Safety and security co-assurance

  1. Safety-Security Co-Assurance Case

Both system safety and security are critical goals, but they are not always compatible: a security control can block a safety function (for example, an authentication lockout that keeps an operator out of an emergency control), and a safety mechanism can open an attack path (for example, a fail-safe shutdown that an attacker can trigger remotely). You therefore have to consider safety and security interactions when developing a system assurance case. A solution to this problem, the Safety-Security Assurance Framework (SSAF), has been proposed in the latest publication of the SCSC Security Informed Safety Working Group. The main idea is to explicitly specify synchronization points between safety and security assurance.

The SSAF covers technical and socio-technical risks related to safety and security across the whole system life cycle. It is a broad topic, and we will focus on assurance cases. In short, the guidance recommends developing three argument legs in the system assurance case: one that considers safety risk, one that considers security risk, and one that considers the risks arising from their interactions. The diagram below, derived from the SCSC document, illustrates this concept of a Safety-Security Co-Assurance Case.

Safety-Security Co-Assurance Case

All branches of the argument are supported by evidence demonstrating requirements satisfaction. There are three sets of requirements: those supporting system safety, those supporting system security, and those supporting safety-security co-assurance. These requirements are created at each phase of the system life cycle, from the concept phase through design, implementation and testing to operation. Regardless of the life cycle model used, each phase must include a safety and security synchronization. In each phase of the life cycle, activities are performed according to the following steps:

1. Planning, including establishing the shared context, terminology and synchronization points. It is not necessary to agree on the complete context and terminology of safety and security, only on the shared elements.

2. Engineering actions specific to the given phase, performed separately for safety and security, with risk-related information exchanged at the agreed synchronization points.

3. Development of the assurance case argument increment for the phase actions just performed, separately for safety and security.

4. Development of the co-assurance argument increment and completion of the safety and security synchronization for the given phase of the system life cycle. This includes verification and validation of the phase results.

5. Co-assurance impact propagation: update of the safety and security models, artefacts and goals based on the synchronization results. The co-assurance argument is updated accordingly.
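To make the five steps concrete, the following added example (written for this page, not code from the SCSC document or any SSAF tool) models a co-assurance case as three requirement sets, one per argument leg, plus the synchronization points of each phase. Its check() enforces the structural rules described above: every phase has a synchronization point, every requirement is backed by evidence, and every co-assurance requirement names at least one safety and one security requirement that were actually exchanged at that phase's synchronization point. impacted_by() supports step 5 by listing what must be revisited when one requirement changes. The remote-maintenance requirements, identifiers (S1, C1, X1 and so on) and evidence references are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class Leg(Enum):
    SAFETY = "safety"
    SECURITY = "security"
    CO_ASSURANCE = "co-assurance"


@dataclass
class Requirement:
    rid: str
    leg: Leg
    phase: str
    text: str
    evidence: list = field(default_factory=list)
    # Only co-assurance requirements set this: the safety and security
    # requirements whose interaction the requirement argues about.
    depends_on: tuple = ()


@dataclass
class SyncPoint:
    phase: str
    exchanged: frozenset  # requirement ids whose risk information was exchanged


@dataclass
class CoAssuranceCase:
    phases: list
    requirements: dict
    sync_points: list

    def check(self):
        """Return a list of findings; an empty list means the argument structure is consistent."""
        findings = []
        synced = {}
        for sp in self.sync_points:
            synced.setdefault(sp.phase, set()).update(sp.exchanged)
        for phase in self.phases:
            if phase not in synced:
                findings.append(f"phase '{phase}' has no synchronization point")
        for req in self.requirements.values():
            if not req.evidence:
                findings.append(f"{req.rid} has no supporting evidence")
            if req.leg is Leg.CO_ASSURANCE:
                legs = set()
                for dep in req.depends_on:
                    other = self.requirements.get(dep)
                    if other is None:
                        findings.append(f"{req.rid} depends on unknown requirement {dep}")
                        continue
                    legs.add(other.leg)
                    if dep not in synced.get(req.phase, set()):
                        findings.append(f"{req.rid}: {dep} was not exchanged at the '{req.phase}' synchronization point")
                if legs != {Leg.SAFETY, Leg.SECURITY}:
                    findings.append(f"{req.rid} must name at least one safety and one security requirement")
            elif req.depends_on:
                findings.append(f"{req.rid} is a {req.leg.value} requirement but declares interdependencies; they belong in the co-assurance leg")
        return findings

    def impacted_by(self, rid):
        """Step 5: requirements to revisit when `rid` changes, i.e. the co-assurance
        requirements that depend on it and the other-leg requirements they couple it to."""
        impacted = set()
        for req in self.requirements.values():
            if req.leg is Leg.CO_ASSURANCE and rid in req.depends_on:
                impacted.add(req.rid)
                impacted.update(d for d in req.depends_on if d != rid)
        return sorted(impacted)


def build_example_case():
    """Constructed sample (hypothetical remote-maintenance scenario, not from SCSC-173)."""
    reqs = [
        Requirement("S1", Leg.SAFETY, "design", "On loss of the supervisory link the actuator enters a safe state within 200 ms", ["FMEA-7"]),
        Requirement("C1", Leg.SECURITY, "design", "Remote maintenance sessions are mutually authenticated and expire after 10 minutes", ["TM-3"]),
        Requirement("X1", Leg.CO_ASSURANCE, "design", "Session expiry or credential revocation must not trigger the S1 safe-state transition while the actuator is mid-motion", ["HAZOP-SEC-2"], ("S1", "C1")),
        Requirement("S2", Leg.SAFETY, "test", "Safe-state entry timing verified on target hardware", ["TST-41"]),
        Requirement("C2", Leg.SECURITY, "test", "Repeated forced session expiry cannot be used to cause repeated safe-state entry", ["TST-42"]),
        Requirement("X2", Leg.CO_ASSURANCE, "test", "Combined test: expiry during motion leaves the actuator in a safe and attributable state", ["TST-43"], ("S2", "C2")),
    ]
    return CoAssuranceCase(
        phases=["design", "test"],
        requirements={r.rid: r for r in reqs},
        sync_points=[SyncPoint("design", frozenset({"S1", "C1"})), SyncPoint("test", frozenset({"S2", "C2"}))],
    )


if __name__ == "__main__":
    case = build_example_case()
    print("findings:", case.check() or "none")
    print("revisit if S1 changes:", case.impacted_by("S1"))
```

Deleting the "test" synchronization point from the sample makes check() report both the missing synchronization point and the X2 dependencies that were never exchanged, which is exactly the kind of gap the explicit-synchronization principle is meant to surface before the argument is reviewed.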

The process should be performed according to the six SSAF Core Principles, which are intended to ensure the development of a clear and convincing safety and security co-assurance argument. One of the Core Principles states that explicit synchronization points are to be defined to support interdependent safety and security co-assurance. This is the key point: all interdependencies are to be explicitly specified and managed in the co-assurance argument.

The framework proposed by the SCSC is pragmatic and offers a good chance of effective safety and security co-assurance. Safety and security engineers work independently in their own areas and communicate with each other at specific synchronization points in each phase of the system life cycle. The synchronization results are documented in the co-assurance argument. The success of the entire project depends on how the synchronization is organized and on the cooperation of the parties involved. The adopted principle of explicitly specifying safety and security interdependencies is what makes the approach likely to be effective in practice.

You will find the full description of the Safety-Security Assurance Framework (SSAF) in the SCSC document “Through-Life Co-Assurance of System Safety and Cyber Security” (SCSC-173).