Abstract
Safety-critical systems are required to comply with safety standards. These systems are increasingly digitized and networked to an extent where they must also comply with security and privacy standards. This paper aims to provide insights into how practitioners apply standards on safety, security or privacy (Sa/Se/Pr), as well as how they employ Sa/Se/Pr analysis methodologies and software tools to meet such criteria. To this end, we conducted a questionnaire-based survey among the participants of the EU project SECREDAS and obtained 21 responses. The results of our survey indicate that safety standards are widely applied by product and service providers, driven by requirements from clients or regulators/authorities. When it comes to security standards, practitioners face a wider range of standards, while only a few target specific industrial sectors. Some standards linking safety and security engineering are not widely used at the moment, or practitioners are not aware of this feature. For privacy engineering, the availability and usage of standards, analysis methodologies and software tools are relatively weaker than for safety and security, reflecting the fact that privacy engineering is an emerging concern for practitioners.
Notes
- 1. The questionnaire can be found at:
Acknowledgements
This work was partly supported by the SECREDAS project under JU Grant Agreement number 783119 and by the partners' national funding authorities.
© 2019 Springer Nature Switzerland AG
Cite this paper
Shan, L., Sangchoolie, B., Folkesson, P., Vinter, J., Schoitsch, E., Loiseaux, C. (2019). A Survey on the Applicability of Safety, Security and Privacy Standards in Developing Dependable Systems. In: Romanovsky, A., Troubitsyna, E., Gashi, I., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2019. Lecture Notes in Computer Science, vol 11699. Springer, Cham. https://doi.org/10.1007/978-3-030-26250-1_6
DOI: https://doi.org/10.1007/978-3-030-26250-1_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26249-5
Online ISBN: 978-3-030-26250-1
eBook Packages: Computer Science, Computer Science (R0)