Safe and Secure? Combining Safety and Security
Jon Wiggins
Engineering automation solutions for end users and OEMs around the world, creating safer, smarter and greener operations.
With the growth of complex and interconnected systems, the question of how OT security impacts safety, and how safety impacts security, has become ever more important. Safety information can now be sent over the air, and safety systems interact in ways that were not seen 10 years ago.
How do the two relate? Are the two concepts fundamentally contradictory, or can they co-exist?
One room or two?
Exploring this at the highest level, we must first look at a simple model: a fire door to a server room.
Two requirements:
· Safety – the door must open outwards easily so that people can leave the server room.
· Security – the door must not allow people into the server room under any circumstances.
If the door fails shut, that is a dangerous failure. If the door fails open, that is a security breach. If the door opens under safety conditions, this can also be a security breach. If the security system holds the door closed in an emergency, this is a dangerous failure.
The classic safety and security model is shown below.
[Figure: classic safety and security model]
Care should be taken here, as this implies that security measures protect safety measures. This may be referred to as the ante-room model, described below.
To enter the safety room one must first pass through the security room. Each room represents the environment, with the doors representing the measures taken. If we go back to our scenario, this model implies that safety measures cannot cause a security breach, since the safety system cannot compromise security, and that security measures may add an overall layer of protection to the safety measures. Our fire door scenario gives the lie to this and suggests a room structure more like the conjoined-room model described below.
The safety and security domains are contained in conjoined rooms, with a failure in one opening a route to failure in the other. In this model there is an overall system integrity which is a combination of the safety and security domains, and compromise of one affects the other. In this model, compromised safety measures can cause a security breach, and the system security can compromise the system safety. This model fits the description of our fire escape well.
We must therefore conclude that the two measures are inextricably linked at the system level and that all measures and countermeasures may have an impact on both domains.
System level approach.
If we take the conjoined room model as the best representation, then safety and security are two sides of the overall system integrity. Together they represent a whole-system assurance framework. As such, it is not valid to say that any safety measure cannot have a security impact, and vice versa.
We therefore have to take a whole-system approach to assessing the two domains. When the system is specified, the system goals must include both safety and security targets. These drive first the functional requirements and then the realisation requirements.
Both of these requirement sets need the application of safety and security principles to assure that the system-level goals are met. Where contradictions are found, they must be resolved by revising the requirements until a final, consistent set is reached. There is no priority here, as each is dependent on the other.
At a practical level, both sets of requirements will be fleshed out in initial concepts. Safety focuses initially on the functional requirements (functional safety) to drive the realisation requirements. Security focuses on refining the realisation requirements to refine the functional requirements. These approaches lend themselves to an iterative process.
System goals should be achievable. If a system goal cannot be achieved, the system may not be realisable in its current form and a re-appraisal is required. It is best to start from the minimum requirement and build up, rather than attempt a gold standard and then compromise. The latter approach sets no base limit for the goals and risks slow degradation below a tolerable level.
Do it right, do it again.
A key principle in both fields is that of Plan, Do, Check, Act. The assessment of risk and threat is dynamic. The more complexity a system has, the more risks and threat vectors it has, and the more it will change over time. As a system progresses through its life, changes in operating principle and personnel should be monitored and, where needed, the original assumptions tested and confirmed or modified. An irrelevant safety and security approach is almost worse than no approach, as it builds a false sense of security.
To Conclude
This introduction shows that, at the top level, safety and security are aspects of overall system integrity. One cannot exist without the other, and the two aspects have to be considered together in an iterative approach throughout system development and the system lifecycle.
Potential conflicts between requirements for safety and security should be rare, but they have to be resolved with reference to the system goals. Compromise is not an option unless the overall system goals are changed. It is better to start from a minimum viable integrity level and add integrity than to creep down from a gold standard.
Sorts Safety Problems in Difficult, Complex and Highly Regulated Applications
11 months
I think you've hit the nail on the head here, Jon.... One attribute is generally needed to deliver the other, and often measures can be shared between the two. It's an odd thing that many industries don't expect practitioners in one attribute to have any competence at all in the other!