
Comparing Risk Identification in Hazard Analysis and Threat Analysis

  • Hideaki Nishihara
  • Kenji Taguchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11094)

Abstract

In the context of cyber-physical systems, safety and security have historically been discussed and handled separately, since security was not considered critical to safety and vice versa. The two disciplines are nevertheless similar in several respects, so it is natural to try to treat them in parallel or in a unified manner. This paper considers a symmetrical treatment of safety and security, in particular for identifying possible harms. We compare the results of a hazard analysis and a threat analysis performed on a single model of a small IoT system. The identified harms overlap substantially, which suggests that the two analyses can be unified.
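The comparison the abstract describes can be made concrete by reducing both analyses to one harm vocabulary and then diffing the two sets. The script below is an added illustration, not the paper's model or method: it applies guideword-style deviations (loss, erroneous, untimely) to every function of a constructed connected-door-lock model, applies STRIDE to every attacker-reachable data flow, expresses each threat as the functional deviation it induces (where one exists), and reports the overlap. The model, the deviation table, the STRIDE-to-deviation mapping and the `exposed` flags are all assumptions made for the example.

```python
"""
Side-by-side risk identification on one small IoT model: a guideword-style
hazard analysis and a STRIDE-style threat analysis, both reduced to the
same harm vocabulary so their overlap can be measured.

Added illustration. The door-lock model, the deviation table and the
STRIDE-to-deviation mapping are constructed assumptions, not the paper's.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hazard guidewords applied to every function (assumed, FHA/HAZOP-like).
DEVIATIONS: Tuple[str, ...] = ("loss", "erroneous", "untimely")


@dataclass(frozen=True)
class Function:
    name: str
    effects: Dict[str, str]  # deviation -> resulting harm (constructed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    function: str   # function whose output this flow carries
    exposed: bool   # reachable by an attacker (assumed for the example)


# Constructed model: a connected door lock.
FUNCTIONS: Dict[str, Function] = {
    "sense_door": Function("sense_door", {
        "loss": "door state unknown, lock may stay open",
        "erroneous": "door reported closed while open",
        "untimely": "stale door state delays locking",
    }),
    "actuate_lock": Function("actuate_lock", {
        "loss": "door cannot be locked or unlocked",
        "erroneous": "door locked or unlocked at wrong time",
        "untimely": "lock reacts late to command",
    }),
    "remote_command": Function("remote_command", {
        "loss": "owner cannot control lock remotely",
        "erroneous": "unauthorised unlock command executed",
        "untimely": "remote command executed late",
    }),
}

FLOWS: List[Flow] = [
    Flow("door_sensor", "controller", "sense_door", exposed=True),    # wireless
    Flow("controller", "lock_motor", "actuate_lock", exposed=False),  # wired
    Flow("mobile_app", "cloud", "remote_command", exposed=True),
    Flow("cloud", "controller", "remote_command", exposed=True),
]

# Functional deviation(s) each STRIDE category induces on the flow's
# function; an empty tuple means the harm has no safety counterpart.
STRIDE_TO_DEVIATIONS: Dict[str, Tuple[str, ...]] = {
    "Spoofing": ("erroneous",),
    "Tampering": ("erroneous",),
    "Repudiation": (),
    "Information disclosure": (),
    "Denial of service": ("loss", "untimely"),
    "Elevation of privilege": ("erroneous",),
}
SECURITY_ONLY_HARM: Dict[str, str] = {
    "Repudiation": "action on {fn} cannot be attributed",
    "Information disclosure": "{fn} data disclosed to attacker",
}


def hazard_analysis(functions: Dict[str, Function]) -> Set[str]:
    """Apply every guideword to every function; collect the resulting harms."""
    return {f.effects[g] for f in functions.values() for g in DEVIATIONS}


def threat_analysis(functions: Dict[str, Function], flows: List[Flow]) -> Set[str]:
    """Apply STRIDE to every attacker-reachable flow and express each threat
    as the harm it causes, via the deviation it induces where one exists."""
    harms: Set[str] = set()
    for flow in flows:
        if not flow.exposed:
            continue
        fn = functions[flow.function]
        for category, devs in STRIDE_TO_DEVIATIONS.items():
            if devs:
                harms.update(fn.effects[d] for d in devs)
            else:
                harms.add(SECURITY_ONLY_HARM[category].format(fn=fn.name))
    return harms


def compare(hazards: Set[str], threats: Set[str]) -> Dict[str, object]:
    """Overlap of the two harm sets plus their Jaccard similarity."""
    union = hazards | threats
    return {
        "common": hazards & threats,
        "hazard_only": hazards - threats,
        "threat_only": threats - hazards,
        "jaccard": len(hazards & threats) / len(union) if union else 0.0,
    }


if __name__ == "__main__":
    result = compare(hazard_analysis(FUNCTIONS), threat_analysis(FUNCTIONS, FLOWS))
    for key in ("common", "hazard_only", "threat_only"):
        print(f"{key}:")
        for harm in sorted(result[key]):
            print("  -", harm)
    print(f"jaccard: {result['jaccard']:.2f}")
```

On this constructed model the two analyses share every harm of the attacker-reachable functions, the hazard analysis alone finds the harms of the internal `actuate_lock` function (which STRIDE never visits because its flow is not exposed), and the threat analysis alone finds the confidentiality and accountability harms that have no functional deviation behind them. Those two residual classes, internal failures and security-only harms, are exactly what a unified procedure has to keep covering when the harm vocabulary is shared.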

Keywords

Hazard analysis; Threat analysis; Risk identification


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Information Technology Research Institute, National Institute of Advanced Industrial Science and Technology (AIST), Osaka, Japan
  2. CAV Technologies, Kyoto, Japan
