Abstract
Component fault trees (CFTs) that contain both safety basic events and security basic events cannot be analyzed like ordinary CFTs. Safety basic events are rated with probabilities in the interval [0,1], whereas for security basic events simpler scales such as {low, medium, high} make more sense. This paper describes an approach for carrying out a quantitative safety analysis when safety and security basic events use different rating schemes. This makes it possible to take security causes of safety failures into account and to rate their effect on system safety.
Acknowledgement
The research leading to these results has received funding from the ARTEMIS Joint Undertaking under grant agreement no. 621429 (project EMC²) and from the respective national funding authorities.
© 2015 Springer International Publishing Switzerland
Cite this paper
Steiner, M., Liggesmeyer, P. (2015). Qualitative and Quantitative Analysis of CFTs Taking Security Causes into Account. In: Koornneef, F., van Gulijk, C. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2014. Lecture Notes in Computer Science, vol 9338. Springer, Cham. https://doi.org/10.1007/978-3-319-24249-1_10
DOI: https://doi.org/10.1007/978-3-319-24249-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24248-4
Online ISBN: 978-3-319-24249-1
eBook Packages: Computer Science (R0)