Considering Change: Understanding the Impact of Security Weaknesses in Safety-Critical Systems
Nikita Johnson
Product Cyber Security Engineer, Rolls Royce
A key difference between safety and security in high integrity systems is the level of certainty about risk and its acceptability. Safety arguments can have evidence-based claims about the structure of the system design, process and reliability of physical parts. However, for security, due to the presence of an intelligent adversary, there may be exploitable vulnerabilities in the system which increase uncertainty and undermine the security controls.
To address some of these challenges, this presentation gives a detailed view of a Vulnerability Management approach for safety-critical systems using real-world illustrative cases. The approach was developed in the Aerospace sector under the HICLASS programme, but likely has wider application in any sector with an objective- or risk-based approach to safety and security assurance.
The approach consists of an iterative process with several steps, decision points and output artefacts. The process steps are identification, triage, detailed analysis and treatment of vulnerabilities according to their criticality. An important part of Vulnerability Management for high integrity systems is developing auditable evidence for claims about the impact on risk acceptability and assurance confidence.
The decision points are therefore an important component of the Vulnerability Management process. They are analogous to gated systems development processes with key entry and exit criteria, and they allow engineering judgement and rationale to be captured in a systematic way. This data serves as evidence for auditors, regulators and customers who require it. The recorded decisions also provide a useful starting point for evaluating the criticality of a later change against what was previously decided.
Vulnerability management is an ongoing process: vulnerabilities must be continually monitored and managed to maintain the integrity of the system over its life. Regular vulnerability scans and penetration testing help identify new vulnerabilities as they emerge, so that mitigations can be applied before they are exploited. Regular training for system administrators and operators also raises awareness of potential vulnerabilities and promotes good practice in managing them.
Vulnerabilities are dynamic and likely to change in response to a number of factors such as attacker capability, technology availability, information disclosure and system exposure to risk. It is impractical to have a static security argument based on unchangeable likelihoods. This Vulnerability Management approach provides a systematic way of incorporating new security information throughout the lifetime of the system.
About Nikita Johnson
Nikita is a Product Cyber Security Engineer at Rolls Royce who is tackling the cyber threat challenges on multiple fronts within Aerospace and other safety-related sectors. Her work involves active contribution to several national and international standards and regulation bodies, such as EUROCAE's WG-72 and NCSC's Supply Chain Security Community of Interest (COI). Part of her role also involves the day-to-day detail of technical risk assessments and cyber assurance for legacy systems that were not designed with cyber security in mind. Previously, Nikita developed the Safety-Security Assurance Framework (SSAF) as part of her PhD with BAE Systems. She has since continued affiliation with several research groups and projects with the primary goal of improving safety and security argumentation and assurance in industry.