Erwin Schoitsch
Austrian Institute of Technology
Publication
Featured research published by Erwin Schoitsch.
international conference on computer safety reliability and security | 2014
Christoph Schmittner; Thomas Gruber; Peter P. Puschner; Erwin Schoitsch
Increasingly complex systems lead to an interweaving of security, safety, availability and reliability concerns. Most dependability analysis techniques do not include security aspects. In order to include security, a holistic risk model for systems is needed. In our novel approach, the basic failure cause, failure mode and failure effect model known from FMEA is used as a template for a vulnerability cause-effect chain, and an FMEA analysis technique extended with security is presented. This represents a unified model for safety and security cause-effect analysis. As an example the technique is then applied to a distributed industrial measurement system.
Archive | 2016
Erwin Schoitsch; Christoph Schmittner; Zhendong Ma; Thomas Gruber
A key long-term trend is towards highly automated vehicles and autonomous driving. Besides comfort and enabling people who are not able or allowed to drive, this has a huge impact on the sustainability of environmentally friendly urban road transport, because the number of vehicles and the parking space needed could be considerably reduced if vehicles are called on command and left behind after use for the next call. This requires a considerable amount of functionality, sensors, actuators and control, situation awareness etc., and integration into a new type of critical infrastructure based on communication between vehicles, and between vehicles and infrastructure, for regional traffic management. Both safety and security aspects have to be handled in a coordinated manner, affecting co-engineering, co-certification and standardization.
Proceedings of the 1st ACM Workshop on Cyber-Physical System Security | 2015
Christoph Schmittner; Zhendong Ma; Erwin Schoitsch; Thomas Gruber
The increasing integration of computational components and physical systems creates cyber-physical systems, which provide new capabilities and possibilities for humans to control and interact with physical machines. However, the correlation of events in cyberspace and the physical world also poses new safety and security challenges. This calls for holistic approaches to safety and security analysis for the identification of safety failures and security threats and a better understanding of their interplay. This paper presents the application of two promising methods, i.e. Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) and Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS), to a case study of safety and security co-analysis of cyber-physical systems in the automotive domain. We present the comparison, discuss their applicability, and identify future research needs.
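The FMVEA idea described in the two abstracts above (the FMEA triple of failure cause, failure mode and failure effect kept as-is, with a parallel threat row added so that random failures and deliberate attacks are analysed in one table against a shared effect vocabulary) is easier to see on a concrete worksheet. The Python below is an added example, not code from the FMVEA or CHASSIS papers or from AIT: the distributed measurement system rows, the 1 to 5 scales and the risk = severity × likelihood scoring are constructed here for illustration, and the published FMVEA method rates threat likelihood from its own factors rather than this simple product.

```python
"""Added illustration of a unified safety/security cause-effect worksheet.

Not code from the FMVEA or CHASSIS papers. The FMEA chain
cause -> mode -> effect is kept, and a second row kind (threat) is added
so that random failures and deliberate attacks share one effect vocabulary.
Scales and scoring below are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    FAILURE = "failure"   # classic FMEA row: random or systematic fault
    THREAT = "threat"     # FMVEA-style row: deliberate, malicious action


@dataclass(frozen=True)
class Row:
    component: str
    kind: Kind
    cause: str       # failure cause, or the vulnerability an attacker exploits
    mode: str        # failure mode, or threat mode
    effect: str      # system-level effect; same wording for both kinds on purpose
    severity: int    # 1 negligible .. 5 catastrophic (assumed scale)
    likelihood: int  # 1 rare .. 5 frequent; for threats, attack likelihood (assumed)

    def risk(self) -> int:
        # Plain severity x likelihood product, an assumption of this example.
        return self.severity * self.likelihood


def rank(rows):
    """Rows by descending risk; ties broken by severity, then component name."""
    return sorted(rows, key=lambda r: (-r.risk(), -r.severity, r.component))


def _kinds_by_effect(rows):
    kinds = defaultdict(set)
    for r in rows:
        kinds[r.effect].add(r.kind)
    return kinds


def shared_effects(rows):
    """Effects reachable both through a failure and through a threat.

    These are the points of interplay: a security countermeasure here also
    buys safety, and a safety mitigation may mask an ongoing attack.
    """
    return sorted(e for e, k in _kinds_by_effect(rows).items() if k == set(Kind))


def effects_missing(rows, kind):
    """Effects with no row of the given kind, i.e. one analysis view is absent.

    effects_missing(rows, Kind.THREAT) lists what a pure FMEA would leave
    without any security consideration at all.
    """
    return sorted(e for e, k in _kinds_by_effect(rows).items() if kind not in k)


# Constructed worksheet for a small distributed measurement system
# (sensor node -> field network -> aggregator). Values are illustrative only.
WORKSHEET = [
    Row("sensor node", Kind.FAILURE, "ADC drift", "reading out of tolerance",
        "wrong measurement delivered", severity=4, likelihood=2),
    Row("sensor node", Kind.THREAT, "unauthenticated field bus", "spoofed sensor frame",
        "wrong measurement delivered", severity=4, likelihood=3),
    Row("field network", Kind.FAILURE, "cable break", "loss of link",
        "measurement unavailable", severity=3, likelihood=2),
    Row("field network", Kind.THREAT, "open management port", "traffic flooding",
        "measurement unavailable", severity=3, likelihood=3),
    Row("aggregator", Kind.FAILURE, "timestamp rollover", "stale value reused",
        "wrong measurement delivered", severity=4, likelihood=1),
    Row("aggregator", Kind.THREAT, "default credentials", "configuration tampered",
        "measurement silently disabled", severity=5, likelihood=2),
    Row("aggregator", Kind.FAILURE, "disk full", "log records dropped",
        "audit trail incomplete", severity=2, likelihood=3),
]

if __name__ == "__main__":
    for r in rank(WORKSHEET):
        print(f"{r.risk():>2}  {r.kind.value:<7} {r.component:<13} {r.mode} -> {r.effect}")
    print("joint safety/security effects:", shared_effects(WORKSHEET))
    print("effects with no security view:", effects_missing(WORKSHEET, Kind.THREAT))
```

On this constructed table the top-ranked row is a threat (the spoofed sensor frame), which a classical FMEA would never have listed, and two effects are reachable from both a failure and an attack; those are the rows where the abstracts' "interplay" has to be resolved jointly rather than by the safety and security teams separately.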
international conference on industrial informatics | 2008
Egbert Althammer; Erwin Schoitsch; Gerald Sonneck; Henrik Eriksson; Jonny Vinter
The integrated EU-project DECOS (dependable embedded components and systems) developed an integrated architecture for safety critical embedded systems. To reduce the effort for the certification of DECOS based applications it provides support for modular certification based on generic safety cases. This means that a safety case of a DECOS based application only contains the application-specific issues and reuses the safety arguments of the generic safety cases of the DECOS platform. The concept of safety cases was complemented by trust cases which tackle further aspects such as security.
international conference on computer safety reliability and security | 2006
Erwin Schoitsch; Egbert Althammer; Henrik Eriksson; Jonny Vinter; László Gönczy; András Pataricza; György Csertán
The integrated EU-project DECOS (Dependable Embedded Components and Systems) aims at developing an integrated architecture for embedded systems to reduce life-cycle costs and to increase dependability of embedded applications. To facilitate the certification process of DECOS-based applications, the DECOS Test Bench constitutes a framework to support Validation & Verification. By implementing a modular approach, an application safety case merely contains the application-specific issues and re-uses the safety arguments of the “generic” safety cases of the DECOS platform. The Test Bench covers the complete life cycle from the platform-independent models to deployment, including model validation and transformations. The safety cases are based on validation-plans (v-plans) comprising the steps to validate the safety requirements. The Test Bench provides a methods/tools repository, guidelines to generate and execute v-plans, and integration of tools and of remotely distributed test beds.
international conference on computer safety reliability and security | 2014
Daniel Schneider; Eric Armengaud; Erwin Schoitsch
We are currently witnessing a 3rd industrial revolution, driven by ever more interconnected distributed systems of systems, running under the umbrella term of cyber-physical systems (CPS). In the context of this paradigm, different types of computer-based systems from different application domains collaborate with each other in order to render higher-level services that could not be rendered by single systems alone. However, the tremendous potential of CPS is inhibited due to significant engineering challenges with respect to the systems' safety and security. Traditional methodologies are not applicable to CPS without further ado and new solutions are therefore required. In this paper, we present potential solution ideas that are currently investigated by the European EMC² research project.
software engineering and advanced applications | 2013
Erwin Schoitsch; Amund Skavhaug
The paper provides a short introduction to the European perspectives on the role of teaching, education and training in the context of achieving a sustainable innovation eco-system, as e.g. the European Technology Platform ARTEMIS is aiming at. Studies and examples from different European projects are discussed, including the ARTEMIS Strategic Research Agenda and Multi-annual Strategic Plan and the ARTEMIS Working Group on Education and Training, the ideas of three ARTEMIS projects (R3-COP, MBAT and SafeCer) to deliver supporting training material to promote more widespread use of the outcomes of the projects, the study (report) performed within the FP6 European Integrated Project DECOS, and experiences with the European Master in Embedded Computing Systems (EMECS).
software engineering and advanced applications | 2009
Egbert Althammer; Erwin Schoitsch; Henrik Eriksson; Jonny Vinter
The integrated EU-project DECOS (Dependable Embedded Components and Systems) developed an integrated architecture and the corresponding tool chain which supports, besides model-based development, a modular validation and certification process based on so-called generic safety cases: a safety case for a DECOS-based application only contains the application-specific issues and re-uses the safety arguments of the generic safety cases of the DECOS platform. The generic safety case is based on the architectural claims and was completed by adding the evidence from a series of validations for all major DECOS artefacts. The safety cases were complemented by a trust case using the trust-case tool of TU Gdansk, which tackles the aspect of security impact on safety for the DECOS SoC (NoC) concept. The V&V and certification process is supported by the Generic Test Bench.
international conference on industrial informatics | 2015
Christoph Schmittner; Zhendong Ma; Erwin Schoitsch
The evolution of Cyber-physical Systems and their often critical roles in many application domains such as automotive, aeronautics, energy, and railway make it necessary to address safety and security issues equally throughout the entire system lifecycle. In the past, safety and security development has been mostly performed independently. With increasing complexity and connectivity, this separation is no longer justifiable. This paper proposes a combined safety and security development lifecycle. We review existing standards in order to identify safety and security core activities. Based on the results, a combined lifecycle is introduced that integrates both safety and security considerations and activities in a coordinated way. Finally the feasibility of the approach is demonstrated by case studies.
international conference on computer safety reliability and security | 2009
Thomas Gruber; Egbert Althammer; Erwin Schoitsch
Traffic management systems are complex networks integrating sensors, actors, communication on different levels and humans as an active part, consisting of road-side infrastructure coupled with advanced driver assistance systems and on-board data collection facilities. COOPERS has the objective of co-operative traffic management by implementing intelligent services interfacing vehicles, drivers, road infrastructure and highway operators. These services have different levels of criticality and safety impact, and involve different types of smart systems and wireless communications. In the initial phase of the COOPERS project a RAMSS analysis was carried out on road traffic scenarios, services and communications. The analysis showed that the HMI (Human Machine Interface) is one of the major threats to reliability. After a short overview of COOPERS and the RAMSS analysis, this paper describes the risks of the HMI and human factors in the specific situation of a driver and gives concrete recommendations for the OBU (On-Board Unit) user interface.