A Data Focussed Approach to Mapping Security Issues to Safety Impacts
Dr Robert Oates
Private – Rolls-Royce Proprietary Information

Talk Overview
- Motivation
- Safety and Security: Interactions and Constraints
- Integrated Development Processes
- Our solution
- Example
- Technologies
- Limitations and a call to arms!
Mobile Oil Drilling Platform
(US Coastguard statement; slide image not captured)

Safety and Security - Risk
(diagram labels: Supplier, Legal Process, Quality escape, Corrective Action, Supplier, Supplier, End User, Legal Process)

Safety and Security - Risk (continued)
A Note on Risk Driven Development
- Identify Risks
- Analyse Risks
- Generate Risk Treatment Plan: Mitigate (define mitigations as requirements), Avoid, Transfer, Accept
- Quality Process

Risk Driven Design Processes
Inputs:
  i) Organisation -> What's our risk appetite?
  ii) Functional Requirements -> What are we making?
Flow:
- Initial Design to Design Principles
- Threat Intelligence
- Technical Risk Assessment
- Risk Treatment Plan
- Are risks acceptable?
    yes -> Next phase
    no  -> Identify Mitigations -> Update Design (and reassess)
Safety and Security - Impact
Impacts of Cyber-Attack:
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Escalation of Privilege
Causes of Incidents:
- Misinformation
- Faulty Assumptions
- Uncontrolled Change
- Unqualified Personnel
- Uncertainty
Integrated Development Processes
Ref: ED202A

Threat Risk Model
(two diagram slides; diagram content not captured)
Mapping Impact
For every data artefact: what happens if I lose the property of…
Properties for a cyber security assessment (Microsoft SDL):
- Confidentiality
- Integrity
- Availability
- Non-repudiation
- Authorisation
- Authentication
Properties for a data safety assessment (SCSC):
- Integrity
- Completeness
- Consistency
- Format
- Accuracy
- Resolution
- Traceability
- Timeliness
- Verifiability
- Availability
- Fidelity / Representation
- Priority
- Disposability / Deletability
- Sequencing
- Intended Destination/Usage
- Accessibility
- Suppression
- History
- Lifetime
Impact Assessment Example
- Self Reproducing Banking Malware: Confidentiality, Availability; Control Signal Resolution
- US Coastguard statement: Integrity, Consistency, Accuracy, Sequencing, Timeliness, Availability, Fidelity / Representation

Trade-off Example: Cryptography
(diagram labels, grouping not recoverable: Intended destination/usage, Accessibility, Traceability, Disposability / Deletability, Suppression; Sequencing, Timeliness, Availability, Priority, Lifetime; Confidentiality, Integrity, Completeness, Consistency, Format, Accuracy, Resolution, Sequencing, Fidelity / Representation, History; Integrity, Availability, Authentication/Authorisation, Timeliness, Lifetime)
Limitations
- Lack of validation of the bridge
- Data safety scalability
- No replacement for common sense

Conclusions
- Potentially useful for elucidating security requirements that conserve safety properties:
    protecting key properties
    mitigations that don't erode key properties
- Help!
    Data Safety Working Group
    Security-informed safety case working group
    Review the bridge