Addressing information security aspects in functional safety
Transcription
Addressing information security aspects in functional safety
Security aspects in safety engineering HEAVENS Project 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Rickard Svenningsson <[email protected]> HEAVENS HEAling Vulnerabilities to ENhance Software Security and Safety “We will identify security vulnerabilities in software-intensive automotive systems and define methodologies along with tools for performing software security testing. A common way of assessing security will improve the industry’s ability to deliver safe and secure vehicles.” HEAVENS Participation HEAVENS Project Goals Identify state-of-the-art, and needs and requirements Construct security models Define methods and identify tool support for security testing and evaluation Establish interplay of safety and security in the E/E architecture Demonstrate proof of concepts, automotive use cases Accomplished On-going activities HEAVENS Apr 2013 WP1 Startup Mar 2016 WP2 Security models WP1.1 Needs and requirements WP3 Security testing and evaluation WP4 Safety, security and E/E architecture WP5 Demonstrator WP3.1 Methods WP3.2 Tools WP1.2 State of the art study Accomplished WP3.3 Integration On-going activities WP10 Project management WP11 Exploitation and Dissemination HEAVENS Security Model What is a security model ? Provide threat analysis and risk assessment to facilitate deriving security requirements for a particular asset and/or a target of evaluation (TOE) by applying the HEAVENS methodology and tools. HEAVENS Security Model Automotive cybersecurity - HEAVENS HEAVENS Security Model Principles and Workflow HEAVENS Security Model Structured keyword-based method Threat analysis STRIDE Explanation Security attribute Spoofing attackers pretend to be someone or something else Authenticity, Freshness Tampering attackers change data in transit or in a data store Integrity Repudiation attackers perform actions that cannot be traced back to them Non-repudiation, Freshness Information disclosure attackers get access to data in transit or in a data store Confidentiality, Privacy Denial of service attackers interrupt a system’s legitimate operation Availability Elevation of privilege attackers perform actions they are not authorized to Authorization perform HEAVENS Security Model Risk Assessment – Security Levels Threat Level (TL) The probability of occurence of harm Impact Level (IL) The severity of that harm Security Level (SL) Measure of the needed strength of security mechanisms for a security relevant asset HEAVENS Security Model Threat Level (TL) Parameters TL parameters are primarily “attack/attacker” oriented and relatively “dynamic” in nature – may change drastically over time. HEAVENS Security Model Impact Level (IL) Parameters SAFTEY: ISO 26262 Road Vehicles – Functional Safety, 2011. FINANCIAL: BSI-Standard 100-4, Version 1.0, 2009, Federal Office for Information Security (BSI), Germany. OPERATIONAL: Automotive Industry Action Group (AIAG), “Potential Failure Mode and Effects Analysis (FMEA)”, 2008. PRIVACY: Privacy Impact Assessment Guideline, 2011, Federal Office for Information Security (BSI), Germany. HEAVENS Security Model Impact Level (IL) Parameters cont’d SAFTEY: ISO 26262 Road Vehicles – Functional Safety, 2011. HEAVENS Security Model Impact Level (IL) Parameters cont’d FINANCIAL: BSI-Standard 100-4, Version 1.0, 2009, Federal Office for Information Security (BSI), Germany. HEAVENS Security Model Impact Level (IL) Parameters cont’d OPERATIONAL: Automotive Industry Action Group (AIAG), “Potential Failure Mode and Effects Analysis (FMEA)”, 2008. HEAVENS Security Model Impact Level (IL) Parameters cont’d PRIVACY: Privacy Impact Assessment Guideline, 2011, Federal Office for Information Security (BSI), Germany. WP4 – Safety, security and E/E architecture One deliverable: ”D4 Interplay of safety and security in E/E architecture” Estimated for release in April 2015 and final release in April 2016. “The relationship between safety and security, and the impacts of safety and security mechanisms on each other will be addressed. Approaches of integrating safety and security mechanisms in the E/E architecture to improve the overall dependability.” Interplay of safety and security in embedded systems Similarities and differences between the two domains Requirement engineering – Threat and risk analysis Design Implementation V&V Activities An integrated lifecycle (V-model?) för safety and security Similarities between the two domains Risk oriented approach What can go wrong? How likely is it? What will the consequences be? (note: differences in probability estimations) Development process Safe and secure software is achieved by using a systematic development approach rather than reactive patching Quality of the development process and procedures is fundamental for the confidence in the final product Testing Comprehensive testing is essential for confidence in the final product Additivity and composability Double instances of safety/security mechnisms does not necessarily lead to double safety/security (cmp. two 8-character passwords instead of one 16-character or two CRC-8 instead of one CRC-16) Ultimate objective Achieving a sufficiently safe/secure product Culture and values Knowledgable, motivated and committed management and employees is a success factor for achieving safe and secure products Differences between the two domains Classification of consequences In safety typically divided into several levels (e.g. SIL/ASIL/DAL) In security quite binary, system is either compromised or not Threat- and riskanalysis In safety we have pretty wellknown, static fault models and fault assumptions In security threats changes regarding motivation, knowledge and attack vectors Non-experts understanding of threats In safety the consequences are easily understandable In security the threat models are often met with sceptisism and might be jugded as paranoid Exchange of experience In the safety domain there is a culture of discussion and sharing of experience In security, business actors tend to keep their experiences to themselves, thus efficiently slowing down the collective expertise Source of inspiration: L. Piétre-Cambacédès et. al: Reliability engineering and system safety, 2013 Thank you for your attention!