1. Merging safety and cybersecurity analysis in product design
- Author
-
Joshua E. Siegel, Dajiang Suo, Sanjay E. Sarma, Massachusetts Institute of Technology. Department of Mechanical Engineering, Sanjay E. Sarma, Suo, Dajiang, Siegel, Joshua E, and Sarma, Sanjay E
- Subjects
Functional safety ,050210 logistics & transportation ,Spoofing attack ,Exploit ,Product design ,Computer science ,Mechanical Engineering ,05 social sciences ,Cyber-physical system ,Attack tree ,Transportation ,02 engineering and technology ,Computer security ,computer.software_genre ,Identification (information) ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,0502 economics and business ,Threat model ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,Law ,computer ,General Environmental Science - Abstract
When developing cyber-physical systems such as automated vehicles, safety and cybersecurity analyses are often conducted separately. However, unlike in the IT world, safety hazards and cybersecurity threats converge in cyber-physical systems; a malicious party can exploit cyber-threats to create extremely hazardous situations, whether in autonomous vehicles or nuclear plants. We propose a framework for integrated system-level analyses for functional safety and cyber security. We present a generic model named Threat Identification and Refinement for Cyber-Physical Systems (TIRCPS) extending Microsoft’s six classes of threat modelling including Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service and Elevation Privilege (STRIDE). TIRCPS introduces three benefits for developing complex systems: first, it allows the refinement of abstract threats into specific ones as physical design information becomes available; Second, the approach provides support for constructing attack trees with traceability from high-level goals and hazardous events to threats. Third, TIRCPS formalizes the definition of threats such that intelligent tools can be built to automatically detect most of a system’s vulnerable components requiring protection. We present a case study on an automated-driving system to illustrate the proposed approach. The analysis results of a hierarchical attack tree with cyber threats traceable to highlevel hazardous events are used to design mitigation solutions.
- Published
- 2018