; Andreas L. Opdahl; Christian Raspotnig; Guttorm Sindre

Various techniques have been proposed to model attacks on systems. In order to understand such attacks and thereby propose efficient mitigations, the sequence of steps in the attack should be analysed thoroughly. However, there is a lack of techniques to represent intrusion scenarios across a system architecture. This paper proposes a new technique called misuse sequence diagrams (MUSD). MUSD represents the sequence of attacker interactions with system components and how they were misused over time by exploiting their vulnerabilities. The paper investigates MUSD in a controlled experiment with 42 students, comparing it with a similar technique called misuse case maps (MUCM). The results suggest that the two mostly perform equally well and they are complementary regarding architectural issues and temporal sequences of actions though MUSD was perceived more favourably.


Requirements Engineering: Foundation for Software Quality (REFSQ) | 2012

Supporting failure mode and effect analysis: a case study with failure sequence diagrams

Christian Raspotnig; Andreas L. Opdahl

[Context and motivation] In air traffic management (ATM), safety assessments are performed with traditional techniques such as failure mode and effect analysis (FMEA). [Question/problem] As system modelling is becoming an increasingly important part of developing ATM systems, techniques that integrate safety aspects and modelling are needed. [Principal ideas/results] This paper proposes an approach for thorough failure analysis of ATM systems that consist of several interacting components, and of similar systems. The new technique is called failure sequence diagrams (FSD) and supports FMEA in modelling failures and their effects through interactions between system components. FSD has been used in a case study by safety and system engineers in three different ways. [Contribution] The study suggests that FSD was easy to use and supported FMEA well, but did not cover its weakness in analysing multiple failures.


Availability, Reliability and Security (ARES) | 2013

Enhancing CHASSIS: A Method for Combining Safety and Security

Christian Raspotnig; Vikash Katta; Peter Karpati; Andreas L. Opdahl

Safety and security assessments aim to keep harm away from systems. Although they consider different causes of harm, the mitigations suggested by the assessments are often interrelated and affect each other, either by strengthening or weakening the other. Considering the relations and effects, a combined process for safety and security could save resources. It also improves the reliability of the system development when compared to having two independent processes whose results might contradict. This paper extends our previous research on a combined method for security and safety assessment, named CHASSIS, by detailing the process in a broader context of system development with the help of feedback from a safety expert. The enhanced CHASSIS method is discussed based on a case from the Air Traffic Management domain.


International Journal of Secure Software Engineering | 2012

Improving Security and Safety Modelling with Failure Sequence Diagrams

Christian Raspotnig; Andreas L. Opdahl

While security assessments of information systems are increasingly performed with the support of security modelling, safety assessments are still undertaken with traditional techniques such as Failure Mode and Effect Analysis (FMEA). As system modelling is becoming an increasingly important part of developing safety-critical systems, the safety field can benefit from security techniques that integrate system modelling and security aspects. This paper adapts an existing security modelling technique, Misuse Sequence Diagrams, to support failure analysis. The resulting technique, called Failure Sequence Diagrams, is used to support Failure Mode and Effect Analysis in an industrial setting. Based on the experiences, the authors suggest improvements both to traditional safety techniques and to security and safety modelling.

DOI: 10.4018/jsse.2012010102 (International Journal of Secure Software Engineering, 3(1), 20-36, January-March 2012)


Journal of Systems and Software | 2010

Means-ends and whole-part traceability analysis of safety requirements

Jang-Soo Lee; Vikash Katta; Eunkyoung Jee; Christian Raspotnig

Safety is a system property, hence the high-level safety requirements are incorporated into the implementation of system components. In this paper, we propose an optimized traceability analysis method, based on the means-ends and whole-part concepts of the cognitive systems engineering approach, to trace these safety requirements. A system consists of hardware, software, and humans according to a whole-part decomposition. The safety requirements of a system and its components are enforced or implemented through a means-ends lifecycle. To provide evidence of the safety of a system, the means-ends and whole-part traceability analysis method optimizes the creation of safety evidence from the safety requirements, safety analysis results, and other system artifacts produced through a lifecycle. These sources of safety evidence have causal (cause-consequence) relationships with each other. The failure mode and effect analysis (FMEA), hazard and operability analysis (HAZOP), and fault tree analysis (FTA) techniques are generally used for safety analysis of systems and their components, and they cover the causal relations in a safety analysis. The causal relationships in the proposed method make it possible to trace the safety requirements through the safety analysis results and system artifacts. We present the proposed approach with an example, and describe the use of the TRACE and NuSRS tools to apply the approach.


Availability, Reliability and Security (ARES) | 2013

Requirements Management in a Combined Process for Safety and Security Assessments

Vikash Katta; Christian Raspotnig; Peter Karpati; Tor Stålhane

The Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) method defines a unified process for safety and security assessments, addressing both the safety and security aspects during the system development process. CHASSIS applies techniques from the safety and security fields, e.g. misuse cases and HAZOP, to identify and model hazards, threats and mitigations to a system. These mitigations, which are generally specified as safety and security requirements, are interrelated. Defining and maintaining the interdependencies between these requirements is vital in order to, among other things, estimate how a requirement impacts other requirements and artefacts. In this paper, we present our approach for providing traceability to CHASSIS in order to capture the interdependencies between the safety and security requirements and to document the history and rationale behind their elicitation. The approach, called Satrap, constitutes a process model defining what types of artefacts are generated during development and assessment activities, what types of relations between the artefacts should be captured, and how to extract traces. The traceability approach, together with its supporting prototype tool, was applied to an Air Traffic Management remote tower example, which was assessed for safety and security risks using CHASSIS.


IFAC Proceedings Volumes | 2013

Applying a Security Conceptual Model for Coverage Analysis

Christian Raspotnig; Vikash Katta

In areas important to security or safety, the development of computer-based systems follows more complex processes for developing the system and achieving the needed safety or security assurance. As security and safety aspects are merging in new systems that are critical but more openly interconnected, there is a need to relate the three different processes: development, safety and security. This paper proposes a conceptual model for security, which consists of artefacts belonging to the development and security assessment processes. The security conceptual model can be used as a stand-alone model to understand and address how security aspects should be integrated during the development of computer-based systems, or can be combined with safety models to address both safety and security aspects in a more harmonised manner. The model is applied to a newly developed method for unifying the safety and security assessments. The security conceptual model is, however, based on only one particular standard, and further work is needed to evaluate the model.


Journal of Cases on Information Technology | 2018

Combined Assessment of Software Safety and Security Requirements: An Industrial Evaluation of the CHASSIS Method

Christian Raspotnig; Peter Karpati; Andreas L. Opdahl

Safety is a fundamental concern in modern society, and security is a precondition for safety. Ensuring the safety and security of complex integrated systems requires a coordinated approach that involves different stakeholder groups, going beyond safety and security experts and system developers. The authors have therefore proposed CHASSIS (Combined Harm Assessment of Safety and Security for Information Systems), a method for collaborative determination of requirements for safe and secure systems. In this article, the authors evaluate CHASSIS through industrial case studies of two small-to-medium sized suppliers to the air-traffic management (ATM) sector. The results suggest that CHASSIS is easy to use, and that handling safety and security together provides benefits because techniques, information, and knowledge can be reused. The authors conclude that further exploration and development of CHASSIS is worthwhile, but that better documentation is needed, including more detailed process guidelines, to support elicitation of security and safety requirements and to systematically relate them to functional requirements.


International Journal of Critical Computer-based Systems | 2015

Investigating fulfilment of traceability requirements in a combined process for safety and security assessments

Vikash Katta; Christian Raspotnig; Peter Karpati; Tor Stålhane

The Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) method defines a unified process for safety and security assessments. CHASSIS applies techniques from the safety and security fields, e.g. misuse cases and HAZOP, to identify and model hazards, threats, and safety and security requirements for a system. Ensuring traceability between safety and security requirements, as well as other artefacts, is one of the important tasks required to provide safety and security assurance. In this paper, we present an approach for traceability, called SaTrAP, which was used to provide traceability support to CHASSIS. We discuss the application of SaTrAp and CHASSIS with the help of an ATM remote tower example. We evaluate whether CHASSIS together with SaTrAp fulfils the traceability requirements set by standards. In this regard, we have analysed regulations and standards from the ATM domain for requirements on traceability. We also analysed how security has been addressed by these standards.
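The two traceability abstracts above (Satrap/SaTrAP) describe a process model with typed artefacts, typed relations between them, and trace extraction, while the CHASSIS abstracts stress that safety and security mitigations affect each other and need to be related explicitly. The Python below is an added example written for this page to make that concrete; it is not the SaTrAP prototype tool, does not reproduce its process model, and is not code from any of the papers listed here. The artefact kinds, relation names and the remote-tower artefacts are assumptions and constructed sample data, chosen only to show what a trace model lets you ask: what a hazard led to, where a functional requirement came from, which hazards or threats have no recorded mitigation, and which safety and security requirements interact.

```python
"""Toy traceability model for a combined safety/security assessment.

Added illustration, not the SaTrAP tool or the CHASSIS method. The artefact
kinds, relation names and sample artefacts are assumed for this sketch;
CHASSIS, SaTrAP and the ATM standards define their own vocabularies.
"""
from collections import defaultdict

HARM_KINDS = {"hazard", "threat"}                              # assumed
REQ_KINDS = {"safety_req", "security_req", "functional_req"}   # assumed
OTHER_KINDS = {"technique"}                                    # assumed


class TraceModel:
    """Directed graph of assessment artefacts joined by typed trace links."""

    def __init__(self):
        self.artefacts = {}           # id -> (kind, description)
        self.out = defaultdict(set)   # src -> {(relation, dst)}
        self.inc = defaultdict(set)   # dst -> {(relation, src)}

    def add(self, ident, kind, description):
        if kind not in HARM_KINDS | REQ_KINDS | OTHER_KINDS:
            raise ValueError(f"unknown artefact kind {kind!r}")
        self.artefacts[ident] = (kind, description)

    def link(self, src, relation, dst):
        # Refuse dangling links: a trace must join two recorded artefacts.
        for ident in (src, dst):
            if ident not in self.artefacts:
                raise KeyError(f"unknown artefact {ident!r}")
        self.out[src].add((relation, dst))
        self.inc[dst].add((relation, src))

    def _closure(self, start, edges):
        # Depth-first transitive closure over one direction of the graph.
        seen, stack = set(), [start]
        while stack:
            cur = stack.pop()
            for _, nxt in edges[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def downstream(self, ident):
        """Everything derived from ident (hazard -> requirements -> functions)."""
        return self._closure(ident, self.out)

    def upstream(self, ident):
        """Everything ident was derived from: the history behind it."""
        return self._closure(ident, self.inc)

    def unmitigated(self):
        """Hazards and threats with no 'mitigated_by' link: coverage gaps."""
        return sorted(
            i for i, (kind, _) in self.artefacts.items()
            if kind in HARM_KINDS
            and not any(rel == "mitigated_by" for rel, _ in self.out[i])
        )

    def cross_domain_interactions(self):
        """Pairs where a safety and a security requirement affect each other."""
        pairs = set()
        for src, edges in self.out.items():
            for rel, dst in edges:
                if rel != "affects":
                    continue
                kinds = {self.artefacts[src][0], self.artefacts[dst][0]}
                if kinds == {"safety_req", "security_req"}:
                    pairs.add(tuple(sorted((src, dst))))
        return sorted(pairs)


def build_remote_tower_example():
    """Constructed sample: a few artefacts around a remote-tower camera feed."""
    m = TraceModel()
    m.add("FMEA-1", "technique", "FMEA session on the video chain")
    m.add("MUC-1", "technique", "Misuse case: attacker tampers with the camera feed")
    m.add("H1", "hazard", "Controller sees a frozen or stale camera picture")
    m.add("T1", "threat", "Spoofed video stream injected on the tower-to-centre link")
    m.add("T2", "threat", "Eavesdropping on the unencrypted video stream")
    m.add("SR1", "safety_req", "Raise a visible alarm if no new frame arrives within 500 ms")
    m.add("SEC1", "security_req", "Authenticate the origin of every video frame")
    m.add("SEC2", "security_req", "Encrypt the video stream end to end")
    m.add("FR1", "functional_req", "Render the camera stream on the controller display")

    m.link("FMEA-1", "identified", "H1")
    m.link("MUC-1", "identified", "T1")
    m.link("MUC-1", "identified", "T2")
    m.link("H1", "mitigated_by", "SR1")
    m.link("T1", "mitigated_by", "SEC1")
    # SEC2 was written for T2 but the analyst never recorded the link:
    # unmitigated() flags T2 as a gap until the trace is added.
    m.link("SR1", "constrains", "FR1")
    m.link("SEC1", "constrains", "FR1")
    m.link("SEC2", "constrains", "FR1")
    # Encryption adds latency, which works against the freshness alarm: the
    # kind of safety/security interdependency the assessment must record.
    m.link("SEC2", "affects", "SR1")
    return m


if __name__ == "__main__":
    model = build_remote_tower_example()
    print("Unmitigated harms:", model.unmitigated())
    print("Derived from H1:", sorted(model.downstream("H1")))
    print("Rationale behind FR1:", sorted(model.upstream("FR1")))
    print("Safety/security interactions:", model.cross_domain_interactions())
```

The check worth noting is `unmitigated()`: the encryption requirement exists in the model, but because nobody linked it back to the eavesdropping threat the threat is reported as uncovered, which is exactly the kind of omission a standards-driven traceability audit is meant to surface.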

Collaboration

Top co-authors of Christian Raspotnig:

Vikash Katta, Norwegian University of Science and Technology
Peter Karpati, Norwegian University of Science and Technology
Tor Stålhane, Norwegian University of Science and Technology
Rune Fredriksen, Organisation for Economic Co-operation and Development
Janne Valkonen, VTT Technical Research Centre of Finland
Guttorm Sindre, Norwegian University of Science and Technology