SCSC April 2018 A model for including cyber threat in safety cases

Presentation transcript:

SCSC April 2018: A model for including cyber threat in safety cases
Andrew Eaton, 2018

The Civil Aviation Authority
The CAA is the UK's specialist aviation regulator. Its regulatory activities range from making sure that the aviation industry meets the highest technical and operational safety standards to preventing holidaymakers from being stranded abroad or losing money because of tour operator insolvency.

Andrew Eaton
Safety critical systems engineer with the United Kingdom Civil Aviation Authority in the Intelligence, Strategy and Policy division. Focused on Regulatory Models, Models of Regulation, Regulatory Risk, Risk Assessment & Mitigation techniques, Safety Case Development and Safety Case Evaluation for CNS/ATM services and systems.
Innovation, Strategy and Policy, 2W Aviation House, Gatwick Airport South, West Sussex, RH6 0YR. andrew.eaton@caa.co.uk

Motivation
European Law requires:
- Risk based, objective safety cases that argue that the behaviour of the services they provide is tolerably safe
- Safety cases to be produced for any change in:
  - the context in which the service is provided
  - the system providing the service
  - the service provided
Cyber threat:
- constitutes part of the operational context of a service
- can modify the system providing a service
- can change the service being provided

Essential features of a change safety case
"A Safety Case is a structured argument, supported by evidence, intended to justify that a system is acceptably safe for a specific application in a specific operating environment."
The Change Safety Case (CSC) is a behavioural prediction of safety that:
- Defines what is 'safe' safety performance
- Predicts what the actual safety performance will be
- Compares the two (objectively)
- Claims the results show safety will be achieved
- Does this for all states of the system
- Is service oriented: the system being changed, or being influenced by a change, produces a service

The expected scope of a change safety case
The safety of:
- The change to the service being made
- The activities being undertaken to make the change
- Any support services required to keep the changed service running
- Any external services bought in to make the service run

Safety perspective of cyber threat (1)
- In a CSC, we are interested in safety risk
  - Safety risk = f(harm to people, probability), due to behaviour of the functional system that provides the service
- Cyber threats are just another potential cause of aberrant behaviour in/of the functional system
  - Just like random and systematic faults, EMC-induced failures, etc.
- Therefore we are concerned with the behaviour that may arise from cyber threats
  - Expressed as changes to the 'Parts of the Operational and Support Systems' (POSS) specifications
  - These changes stem from redefining the operational context to include cyber threats

Safety perspective of cyber threat (2)
- Persistent malevolent actor(s) can therefore deliberately involve simultaneous actions to bypass safeguards:
  - defeating the safety architecture
  - insider threat, introducing modifications to the functional system
- Cyber threats (with the above caveat) do not introduce new accidents or hazards, but they:
  - Can increase the probability of existing hazards
  - Can make incredible hazards possible (both previously imagined and unimagined), so enhanced HAZOP techniques are needed
  - Can increase the probability of an accident arising from a hazard

Consequently...
- Safety cases need to be informed by cyber security assurance measures and analysis to be considered valid. They need:
  - additional cyber-induced behaviour to be identified and evaluated for its potential impact on the system
  - the safety of the service to be demonstrated in the presence of any cyber-induced behaviour
  - to take into account responses to cyber-induced behaviour when it is detected (CSOC)
- The amount of cyber protection provided by a service provider is at its discretion, and will result in a delicate balance between the cost of protection and the cost of assuring the additional behaviour created by potential cyber activity.
- If the cyber threat evolves so that it is outside that considered by the safety case, a new safety case will be needed.

Cyber Threat-Induced Behaviour Identification (CTIBI) analysis (1)
- An analysis that establishes the environmental cyber threat, and determines the potential effects on the functional system, in terms of potential behaviour of the POSSs within the scope of the change.
- The analysis takes account of the functional system architecture, including the mitigations provided by the cyber and physical security controls and the activities of the SOC (defined in its procedures).
- The analysis should address threats attacking the existing system and its interfaces, and threats involving physical modification (e.g. an insider fits a USB device with malware, or enables a new communications link).
- The analysis needs to be conducted according to a procedure that must be justified, either directly or by prior approval, for it to be admissible in the safety case.

Cyber Threat-Induced Behaviour Identification (CTIBI) analysis (2)
The CTIBI results in:
- the potential cyber threat-induced behaviour, which is included in the POSS specifications (the CTIBI is the supporting evidence for these specification elements)
- a record to support an argument that the CTIBI has been carried out completely and correctly by competent personnel.
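To make the model concrete, the following Python is an added worked example (it is not code from the slides or from the CAA) that wires the CTIBI output into the CSC steps described earlier: behaviour entries from the CTIBI are appended to a POSS specification alongside random and systematic fault behaviours, the predicted hazard rates are compared objectively against defined safety targets, a hazard the original analysis treated as incredible is flagged rather than silently claimed safe, and a check shows when the live threat has moved outside the context the CTIBI assumed, which is the trigger for a new safety case. All class names, the surveillance data processor (SDP) sample, the ordinal capability scale and every rate and target are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Behaviour:
    """One specified behaviour of a POSS and the hazard it can contribute to."""
    description: str
    hazard: str
    cause: str                 # "random", "systematic", "emc", "cyber", ...
    rate_per_hour: float       # constructed estimate, after credited mitigations


@dataclass
class Poss:
    """A 'Part of the Operational and Support System' with its behaviour specification."""
    name: str
    behaviours: List[Behaviour] = field(default_factory=list)


@dataclass(frozen=True)
class ThreatContext:
    """Environmental cyber threat the CTIBI was conducted against (assumed scale)."""
    actor_capability: int      # constructed ordinal: 1 opportunist .. 5 persistent, resourced
    access_paths: frozenset    # e.g. {"network", "insider"}


def predicted_hazard_rates(posses: List[Poss]) -> Dict[str, float]:
    """Sum behaviour rates per hazard: the 'predict actual safety performance' step."""
    rates: Dict[str, float] = {}
    for poss in posses:
        for b in poss.behaviours:
            rates[b.hazard] = rates.get(b.hazard, 0.0) + b.rate_per_hour
    return rates


def compare_to_targets(posses: List[Poss], targets: Dict[str, float]
                       ) -> Dict[str, Tuple[float, Optional[float], bool]]:
    """The 'compares the two (objectively)' step.

    Returns hazard -> (predicted rate, target rate or None, claim holds).
    A hazard with no target is one the earlier analysis treated as incredible;
    it cannot be claimed safe until the HAZOP is revisited and a target defined.
    """
    predicted = predicted_hazard_rates(posses)
    verdict: Dict[str, Tuple[float, Optional[float], bool]] = {}
    for hazard in set(predicted) | set(targets):
        pred = predicted.get(hazard, 0.0)
        target = targets.get(hazard)
        verdict[hazard] = (pred, target, target is not None and pred <= target)
    return verdict


def threat_within_assumptions(observed: ThreatContext, assumed: ThreatContext) -> bool:
    """False when the live threat exceeds what the CTIBI assumed: the safety case is stale."""
    return (observed.actor_capability <= assumed.actor_capability
            and observed.access_paths <= assumed.access_paths)


# ---- constructed sample change: a surveillance data processor (SDP) POSS ----
SDP_BASELINE = Poss("SDP", [
    Behaviour("track dropped", "loss of separation", "random", 2e-6),
    Behaviour("stale position shown", "loss of separation", "systematic", 1e-6),
])

# Threat context the (hypothetical) CTIBI was run against
CTIBI_ASSUMED = ThreatContext(actor_capability=3, access_paths=frozenset({"network"}))

# CTIBI output: extra cyber-induced behaviour entries for the same POSS
CTIBI_BEHAVIOURS = [
    Behaviour("false track injected via feed", "loss of separation", "cyber", 5e-6),
    Behaviour("display frozen during incident response", "controller blind", "cyber", 1e-7),
]

# Defined 'safe' performance; "controller blind" had been deemed incredible, so no target
TARGETS = {"loss of separation": 1e-5}


def evaluate_change(include_cyber: bool) -> Dict[str, Tuple[float, Optional[float], bool]]:
    """Build the POSS spec with or without the CTIBI entries and run the comparison."""
    spec = Poss(SDP_BASELINE.name,
                list(SDP_BASELINE.behaviours) + (CTIBI_BEHAVIOURS if include_cyber else []))
    return compare_to_targets([spec], TARGETS)


if __name__ == "__main__":
    for hazard, (pred, target, ok) in sorted(evaluate_change(True).items()):
        print(f"{hazard:20s} predicted={pred:.1e} target={target} claim_holds={ok}")
    live = ThreatContext(actor_capability=3, access_paths=frozenset({"network", "insider"}))
    print("threat within CTIBI assumptions:", threat_within_assumptions(live, CTIBI_ASSUMED))
```

With the constructed numbers the loss-of-separation claim still holds once the cyber entries are added (8e-6 against a 1e-5 target), but the "controller blind" hazard surfaces with no target and is reported as an unsupported claim, and an observed insider access path that the CTIBI never considered fails the context check.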

Consequences of this view
Delineates safety engineering responsibilities from cyber security responsibilities, in that it enables:
- the cyber team to establish the environmental cyber threat and determine the potential effects on the functional system, in terms of potential behaviour of the POSSs within the scope of the change
- the safety team to address the consequences of this behaviour without having cyber expertise
So you don't need safety experts who understand cyber security, or vice versa.

Cyber security issues in safety case
The Security Operations Centre (SOC)*
- A POSS representing the SOC (if new or changed/impacted):
  - Threat monitoring
  - Incident detection and response
  - Changes to operational mode
  - Patches and configuration changes (within scope of safety case)
  - Instigation of changes
* Either the safety case or a separate cyber assessment needs to demonstrate the adequacy of:
- the security analysis method, to identify and verify 'new' behaviour in POSSs
- the operations of the SOC.

Thank you

Cyber security issues in safety case (descriptions and justifications, variously)
- Rationale for the extent to which cyber security has been addressed for this change
- Additional system description: major security features
- Additional behaviour in POSS specifications (incl. for supplied services)*
- Additional considerations when the scope of the change was established
- Additions to safety models
- Additional requirement for resources (spares & prepared parts) to be uncompromised
- Additional evidence supporting the specifications