Abstract
A range of common software components is gradually being integrated into the infrastructures that support safety-critical systems. These include network management tools, operating systems (especially Linux), Voice over IP (VoIP) communications technologies, and satellite-based augmentation systems for navigation and timing data. The increasing use of these common components creates concerns that bugs might affect multiple systems across many different safety-related industries. It also raises significant security concerns. Malware has been detected in power distribution, healthcare, military and transportation infrastructures. Most previous attacks do not seem to have deliberately targeted critical applications. However, there is no room for complacency in the face of increasing vulnerability to cyber attacks on safety-related systems. This paper illustrates the threat to air traffic management infrastructures and goes on to present a roadmap to increase our resilience to future CyberSafety attacks. Some components of this proposal are familiar concepts from Security Management Systems (SecMS), including a focus on incident reporting and the need for improved risk assessment tools. Other components of the roadmap focus on structural and organizational problems that have limited the effectiveness of existing SecMS; in particular, there is a need to raise awareness amongst regulators and senior management, who often lack the technical and engineering background to understand the nature of the threats to safety-critical software.
© 2012 Springer-Verlag London Limited
About this paper
Cite this paper
Johnson, C. (2012). CyberSafety: CyberSecurity and Safety-Critical Software Engineering. In: Dale, C., Anderson, T. (eds) Achieving Systems Safety. Springer, London. https://doi.org/10.1007/978-1-4471-2494-8_8
DOI: https://doi.org/10.1007/978-1-4471-2494-8_8
Publisher Name: Springer, London
Print ISBN: 978-1-4471-2493-1
Online ISBN: 978-1-4471-2494-8