SCSC April 2018 A model for including cyber threat in safety cases

1 SCSC April 2018 A model for including cyber threat in safety cases
Andrew Eaton 2018

2 The Civil Aviation Authority
The CAA is the UK's specialist aviation regulator. Its regulatory activities range from making sure that the aviation industry meets the highest technical and operational safety standards to preventing holidaymakers from being stranded abroad or losing money because of tour operator insolvency.

3 Andrew Eaton
Safety critical systems engineer with the United Kingdom Civil Aviation Authority in the Intelligence, Strategy and Policy division. Focused on Regulatory Models, Models of Regulation, Regulatory Risk, Risk Assessment & Mitigation techniques, Safety Case Development and Safety Case Evaluation for CNS/ATM services and systems. Innovation, Strategy and Policy 2W Aviation House, Gatwick Airport South, West Sussex, RH6 0YR.

4 Motivation
European Law requires:
- Risk-based, objective safety cases that argue that the behaviour of the services they provide is tolerably safe
- Safety cases to be produced for any change in:
  - the context in which the service is provided
  - the system providing the service
  - the service provided
Cyber threat:
- constitutes part of the operational context of a service
- can modify the system providing a service
- can change the service being provided

5 Essential features of change safety case
“A Safety Case is a structured argument, supported by evidence, intended to justify that a system is acceptably safe for a specific application in a specific operating environment.”
The Change Safety Case (CSC) is a behavioural prediction of safety that:
- Defines what is ‘safe’ safety performance
- Predicts what the actual safety performance will be
- Compares the two (objectively)
- Claims the results show safety will be achieved
- Does this for all states of the system
Service oriented: the system being changed, or being influenced by a change, produces a service

6 The expected scope of a change safety case
The safety of:
- The change to the service being made
- The activities being undertaken to make the change
- Any support services required to keep the changed service running
- Any external services bought in to make the service run

7 Safety perspective of cyber threat (1)
- In a CSC, we are interested in safety risk
  - Safety risk = f(harm to people, probability) due to behaviour of the functional system that provides the service
- Cyber threats are just another potential cause of aberrant behaviour in/of the functional system
  - Just like random and systematic faults, EMC-induced failures etc.
- Therefore we are concerned with the behaviour that may arise from cyber threats
  - Expressed as changes to the ‘Parts of the Operational and Support Systems’ (POSS) specifications
  - These changes stem from redefining the operational context to include cyber threats

8 Safety perspective of cyber threat (2)
- Persistent malevolent actor(s) can therefore deliberately:
  - involve simultaneous actions to bypass safeguards, defeating the safety architecture
  - use insider threat, introducing modifications to the functional system
- Cyber threats (with the above caveat) do not introduce new accidents or hazards
  - Can increase the probability of existing hazards
  - Can make incredible hazards possible (both previously imagined and unimagined): needs enhanced HAZOPS techniques
  - Can increase the probability of an accident arising from a hazard

9 Consequently…
- Safety cases need to be informed by cyber security assurance measures and analysis to be considered valid. They need:
  - additional cyber-induced behaviour to be identified and evaluated for its potential impact on the system
  - the safety of the service to be demonstrated in the presence of any cyber-induced behaviour
  - to take into account responses to cyber-induced behaviour when detected (CSOC)
- The amount of cyber protection provided by a service provider is at its discretion and will result in a delicate balance of the cost of protection against the cost of assuring the additional behaviour created by potential cyber activity.
- If the cyber threat evolves so that it is outside that considered by the safety case, a new safety case will be needed.

10 Cyber Threat-Induced Behaviour Identification (CTIBI) analysis (1)
An analysis that establishes the environmental cyber threat and determines the potential effects on the functional system, in terms of the potential behaviour of the POSSs within the scope of the change. The analysis takes account of the functional system architecture, including the mitigations provided by the cyber and physical security controls and the activities of the SOC (as defined in its procedures). The analysis should address threats attacking the existing system and its interfaces, and threats involving physical modification (e.g. an insider fits a USB device with malware, or enables a new communications link). The analysis needs to be conducted according to a procedure that must be justified, either directly or by prior approval, for it to be admissible in the safety case.

11 Cyber Threat-Induced Behaviour Identification (CTIBI) analysis (2)
The CTIBI results in:
- the potential cyber threat-induced behaviour, which is included in the POSS specifications (the CTIBI is the supporting evidence for these specification elements)
- a record to support an argument that the CTIBI has been carried out completely and correctly by competent personnel.
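As an added illustration (not from the presentation), the Python sketch below carries the reasoning of slides 7 to 9 through to the CTIBI output of slides 10 and 11: each POSS hazard has its baseline random and systematic causes, the CTIBI adds cyber threat-induced causes with their residual probability after security controls and the SOC, and the CSC comparison of predicted against defined safe performance is recomputed, flagging hazards whose probability is no longer tolerable and previously 'incredible' hazards that the cyber causes have made credible. The hazard names, probabilities and the credibility floor are constructed sample values, not figures from the CAA.

```python
from dataclasses import dataclass

# Constructed assumption: hazards below this per-hour probability count as 'incredible'.
CREDIBLE_FLOOR = 1e-9

@dataclass
class Cause:
    name: str
    prob_per_hour: float   # residual probability after existing controls/SOC
    source: str            # "random", "systematic" or "cyber"

@dataclass
class Hazard:
    name: str
    tolerable: float       # the CSC's definition of 'safe' performance
    causes: list

def hazard_probability(hazard: Hazard, include_cyber: bool) -> float:
    """P(hazard) = 1 - prod(1 - p_i) over independent causes."""
    p_no_cause = 1.0
    for c in hazard.causes:
        if c.source == "cyber" and not include_cyber:
            continue
        p_no_cause *= 1.0 - c.prob_per_hour
    return 1.0 - p_no_cause

def assess(hazards: list) -> dict:
    """Predicted vs defined safe performance, without and with CTIBI cyber causes."""
    findings = {}
    for h in hazards:
        baseline = hazard_probability(h, include_cyber=False)
        with_cyber = hazard_probability(h, include_cyber=True)
        findings[h.name] = {
            "baseline": baseline, "with_cyber": with_cyber,
            "tolerable": with_cyber <= h.tolerable,
            "made_credible": baseline < CREDIBLE_FLOOR <= with_cyber,
        }
    return findings

# Constructed sample input: two POSS hazards, each with a CTIBI addition.
SAMPLE_HAZARDS = [
    Hazard("Loss of surveillance picture", 1e-5, [
        Cause("random hardware fault", 1e-6, "random"),
        Cause("CTIBI: unauthorised configuration change", 2e-5, "cyber"),
    ]),
    Hazard("Corrupted data shown to controller", 1e-7, [
        Cause("undetected memory corruption", 5e-10, "random"),
        Cause("CTIBI: insider-modified component", 2e-8, "cyber"),
    ]),
]
```

Running `assess(SAMPLE_HAZARDS)` shows the first hazard pushed past its target by the cyber cause (the safety team's problem to argue, with better controls or SOC response), and the second moved from incredible to credible while still within its target.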

12 Consequences of this view
Delineates safety engineering responsibilities from cyber security responsibilities, in that it enables:
- the cyber team to establish the environmental cyber threat, and determine the potential effects on the functional system, in terms of potential behaviour of the POSSs within the scope of the change
- the safety team to address the consequences of this behaviour without having cyber expertise
So you don’t need safety experts that understand cyber security, or vice versa.

13 Cyber security issues in safety case
The Security Operations Centre (SOC)*
- A POSS representing the SOC (if new or changed/impacted):
  - Threat monitoring
  - Incident detection and response
  - Changes to operational mode
  - Patches and configuration changes (within scope of safety case)
  - Instigation of changes
* Either the safety case or a separate cyber assessment needs to demonstrate the adequacy of:
- the security analysis method to identify and verify ‘new’ behaviour in POSSs
- the operations of the SOC.

14 Thank you

15 Cyber security issues in safety case (descriptions and justifications, variously)
- Rationale for the extent to which cyber security has been addressed for this change
- Additional system description: major security features
- Additional behaviour in POSS specifications (including for supplied services)*
- Additional considerations when the scope of the change was established
- Additions to safety models
- Additional requirement for resources (spares & prepared parts) to be uncompromised
- Additional evidence supporting the specifications
