Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline

The digitalization of industrial control systems (ICS) raises several security threats that can endanger the safety of the critical infrastructures supervised by such systems. This paper presents an analysis method that enables the identification and ranking of risks leading to a safety issue, regardless of the origin of those risks: accidental or due to malevolence. This method relies on a modeling formalism called BDMP (Boolean logic Driven Markov Processes) that was initially created for safety studies and then adapted to security. The use of the method is first illustrated on a simple case to show how it can be used to make decisions in a situation where security requirements are in conflict with safety requirements. Then it is applied to a realistic industrial system, a pipeline and its instrumentation and control system, in order to highlight possible interactions between safety and security.
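As an added illustration (not the paper's model or its pipeline case study), the following Python sketch evaluates a small BDMP-like structure: a safety top event fed by an accidental branch and an attack branch whose second step is only active once its precondition is realized (a trigger), and compares a baseline with a configuration where remote commands are authenticated. All rates, the one-year mission time and the branch structure are constructed assumptions, and the closed forms assume independent, non-repairable exponential leaves, which is a simplification of BDMP's actual Markov semantics.

```python
import math

# Constructed mission time: one year of operation, in hours (assumption, not from the paper).
T = 8760.0

def p_exp(rate, t):
    """P(an exponential event with `rate` has occurred by time t); non-repairable leaf."""
    return 1.0 - math.exp(-rate * t)

def p_triggered(rate_a, rate_b, t):
    """P(A occurs, then B occurs, both by t) where B's process only starts once A is realized.
    This mimics a BDMP trigger: the attack step stays inactive until its precondition holds."""
    if abs(rate_a - rate_b) < 1e-12:            # equal rates: Gamma(2, rate) CDF
        return 1.0 - math.exp(-rate_a * t) * (1.0 + rate_a * t)
    return (1.0 - math.exp(-rate_a * t)) - rate_a * (
        math.exp(-rate_b * t) - math.exp(-rate_a * t)) / (rate_a - rate_b)

def top_event(rates, t=T):
    """Top event: loss of pressure containment on the pipeline (constructed model).
    Accidental branch: pressure control fails AND the emergency shutdown (ESD) is unavailable.
    Attack branch: remote access obtained, THEN the ESD is disabled by a forged command.
    Returns per-branch probabilities and the OR of both branches (assumed independent)."""
    acc = p_exp(rates["ctrl_fail"], t) * p_exp(rates["esd_fail"], t)
    att = p_triggered(rates["remote_access"], rates["forged_cmd"], t)
    return {"accidental": acc, "attack": att, "top": 1.0 - (1.0 - acc) * (1.0 - att)}

def ranked(result):
    """Rank the branches by their contribution, most likely first (the 'ranking of risks')."""
    return sorted(((k, v) for k, v in result.items() if k != "top"), key=lambda kv: -kv[1])

# Constructed rates per hour, chosen only to make the trade-off visible.
BASELINE = {"ctrl_fail": 1e-4, "esd_fail": 1e-5, "remote_access": 1e-5, "forged_cmd": 1e-4}
# Security measure under consideration: authenticate remote commands. It makes forging a
# command far slower for the attacker, but adds an accidental ESD failure mode (a legitimate
# shutdown rejected because credentials are unavailable), so the safety leaf rate rises.
WITH_AUTH = {**BASELINE, "forged_cmd": 1e-7, "esd_fail": 1e-5 + 2e-5}

def compare(t=T):
    """Evaluate both configurations so the safety/security conflict can be decided on numbers."""
    return {"baseline": top_event(BASELINE, t), "with_auth": top_event(WITH_AUTH, t)}

if __name__ == "__main__":
    for name, res in compare().items():
        print(name, {k: f"{v:.3e}" for k, v in res.items()},
              "ranking:", [k for k, _ in ranked(res)])
```

With these constructed rates the authentication measure almost removes the attack branch yet raises the top-event probability, because the extra shutdown-failure mode outweighs the attack reduction; changing the penalty on `esd_fail` flips the decision, which is the kind of trade-off the combined model is meant to expose.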