Structured Reasoning for Socio-Technical Factors of Safety-Security Assurance
Current research presents several approaches to safety-security technical risk analysis. Indeed, many safety standards now require that security be considered. However, with greater knowledge of what makes assuring both attributes difficult in an industrial context, it becomes clear that the technical assurance is not the only challenge: the entire socio-technical system that supports assurance is also involved. In this paper, the second part of the Safety-Security Assurance Framework, the Socio-Technical Model (SSAF STM), is presented as one way of reasoning about these wider issues that make co-assurance difficult.
Keywords: Safety, Security, Assurance, Socio-technical factors
Research and development of SSAF was supported by the University of York, the Assuring Autonomy International Programme (AAIP), BAE Systems, and the UK EPSRC (Award Ref: iCASE 1515047).