Requirements for safe and secure information systems


Requirements for safe and secure information systems
Christian Raspotnig
Dissertation for the degree of Philosophiae Doctor (PhD)
Department of Information Science and Media Studies, University of Bergen


Scientific Environment

The University of Bergen (UiB) is the organisation where this PhD has been conducted. The PhD has also been a part of the Requirements for Security (ReqSec) project, which included the UiB and the Norwegian University of Science and Technology (NTNU) as partners, with the latter university as project owner. The project was financed by the Norwegian Research Council (NFR) under the FRITEK program for the period. Much of the research has been conducted with support from the Institute of energy technology (IFE), and is related to the research project Halden Reactor Project (HRP). IFE has been the main working environment for this PhD.

Department of Information Science and Media Studies, University of Bergen, Norway.
Department of Computer and Information Science, Norwegian University of Science and Technology, Norway.
Risk and Dependability section, Department of Software Engineering, Institute of energy technology/Halden Reactor Project, Norway.

The research has been undertaken in collaboration with several Air Traffic Management organisations: the ATM company network (ATM BN) sponsored by Innovation Norway and the Norwegian ATM industry; the Norwegian Air Navigation Service Provider (ANSP) Avinor; and the European Organisation for the Safety of Air Navigation, EUROCONTROL. A three-month period from September to December 2011 was spent at the Tokyo Institute of Technology (TITech), where I exchanged research ideas, did data analysis, and arranged a meeting with the Japan Manned Space Systems Corporation (JAMSS). Since January 2012 I have collaborated with Électricité de France Research & Development (EDF R&D) and École Centrale Paris, and I had a short research stay at EDF R&D at Clamart, Paris, in the fall of 2012.


Acknowledgements

Prof. Andreas L. Opdahl has been a paramount supervisor for me. Without his excellent advice and support in both writing and dealing with difficult matters, this thesis would not have been finished or in its current state. I have enjoyed the supervision meetings with him at the University of Bergen very much; it has always been a pleasure and I now bring with me valuable knowledge for further research. I would like to thank Peter Karpati, who is always positive, for good collaboration during our time in the ReqSec project. Prof. Guttorm Sindre managed the ReqSec project very well, and I would like to thank him for always taking time to supervise me during my stays at the Norwegian University of Science and Technology. From the Institute of energy technology (IFE) I would especially like to thank Vikash Katta for all the excellent discussions, sharing ideas and the office, and support in difficult times. I have enjoyed collaborating with you and look forward to the future work together. Bjørn Axel Gran, previously employed at IFE as department head, saw the value of the PhD education and I would like to thank him for making this PhD possible. Furthermore, I would like to thank my colleagues at the Risk and Dependability section, IFE, for support and an enjoyable time. The Norwegian Research Council has enabled the ReqSec project through the FRITEK program, and I would like to thank them for their financial support for my PhD. From the ATM domain, I would like to thank Harald Roen and Kjersti Disen at Avinor. Your support in the initial stages of the PhD meant a lot for the final result. I would also like to thank Linda Lavik at Indra Navia, who has followed up on my research and shared her practical experience. In general, I would like to thank the Air Traffic Management community in Norway for being open to new ideas and my research. It has been a true motivation to know that there is a practical interest and need for the research conducted.

There has also been a French connection during my PhD research period, which I have enjoyed very much and hope to continue. First of all, I would like to thank Ludovic Piètre-Cambacédès from EDF for the initiative to establish the connection and always keeping it alive with good discussions and pointing out opportunities. Siwar Kriaa and Marc Bouissou from Ecole Centrale Paris/EDF have been very nice collaboration partners, and I hope to be able to return your efforts when Siwar finishes her PhD.

First of all, I would like to thank Prof. Motoshi Saeki for arranging my stay at the Saeki Lab, Tokyo Institute of Technology, and for always taking time to discuss both professional and personal matters. I would also like to thank PhD Shinpei Hayashi for making my stay at Saeki Lab interesting and introducing me to Japanese culture and food. Furthermore, I would like to thank all the employees and students at the Saeki Lab for a good time.

I would like to thank my dear wife, May Helén Norevik, for all her patience and support, and for sharing the incredible experience of Japan together with me. My nieces, Marie and Ingrid Raspotnig, also deserve many thanks for making my stays in Bergen a great joy, just as my sister Margrethe Raspotnig and my brother-in-law Kyrre Reiakvam, who always gave me a warm welcome. Finally, I would like to thank my parents, Magnhild and Hans-Peter Raspotnig, for shaping me into who I am and providing me with the foundation that I am building on.

Abstract

Safety and security are important to consider when developing information systems that are part of the critical infrastructure or services in society. The trend is to interconnect information systems to a larger extent, to make services and infrastructure more efficient. The negative side, however, is more vulnerable systems and more effort required to prove that these critical systems are both safe and secure. The research presented in this thesis is about how safety and security can be modelled during the early requirements activities in the development of information systems. The research has been a part of the ReqSec project, a joint project between the University of Bergen and the Norwegian University of Science and Technology, financed by the Norwegian Research Council. The thesis presents research that is based on existing modelling techniques from the early phases of the development life cycle and investigates how these can be further developed and specialised to security and safety. The result has been evaluated with industrial partners within the air traffic management industry, exploring how new modelling techniques can enhance or replace existing parts of the mandatory safety and security analyses.

Traditional techniques for analysing the safety of information systems during development are mainly based on using models of the system as input. However, there are few techniques that actually model how the system can fail and thus lead to hazardous situations, and the techniques that do model this offer only a loose relation back to the models of the system. Within the security domain, by contrast, there is a trend to model not only the system to be developed, but also the system's vulnerabilities, how these can be exploited in an attack and what steps can mitigate them.

As part of the ReqSec project, the research presented in this thesis also looks at similarities and differences between the safety and security fields, in terms of what these two fields can learn from each other. The outcome of this work is a new modelling technique for safety and a new combined modelling method, which allows stakeholders to assess both safety and security aspects in the development of information systems. Furthermore, the thesis provides theoretical contributions on the safety and security fields, their similarities but also their differences, and when and how they can be combined.


List of Papers

Main papers:
1. Christian Raspotnig and Andreas L. Opdahl, Comparing Risk Identification Techniques for Safety and Security Requirements, Journal of Systems and Software (JSS), 86, 4.
2. Christian Raspotnig and Andreas L. Opdahl, Supporting Failure Mode and Effect Analysis: A Case Study with Failure Sequence Diagrams, In Requirements Engineering: Foundation for Software Quality (REFSQ), B. Regnell and D. Damian, Eds., vol of Lecture Notes in Computer Science. Springer Berlin Heidelberg, pp.
3. Christian Raspotnig and Andreas L. Opdahl, Improving Security and Safety Modelling with Failure Sequence Diagrams, International Journal of Secure Software Engineering (IJSSE) 1, 3, 20-36.
4. Christian Raspotnig, Peter Karpati and Vikash Katta, A Combined Process for Elicitation and Analysis of Safety and Security Requirements, In Enterprise, Business-Process and Information Systems Modeling (EMMSAD), I. Bider, T. Halpin, J. Krogstie, S. Nurcan, E. Proper, R. Schmidt, P. Soffer, and S. Wrycza, Eds., vol. 113 of Lecture Notes in Business Information Processing. Springer Berlin Heidelberg, pp.
5. Christian Raspotnig, Peter Karpati and Andreas L. Opdahl, An Evaluation of CHASSIS with Two Air Traffic Management Suppliers, Manuscript to be submitted.
6. Siwar Kriaa, Christian Raspotnig, Marc Bouissou, Ludovic Piètre-Cambacédès, Peter Karpati, Yoran Halgand and Vikash Katta, Comparing Two Approaches to Safety and Security Modelling: BDMP Technique and CHASSIS Method, In proceedings of Enlarged Halden Group Meeting (EHPG).
7. Christian Raspotnig and Vikash Katta, Applying a Security Conceptual Model for Coverage Analysis, In proceedings of IFAC Conference on Manufacturing Modelling, Management, and Control (MIM).
8. Christian Raspotnig, Vikash Katta, Peter Karpati and Andreas Opdahl, Enhancing CHASSIS: A Method for Combined Safety and Security Assessments, To be published in proceedings of 8th International Conference on Availability, Reliability and Security (ARES), 2013.

Supporting papers:
1. Christian Raspotnig, Comparative study on threat identification techniques for dependability requirements, Fast abstract paper in proceedings of 20th International Symposium on Software Reliability Engineering (ISSRE).
2. Christian Raspotnig, Vikash Katta, Harald Roen and Kjersti Disen, Challenges of Improving Safety for ATM Software Intensive System, In proceedings of 28th International System Safety Conference (ISSC), International System Safety Society.
3. Vikash Katta, Peter Karpati, Andreas L. Opdahl, Christian Raspotnig and Guttorm Sindre, Comparing two techniques for intrusion visualization, In The Practice of Enterprise Modeling (PoEM), P. Bommel, S. Hoppenbrouwers, S. Overbeek, E. Proper, J. Barjis, W. Aalst, J. Mylopoulos, M. Rosemann, M. J. Shaw, and C. Szyperski, Eds., vol. 68 of Lecture Notes in Business Information Processing. Springer Berlin Heidelberg, pp. 1-15.
4. Vikash Katta, Christian Raspotnig, Bjørn Axel Gran, Andreas L. Opdahl, Tor Stålhane and Guttorm Sindre, Collaborative research within requirements engineering and risk assessment, In proceedings of Enlarged Halden Group Meeting (EHPG).
5. Silvia Henriksdottir, Christian Raspotnig, Vikash Katta and Rune Fredriksen, HWR-1054, Requirements Elicitation Completeness, Traceability, and Automation, Halden Work Report in proceedings of Enlarged Halden Group Meeting (EHPG).
6. Vikash Katta, Christian Raspotnig, Peter Karpati and Tor Stålhane, Requirements management in a combined process for safety and security assessments, To be published in proceedings of 8th International Conference on Availability, Reliability and Security (ARES).
7. Vikash Katta, Tor Stålhane and Christian Raspotnig, Presenting a traceability-based approach for safety argumentation, To be published in proceedings of Conference on European Safety and Reliability (ESREL), 2013.

Author's Contributions

As for most research projects, the research and publications presented by this thesis are results of good collaboration among many researchers. In the following, a percentage for each of the main papers is given as an indication of my contribution to the planning, execution, analysis and publication of the research:

1. Christian Raspotnig and Andreas L. Opdahl, Comparing risk identification techniques for safety and security requirements - 90 %. Raspotnig's contribution includes most of the planning, execution, analysis and publication.
2. Christian Raspotnig and Andreas L. Opdahl, Supporting Failure Mode and Effect Analysis: A Case Study with Failure Sequence Diagrams - 90 %. Raspotnig's contribution includes most of the planning, execution, analysis and publication.
3. Christian Raspotnig and Andreas L. Opdahl, Improving Security and Safety Modelling with Failure Sequence Diagrams - 90 %. Raspotnig's contribution includes most of the planning, execution, analysis and publication.
4. Christian Raspotnig, Peter Karpati and Vikash Katta, A combined process for elicitation and analysis of safety and security requirements - 50 %. Raspotnig's contribution includes most of the planning, and parts of the execution, analysis and publication.
5. Christian Raspotnig, Peter Karpati and Andreas L. Opdahl, An Evaluation of CHASSIS with Two Air Traffic Management Suppliers - 60 %. Raspotnig's contribution includes parts of the planning and execution, and most of the analysis and publication.
6. Siwar Kriaa, Christian Raspotnig, Marc Bouissou, Ludovic Piètre-Cambacédès, Peter Karpati, Yoran Halgand and Vikash Katta, Comparing two approaches to safety and security modelling: BDMP technique and CHASSIS method - 40 %. Raspotnig's contribution includes parts of the planning, execution, analysis and publication.
7. Christian Raspotnig and Vikash Katta, Applying a Security Conceptual Model for Coverage Analysis - 50 %. Raspotnig's contribution includes parts of the planning, execution, analysis and publication.
8. Christian Raspotnig, Vikash Katta, Peter Karpati and Andreas Opdahl, Enhancing CHASSIS: A Method for Combined Safety and Security Assessments - 75 %. Raspotnig's contribution includes most of the planning, execution, analysis and publication.

The authors hereby acknowledge Christian Raspotnig's contributions to the main papers listed on the previous page:
- Andreas L. Opdahl, for paper # 1, 2, 3, 5 and 8
- Peter Karpati, for paper # 4, 5, 6 and 8
- Vikash Katta, for paper # 4, 6, 7 and 8
- Siwar Kriaa, for paper # 6
- Marc Bouissou, for paper # 6
- Ludovic Piètre-Cambacédès, for paper # 6
- Yoran Halgand, for paper # 6

Abbreviation List

| Abbreviation | Description | Explanation |
|---|---|---|
| AADL | Architecture Analysis & Design Language | Modelling language |
| ANSP | Air Navigation Service Provider | Organisation providing ATM services |
| AT | Attack Tree | Security technique |
| ATC | Air Traffic Control | Generic aviation term |
| ATCO | Air Traffic Control Officer | Generic aviation term |
| ATM | Air Traffic Management | Generic aviation term |
| ATM BN | ATM Company Network | Project |
| BACS | Building Automation and Control Systems | Generic term |
| BDMP | Boolean-logic Driven Markov Processes | Safety and security technique |
| CC | Common Criteria | Security standard |
| CFIT | Controlled Flight Into Terrain | Generic aviation term |
| CFT | Component Fault Trees | Safety technique |
| CHASSIS | Combined Harm Assessment for Safety and Security of Information Systems | Safety and security method |
| CIA | Confidentiality Integrity Availability | Generic security term |
| CNS | Communication, Navigation and Surveillance System | Generic aviation term |
| CORAS | No abbreviation | Security process |
| D-MUC | Diagrammatical-MUC | Part of MUC |
| D-UC | Diagrammatical-UC | Part of UC |
| DA-chart | Dependability Assessment Chart | Safety technique |
| DAM | Dependability Analysis Model | Safety model |
| DEF STAN | Defence Standards | Publication system of UK defence |
| DRBFM | Design Review Based on Failure Mode | Safety technique |
| EAL | Evaluation Assurance Level | Part of CC |
| EBNF | Extended Backus-Naur Form | Notation technique |
| ED | EUROCAE Documents | Publication system of EUROCAE |
| EDF | Électricité de France | Organisation |
| EEA | Electric and Electronic Architecture | Modelling language |
| EFT | Extended Fault Tree | Safety and security technique |
| ESARR | European Safety Assessment Regulatory Requirements | Safety standard |
| ET | Event Tree | Part of ETA |
| ETA | Event Tree Analysis | Safety technique |
| EUC | Equipment Under Control | A type of computer-based system |
| EUROCAE | European Organisation for Civil Aviation Equipment | Organisation |
| F(I)MEA | Failure (Intrusion) Mode and Effect Analysis | Security technique |
| FFA | Functional Failure Analysis | Safety technique |
| FHA | Functional Hazard Assessment/Analysis | Safety technique |
| FMEA | Failure Mode and Effect Analysis | Safety technique |
| FMECA | Failure Mode Effect and Criticality Analysis | Safety technique |
| FRITEK | Free project support for technology | Research program |
| FSD | Failure Sequence Diagram | Safety technique |
| FSM | Finite State Machine | Modelling technique related to UML |
| FT | Fault Tree | Part of FTA |
| FTA | Fault Tree Analysis | Safety technique |
| GCM | Generic Conceptual Model | Safety and security model |
| HALT | Highly Accelerated Life Testing | System development technique |
| HAZOP | Hazard and Operability study | Safety technique |
| HiP-HOPS | Hierarchically Performed Hazard Origin & Propagation Studies | Safety technique |
| HRP | Halden Reactor Project | Research project |
| HSIA | Hardware-Software Interaction Analysis | Safety technique |
| ICT | Information and Communication Technology | Generic term |
| IEC | International Electrotechnical Commission | Organisation |
| IEEE | Institute of Electrical and Electronics Engineers | Organisation |
| IFE | Institute for energy technology | Organisation |
| IMEA | Intrusion Mode and Effect Analysis | Security technique |
| IMSSE | Information model for safety and security engineering | Safety and security model |
| IRP | Integrated Risk Picture | Safety model |
| IS | Information System | A type of computer-based system |
| ISO | International Organization for Standardization | Organisation |
| ISSRM | IS Security Risk Management | Security technique |
| IT | Information Technology | Generic term |
| JAMSS | Japan Manned Space Systems Corporation | Organisation |
| KAOS | Keep All Objectives Satisfied/Knowledge Acquisition in automated Specification | RE technique |
| KAOS SE | KAOS Security Extension | Security technique |
| MUC | Misuse Case | Security technique |
| MUSD | Misuse Sequence Diagram | Security technique |
| NextGen | Next Generation | Organisation/research program |
| NFR | Norwegian Research Council | Organisation |
| NIST | National Institute of Standards and Technology | Organisation |
| NTNU | Norwegian University of Science and Technology | Organisation |
| OMG | Object Management Group | Organisation |
| PHA | Preliminary Hazard Assessment/Analysis | Safety technique |
| PP | Protection Profile | Part of CC |
| PSSA | Preliminary System Safety Assessment | Safety method part of SAM |
| R&D | Research & Development | Generic term |
| RAE | Requirements Analysis and Elicitation | RE technique |
| RAMS | Reliability Availability Maintainability and Safety | Generic safety term |
| RE | Requirements Engineering | Generic development term |
| ReqSec | Requirements for Security | Research project |
| Risk OMT | Risk Organisation, Man, Technology | Safety method |
| RO | Research Objective | Generic term |
| RQ | Research Question | Generic term |
| SafSec | Safety and Security | Generic term |
| SAM | Safety Assessment Methodology | Safety method developed by Eurocontrol |
| SCADA | Supervisory Control And Data Acquisition | A type of computer-based system |
| SD | Sequence Diagram | Modelling technique related to UML |
| SEAL | Security Evidence Assurance Level | Security concept |
| SeCM | Security Conceptual Model | Security model |
| SecRAM | Security Risk Assessment Method | Security method developed by SESAR |
| SecReq | Security Requirements | Security process |
| SEMA | System Environment Malicious Accidental | Safety and security framework |
| SESAR | Single European Sky ATM Research | Organisation/research program |
| SHARD | Software Hazard Analysis and Resolution in Design | Safety technique |
| SIL | Security Importance Level | Security concept |
| SIL | Safety Integrity Level | Part of IEC standard |
| SP | Special Publication | Publication system of NIST |
| SQUARE | Security QUAlity Requirements Engineering | Security process |
| SREF | Security Requirements Engineering Framework | Security process |
| SREP | Security Requirements Engineering Process | Security process |
| SSA | System Safety Assessment | Safety method part of SAM |
| ST | Security Target | Part of CC |
| SWFMEA | Software FMEA | Safety technique |
| SysML | System Modelling Language | Language developed by OMG |
| T-MUC | Textual-MUC | Part of MUC |
| T-UC | Textual-UC | Part of UC |
| TAM | Technology Acceptance Model | Research technique |
| TCAS | Traffic Collision Avoidance System | Aircraft safety system |
| TEA | Threat Effects Analysis | Security technique |
| TITech | Tokyo Institute of Technology | Organisation |
| TOE | Target Of Evaluation | Part of CC |
| TT | Threat Tree | Security technique |
| UC | Use Case | Modelling technique related to UML |
| UiB | University of Bergen | Organisation |
| UBSAM | UML Based Severity Analysis Methodology | Safety method |
| UML | Unified Modeling Language | Language developed by OMG |
| VIA | Vulnerability Identification and Analysis | Security technique |

Table 1: Abbreviation list


Contents

Scientific Environment  i
Acknowledgements  iii
Abstract  v
List of Papers  vii
Author's Contributions  ix
Abbreviation List  xi

1 Introduction
Context and Motivation
Background
Research Objective and Research Questions
Approach
Contributions

Theory - Safety and Security
The Theory of Safety
The Theory of Security
The Combination of Safety and Security
Accidental and Malicious Threats
Severity and Impact
Dependability
Safety and Development of Information Systems
Safety Processes
Safety Products
Relation of Safety Process and Product
Security and the Development of Information Systems
Risk Assessment Process
Security Evaluation Process
Security Standards
Security Product
Combining Safety and Security Processes
The Theory of Requirements Engineering
The Requirements Engineering Process  34
Requirement Types
Requirements Modelling
Safety Requirements Engineering
Security Requirements Engineering
Security Requirements Engineering Based on Standards
A Security Process Based on Generic Requirements Engineering
Security Requirements Engineering Framework
Safety and Security Requirements Engineering
Non-Functional Requirements
Safety and Security Requirements Information Model
Safety Techniques
Fault and Event Tree Analysis
Hazard and Operability Study
Failure Mode and Effect Analysis
Functional Hazard Assessment
Safety Assessment Methods
Security Modelling Techniques
Agent and Goal Oriented Techniques
Techniques Based on Tree Structures
UML Based Techniques
Security Assessment Methods
Safety and Security Techniques
Cross-Fertilisation
Techniques Combining Safety and Security

Research
Research Questions
Overview of the Research Framework and Methods Chosen
Information System Design Research Framework
Environment
IS Research
Knowledge Base
Relationship of Behavioural and Design Science
Design Science Research Followed in this Thesis
Environment for the Thesis
The Business Needs Identified
Contributions to the IS Design Research Knowledge Base Relevant for This Thesis
Resulting Artefacts and Theoretical Contributions

Theory of Risk Identification Techniques
The Relevance of Comparing the Techniques
Risk Identification Techniques Selected and Assessed
Framework for Comparing Risk Identification Techniques
Comparison Results and Conclusion
The Artefact Failure Sequence Diagrams Supporting Traditional Safety Assessments  143
FSD Notation and Features
Industry Case Study with FSD and FMEA
FSD and the Results of Combining It with FMEA
Theory of Safety and Security Requirements Modelling
Relevance of Improving Safety and Security Modelling
Aligning FSD and MUSD
Theorising Experiences of Safety Modelling
Ideas for Combining Safety and Security Modelling
Design Iterations and Theory for CHASSIS
First Evaluation of CHASSIS
Second Evaluation of CHASSIS
Third Evaluation of CHASSIS
Fourth Evaluation of CHASSIS
Design of a Conceptual Model for Security
The Need for Defining Security Concepts
The SeCM
Security Standard Analysis
SeCM Applied to CHASSIS

Discussion
Main Results
A Harm Assessment Process
Failure Sequence Diagrams for Identifying and Analysing Hazards, Failures and Mitigations
CHASSIS - the Combined Harm Assessment Method
Two Conceptual Models and the Concepts Behind CHASSIS
Use of UML and SysML in Safety Assessments
Trade-Off Analysis
Summarising the CHASSIS Method
Answering the Research Questions
Further Discussion on Safety and Security
Comparison of Safety and Security
Safety versus Security
Difference in Safety and Security Requirements Engineering
Safety versus Security Products
Reflections on the Research Objective, Framework and Methods Used
The Research Objective and Research Questions
Alternative Research Frameworks
Reflections on the Studies in This Thesis
Research Methods Applied
Threats to Validity and Reliability of This Thesis

Conclusion and Further Work  373


List of Figures

1.1 Integrating requirements elicitation and risk identification
The CHASSIS process diagram
An example of SEMA for the nuclear power industry from [162]
Overall safety lifecycle defined by IEC from [97]
Safety and development artefacts in the context of system development process
From faults to mishap
The information security risk management process from [105]
The evaluation concepts and relationships from [208]
The Security Target contents from [208]
Security standard processes with their steps and phases
From faults to misuse
A unified model for security and safety from [204]
A dependability process from [52]
Frameworks for combining safety and security
The RE represented by a spiral model from [217]
Security framework processes with their steps
Conflict management process from [217]
A taxonomy of non-functional requirements from [217]
Information model for safety and security engineering from [75]
From faults to mishap related to safety techniques
HAZOP process with related safety and development artefacts
FMEA process with related safety and development artefacts
Different versions of FMEA with their failures, effects and causes of a system to be analysed from [15]
The information system research framework from [88]
Relating behavioural science and design science
IS design research framework for this thesis
Hierarchical overview of regulations, standards and guidelines in the ATM domain, from [168]
IS design research artefacts and theoretical contributions, the evaluation and justification, and related publications
The case study process, from [223]
The notation for failure sequence diagrams
The first CHASSIS process diagram  192
4.3 The enhanced CHASSIS process diagram
The Security Conceptual Model from [98]
From faults to harm
The CHASSIS method and its techniques related to the harm assessment and the development processes
The threat package of the Dependability Analysis Model (DAM) from [20]
An example from ATM of FSD and how it relates to FMEA
FMEA versions related to a vehicle system level and down to the SW and HW levels of the transmission
An example from ATM of FSD used at the system level to represent a hazardous situation
An example of FSD decomposition
A UML Based Severity Analysis Methodology from [86]
A use case diagram extended with safety and reliability handlers from [142]
An example of using SD and STAIRS for representing hacker and asset interaction from [29]
SysML diagrams with comparison to UML diagrams from [152]
The inputs and outputs of Phase 2 of the AORDD security solution trade-off analysis from [90]
The development of the CHASSIS method and guideline  354

Chapter 1 Introduction

1.1 Context and Motivation

In the early phases of developing information systems¹, the requirements elicitation activity is undertaken in order to establish the foundation from which the information system will be built. Depending on the size and purpose of the information system, this activity includes various stakeholders and addresses many aspects of the system. One central aspect is what the information system should do, which is most often elicited as functional requirements from stakeholders such as users and managers. Other aspects, i.e., those characterising the information system without specifying what it should do, are elicited as non-functional requirements. As information systems are being developed and used in many areas of modern society, they increasingly have to address either safety or security. The growing trend of interconnecting such information systems also increases the need to consider both aspects for the same systems. While safety can be defined as freedom from accidental harm, security can be described as freedom from malicious harm. Traditionally, information systems that address safety aspects have been kept isolated from public networks, and their relation to security aspects has mainly been limited to physical security measures. Security in information systems has until recently been more concerned with harm to information, in terms of confidentiality, integrity or availability. However, some security incidents during the last decade, e.g., Stuxnet in Iran [3] or the cyber security attack at the Maroochy Water Services [1], have shown that security can be violated in a physical way through cyber space. Furthermore, these attacks on SCADA systems mark a new era, as it has become evident that safety can be compromised by breaches in the system's security.

Recently, the US president Obama stated that "Computer systems in critical sectors of our economy including the nuclear and chemical industries are being increasingly targeted" [150]. He points out that "foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day" and stresses the need to face the emerging cyber threats. Although the USA has not experienced any major successful cyber attack with physical or safety consequences, it is worth noticing that they are taking a proactive approach to securing more traditional safety systems from cyber threats.

¹ The term information system is used in this thesis in its widest meaning.

24 2 Introduction 1.2 Background The opposite to a proactive approach is the reactive approach, which is the foundation for safety and security work. We learn from our mistakes by analysing them and creating barriers in order to avoid them reoccurring in the future. In our society the learning-based knowledge from the reactive approach is structured, generalised and collected into procedures, guidelines, standards and regulations. They lay the basis for safety and security assessment processes, in order to avoid harm. However, much experience is also gathered by individuals who complement the generic knowledge with specific experiences. These individuals are often referred to as subject matter experts, and can be particular experienced with, e.g., a system, an aspect of the system (safety or security) or an activity for developing the system. They play important roles in the proactive part of safety and security assessment processes. As security and safety are both concerned with ensuring the freedom from harm, these two aspects are treated in similar proactive processes during the development of information systems. Both processes aim by dedicated activities to identify, analyse, evaluate and mitigate the potential harm associated with the system, often referred to as safety and security assessments. Total freedom of harm is, however, utopia, and mitigating harm will have to be done according to a reasonable level, i.e., expressed by risk through severity and likelihood. The activity of identifying harm is fundamental as it forms the foundation of successive activities. In this way it resembles the requirements elicitation activity, and these two activities should be closely related and partly integrated. Although the harm identification activities for safety and for security are similar, the harms identified are not necessarily so. A simple example is a prison, where harm to security could be identified as prisoners escaping. 
However, from a safety aspect, harm could be identified as prisoners and staff personnel not being able to escape the prison in case of a fire. The mitigations for the two identified harms are likely to antagonise each other. Thus, identifying the harms early and analysing them together in order to reveal antagonism is important. In such cases it is also of particular importance to perform trade-off analysis, to find the right mitigation that satisfies both safety and security aspects. Mitigations do not necessarily antagonise each other; they can also mutually reinforce each other, or be dependent or independent. These four categories of interdependency are defined in [159]. Furthermore, the requirements elicitation and analysis activities have to facilitate interdependency identification and trade-off analysis between functional and non-functional requirements. This further strengthens the argument for harmonising the development and harm assessment processes.

Techniques for modelling information systems have become an integral part of the development process. One popular modelling language is the Unified Modeling Language (UML) [151, 219], which allows developers to model different views of the system under development. The UML techniques fall into two main categories, giving either a structural view or a behavioural view. The techniques from the latter category are popular for visualising the dynamic behaviour of the system through specific diagrams, which eases the communication between stakeholders with different backgrounds [219]. One of these techniques, use cases, is specialised in visualising the functional behaviour required of the system under development, which has proven helpful in supporting the elicitation of functional requirements. Use case diagrams can also be supported by templates [36], which further support the elicitation of functional requirements. Misuse Cases (MUC) is a technique that takes advantage of use cases for identifying threats towards a system, relating its functionality with possible threats and mitigations [193]. This not only facilitates the elicitation of security requirements, but also relates, and partly integrates, harm identification with requirements elicitation, as MUC can be used for both security and safety aspects [190]. Although it can be used for both aspects, there has been no attempt to combine those two aspects with the same technique until now. In general, there are few techniques that combine safety and security, even though these two aspects are close in nature and treated similarly during safety and security assessment processes.

Use cases are closely related to other techniques from UML [151]. In particular, use cases can be combined with techniques that complement the functional behaviour view. UML contains further techniques for representing an interaction behaviour view, e.g., sequence diagrams and activity diagrams [151]. These two techniques can complement use cases. To further explore the idea of relating and integrating modelling techniques with security requirements engineering, the ReqSec project was created in order to develop and evaluate methodology and tool support for security requirements engineering, integrated with mainstream software development methods [173]. Prior to the project, mal-activity diagrams had been developed based on activity diagrams [191], so one of the first activities in the ReqSec project was to investigate sequence diagrams further, as the other technique for representing interaction behaviours. As a result, the technique misuse sequence diagrams was developed [114].
1.3 Research Objective and Research Questions

The objective of this PhD research has been to find an effective means to combine safety and security requirements elicitation by taking advantage of modelling to facilitate the involvement of the different stakeholders taking part in the process. The context for this objective is the development of safety-relevant information systems, which have both security and safety aspects that have to be identified and analysed during the development. Important aspects, such as safety and security, should be addressed as early as possible in the development lifecycle, as considering them at later stages is very costly [23, 24]. Thus, the context has been narrowed to the requirements elicitation stage of the development lifecycle. However, the following stages are also of concern. A means in the context of safety and security requirements elicitation has to be realised through a technique or method, in order for developers to conduct the activity efficiently with stakeholders to elicit domain knowledge. Figure 1.1 shows an integrated view of the requirements elicitation and risk identification activities. When developing information systems with safety and security aspects, these aspects have to be addressed both from the perspective of negative impacts and from the perspective of the system response that keeps the system safe and secure. Both perspectives will have to be considered when specifying the system to be developed. Stakeholders, such as domain and system experts, are crucial for this activity, as their knowledge will form the foundation for developing the right system. However, other stakeholders, e.g., system and software engineers, will also have to be considered for the later phases of the development lifecycle. As design, analysis and implementation, just to mention a few, build upon the elicited requirements, these requirements have to be documented in such a way that the stakeholders will end up developing the system right.

Figure 1.1: Integrating requirements elicitation and risk identification

The following research questions were deduced from the objective:

1. How can software developers integrate different requirement modelling languages with models for security and safety requirements in such a way that it improves the elicitation of domain knowledge from stakeholders who are not ICT experts?

2. How can the models for security and safety requirements be used together with hazard identification in order both to improve the elicitation of the negative system effects and impacts and to stimulate the elicitation of responses to keep the system secure and safe?

3. How can requirements (both functional, and security and safety) be specified after the elicitation, so that they allow analyses that consider and address the precedence of responses?

4. How can the models and requirements be integrated with further development and risk assessment of the system, enabling documented knowledge of the system to be reused in the later phases of the development lifecycle?

The third research question was changed during the research project. This is further explained in Chapter 3. To answer the research questions, Hevner's framework for information system (IS) design research has been used [88]. The framework promotes an iterative approach of building and evaluating artefacts, and developing and justifying theories for IS. The artefacts and theories are created based on knowledge from a knowledge base, and aim at satisfying needs expressed in an environment.

1.4 Approach

With reference to the IS design research framework, the approach to answering the research questions has been to build a theoretical foundation of safety and security assessments, with particular focus on requirements elicitation. The first theoretical contribution was developed when a systematic literature review concerning techniques for risk identification was conducted, also covering the conceptual aspects of safety and security. The characteristics of 11 risk identification techniques were studied, of which five techniques were from the safety field and six from the security field [170]. Moreover, this theoretical basis was used to create the first artefact, a technique that adapted concepts from the security field to the safety field, motivated by the adaptation of MUC for safety requirements elicitation [190]. More concretely, the transformation of Misuse Sequence Diagrams (MUSD) towards safety was investigated, which resulted in the technique Failure Sequence Diagrams (FSD). The FSD was evaluated for its capabilities to support traditional failure analysis, by combining it with the traditional Failure Mode and Effect Analysis (FMEA) in an industrial case study [169]. The results of the evaluation and the experiences from the industrial application of FSD were used to develop the second theoretical contribution, comparing MUSD and FSD [171]. In this theory the idea of combining MUC, FSD and MUSD was also discussed. The second artefact was built with inspiration from this idea, and integrated the three techniques together with the Hazard and Operability (HAZOP) study in a method for Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) [167], i.e., combining both the safety and security techniques into a method for harm assessment. This artefact was also evaluated through a case study, further refined and evaluated in a field experiment and through an expert evaluation.
To better understand and situate the method, more theoretical work was conducted in a study comparing the method to another method for combined safety and security assessments. Based on the practical and theoretical experiences with combining safety and security concepts, a security conceptual model (SeCM) was built as the third and final artefact in the context of this thesis. It was evaluated by applying it to the second artefact developed, the CHASSIS method [98].

1.5 Contributions

Based on the approach taken for this thesis, the research contributions can be summarised as follows:

- A review of techniques relevant for security and safety requirements elicitation in a risk identification context, resulting in:
  - a comparison of the techniques against important criteria for requirements elicitation;
  - a comparison of the safety and security requirements elicitation activities;
  - ideas for reinforcement of techniques between the safety and security fields;
  - ideas for combining individual techniques and the two fields.
- The technique Failure Sequence Diagrams, which has features for:
  - integrating views of normal system interaction with abnormal interaction;
  - identifying and visualising hazards and failures of system components;
  - identifying and visualising error propagation in a system;
  - identifying and visualising mitigations to hazards and failures.
- Identifying an effective combination of a highly visual technique, i.e., FSD, with a traditional template-based technique, i.e., FMEA, by:
  - exploring different combinations of visualising and textualising safety information;
  - investigating an optimal combination of visualising and textualising safety information for failure analysis;
  - investigating how it relates to security information and vulnerability analysis.
- The method Combined Harm Assessment of Safety and Security of Information Systems, which has features for:
  - integrating views of normal system behaviour with abnormal behaviour for both safety and security;
  - identifying, visualising and documenting harm towards system functions and components;
  - identifying, visualising and documenting mitigations to harm;
  - analysing mitigations for trade-offs, with particular focus on interdependencies between safety and security.
- The Security Conceptual Model, which provides:
  - a definition of artefacts and their relations belonging to development and security assessment processes;
  - a conceptual model for investigating the coverage of the CHASSIS method;
  - a model that is harmonised with a corresponding safety conceptual model, defining the relations between the safety assessment, security assessment and development processes.

Figure 1.2 shows the process diagram for the CHASSIS method. The main activity of CHASSIS is eliciting safety and security requirements by use of the following techniques:

- Misuse cases: Diagrammatical Misuse Cases (D-MUC) 2 and Textual Misuse Cases (T-MUC), used for safety and security requirements elicitation from a functional view.
- Failure Sequence Diagrams (FSD), used for safety requirements elicitation from a system interaction view.
- Misuse Sequence Diagrams (MUSD), used for security requirements elicitation from a system interaction view.

2 The D-MUC uses guidewords from the HAZOP technique for identification of hazards and threats.

Figure 1.2: The CHASSIS process diagram

Eliciting safety and security requirements is shown as the middle swimlane in Figure 1.2, including the performance of trade-off analysis. The purpose of this analysis is to investigate requirements for interdependencies, in particular between security and safety requirements. The left swimlane represents the activity of eliciting functional requirements by utilising the techniques use cases (D-UC and T-UC) and sequence diagrams (SD). The right-hand swimlane represents the specification of the elicited safety and security requirements, where a HAZOP table is used to summarise the relevant information for the safety and security requirements.
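The prison example from Section 1.2 and the CHASSIS flow above (HAZOP-guided misuse and failure cases, mitigations, trade-off analysis, HAZOP table) as an added, illustrative Python model; it is not code from the thesis or the CHASSIS project. The prison scenario is constructed, the guideword list is the standard HAZOP set (the thesis does not say which subset D-MUC uses), and the pairwise interdependency rule is a simplifying assumption standing in for the definitions in [159].

```python
"""Added illustration of the CHASSIS elicitation flow (not the thesis' own code).
Scenario, state names and the interdependency rule are constructed assumptions."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

# Standard HAZOP guidewords; assumption: D-MUC may use any of them.
GUIDEWORDS = ("NO", "MORE", "LESS", "AS WELL AS", "PART OF",
              "REVERSE", "OTHER THAN", "EARLY", "LATE")

# The four interdependency categories named in the thesis.
ANTAGONISE, REINFORCE, DEPENDENT, INDEPENDENT = (
    "antagonise", "reinforce", "dependent", "independent")


@dataclass(frozen=True)
class Harm:
    """One D-MUC/T-MUC entry: a guideword applied to a use case yields a
    security threat (misuse case) or a safety hazard (failure case)."""
    use_case: str
    guideword: str
    aspect: str                       # "safety" or "security"
    description: str
    mitigations: Tuple[str, ...] = ()  # names of Mitigation objects


@dataclass(frozen=True)
class Mitigation:
    """A candidate safety or security requirement. `effects` are the system
    states it enforces, `requires` the states it needs from elsewhere
    (modelling assumption used by the trade-off analysis)."""
    name: str
    aspect: str
    text: str
    effects: FrozenSet[Tuple[str, str]] = frozenset()
    requires: FrozenSet[Tuple[str, str]] = frozenset()


def derive_harm(use_case: str, guideword: str, aspect: str,
                description: str, *mitigations: str) -> Harm:
    """Reject guidewords outside the HAZOP set so the table stays consistent."""
    if guideword not in GUIDEWORDS:
        raise ValueError(f"not a HAZOP guideword: {guideword}")
    return Harm(use_case, guideword, aspect, description, tuple(mitigations))


def classify(a: Mitigation, b: Mitigation) -> str:
    """Pairwise interdependency; the order of checks is the assumption:
    antagonise if both force the same state to different values,
    dependent if one requires a state the other provides,
    reinforce if both enforce a common state, independent otherwise."""
    a_states, b_states = dict(a.effects), dict(b.effects)
    shared = a_states.keys() & b_states.keys()
    if any(a_states[k] != b_states[k] for k in shared):
        return ANTAGONISE
    if a.requires & b.effects or b.requires & a.effects:
        return DEPENDENT
    if shared:
        return REINFORCE
    return INDEPENDENT


def trade_off_analysis(mitigations: List[Mitigation]) -> List[Tuple[str, str, str]]:
    """Middle swimlane: classify every safety-vs-security pair of mitigations."""
    return [(a.name, b.name, classify(a, b))
            for a, b in combinations(mitigations, 2) if a.aspect != b.aspect]


def hazop_table(harms: List[Harm], mitigations: List[Mitigation]) -> List[Dict[str, str]]:
    """Right-hand swimlane: one summary row per harm with its mitigation texts."""
    by_name = {m.name: m for m in mitigations}
    return [{"use_case": h.use_case, "guideword": h.guideword, "aspect": h.aspect,
             "harm": h.description,
             "mitigations": "; ".join(f"{n}: {by_name[n].text}" for n in h.mitigations)}
            for h in harms]


# Constructed prison scenario, following the thesis' example of antagonistic harms.
MITIGATIONS = [
    Mitigation("SEC-1", "security", "Cell doors stay locked unless a guard authorises release",
               effects=frozenset({("doors_on_alarm", "locked")})),
    Mitigation("SAF-1", "safety", "All cell doors unlock automatically when the fire alarm sounds",
               effects=frozenset({("doors_on_alarm", "unlocked")}),
               requires=frozenset({("alarm_signal", "delivered")})),
    Mitigation("SAF-2", "safety", "Fire detectors deliver the alarm signal to the door controller",
               effects=frozenset({("alarm_signal", "delivered")})),
    Mitigation("SEC-2", "security", "Every door state change is logged with the initiating actor",
               effects=frozenset({("door_events", "logged")})),
    Mitigation("SAF-3", "safety", "Door state changes are logged for post-incident investigation",
               effects=frozenset({("door_events", "logged")})),
]

HARMS = [
    derive_harm("Lock cell doors", "NO", "security",
                "Door is not locked; prisoner escapes", "SEC-1", "SEC-2"),
    derive_harm("Release doors on fire alarm", "NO", "safety",
                "Doors stay locked during a fire; staff and prisoners cannot evacuate",
                "SAF-1", "SAF-2", "SAF-3"),
]


def antagonistic_pairs() -> List[Tuple[str, str]]:
    """The pairs a CHASSIS trade-off analysis would flag for redesign."""
    return [(a, b) for a, b, c in trade_off_analysis(MITIGATIONS) if c == ANTAGONISE]


if __name__ == "__main__":
    for row in hazop_table(HARMS, MITIGATIONS):
        print(row)
    for a, b, c in trade_off_analysis(MITIGATIONS):
        print(f"{a} vs {b}: {c}")
```

Running it flags SEC-1 and SAF-1 as antagonistic, which is the cue to look for a single mitigation that satisfies both aspects rather than keeping the two as written.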


Chapter 2 Theory - Safety and Security

In this chapter the current theory of safety and security in the development of Information Systems (IS) is presented, along with the foundations that the research of this thesis is based on. For this thesis, the term IS will be used in its most extensive meaning, i.e., including most types of computer-based systems.

2.1 The Theory of Safety

Safety is defined as "the condition of being protected from or unlikely to cause danger, risk, or injury" [154]. The definition is not explicit about to whom or what the danger, risk or injury could be directed. Detailing danger ("the possibility of suffering harm or injury"), risk ("a situation involving exposure to danger") or injury ("an instance of being injured") does not provide the answer, but most of the examples given are directed towards humans [154]. Another well-known definition of safety is "freedom from accidents or losses", where an accident is "an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of loss" [127]. Accident is further explained as unintentional, and the level of loss must be some type of damage to life, property, or the environment. Although the two latter types of loss are not explicitly directed towards humans, they might affect humans in some way. The level of loss is often classified differently for domains in society, referred to as severity classification. Tables 2.1 and 2.2 show the severity classifications for railway applications and Air Traffic Management (ATM). The classification for railway has four levels of severity and relates them to persons, environment and system. For European ATM, there are five 1 classes of severity that relate to accidents (class 1) and incidents (classes 2-4) with aircraft, including their operations and the provision of Air Traffic Control (ATC). Although Communication, Navigation and Surveillance (CNS) systems are mentioned for class 4, this class is not described as damage towards these systems as such. The description focuses on the degradation of the functional capabilities of this system, which is a concern when developing systems for the ATM domain. The severity classification is used for grading the level of loss within a particular domain, stating how safety can be compromised. Even though accidents and incidents should be avoided, they cannot be avoided in all cases. The safest way to operate ATC would be without aircraft, which would neither be acceptable to society nor make

1 Class 5 has been removed from the table as it states: No immediate effect on safety.

Severity level | Consequence to Person or Environment | Consequence to Service
Catastrophic | Fatalities and/or multiple severe injuries and/or major damage to the environment | -
Critical | Single fatality and/or severe injury and/or significant damage to the environment | Loss of a major system
Marginal | Minor injury and/or significant threat to the environment | Severe system(s) damage
Insignificant | Possible minor injury | Minor system damage

Table 2.1: Severity classification according to EN 50126:1999 [66]

Severity class | Effect on Operations | Examples of effects on operations
1 | Accidents | One or more catastrophic accidents; one or more midair collisions; one or more collisions on the ground between two aircraft; one or more Controlled Flight Into Terrain; total loss of flight control. No independent source of recovery mechanism, such as surveillance or ATC and/or flight crew procedures, can reasonably be expected to prevent the accident(s).
2 | Serious incidents | Large reduction in separation (e.g., a separation of less than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation; one or more aircraft deviating from their intended clearance, so that an abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).
3 | Major incidents | Large reduction (e.g., a separation of less than half the separation minima) in separation with crew or ATC controlling the situation and able to recover from the situation; minor reduction (e.g., a separation of more than half the separation minima) in separation without crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).
4 | Significant incidents | Increasing workload of the air traffic controller or aircraft flight crew, or slightly degrading the functional capability of the enabling CNS system; minor reduction (e.g., a separation of more than half the separation minima) in separation with crew or ATC controlling the situation and fully able to recover from the situation.

Table 2.2: Severity classification according to ESARR4 [60]


More information

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Section A: Introduction, Definitions and Principles of Infrastructure Resilience Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose

More information

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. 1 Calling All CEOs Are You Ready to Defend the Battlefield of the 21st Century? It is not the norm for corporations to be

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

A STUDY OF THE APPLICABILITY OF ISO/IEC 17799 AND THE GERMAN BASELINE PROTECTION MANUAL TO THE NEEDS OF SAFETY CRITICAL SYSTEMS

A STUDY OF THE APPLICABILITY OF ISO/IEC 17799 AND THE GERMAN BASELINE PROTECTION MANUAL TO THE NEEDS OF SAFETY CRITICAL SYSTEMS A STUDY OF THE APPLICABILITY OF ISO/IEC 17799 AND THE GERMAN BASELINE PROTECTION MANUAL TO THE NEEDS OF SAFETY CRITICAL SYSTEMS EXECUTIVE SUMMARY March 2003 OF WORK CARRIED OUT FOR JRC ISPRA UNDER CONTRACT

More information

Functional Hazard Assessment (FHA) Report for Unmanned Aircraft Systems

Functional Hazard Assessment (FHA) Report for Unmanned Aircraft Systems Distribution: EUROCONTROL Ebeni Holger Matthiesen Hayley Burdett Unmanned Aircraft System (UAS) Safety Case Development Chris Machin Joanne Stoker Don Harris Alan Simpson Functional Hazard Assessment (FHA)

More information

A System-safety process for by-wire automotive systems

A System-safety process for by-wire automotive systems A System-safety process for by-wire automotive systems Steer-by-wire and other by-wire systems (as defined in this article) offer many passive and active safety advantages. To help ensure these advantages

More information

With the introduction of GAMP 5, A

With the introduction of GAMP 5, A Online Exclusive from PHARMACEUTICAL ENGINEERING The Official Magazine of ISPE January/February 2012, Vol. 32 No. 1 www.pharmaceuticalengineering.org Copyright ISPE 2012 This article presents the case

More information

A Methodology for Capturing Software Systems Security Requirements

A Methodology for Capturing Software Systems Security Requirements A Methodology for Capturing Software Systems Security Requirements Hassan EL-Hadary Supervised by: Prof. Sherif EL-Kassas Outline Introduction to security Software Security Security Definitions Security

More information

How To Improve Safety In The Nhs

How To Improve Safety In The Nhs PS035 Original research completed in 2010 Briefing Paper Introduction: Principal Investigator: Professor John Clarkson Should the NHS adopt a new system for predicting possible risks to patient safety?

More information

Controlling Risks Risk Assessment

Controlling Risks Risk Assessment Controlling Risks Risk Assessment Hazard/Risk Assessment Having identified the hazards, one must assess the risks by considering the severity and likelihood of bad outcomes. If the risks are not sufficiently

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Contents. Introduction and System Engineering 1. Introduction 2. Software Process and Methodology 16. System Engineering 53

Contents. Introduction and System Engineering 1. Introduction 2. Software Process and Methodology 16. System Engineering 53 Preface xvi Part I Introduction and System Engineering 1 Chapter 1 Introduction 2 1.1 What Is Software Engineering? 2 1.2 Why Software Engineering? 3 1.3 Software Life-Cycle Activities 4 1.3.1 Software

More information

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION 18-19 September 2014, BULGARIA 137 Proceedings of the International Conference on Information Technologies (InfoTech-2014) 18-19 September 2014, Bulgaria APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK

More information

Guideline on good pharmacovigilance practices (GVP)

Guideline on good pharmacovigilance practices (GVP) 1 2 20 February 2012 EMA/541760/2011 3 4 Guideline on good pharmacovigilance practices (GVP) Module I Pharmacovigilance systems and their quality systems Draft finalised by the Agency in collaboration

More information

How To Develop Software

How To Develop Software Software Engineering Prof. N.L. Sarda Computer Science & Engineering Indian Institute of Technology, Bombay Lecture-4 Overview of Phases (Part - II) We studied the problem definition phase, with which

More information

ESKISP6064.03 Conducts vulnerability assessment under supervision

ESKISP6064.03 Conducts vulnerability assessment under supervision Conducts vulnerability assessment under supervision Overview This standard covers the competencies required to conduct vulnerability assessments under supervision. This includes following processes for

More information

Object-Oriented Systems Analysis and Design

Object-Oriented Systems Analysis and Design Object-Oriented Systems Analysis and Design Noushin Ashrafi Professor of Information System University of Massachusetts-Boston Hessam Ashrafi Software Architect Pearson Education International CONTENTS

More information

Clarifying a vision on certification of MDA tools

Clarifying a vision on certification of MDA tools SCIENTIFIC PAPERS, UNIVERSITY OF LATVIA, 2010. Vol. 757 COMPUTER SCIENCE AND INFORMATION TECHNOLOGIES 23 29 P. Clarifying a vision on certification of MDA tools Antons Cernickins Riga Technical University,

More information

Software Process Improvement Framework for Software Outsourcing Based On CMMI Master of Science Thesis in Software Engineering and Management

Software Process Improvement Framework for Software Outsourcing Based On CMMI Master of Science Thesis in Software Engineering and Management Software Process Improvement Framework for Software Outsourcing Based On CMMI Master of Science Thesis in Software Engineering and Management ZAHOOR UL ISLAM XIANZHONG ZHOU University of Gothenburg Chalmers

More information

Ubiquitous, Pervasive and Mobile Computing: A Reusable-Models-based Non-Functional Catalogue

Ubiquitous, Pervasive and Mobile Computing: A Reusable-Models-based Non-Functional Catalogue Ubiquitous, Pervasive and Mobile Computing: A Reusable-Models-based Non-Functional Catalogue Milene Serrano 1 and Maurício Serrano 1 1 Universidade de Brasília (UnB/FGA), Curso de Engenharia de Software,

More information

IEC 61508 Overview Report

IEC 61508 Overview Report IEC 61508 Overview Report A Summary of the IEC 61508 Standard for Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems exida Sellersville, PA 18960, USA +1-215-453-1720

More information

Risk Management Policy

Risk Management Policy Risk Management Policy PURPOSE: NEW/REVISED POLICY: The California State Student Association maintains a Risk Management Policy to ensure the ongoing identification of potential risks and threats to the

More information

ISO 26262 Introduction

ISO 26262 Introduction ISO 26262 Introduction Prof. Christian Madritsch 2012 Table of Contents Structure of ISO 26262 Management of Functional Safety Product Development System Level Product Development Hardware Level Product

More information

Incident Investigation Procedure

Incident Investigation Procedure Incident Investigation Procedure Document Number 001001 Date Approved 27 November 2012 1 Introduction When a serious incident occurs there shall be a review of the system which is in place to manage the

More information

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS http://dx.doi.org/10.5516/net.04.2012.091 AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS JAE-GU SONG *, JUNG-WOON LEE, GEE-YONG PARK, KEE-CHOON KWON,

More information

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take

More information

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0 MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:

More information

Quantification and Traceability of Requirements

Quantification and Traceability of Requirements Quantification and Traceability of Requirements Gyrd Norvoll Master of Science in Computer Science Submission date: May 2007 Supervisor: Tor Stålhane, IDI Norwegian University of Science and Technology

More information

SESAR Studies & Demonstration Projects on RPAS & Cyber-Security

SESAR Studies & Demonstration Projects on RPAS & Cyber-Security SESAR Studies & Demonstration Projects on RPAS & Cyber-Security Brussels, May 20 th 2014 2 Page 2 Rationale RPAS will generate the emergence of a new service sector RPAS limited by flight authorisations

More information

Assessment of changes to functional systems in ATM/ANS and the oversight thereof

Assessment of changes to functional systems in ATM/ANS and the oversight thereof Assessment of changes to functional systems in ATM/ANS and the oversight thereof Entry Point North Seminar: The changing landscape of ATM Safety Malmo, 26 th -27 th May 2015 Jose L Garcia-Chico Gomez ATM/ANS

More information

How To Improve The Performance Of Anatm

How To Improve The Performance Of Anatm EXPLORATORY RESEARCH IN ATM David Bowen Chief ATM 4 th May 2015 1 ATM Research in Europe HORIZON Transport Challenges smart, green and integrated transport FlightPath 2050 five challenges to aviation beyond

More information

How To Teach I* To A First Year Bachelor Degree

How To Teach I* To A First Year Bachelor Degree 1st International istar Teaching Workshop (istart 2015) Teaching Goal Modeling in Undergraduate Education Fabiano Dalpiaz Utrecht University, the Netherlands Abstract. Goal modeling in general, and i*

More information

A System-Safety Process For By-Wire Automotive Systems

A System-Safety Process For By-Wire Automotive Systems SAE TECHNICAL PAPER SERIES 2000-01-1056 A System-Safety Process For By-Wire Automotive Systems Sanket Amberkar, Joseph G. D Ambrosio and Brian T. Murray Delphi Automotive Systems Joseph Wysocki HRL Laboratories

More information

Solutions and IT services for Oil-Gas & Energy markets

Solutions and IT services for Oil-Gas & Energy markets Solutions and IT services for The context Companies operating in the Oil-Gas & Energy sectors are facing radical changes that have a significant impact on their business processes. In this context, compliance

More information

Guideline on good pharmacovigilance practices (GVP)

Guideline on good pharmacovigilance practices (GVP) 22 June 2012 EMA/541760/2011 Guideline on good pharmacovigilance practices (GVP) Module I Pharmacovigilance systems and their quality systems Draft finalised by the Agency in collaboration with Member

More information

NOTICE TO AERODROME CERTIFICATE HOLDERS (NOTAC) No. 02/2013

NOTICE TO AERODROME CERTIFICATE HOLDERS (NOTAC) No. 02/2013 NOTICE TO AERODROME CERTIFICATE HOLDERS (NOTAC) No. 02/2013 Effective Date: 14 July 2013 ANA Department Telephone: +971 0 2 4054507 General Civil Aviation Authority Telefax: +971 0 2 4054406 P.O. Box 6558

More information

Project Management in the Rational Unified Process

Project Management in the Rational Unified Process CS2 Software Engineering note 3 Project Management in the Rational Unified Process In the last two Software Engineering lectures we have considered the outline description of the Rational Unified Process

More information

Unique Identifier: 240-53114193. Area of Applicability: Documentation Type: Revision: 1. Total Pages: 11. Next Review Date: September 2015

Unique Identifier: 240-53114193. Area of Applicability: Documentation Type: Revision: 1. Total Pages: 11. Next Review Date: September 2015 Procedure Technology Title: Occurrence and Incident Management Procedure Alternative Reference Number: N/A Area of Applicability: Engineering Documentation Type: Procedure Total Pages: 11 Next Review Date:

More information

GOAL-BASED WEB DESIGN TOWARDS BRIDGING THE GAP BETWEEN REQUIREMENTS AND DESIGN OF WEB APPLICATIONS

GOAL-BASED WEB DESIGN TOWARDS BRIDGING THE GAP BETWEEN REQUIREMENTS AND DESIGN OF WEB APPLICATIONS 13_BOLCHINI.qxd 3/26/2003 10:25 Pagina 187 SComS: New Media in Education (2003) 187-191 DAVIDE BOLCHINI* GOAL-BASED WEB DESIGN TOWARDS BRIDGING THE GAP BETWEEN REQUIREMENTS AND DESIGN OF WEB APPLICATIONS

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

SecSDM: A Model for Integrating Security into the Software Development Life Cycle

SecSDM: A Model for Integrating Security into the Software Development Life Cycle SecSDM: A Model for Integrating Security into the Software Development Life Cycle Lynn Futcher, Rossouw von Solms Centre for Information Security Studies, Nelson Mandela Metropolitan University, Port Elizabeth,

More information

Skies are safer, but new risk environment and rising cost of claims challenge aviation industry, says Allianz report

Skies are safer, but new risk environment and rising cost of claims challenge aviation industry, says Allianz report Allianz Global Corporate & Specialty Press Release Skies are safer, but new risk environment and rising cost of claims challenge aviation industry, says Allianz report This year s aviation losses contradict

More information

A Holistic Approach to Security Attack Modeling and Analysis

A Holistic Approach to Security Attack Modeling and Analysis A Holistic Approach to Security Attack Modeling and Analysis Tong Li 1, Jennifer Horkoff 2, Kristian Beckers 3, Elda Paja 1, and John Mylopoulos 1 1 University of Trento, Trento, Italy {tong.li,paja,jm}@unitn.it

More information

National Cyber Threat Information Sharing. System Strengthening Study

National Cyber Threat Information Sharing. System Strengthening Study Contemporary Engineering Sciences, Vol. 7, 2014, no. 32, 1755-1761 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.411235 National Cyber Threat Information Sharing System Strengthening

More information

DEVELOPING KPIS THAT DRIVE PROCESS SAFETY IMPROVEMENT

DEVELOPING KPIS THAT DRIVE PROCESS SAFETY IMPROVEMENT DEVELOPING KPIS THAT DRIVE PROCESS SAFETY IMPROVEMENT Megan Brown Lloyds Register EMEA, Aberdeen, UK A case study is provided describing Lloyd s Register s development of a set of Key Performance Indicators

More information

Safety Driven Design with UML and STPA M. Rejzek, S. Krauss, Ch. Hilbes. Fourth STAMP Workshop, March 23-26, 2015, MIT Boston

Safety Driven Design with UML and STPA M. Rejzek, S. Krauss, Ch. Hilbes. Fourth STAMP Workshop, March 23-26, 2015, MIT Boston Safety Driven Design with UML and STPA M. Rejzek, S. Krauss, Ch. Hilbes System and Safety Engineering A typical situation: Safety Engineer System Engineer / Developer Safety Case Product 2 System and Safety

More information

Scope of this presentation

Scope of this presentation Scope of this presentation An introductory session, to get you started with security testing What is the Hacker s mindset and how can we usefully apply it to find security problems before they do? Some

More information

Advanced Master SAFETY MANAGEMENT IN AVIATION. NEW Syllabus

Advanced Master SAFETY MANAGEMENT IN AVIATION. NEW Syllabus 2015 SAFETY MANAGEMENT IN AVIATION NEW Syllabus SAFETY MANAGEMENT IN AVIATION and OBJECTIVES Mastère Spécialisé MS PROFESSIONAL PROSPECTS Entry Requirements : Master degree or an equivalent degree in science

More information

Fire and Gas Solutions. Improving Safety and Business Performance

Fire and Gas Solutions. Improving Safety and Business Performance Fire and Gas Solutions Improving Safety and Business Performance Industrial Fire & Gas (F&G) systems play a critical role in protecting people, processes and the environment. They continuously monitor

More information

A Security Approach in System Development Life Cycle

A Security Approach in System Development Life Cycle A Security Approach in System Development Life Cycle (1) P.Mahizharuvi, Research Scholar, Dept of MCA, Computer Center, Madurai Kamaraj University, Madurai. mahiconference@gmail.com (2) Dr.K.Alagarsamy,

More information

A Secure System Development Framework for SaaS Applications in Cloud Computing

A Secure System Development Framework for SaaS Applications in Cloud Computing A Secure System Development Framework for SaaS Applications in Cloud Computing Eren TATAR, Emrah TOMUR AbstractThe adoption of cloud computing is ever increasing through its economical and operational

More information

CYBER SECURITY GUIDANCE

CYBER SECURITY GUIDANCE CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Internet Safety and Security: Strategies for Building an Internet Safety Wall Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Test-Driven Approach for Safety-Critical Software Development

Test-Driven Approach for Safety-Critical Software Development Test-Driven Approach for Safety-Critical Software Development Onur Özçelik 1,2*, D. Turgay Altilar2 1 Scientific 2 and Technological Research Council of Turkey, 41470 Kocaeli, Turkey. Department of Computer

More information

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve

More information