Publications

Featured research published by Christoph Schmittner.


International Conference on Computer Safety, Reliability, and Security | 2014

Security Application of Failure Mode and Effect Analysis (FMEA)

Christoph Schmittner; Thomas Gruber; Peter P. Puschner; Erwin Schoitsch

Increasingly complex systems lead to an interweaving of security, safety, availability and reliability concerns. Most dependability analysis techniques do not include security aspects. In order to include security, a holistic risk model for systems is needed. In our novel approach, the basic failure cause, failure mode and failure effect model known from FMEA is used as a template for a vulnerability cause-effect chain, and an FMEA analysis technique extended with security is presented. This represents a unified model for safety and security cause-effect analysis. As an example the technique is then applied to a distributed industrial measurement system.


Archive | 2016

The Need for Safety and Cyber-Security Co-engineering and Standardization for Highly Automated Automotive Vehicles

Erwin Schoitsch; Christoph Schmittner; Zhendong Ma; Thomas Gruber

A key long-term trend is towards highly automated vehicles and autonomous driving. This has a huge impact, besides comfort and enabling people not able or allowed to drive, on the sustainability of environmentally friendly urban road transport, because the number of vehicles and parking spaces could be considerably reduced if vehicles are called on command and left behind after use for the next call. This requires a considerable amount of functionality, sensors, actuators and control, situation awareness etc., and the integration into a new type of critical infrastructure based on communication between vehicles and between vehicles and infrastructure for regional traffic management. Both safety and security aspects have to be handled in a coordinated manner, affecting co-engineering, co-certification and standardization.


Proceedings of the 1st ACM Workshop on Cyber-Physical System Security | 2015

A Case Study of FMVEA and CHASSIS as Safety and Security Co-Analysis Method for Automotive Cyber-physical Systems

Christoph Schmittner; Zhendong Ma; Erwin Schoitsch; Thomas Gruber

The increasing integration of computational components and physical systems creates cyber-physical systems, which provide new capabilities and possibilities for humans to control and interact with physical machines. However, the correlation of events in cyberspace and the physical world also poses new safety and security challenges. This calls for holistic approaches to safety and security analysis for the identification of safety failures and security threats and a better understanding of their interplay. This paper presents the application of two promising methods, i.e. Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) and Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS), to a case study of safety and security co-analysis of cyber-physical systems in the automotive domain. We present the comparison, discuss their applicability, and identify future research needs.


International Conference on Computer Safety, Reliability, and Security | 2016

Limitation and Improvement of STPA-Sec for Safety and Security Co-analysis

Christoph Schmittner; Zhendong Ma; Peter P. Puschner

Safety-critical Cyber-physical Systems (CPS) in vehicles are becoming more and more complex and interconnected. There is a pressing need for holistic approaches for safety and security analysis to address the challenges. System-Theoretic Process Analysis (STPA) is a top-down safety hazard analysis method, based on systems theory especially aimed at such systems. In contrast to established approaches, hazards are treated as a control problem rather than a reliability problem. STPA-Sec extends this approach to also include security analysis. However, when we applied STPA-Sec to real world use cases for joint safety and security analysis, a Battery Management System for a hybrid vehicle, we observed several limitations of the security extension. We propose improvements to address these limitations for a combined safety and security analysis. Our improvements lead to a better identification of high level security scenarios. We evaluate the feasibility of the improved co-analysis method in a self-optimizing battery management system. We also discuss the general applicability of STPA-Sec to high level safety and security analysis and the relation to automotive cybersecurity standards.


International Conference on Computer Safety, Reliability, and Security | 2014

Security analysis of urban railway systems: The need for a cyber-physical perspective

Binbin Chen; Christoph Schmittner; Zhendong Ma; William G. Temple; Xinshu Dong; Douglas L. Jones; William H. Sanders

Urban railway systems are increasingly relying on information and communications technologies (ICT). This evolution makes cybersecurity an important concern, in addition to the traditional focus on reliability, availability, maintainability and safety. In this paper, we examine two examples of cyber-intensive systems in urban railway environments—a communications-based train control system, and a mobile app that provides transit information to commuters—and use them to study the challenges for conducting security analysis in this domain. We show the need for a cyber-physical perspective in order to understand the cross-domain attack/defense and the complicated physical consequence of cyber breaches. We present security analysis results from two different methods that are used in the safety and ICT security engineering domains respectively, and use them as concrete references to discuss the way to move forward.


