[SystemSafety] Safety and Cybersecurity: A Dispute
Coq, Thierry
Thierry.Coq at dnvgl.com
Mon Dec 19 20:36:00 CET 2016
Hi
For your information, in the French language (as translated in the IEC 61508 standard):
"Functional Safety" = "Sûreté de fonctionnement"
"Security" = "sécurité"
There are no ambiguities in the technical documents, but there are common-sense uses which may be ambiguous if one does not have the context.
However, there is the same ambiguity in the English language. For example, this English dictionary states (http://www.dictionary.com/browse/security )
Security: 1° freedom from risk, danger, i.e. safety;
Only in 3° comes protection and defense.
...
As to PBL's question, my answer would be: "It depends". In some cases (land-based transportation systems), where there is a static safe state, it seems a rational solution to have separate and distinct operational systems and safety systems, and therefore to have distinct security systems for each.
However, for systems where the safe state is dynamic and depends on the correct performance of the operational systems (for example, aircraft flying, cooling pumps in a nuclear power plant, even shut-down), it seems the distinction between safety systems and operational systems is not so useful.
Like it was said otherwise, a systems engineering approach should lead to the right definition for each, depending on the risks and safe states.
For 61508, as the mother of all safety (and security) standards, I suggest refraining from making requirements which are POV dependent, or allowing several approaches depending on the need. For industry-specific standards such as 61511 then a separation should be mandatory, where shutdown is the usual safe-state, and security of the safety systems should be separate from the security of the operational systems.
In any case, safety without security does not seem enough. Some time ago, someone asked a question for the maritime business:
"Is a ship riddled with viruses seaworthy?" (cf. http://www.securitynewsdesk.com/seaworthiness-cyber-security-the-hidden-threat-to-shipping/ )
This means that the safety case must include an argument about the quality of the security of the safety function. And due to the dynamic nature of the threat and mitigation, this safety case is going to have to be more dynamic than ever before.
Best regards,
Thierry Coq
(PS. The opinions expressed here are my own, not necessarily those of my employer).
-----Original Message-----
From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Alexander.Much at elektrobit.com
Sent: Monday 19 December 2016 19:17
To: systemsafety at techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Safety and Cybersecurity: A Dispute
Hi Peter, *,
[...]
> So what do people here think? I have examples (e.g., my blog posts) to
> demonstrate that cybersecurity issues have to be considered
> essentially when devising safety requirements. The DKE formal guidance
> says that cybersecurity measures concerning safety functions and those
> concerning operational functionality have to be treated differently.
> And there is a lobby which says that this is "counterproductive". Can
> safety and cybersecurity for IACS effectively be separated, or are they inevitably intertwined?
>
Since you asked for an opinion, here's mine.
There are people who are praising the English language for having two distinct words: "safety" and "security".
Other languages / cultures don't see the need to separate these two (German: Sicherheit, French: Sécurité, etc.).
IMHO:
- "safety without security" is not a thing
- "security without safety" may be a thing
Alex
--
Alexander Much
Chief Expert - Head of Software Systems Engineering, Car Infrastructure
EB - Driving the Future of Software
P +49 9131 7701 6384
M +49 172 7479804
E alexander.much at elektrobit.com
Elektrobit Automotive GmbH, Am Wolfsmantel 46, 91058 Erlangen, Germany Managing Directors: Alexander Kocher, Gregor Zink; Register Court Fürth HRB 4886
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE