Prof. Dr. Jens Braband (Siemens AG) Risk Assessment in IT Security for Functional Safety

Size: px

Start display at page:

Download "Prof. Dr. Jens Braband (Siemens AG) Risk Assessment in IT Security for Functional Safety"

Clyde Beasley
10 years ago
Views:

1 Prof. Dr. Jens Braband (Siemens AG) Risk Assessment in IT Security for Functional Safety

2 What s rail automation about?

3 What s in and what s out

4 Basic approach: IT security for functional safety EN does not define security threats and countermeasures explicitly, but requires addressing the prevention of unauthorized access in the safety case. From a conceptual point of view, hazard and threat analyses are quite similar. However, the methodology and target measures are different, e.g. SIL and SL. Chapters of a technical safety report (EN50129) 4 Operation w. external influences 4.6 Access protection Technical Safety report EN IT security for safety IEC EN DIN VDE V Security standardiization activities

However, the methodology and target measures are different, e.g. SIL and SL. Chapters of a technical safety report (EN50129) 4 Operation w.

5 Basic approach for IT security risk assessment from IEC Breakdown of the system into zones and conduits, so that the IT security requirements are coordinated in zones or conduits each object is allocated to a zone or conduit 2. Assessment of the risk for each zone or conduit and each fundamental requirement identification and authentication control (IAC) use control (UC) system integrity (SI) data confidentiality (DC) restricted data flow (RDF) timely response to events (TRE) resource availability (RA)

object is allocated to a zone or conduit 2.

6 Security levels in IEC 62443

7 Inheritance of safety principles In the IT security for safety concept, the safety principles from Common Safety Methods (CSM) Regulation 402/2013 can be applied to the IT security domain, such as broadly acceptable risk application of codes of practice comparison with reference systems Only the principles for explicit risk analysis need to be adapted as SL is a qualitative measure. The quantification of IT security risks for safety is considered impossible as the likelihood of an attack can not be estimated objectively ( likelihood trap, see Moreaux, 2014).

reference systems Only the principles for explicit risk analysis need to be adapted as SL is a qualitative measure.

8 Traditional IT security management what s the problem? In IEC/ISO 27005, likelihood is used instead of the term probability for risk estimation. It is used as a subjective probability. IEC/ISO states its ease of understanding as an advantage, but the dependence on subjective choice of scale as a disadvantage. Statistical or analytical modeling of threat likelihood is infeasible (Schäbe/Braband, 2014). This means that, for safety certification, we cannot rely on likelihood estimation.

9 A glimpse into IT security risk assessment Resources (R) Low Medium Extended Know-how (K) Generic System-specific Sophisticated Motivation (M) Low Limited High In a first step, R, K and M are evaluated for an attacker and combined into a preliminary security level (PSL). The evaluation is based on a complete discussion of all combinations, given that: SL x is considered sufficient to thwart an attack of type (Rx, Kx, Mx). If R > K, then the attacker could acquire know-how by his resources, so R = K R2 PS 2 PS 3 PS 3 R3 PS 3 PS 3 PS 4 R4 PS 4 PS 4 PS 4 * Means that the PSL may be reduced by 1 if motivation M equals 2.

The evaluation is based on a complete discussion of all combinations, given that: SL x is considered sufficient to thwart an attack of type (Rx, Kx, Mx).

10 Railway signaling-specific parameters For the parameters, specific tables have been elaborated (Schlehuber, 2013). According to another thesis (Spies, 2013), the following parameters should be considered additionally in railway signaling: location of the attack (L) traceability and non-repudiation (T) potential (severity) of the attack (P) It can be argued that motivation M and L and T are not independent. If the attacker has to access railway tracks or buildings, the motivation is not low. If there is a realistic chance that the attacker is identified, the motivation is not low. So, we can delete the * in the PSL table if we take into account L and T. But L and T are not independent either.

non-repudiation (T) potential (severity) of the attack (P) It can be argued that motivation M and L and T are not independent.

11 Putting it all together L, T and P are proposed to be evaluated on a binary scale with L = 1 if the attacker has to access railway tracks or buildings T = 1 if the attack can very likely be traced and the attacker be identified P = 1 if the attack is targeted at a system which is protected by additional barriers or if the consequences are not catastrophic Formally, we can derive { R, K} I max{ L, T P} SL = max } { R 2, K 4, Note that the SL does neither depend explicitly on the likelihood of the attack nor the motivation of the attacker any more. It is rather a decision of the asset owner which type of attacker he is assuming.

or if the consequences are not catastrophic Formally, we can derive { R, K} I max{ L, T P} SL = max } { R 2, K 4, Note that the SL does neither depend

12 Conclusion and outlook The IT security for functional safety approach allows several different risk assessment approaches. For systems that have to undergo a strict certification process, likelihoodbased IT security risk assessments are not reasonable. For explicit IT security risk assessment, a new approach has been presented which avoids the direct assessment of likelihood and derives an SL according to IEC which is suitable for railway signaling.

For systems that have to undergo a strict certification process, likelihoodbased IT security risk assessments are

Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme

ETCS Prüfcenter Wildenrath Interoperabilität auf dem Korridor A Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme Siemens Braunschweig, Oktober 2007 Prof. Dr. Jens Braband Page 1 2007 TS