International Conference on Computer Safety, Reliability, and Security | 2016

Using SAE J3061 for Automotive Security Requirement Engineering

Christoph Schmittner; Zhendong Ma; Carolina Reyes; Oliver Dillinger; Peter P. Puschner

Modern vehicles are increasingly software intensive and connected. The potential hazards and economic losses due to cyberattacks have become real and imminent in recent years. Consequently, cybersecurity must be adequately addressed among other dependability attributes such as safety and reliability in the automotive domain. J3061, officially published in January 2016 by SAE International, is a much anticipated standard for cybersecurity for the automotive industry. It fills an important gap which was previously deemed irrelevant in the automotive domain. In this paper, we report our activities of applying J3061 to security engineering of an automotive Electronic Control Unit (ECU) as a communication gateway. As an ongoing work, we share our early experience on the concept phase of the process, with a focus on the part of Threat Analysis and Risk Assessment (TARA). Based on our experience, we propose improvements and discuss its link to ISO 26262.


International Conference on Computer Safety, Reliability, and Security | 2014

FMVEA for Safety and Security Analysis of Intelligent and Cooperative Vehicles

Christoph Schmittner; Zhendong Ma; Paul Smith

Safety and security are two important aspects in the analysis of cyber-physical systems (CPSs). In this short paper, we apply a new safety and security analysis method to intelligent and cooperative vehicles, in order to examine attack possibilities and failure scenarios. The method is based on the FMEA technique for safety analysis, with extensions to cover information security. We examine the feasibility and efficiency of the method, and determine the next steps for developing the combined analysis method.


IEEE Internet of Things Journal | 2017

A Lightweight Authentication Mechanism for M2M Communications in Industrial IoT Environment

Alireza Esfahani; Georgios Mantas; Rainer Matischek; Firooz B. Saghezchi; Jonathan Rodriguez; Ani Bicaku; Silia Maksuti; Markus Tauber; Christoph Schmittner; Joaquim Bastos

In the emerging industrial Internet of Things (IIoT) era, machine-to-machine (M2M) communication technology is considered as a key underlying technology for building IIoT environments, where devices (e.g., sensors, actuators, and gateways) are enabled to exchange information with each other in an autonomous way without human intervention. However, most of the existing M2M protocols that can be also used in the IIoT domain provide security mechanisms based on asymmetric cryptography resulting in high computational cost. As a consequence, the resource-constrained IoT devices are not able to support them appropriately and thus, many security issues arise for the IIoT environment. Therefore, lightweight security mechanisms are required for M2M communications in IIoT in order to reach its full potential. As a step toward this direction, in this paper, we propose a lightweight authentication mechanism, based only on hash and XOR operations, for M2M communications in IIoT environment. The proposed mechanism is characterized by low computational cost, communication, and storage overhead, while achieving mutual authentication, session key agreement, device’s identity confidentiality, and resistance against the following attacks: replay attack, man-in-the-middle attack, impersonation attack, and modification attack.


International Conference on Computer Safety, Reliability, and Security | 2014

Towards a Framework for Alignment Between Automotive Safety and Security Standards

Christoph Schmittner; Zhendong Ma

Modern automotive systems increasingly rely on software and network connectivity for new functions and features. Security of the software and communications of the on-board system of systems becomes a critical concern for the safety of new generation vehicles. Besides methods and tools, safety and security of automotive systems requires frameworks of standards for holistic process and assurance. As a part of our ongoing work, this paper investigates the possibility of a combined safety and security approach to standards in the automotive domain. We examine existing approaches in the railway and avionics domain with similar challenges and identify specific requirements for the automotive domain. We evaluate ISO 15408 as a potential candidate for a combined safety and security approach for complementing automotive safety standard ISO 26262, and discuss their points of alignment.


International Conference on Industrial Informatics | 2015

Combined Safety and Security Development Lifecycle

Christoph Schmittner; Zhendong Ma; Erwin Schoitsch

The evolution of Cyber-physical Systems and their often critical roles in many application domains such as automotive, aeronautics, energy, and railway make it necessary to address safety and security issues equally throughout the entire system lifecycle. In the past, safety and security development has mostly been performed independently. With increasing complexity and connectivity, this separation is no longer justifiable. This paper proposes a combined safety and security development lifecycle. We review existing standards in order to identify safety and security core activities. Based on the results, a combined lifecycle is introduced that integrates both safety and security considerations and activities in a coordinated way. Finally, the feasibility of the approach is demonstrated by case studies.

Collaboration

Top co-authors of Christoph Schmittner:

Zhendong Ma (Austrian Institute of Technology)
Thomas Gruber (Austrian Institute of Technology)
Erwin Schoitsch (Austrian Institute of Technology)
Markus Tauber (Austrian Institute of Technology)
Peter P. Puschner (Austrian Institute of Technology)
Ani Bicaku (Austrian Institute of Technology)
Silia Maksuti (Austrian Institute of Technology)
Jerker Delsing (Luleå University of Technology)