by Christoph Schmittner, Zhendong Ma and Thomas Gruber
Networked cyber-physical systems introduce new challenges for safety, security, and dependability of such systems. Addressing them requires unified approaches towards safety and security co-analysis, design, implementation and verification in a holistic way. The researchers and engineers at the Austrian Institute of Technology develop concepts, techniques and tools for combining safety and security engineering for different domains.
Interconnected embedded systems integrated into their physical surroundings are known as Cyber-physical Systems (CPS). CPS are the driving force behind many technological innovations that improve the efficiency, functionality, and reliability of products, services, and infrastructures. Consequently, our society is becoming dependent on these ‘intelligent’ or ‘smart’ systems, from smart home appliances to industrial control, smart cities, and intelligent transport. Owing to the scale, complexity, and connectivity of these systems, it is very challenging to ensure their safety, security, and resilience. Faults and malfunctions as well as malicious attacks can cripple a system and lead to devastating consequences in the physical world, eliminating all the advantages the technology brings. Since system features increasingly depend on computation, networking, and information processing, safety and security become tightly coupled in CPS. Safety cannot be guaranteed without security, and security is maintained only as long as system safety holds. Many CPS are open systems, which makes them the target of cyberattacks. Interconnectivity removes boundaries and the need for physical presence to gain access. Complexity and time-to-market pressure lead to the introduction of vulnerabilities, flaws and new ways of failing that can be very hard to analyse and cannot easily be addressed during development.
Figure 1: Connected critical systems.
In the past, safety and security were treated as separate issues. Different methodologies, techniques, processes, certifications, and standards exist for system safety and security. Technological development and the challenges facing CPS require a combined approach. In a continuous effort with its partners, the Austrian Institute of Technology (AIT) has conducted research on safety and security co-engineering in the context of a series of EU projects including ARROWHEAD, EMC², and CARONTE in domains such as connected industrial systems, automotive, railway, and land transport. The research includes safety and security co-analysis, co-design, verification and validation, and certification.
One outcome of this research, ‘Failure Mode, Vulnerabilities and Effect Analysis’ (FMVEA), is a combined analysis of failures and attacks and their effects on system dependability. The method has been applied to interconnected industrial, automotive and railway systems. A system is divided into subsystems and parts. Potential failure modes and threat modes for each part are identified, and their consequences at the local and the system level are determined. Through a semi-quantitative approach, the likelihood of the threat modes is estimated. The results are safety-motivated security goals and improved coordination between safety and security goals.
To include safety and security considerations and to coordinate their interactions at each phase of the development lifecycle, a combined development lifecycle is proposed. Based on lifecycle models in existing standards and best practices, the approach is a unified lifecycle with a balanced set of measures for mitigating both safety and security risks during development. In the requirement specification phase, security effects on safety are considered during the hazard, risk and threat analysis. At the beginning of the design phase, the definitions of the safety goals and the security goals are consolidated. In the development phase, safety and security measures are considered together to fulfil the design goals. For example, the design can use tamper-resistant hardware for robustness against environmental influences. In the implementation/realization phase, safety coding standards that restrict the use of dynamic elements can reduce the number of exploitable buffer overflows. Safety and security development should be a continuous process that extends beyond release. As part of incident response, newly discovered vulnerabilities require a re-consideration of the safety and security concept and an impact analysis on the other system quality attributes. Besides maintaining the necessary safety levels during decommissioning, one must also consider whether potential attackers can gain insight into vulnerabilities from the disposed system.
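The analysis steps described above (dividing the system into parts, listing a failure mode or threat mode per part with its local and system-level effect, rating likelihood semi-quantitatively, and deriving safety-motivated security goals), together with the lifecycle's re-assessment when a new vulnerability becomes known, as an added worked example in Python. This is illustration code, not AIT's FMVEA tooling: the 1–4 rating scales, the multiplicative risk score, the severity threshold for "safety-relevant", and the sample vehicle components are constructed assumptions.

```python
"""FMVEA-style co-analysis worksheet (illustration, not AIT's FMVEA tool).

Assumptions not taken from the article: severity and likelihood are rated
on constructed 1..4 scales, risk is ranked as severity * likelihood, and a
threat mode counts as safety-relevant when its severity is >= 3.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAFETY_RELEVANT_SEVERITY = 3  # constructed threshold: at or above this a mode has a safety impact


@dataclass
class Mode:
    kind: str          # "failure" (random/systematic fault) or "threat" (malicious)
    description: str
    local_effect: str  # effect on the part itself
    system_effect: str # effect at system level (what the safety engineer cares about)
    severity: int      # 1 negligible .. 4 catastrophic (constructed scale)
    likelihood: int    # 1 remote .. 4 frequent (constructed scale)

    @property
    def risk(self) -> int:
        return self.severity * self.likelihood


@dataclass
class Part:
    name: str
    subsystem: str
    modes: List[Mode] = field(default_factory=list)


def build_sample_system() -> List[Part]:
    """Constructed sample: a connected braking subsystem plus a telematics gateway."""
    return [
        Part("Brake ECU", "Brake control", [
            Mode("failure", "Watchdog fails to reset hung controller",
                 "ECU stops computing brake torque", "Loss of braking assistance", 4, 1),
            Mode("threat", "Spoofed brake command over vehicle bus",
                 "ECU accepts forged torque request", "Unintended braking or no braking", 4, 2),
        ]),
        Part("Wheel speed sensor", "Brake control", [
            Mode("failure", "Sensor signal stuck at last value",
                 "Wrong speed estimate", "ABS regulates on stale data", 3, 2),
        ]),
        Part("Telematics gateway", "Connectivity", [
            Mode("threat", "Remote code execution via unpatched service",
                 "Attacker controls gateway", "Gateway bridges attacker to vehicle bus", 3, 2),
            Mode("failure", "Cellular modem firmware crash",
                 "Loss of connectivity", "Remote diagnostics unavailable", 1, 3),
            Mode("threat", "Trip data disclosed to third party",
                 "Privacy breach", "No effect on vehicle control", 1, 3),
        ]),
    ]


def rank_modes(parts: List[Part]) -> List[Tuple[Part, Mode]]:
    """All (part, mode) rows, highest risk first; ties broken by severity, then name."""
    rows = [(p, m) for p in parts for m in p.modes]
    rows.sort(key=lambda pm: (-pm[1].risk, -pm[1].severity, pm[1].description))
    return rows


def safety_motivated_security_goals(parts: List[Part]) -> List[str]:
    """Security goals that exist because a threat mode has a safety-relevant effect.

    Threat modes without a safety impact (severity below threshold) are left to
    the security analysis alone and produce no safety-motivated goal here."""
    goals = []
    for part, mode in rank_modes(parts):
        if mode.kind == "threat" and mode.severity >= SAFETY_RELEVANT_SEVERITY:
            goals.append(f"{part.name}: prevent '{mode.description}' "
                         f"(safety effect: {mode.system_effect})")
    return goals


def reassess_after_vulnerability(parts: List[Part], part_name: str,
                                 description: str, new_likelihood: int) -> Dict[str, int]:
    """Lifecycle step after release: a new vulnerability raises a threat mode's
    likelihood, so the analysis is redone and the mode's new rank is reported."""
    for part in parts:
        if part.name != part_name:
            continue
        for mode in part.modes:
            if mode.kind == "threat" and mode.description == description:
                before = mode.risk
                mode.likelihood = new_likelihood
                ranked = [m for _, m in rank_modes(parts)]
                return {"risk_before": before, "risk_after": mode.risk,
                        "rank_after": 1 + ranked.index(mode)}
    raise KeyError(f"no threat mode '{description}' on part '{part_name}'")


if __name__ == "__main__":
    system = build_sample_system()
    for part, mode in rank_modes(system):
        print(f"{mode.risk:2d}  {mode.kind:7s} {part.name:18s} {mode.description}")
    print("\n".join(safety_motivated_security_goals(system)))
    print(reassess_after_vulnerability(system, "Telematics gateway",
                                       "Remote code execution via unpatched service", 4))
```

Running the module prints the ranked worksheet, the two safety-motivated security goals, and the re-assessment in which the gateway threat moves to the top of the list once its likelihood is raised; the privacy threat never yields a safety-motivated goal because its system effect has no safety impact.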
To deepen the impact of our research results, AIT is actively involved in standardization activities to foster safety and security co-engineering and to promote joint approaches in the evolving editions of IEC 61508 and ISO 26262. AIT is a member of the recently founded ad hoc group 1 of IEC TC65 on “Framework towards coordination of safety and security”. AIT is also a member of IEC TC65 WG 10 and its national counterpart, which works jointly with ISA 99 to develop IEC 62443 “Industrial communication networks - Network and system security - Security for industrial automation and control systems”, a standard that serves as the reference for cybersecurity in industrial systems and in several other functional safety standards.
C. Schmittner et al.: “Security application of failure mode and effect analysis (FMEA)”, in Computer Safety, Reliability, and Security, Springer, Sep. 2014, pp. 310–325.
C. Schmittner et al.: “A Case Study of FMVEA and CHASSIS as Safety and Security Co-Analysis Method for Automotive Cyber-physical Systems”, in Proc. of the 1st ACM Workshop on Cyber-Physical System Security, 2015, pp. 69–80.
C. Schmittner, Z. Ma, E. Schoitsch: “Combined Safety and Security Development Lifecycle”, in IEEE INDIN, IEEE, July 2015 (to appear).
Christoph Schmittner, Zhendong Ma, Thomas Gruber, AIT Austrian Institute of Technology, Austria