
2019 | Original Paper | Book Chapter

Devil’s in the Detail: Through-Life Safety and Security Co-assurance Using SSAF

Authors: Nikita Johnson, Tim Kelly

Published in: Computer Safety, Reliability, and Security

Publisher: Springer International Publishing


Abstract

Regulatory bodies, industry and academia present a plethora of approaches for risk analysis and engineering for safety and security. However, few standards and approaches discuss the management of both safety and security risks. Fewer yet provide detail on how the two attributes interact within a given system. In this paper, the Safety-Security Assurance Framework (SSAF) is presented as a candidate solution to many of the extant challenges of attribute co-assurance. It is a holistic approach, based on the concept of independent co-assurance, that considers both the technical risk impact and the socio-technical impact on assurance. The Framework’s Technical Risk Model (TRM) is applied and evaluated against a case study of an insulin pump. It is argued that SSAF TRM is not only a plausible and practical approach, but also more effective for co-assurance than many existing approaches alone.


Footnotes

1. Industrial experience at BAE Systems, research literature, and workshop results.

2. Social science approaches: Grounded Theory [10] and Yin-style Case Studies [37].
References

1. AlTawy, R., Youssef, A.M.: Security tradeoffs in cyber physical systems: a case study survey on implantable medical devices. IEEE Access 4, 959–979 (2016)
2. Association for the Advancement of Medical Instrumentation: AAMI TIR57:2016 Principles for medical device security - Risk management. Technical report, June 2016
3. Bostrom, R.P., Heinen, J.S.: MIS problems and failures: a socio-technical perspective part I: the causes. MIS Q. 1, 17–32 (1977)
4. Camara, C., Peris-Lopez, P., Tapiador, J.E.: Security and privacy issues in implantable medical devices: a comprehensive survey. J. Biomed. Inform. 55, 272–289 (2015)
6. Despotou, G., Alexander, R., Kelly, T.: Addressing challenges of hazard analysis in systems of systems. In: 2009 3rd Annual IEEE Systems Conference, pp. 167–172. IEEE (2009)
7. Firesmith, D.G.: Common concepts underlying safety security and survivability engineering. Software Engineering Institute, Carnegie-Mellon University, Pittsburgh PA, Technical report (2003)
8. Food and Drug Administration (FDA): Infusion Pumps Total Product Life Cycle: Guidance for Industry and FDA Staff. Technical report, U.S. Department of Health and Human Services, December 2014
9. Friedberg, I., McLaughlin, K., Smith, P., Laverty, D., Sezer, S.: STPA-SafeSec: safety and security analysis for cyber-physical systems. J. Inf. Secur. Appl. 34, 183–196 (2017)
10. Glaser, B.G., Strauss, A.L.: Discovery of Grounded Theory: Strategies for Qualitative Research. Routledge, New York (2017)
11. Hawkins, R., Habli, I., Kelly, T.: Principled construction of software safety cases. In: SAFECOMP 2013-Workshop SASSUR (Next Generation of System Assurance Approaches for Safety-Critical Systems) of the 32nd International Conference on Computer Safety, Reliability and Security (2013)
13. Hu, R., Li, C.: The design of an intelligent insulin pump. In: 2015 4th International Conference on Computer Science and Network Technology (ICCSNT), vol. 1, pp. 736–739. IEEE (2015)
14. ISO 14971:2007 Medical devices - Application of risk management to medical devices. Standard, International Organization for Standardization, Geneva, CH, September 2007
15. ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements. Standard, International Organization for Standardization, Geneva, CH, October 2013
16. Johnson, N., Kelly, T.: Safety-security assurance framework (SSAF) in practice. In: 37th International Conference on Computer Safety, Reliability, & Security SAFECOMP2018 (Abstract Paper) (2018)
17. Johnson, N., Kelly, T.: An assurance framework for independent co-assurance of safety and security. In: Muniak, C. (ed.) Journal of System Safety. International System Safety Society (January 2019), presented at: the 36th International System Safety Conference (ISSC), Arizona, USA, August 2018
18. Jones, L.G., Lattanze, A.J.: Using the architecture tradeoff analysis method to evaluate a wargame simulation system: a case study. Technical report, Carnegie Mellon University; Software Engineering Institute (SEI), Pittsburg, PA, USA (2001)
19. Kazman, R., Klein, M., Barbacci, M., Longstaff, T., Lipson, H., Carriere, J.: The architecture tradeoff analysis method. In: Proceedings Fourth IEEE International Conference on Engineering of Complex Computer Systems (Cat. No. 98EX193), pp. 68–78. IEEE (1998)
21. Lange, R., Burger, E.W.: Long-term market implications of data breaches, not. J. Inf. Priv. Secur. 13(4), 186–206 (2017)
22. Lazenbatt, A., Elliott, N., et al.: How to recognise a ‘quality’ grounded theory research study. Aust. J. Adv. Nurs. 22(3), 48 (2005)
23. Leveson, N.G.: A new approach to hazard analysis for complex systems. In: International Conference of the System Safety Society (2003)
24. Li, C., Raghunathan, A., Jha, N.K.: Hijacking an insulin pump: security attacks and defenses for a diabetes therapy system. In: 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services, pp. 150–156. IEEE (2011)
25. Luckett, P., McDonald, J.T., Glisson, W.B.: Attack-graph threat modeling assessment of ambulatory medical devices. In: Proceedings of the 50th Hawaii International Conference on System Sciences (2017)
26. Macher, G., Sporer, H., Berlach, R., Armengaud, E., Kreiner, C.: SAHARA: a security-aware hazard and risk analysis method. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp. 621–624. EDA Consortium (2015)
28. Piggin, R.: Cybersecurity of medical devices: addressing patient safety and the security of patient health information. Technical report, BSI Group ANZ Pty Ltd. (2017)
30. Rathore, H., Mohamed, A., Al-Ali, A., Du, X., Guizani, M.: A review of security challenges, attacks and resolutions for wireless medical devices. In: 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 1495–1501. IEEE (2017)
31. RTCA: RTCA DO-326: Revision A Airworthiness Security Process Specification. Technical report, Washington, DC, USA, August 2014
32. SAE International: SAE ARP4754: Rev A Guidelines for Development of Civil Aircraft and Systems. Technical report, December 2010
33. U.S. Cybersecurity and Infrastructure Security Agency (CISA): Advisory (ICSMA-16-279-01): Animas OneTouch Ping insulin pump vulnerabilities. Technical report, National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, October 2016
35. U.S. Food & Drug Administration (FDA): Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. Technical report, Center for Devices & Radiological Health, December 2016
36. Wu, F., Eagles, S.: Cybersecurity for medical device manufacturers: ensuring safety and functionality. Biomed. Instrum. Technol. 50(1), 23–34 (2016)
37. Yin, R.K.: Case Study Research and Applications: Design and Methods. Sage Publications, Thousand Oaks (2017)
38. Young, W., Leveson, N.G.: An integrated approach to safety and security based on systems theory. Commun. ACM 57(2), 31–35 (2014)
39. Zhang, Y., Jones, P.L., Jetley, R.: A hazard analysis for a generic insulin infusion pump. J. Diabetes Sci. Technol. 4(2), 263–283 (2010)
Metadata
Title
Devil’s in the Detail: Through-Life Safety and Security Co-assurance Using SSAF
Authors
Nikita Johnson
Tim Kelly
Copyright year
2019
DOI
https://doi.org/10.1007/978-3-030-26601-1_21
