2019 | OriginalPaper | Chapter

Devil’s in the Detail: Through-Life Safety and Security Co-assurance Using SSAF

Authors : Nikita Johnson, Tim Kelly

Published in: Computer Safety, Reliability, and Security

Publisher: Springer International Publishing

Abstract

Regulatory bodies, industry and academia present a plethora of approaches for risk analysis and engineering for safety and security. However, few standards and approaches discuss the management of both safety and security risks. Fewer yet provide detail on how the two attributes interact within a given system. In this paper, the Safety-Security Assurance Framework (SSAF) is presented as a candidate solution to many of the extant challenges of attribute co-assurance. It is a holistic approach, based on the concept of independent co-assurance, that considers both the technical risk impact and the socio-technical impact on assurance. The Framework’s Technical Risk Model (TRM) is applied and evaluated against a case study of an insulin pump. It is argued that SSAF TRM is not only a plausible and practical approach, but also more effective for co-assurance than many existing approaches alone.

Footnotes

1. Industrial experience at BAE Systems, research literature, and workshop results.

2. Social science approaches: Grounded Theory [10] and Yin-style Case Studies [37].

Literature

1. AlTawy, R., Youssef, A.M.: Security tradeoffs in cyber physical systems: a case study survey on implantable medical devices. IEEE Access 4, 959–979 (2016)
2. Association for the Advancement of Medical Instrumentation: AAMI TIR57:2016 Principles for medical device security - Risk management. Technical report, June 2016
3. Bostrom, R.P., Heinen, J.S.: MIS problems and failures: a socio-technical perspective part I: the causes. MIS Q. 1, 17–32 (1977)
4. Camara, C., Peris-Lopez, P., Tapiador, J.E.: Security and privacy issues in implantable medical devices: a comprehensive survey. J. Biomed. Inform. 55, 272–289 (2015)
6. Despotou, G., Alexander, R., Kelly, T.: Addressing challenges of hazard analysis in systems of systems. In: 2009 3rd Annual IEEE Systems Conference, pp. 167–172. IEEE (2009)
7. Firesmith, D.G.: Common concepts underlying safety security and survivability engineering. Software Engineering Institute, Carnegie-Mellon University, Pittsburgh PA, Technical report (2003)
8. Food and Drug Administration (FDA): Infusion Pumps Total Product Life Cycle: Guidance for Industry and FDA Staff. Technical report, U.S. Department of Health and Human Services, December 2014
9. Friedberg, I., McLaughlin, K., Smith, P., Laverty, D., Sezer, S.: STPA-SafeSec: safety and security analysis for cyber-physical systems. J. Inf. Secur. Appl. 34, 183–196 (2017)
10. Glaser, B.G., Strauss, A.L.: Discovery of Grounded Theory: Strategies for Qualitative Research. Routledge, New York (2017)
11. Hawkins, R., Habli, I., Kelly, T.: Principled construction of software safety cases. In: SAFECOMP 2013-Workshop SASSUR (Next Generation of System Assurance Approaches for Safety-Critical Systems) of the 32nd International Conference on Computer Safety, Reliability and Security (2013)
13. Hu, R., Li, C.: The design of an intelligent insulin pump. In: 2015 4th International Conference on Computer Science and Network Technology (ICCSNT), vol. 1, pp. 736–739. IEEE (2015)
14. ISO 14971:2007 Medical devices - Application of risk management to medical devices. Standard, International Organization for Standardization, Geneva, CH, September 2007
15. ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements. Standard, International Organization for Standardization, Geneva, CH, October 2013
16. Johnson, N., Kelly, T.: Safety-security assurance framework (SSAF) in practice. In: 37th International Conference on Computer Safety, Reliability, & Security SAFECOMP2018 (Abstract Paper) (2018)
17. Johnson, N., Kelly, T.: An assurance framework for independent co-assurance of safety and security. In: Muniak, C. (ed.) Journal of System Safety. International System Safety Society (January 2019), presented at: the 36th International System Safety Conference (ISSC), Arizona, USA, August 2018
18. Jones, L.G., Lattanze, A.J.: Using the architecture tradeoff analysis method to evaluate a wargame simulation system: a case study. Technical report, Carnegie Mellon University; Software Engineering Institute (SEI), Pittsburgh, PA, USA (2001)
19. Kazman, R., Klein, M., Barbacci, M., Longstaff, T., Lipson, H., Carriere, J.: The architecture tradeoff analysis method. In: Proceedings Fourth IEEE International Conference on Engineering of Complex Computer Systems (Cat. No. 98EX193), pp. 68–78. IEEE (1998)
21. Lange, R., Burger, E.W.: Long-term market implications of data breaches, not. J. Inf. Priv. Secur. 13(4), 186–206 (2017)
22. Lazenbatt, A., Elliott, N., et al.: How to recognise a ‘quality’ grounded theory research study. Aust. J. Adv. Nurs. 22(3), 48 (2005)
23. Leveson, N.G.: A new approach to hazard analysis for complex systems. In: International Conference of the System Safety Society (2003)
24. Li, C., Raghunathan, A., Jha, N.K.: Hijacking an insulin pump: security attacks and defenses for a diabetes therapy system. In: 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services, pp. 150–156. IEEE (2011)
25. Luckett, P., McDonald, J.T., Glisson, W.B.: Attack-graph threat modeling assessment of ambulatory medical devices. In: Proceedings of the 50th Hawaii International Conference on System Sciences (2017)
26. Macher, G., Sporer, H., Berlach, R., Armengaud, E., Kreiner, C.: SAHARA: a security-aware hazard and risk analysis method. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp. 621–624. EDA Consortium (2015)
28. Piggin, R.: Cybersecurity of medical devices: addressing patient safety and the security of patient health information. Technical report, BSI Group ANZ Pty Ltd. (2017)
30. Rathore, H., Mohamed, A., Al-Ali, A., Du, X., Guizani, M.: A review of security challenges, attacks and resolutions for wireless medical devices. In: 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 1495–1501. IEEE (2017)
31. RTCA: RTCA DO-326: Revision A Airworthiness Security Process Specification. Technical report, Washington, DC, USA, August 2014
32. SAE International: SAE ARP4754: Rev A Guidelines for Development of Civil Aircraft and Systems. Technical report, December 2010
33. U.S. Cybersecurity and Infrastructure Security Agency (CISA): Advisory (ICSMA-16-279-01): Animas OneTouch Ping insulin pump vulnerabilities. Technical report, National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, October 2016
35. U.S. Food & Drug Administration (FDA): Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. Technical report, Center for Devices & Radiological Health, December 2016
36. Wu, F., Eagles, S.: Cybersecurity for medical device manufacturers: ensuring safety and functionality. Biomed. Instrum. Technol. 50(1), 23–34 (2016)
37. Yin, R.K.: Case Study Research and Applications: Design and Methods. Sage Publications, Thousand Oaks (2017)
38. Young, W., Leveson, N.G.: An integrated approach to safety and security based on systems theory. Commun. ACM 57(2), 31–35 (2014)
39. Zhang, Y., Jones, P.L., Jetley, R.: A hazard analysis for a generic insulin infusion pump. J. Diabetes Sci. Technol. 4(2), 263–283 (2010)

Metadata

Title: Devil’s in the Detail: Through-Life Safety and Security Co-assurance Using SSAF
Authors: Nikita Johnson, Tim Kelly
Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-26601-1_21