Prof. Dr. Jens Braband (Siemens AG)
Risk Assessment in IT Security for Functional Safety

What's rail automation about?
What's in and what's out …

Basic approach: IT security for functional safety
EN 50129 does not define security threats and countermeasures explicitly, but it requires that the prevention of unauthorized access be addressed in the safety case.
From a conceptual point of view, hazard analyses and threat analyses are quite similar. However, the methodology and the target measures differ, e.g. SIL versus SL.

Chapters of a technical safety report (EN 50129)
…
4 Operation with external influences
4.6 Access protection

IT security for safety
IEC 62443 … Technical Safety Report (EN 50129), EN 50159, DIN VDE V 0831-102

Security standardization activities

Basic approach for IT security risk assessment from IEC 62443
1. Breakdown of the system into zones and conduits, so that
• the IT security requirements are coordinated per zone or conduit
• each object is allocated to a zone or conduit
2. Assessment of the risk for each zone or conduit and for each fundamental requirement:
• identification and authentication control (IAC)
• use control (UC)
• system integrity (SI)
• data confidentiality (DC)
• restricted data flow (RDF)
• timely response to events (TRE)
• resource availability (RA)

Security levels in IEC 62443

Inheritance of safety principles
In the "IT security for safety" concept, the safety principles from the Common Safety Methods (CSM) Regulation 402/2013 can be applied to the IT security domain, such as
• broadly acceptable risk
• application of codes of practice
• comparison with reference systems
Only the principles for explicit risk analysis need to be adapted, because SL is a qualitative measure. The quantification of IT security risks for safety is considered impossible, since the likelihood of an attack cannot be estimated objectively ("likelihood trap", see Moreaux, 2014).

Traditional IT security management – what's the problem?
In IEC/ISO 27005, "likelihood is used instead of the term probability for risk estimation". It is used as a subjective probability. IEC/ISO 27005 states "its ease of understanding" as an advantage, but "the dependence on subjective choice of scale" as a disadvantage.
Statistical or analytical modeling of threat likelihood is infeasible (Schäbe/Braband, 2014). This means that, for safety certification, we cannot rely on likelihood estimation.

A glimpse into IT security risk assessment

Parameter           2          3                 4
Resources (R)       Low        Medium            Extended
Know-how (K)        Generic    System-specific   Sophisticated
Motivation (M)      Low        Limited           High

In a first step, R, K and M are evaluated for an attacker and combined into a preliminary security level (PSL). The evaluation is based on a complete discussion of all combinations, given that SL x is considered sufficient to thwart an attack of type (Rx, Kx, Mx).
If R > K, then the attacker could acquire know-how with his resources, so R = K.

PSL table (rows: resources R, columns: know-how K)

        K2       K3       K4
R2      PSL 2    PSL 3    PSL 3
R3      PSL 3    PSL 3    PSL 4
R4      PSL 4    PSL 4    PSL 4

* Means that the PSL may be reduced by 1 if motivation M equals 2.

Railway signaling-specific parameters
• For the parameters, specific tables have been elaborated (Schlehuber, 2013).
• According to another thesis (Spies, 2013), the following parameters should be considered additionally in railway signaling:
  • location of the attack (L)
  • traceability and non-repudiation (T)
  • potential (severity) of the attack (P)
• It can be argued that motivation M and L and T are not independent:
  • If the attacker has to access railway tracks or buildings, the motivation is not "low".
  • If there is a realistic chance that the attacker is identified, the motivation is not "low".
• So, we can delete the "*" in the PSL table if we take L and T into account.
• But L and T are not independent either.
Putting it all together …
L, T and P are proposed to be evaluated on a binary scale with
• L = 1 if the attacker has to access railway tracks or buildings
• T = 1 if the attack can very likely be traced and the attacker be identified
• P = 1 if the attack is targeted at a system that is protected by additional barriers, or if the consequences are not catastrophic

Formally, we can derive

$\mathrm{SL} = \max\{R, K\} - \mathbb{1}\{R = 2, K = 4\} - \max\{L, T, P\}$

where the indicator term reproduces the one cell of the PSL table (R = 2, K = 4) that lies below max{R, K}.
Note that the SL no longer depends explicitly on the likelihood of the attack or on the motivation of the attacker. It is rather a decision of the asset owner which type of attacker he assumes.

Conclusion and outlook
The "IT security for functional safety" approach allows several different risk assessment approaches.
For systems that have to undergo a strict certification process, likelihood-based IT security risk assessments are not reasonable.
For explicit IT security risk assessment, a new approach has been presented which avoids the direct assessment of likelihood and derives an SL according to IEC 62443 that is suitable for railway signaling.
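The PSL table and the SL formula from the slides, carried through in code as an added example (not part of the presentation). It encodes the R/K/M scales and the PSL table exactly as shown, checks that the formula reproduces every table cell, and derives the SL for a few assumed attacker types; the attacker profiles and zone names are constructed for illustration.

```python
"""SL derivation following the slides: SL = max{R,K} - 1{R=2,K=4} - max{L,T,P}."""

# Scales from the slides: R, K in {2, 3, 4}; L, T, P binary.
RESOURCES = {2: "Low", 3: "Medium", 4: "Extended"}
KNOW_HOW = {2: "Generic", 3: "System-specific", 4: "Sophisticated"}

# PSL table from the slides (rows R, columns K), without the '*' reduction,
# which the slides propose to drop once L and T are taken into account.
PSL_TABLE = {
    2: {2: 2, 3: 3, 4: 3},
    3: {2: 3, 3: 3, 4: 4},
    4: {2: 4, 3: 4, 4: 4},
}


def preliminary_sl(r: int, k: int) -> int:
    """max{R,K} minus the indicator for (R=2, K=4); 'R > K raises K to R' is
    already covered by the max."""
    if r not in RESOURCES or k not in KNOW_HOW:
        raise ValueError(f"R and K must be in 2..4, got R={r}, K={k}")
    return max(r, k) - (1 if (r, k) == (2, 4) else 0)


def security_level(r: int, k: int, l: int, t: int, p: int) -> int:
    """Final SL for one zone/conduit given an assumed attacker (R, K) and
    the binary railway-specific parameters L, T, P."""
    for name, v in (("L", l), ("T", t), ("P", p)):
        if v not in (0, 1):
            raise ValueError(f"{name} must be 0 or 1, got {v}")
    return preliminary_sl(r, k) - max(l, t, p)


def formula_matches_table() -> bool:
    """Consistency check: the closed formula reproduces every PSL table cell."""
    return all(preliminary_sl(r, k) == PSL_TABLE[r][k]
               for r in PSL_TABLE for k in PSL_TABLE[r])


# Constructed attacker assumptions per zone (asset-owner decision, per the slides).
ZONES = {
    "interlocking core":   dict(r=4, k=4, l=0, t=0, p=0),  # remote, untraceable
    "trackside equipment": dict(r=3, k=3, l=1, t=1, p=0),  # needs track access
    "diagnostic server":   dict(r=2, k=4, l=0, t=1, p=1),  # extra barriers
}


def zone_levels() -> dict:
    return {name: security_level(**params) for name, params in ZONES.items()}


if __name__ == "__main__":
    assert formula_matches_table()
    for zone, sl in zone_levels().items():
        print(f"{zone:22s} SL {sl}")
```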