Prof. Dr. Jens Braband (Siemens AG) Risk Assessment in IT Security for Functional Safety



What's rail automation about?

What's in and what's out

Basic approach: IT security for functional safety
EN 50129 does not define security threats and countermeasures explicitly, but it requires the prevention of unauthorized access to be addressed in the safety case. From a conceptual point of view, hazard and threat analyses are quite similar. However, the methodology and target measures are different, e.g. SIL versus SL.
Chapters of a technical safety report (EN 50129): 4 Operation with external influences; 4.6 Access protection.
Technical safety report (EN 50129); IT security for safety (IEC 62443, EN 50159, DIN VDE V 0831-102); security standardization activities.

Basic approach for IT security risk assessment from IEC 62443
1. Breakdown of the system into zones and conduits, so that the IT security requirements are coordinated per zone or conduit; each object is allocated to a zone or conduit.
2. Assessment of the risk for each zone or conduit and each fundamental requirement:
- identification and authentication control (IAC)
- use control (UC)
- system integrity (SI)
- data confidentiality (DC)
- restricted data flow (RDF)
- timely response to events (TRE)
- resource availability (RA)

Security levels in IEC 62443

Inheritance of safety principles
In the IT security for safety concept, the safety principles from the Common Safety Methods (CSM) Regulation 402/2013 can be applied to the IT security domain, such as:
- broadly acceptable risk
- application of codes of practice
- comparison with reference systems
Only the principles for explicit risk analysis need to be adapted, as SL is a qualitative measure. The quantification of IT security risks for safety is considered impossible, as the likelihood of an attack cannot be estimated objectively (the "likelihood trap", see Moreaux, 2014).

Traditional IT security management: what's the problem?
In IEC/ISO 27005, "likelihood" is used instead of the term "probability" for risk estimation; it is used as a subjective probability. IEC/ISO 27005 states its ease of understanding as an advantage, but the dependence on a subjective choice of scale as a disadvantage. Statistical or analytical modeling of threat likelihood is infeasible (Schäbe/Braband, 2014). This means that, for safety certification, we cannot rely on likelihood estimation.

A glimpse into IT security risk assessment
Parameter scales (values 2, 3, 4):
Resources (R):    2 Low      3 Medium           4 Extended
Know-how (K):     2 Generic  3 System-specific  4 Sophisticated
Motivation (M):   2 Low      3 Limited          4 High
In a first step, R, K and M are evaluated for an attacker and combined into a preliminary security level (PSL). The evaluation is based on a complete discussion of all combinations, given that SL x is considered sufficient to thwart an attack of type (Rx, Kx, Mx). If R > K, then the attacker could acquire know-how by his resources, so R = K.
PSL table (rows: resources R; columns: know-how K):
        K2      K3      K4
R2      PS 2    PS 3    PS 3
R3      PS 3    PS 3    PS 4
R4      PS 4    PS 4    PS 4
* Means that the PSL may be reduced by 1 if motivation M equals 2.
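The two-step IEC 62443 approach (zones and conduits, then a risk assessment per zone and per fundamental requirement) and the R/K combination table above can be modelled in a few lines. The following Python is an added example, not code from the slides or from Siemens: the scale values 2..4 and the PSL table cells are the ones shown above, while the zone names, objects, the per-requirement attacker profile and the function names are constructed for illustration. The "*" reduction for motivation M = 2 is not modelled, because the page does not show which cells carry the mark.

```python
"""Added example (not from the slides): a small model of the IEC 62443
two-step approach described on the page, using the preliminary security
level (PSL) table from the slide. Zone names, objects and attacker
profiles below are constructed; the 2..4 scales and the table cells are
the ones shown on the page."""

from dataclasses import dataclass

# The seven fundamental requirements named on the page.
FUNDAMENTAL_REQUIREMENTS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# PSL table from the slide: outer key = resources R, inner key = know-how K.
# R: 2 Low, 3 Medium, 4 Extended; K: 2 Generic, 3 System-specific, 4 Sophisticated.
PSL_TABLE = {
    2: {2: 2, 3: 3, 4: 3},
    3: {2: 3, 3: 3, 4: 4},
    4: {2: 4, 3: 4, 4: 4},
}
# The slide marks some cells with "*" (PSL may be reduced by 1 when motivation
# M equals 2). Which cells are marked is not recoverable from the page text,
# so that reduction is deliberately not modelled here.


def preliminary_security_level(resources: int, know_how: int) -> int:
    """Combine R and K into a PSL.

    Rule from the slide: if R > K, the attacker could acquire know-how with
    the available resources, so K is raised to R before the table lookup.
    """
    for value, name in ((resources, "R"), (know_how, "K")):
        if value not in (2, 3, 4):
            raise ValueError(f"{name} must be 2, 3 or 4, got {value!r}")
    effective_know_how = max(resources, know_how)
    return PSL_TABLE[resources][effective_know_how]


@dataclass(frozen=True)
class Zone:
    """A zone or conduit (step 1 of the approach).

    `attacker` is an assumption of this example: the asset owner's assumed
    attacker type (R, K) per fundamental requirement.
    """
    name: str
    objects: frozenset
    attacker: dict


def check_allocation(zones, all_objects):
    """Step 1 check: every object is allocated to exactly one zone or conduit."""
    owner = {}
    for zone in zones:
        for obj in zone.objects:
            if obj in owner:
                raise ValueError(f"{obj!r} allocated to both {owner[obj]} and {zone.name}")
            owner[obj] = zone.name
    unallocated = set(all_objects) - set(owner)
    if unallocated:
        raise ValueError(f"objects without a zone or conduit: {sorted(unallocated)}")
    return owner


def sl_vector(zone):
    """Step 2: derive one PSL per fundamental requirement for a zone/conduit."""
    return {fr: preliminary_security_level(*zone.attacker[fr])
            for fr in FUNDAMENTAL_REQUIREMENTS}


def assess(zones, all_objects):
    """Run both steps and return {zone name: {FR: PSL}}."""
    check_allocation(zones, all_objects)
    return {zone.name: sl_vector(zone) for zone in zones}


# Constructed sample system (not from the page): an interlocking zone and the
# conduit that connects it to a maintenance network.
EXAMPLE_OBJECTS = ("interlocking", "object_controller",
                   "diagnostics_gateway", "maintenance_pc")
EXAMPLE_ZONES = (
    # medium resources, generic know-how -> K raised to 3 -> PS 3 for every FR
    Zone("interlocking zone", frozenset({"interlocking", "object_controller"}),
         {fr: (3, 2) for fr in FUNDAMENTAL_REQUIREMENTS}),
    # low resources, generic know-how, except sophisticated know-how assumed
    # against system integrity -> PS 2 everywhere, PS 3 for SI
    Zone("maintenance conduit", frozenset({"diagnostics_gateway", "maintenance_pc"}),
         {**{fr: (2, 2) for fr in FUNDAMENTAL_REQUIREMENTS}, "SI": (2, 4)}),
)

if __name__ == "__main__":
    for name, vector in assess(EXAMPLE_ZONES, EXAMPLE_OBJECTS).items():
        print(name, vector)
```

The allocation check is the part most often skipped in practice: an object that is in no zone, or in two, silently gets no or an inconsistent security level, so failing early on it is cheaper than discovering the gap during certification.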

Railway signaling-specific parameters
For the parameters, specific tables have been elaborated (Schlehuber, 2013). According to another thesis (Spies, 2013), the following parameters should additionally be considered in railway signaling:
- location of the attack (L)
- traceability and non-repudiation (T)
- potential (severity) of the attack (P)
It can be argued that motivation M and L and T are not independent. If the attacker has to access railway tracks or buildings, the motivation is not low. If there is a realistic chance that the attacker is identified, the motivation is not low. So, we can delete the * in the PSL table if we take L and T into account. But L and T are not independent either.

Putting it all together
L, T and P are proposed to be evaluated on a binary scale with:
- L = 1 if the attacker has to access railway tracks or buildings
- T = 1 if the attack can very likely be traced and the attacker be identified
- P = 1 if the attack is targeted at a system which is protected by additional barriers, or if the consequences are not catastrophic
Formally, we can derive
{ R, K} I max{ L, T P} SL = max } { R 2, K 4,
Note that the SL no longer depends explicitly on the likelihood of the attack or on the motivation of the attacker. It is rather a decision of the asset owner which type of attacker he is assuming.

Conclusion and outlook
The IT security for functional safety approach allows several different risk assessment approaches. For systems that have to undergo a strict certification process, likelihood-based IT security risk assessments are not reasonable. For explicit IT security risk assessment, a new approach has been presented which avoids the direct assessment of likelihood and derives an SL according to IEC 62443 which is suitable for railway signaling.