Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline

Kriaa, Siwar; Bouissou, Marc; Colin, Frédéric; Halgand, Yoran; Piètre-Cambacédès, Ludovic

doi:10.1007/978-3-319-10506-2_22

Cited by 44 publications

(53 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Using safety approaches to address cyber security concerns had been explored previously [23] [24] [25] [26]. In [27], the authors briefly claim that the STAMP methodology can be used both after an event to prevent future such events and before any such event to anticipate threats and mitigate them.…”

Section: System Theoretical Accident Model and Process (Stamp)mentioning

confidence: 99%

A Systems Theoretic Approach to the Security Threats in Cyber Physical Systems Applied to Stuxnet

Nourian

Madnick

2018

IEEE Trans. Dependable and Secure Comput.

144

View full text Add to dashboard Cite

Cyber Physical Systems (CPSs) are increasingly being adopted in a wide range of industries such as smart power grids. Even though the rapid proliferation of CPSs brings huge benefits to our society, it also provides potential attackers with many new opportunities to affect the physical world such as disrupting the services controlled by CPSs. Stuxnet is an example of such an attack that was designed to interrupt the Iranian nuclear program. In this paper, we show how the vulnerabilities exploited by Stuxnet could have been addressed at the design level. We utilize a system theoretic approach, based on prior research on system safety, that takes both physical and cyber components into account to analyze the threats exploited by Stuxnet. We conclude that such an approach is capable of identifying cyber threats towards CPSs at the design level and provide practical recommendations that CPS designers can utilize to design a more secure CPS. Index TermsCPS security design, Stuxnet analysis, CPS, STAMP, Security and safety analysis.

show abstract

Section: System Theoretical Accident Model and Process (Stamp)mentioning

confidence: 99%

A Systems Theoretic Approach to the Security Threats in Cyber Physical Systems Applied to Stuxnet

Nourian

Madnick

2018

IEEE Trans. Dependable and Secure Comput.

144

View full text Add to dashboard Cite

show abstract

“…Compared with generic approaches, model-based approaches analyse security and safety in detail by means of formal representations and tools (Piètre-Cambacédès and Bouissou 2010; Kriaa et al 2014;Bloomfield et al 2013;Sun et al 2009). Bloomfield et al (2013) investigate the security impact on safety assessment in the context of critical infrastructure, based on ClaimsArguments-Evidence (CAE).…”

Section: Related Workmentioning

confidence: 99%

“…Such an approach offers (i) a tree-like representation to present the hierarchical relations between events and states, (ii) a quantitative analysis based on Markov processes by associating leaf events with estimated probabilities, and (iii) special "trigger" relations are designed to capture the interactions between events and states. This approach is also demonstrated with a case study in Kriaa et al (2014). The work provides a way to model and analyse the interdependency between security and safety, but it is not clear how conflicting relations between them can be detected and evaluated.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Model-based Approach to Interdependency between Safety and Security in ICS

Hankin

2015

Electronic Workshops in Computing

View full text Add to dashboard Cite

Wide use of modern ICT technologies brings not only communication efficiency, but also security vulnerabilities into industrial control systems. Traditional physically-isolated systems are now required to take cyber security into consideration, which might also lead to system failures. However, integrating security and safety analysis has always been a challenging issue and the various interdependencies between them make it even more difficult, because they might mutually enhance, or undermine. The paper proposes an integrating framework to (i) formalise the desired and undesired properties to be safe(unsafe) or secure(insecure), including the dependencies between them, (ii) evaluate if a query state reaches a safe(unsafe) or secure(insecure) state, and further quantify how safe or secure the state is. In this way, we can accurately capture the benign and harmful relations between safety and security, particularly detecting and measuring conflicting impacts on them. Finally, this framework is implemented by answer set programming to enable automatic evaluation, which is demonstrated by a case study on pipeline transportation.

show abstract

“…However, many of these works focus on qualitative aspects, or handle fewer risk metrics than we do, or support only independent quantitative annotations of attributes on the leaves. Related to AFTs are Booleandriven Markov processes (BDMPs, [37], [38]). However, there are several important differences: whereas our approach is compositional, BDMPs are monolithic, i.e.…”

Section: B Related Workmentioning

confidence: 99%

Quantitative Security and Safety Analysis with Attack-Fault Trees

Kumar

Stoelinga

2017

2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE)

View full text Add to dashboard Cite

Abstract-Cyber physical systems, like power plants, medical devices and data centers have to meet high standards, both in terms of safety (i.e. absence of unintentional failures) and security (i.e. no disruptions due to malicious attacks).This paper presents attack fault trees (AFTs), a formalism that marries fault trees (safety) and attack trees (security). We equip AFTs with stochastic model checking techniques, enabling a rich plethora of qualitative and quantitative analyses. Qualitative metrics pinpoint to root causes of the system failure, while quantitative metrics concern the likelihood, cost, and impact of a disruption. Examples are: (1) the most likely attack path; (2) the most costly system failure; (3) the expected impact of an attack. Each of these metrics can be constrained, i.e., we can provide the most likely disruption within time t and/or budget B. Finally, we can use sensitivity analysis to find the attack step that has the most influence on a given metric. We demonstrate our approach through three realistic cases studies.

show abstract

Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline

Cited by 44 publications

References 12 publications

A Systems Theoretic Approach to the Security Threats in Cyber Physical Systems Applied to Stuxnet

A Systems Theoretic Approach to the Security Threats in Cyber Physical Systems Applied to Stuxnet

A Model-based Approach to Interdependency between Safety and Security in ICS

Quantitative Security and Safety Analysis with Attack-Fault Trees

Contact Info

Product

Resources

About