A Survey on the Applicability of Safety, Security and Privacy Standards in Developing Dependable Systems

  • Lijun Shan
  • Behrooz Sangchoolie
  • Peter Folkesson
  • Jonny Vinter
  • Erwin Schoitsch
  • Claire Loiseaux
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11699)

Abstract

Safety-critical systems are required to comply with safety standards. These systems are increasingly digitized and networked, to the extent that they must also comply with security and privacy standards. This paper aims to provide insights into how practitioners apply standards on safety, security or privacy (Sa/Se/Pr), and how they employ Sa/Se/Pr analysis methodologies and software tools to meet such criteria. To this end, we conducted a questionnaire-based survey among the participants of the EU project SECREDAS and obtained 21 responses. The results of our survey indicate that safety standards are widely applied by product and service providers, driven by requirements from clients or from regulators and authorities. When it comes to security standards, practitioners face a wider range of standards, of which few target specific industrial sectors. Some standards that link safety and security engineering are not widely used at the moment, or practitioners are not aware of this feature. For privacy engineering, the availability and usage of standards, analysis methodologies and software tools are weaker than for safety and security, reflecting the fact that privacy engineering is an emerging concern for practitioners.

Keywords

Safety; Security; Privacy; Standards; Dependable systems

Acknowledgements

This work was partly supported by the SECREDAS project with the JU Grant Agreement number 783119, and the partners national funding authorities.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Lijun Shan (1)
  • Behrooz Sangchoolie (2)
  • Peter Folkesson (2)
  • Jonny Vinter (2)
  • Erwin Schoitsch (3)
  • Claire Loiseaux (1)

  1. Internet of Trust, Paris, France
  2. RISE Research Institutes of Sweden, Borås, Sweden
  3. Austrian Institute of Technology, Vienna, Austria