Validation and Verification (V&V): Safety vs Security.

When conducting Verification & Validation activities to ensure cybersecurity compliance for Railway products or systems, companies often mistakenly assign Safety Engineers/Validators to execute the associated tasks. This incorrect approach is typically driven by the fact that the Product Development Lifecycles for cybersecurity and RAMS appear quite similar. Of course, Safety Engineers are familiar with the V&V process defined by EN 50126, and when it comes to cybersecurity, the assumption is that there should be no difference. Consequently, some believe there is no need to hire or develop cybersecurity experts for these "similar" activities.

But is this really the case? Let me explain.

The devil is in the details...

Typically, a Railway product (component or system) must comply with cybersecurity requirements from IEC 62443, as well as national regulations (like the CRA, the NIS2 Directive or others) and contractual obligations. These requirements differ from those found in safety standards such as EN 50126, which outlines RAMS requirements.

While the System Development Lifecycles for RAMS and cybersecurity are indeed similar, and cybersecurity borrows a lot from EN 50126, the activities conducted in each phase are very different, requiring distinct levels of knowledge, expertise, and awareness in the cybersecurity domain. Yes, even the methodologies are very close, but there is a crucial difference: cybersecurity addresses different types of threats, threat sources and attack vectors, and as a result requires different countermeasures. For example, preventing a network intrusion requires more than applying physical security measures or avoiding equipment misconfiguration. A System Engineer reading IEC 62443-3-3 alone is not enough (especially since it can be cryptic at times). Similarly, a Cybersecurity Engineer cannot address safety hazards the way a Safety Engineer does. These two domains, safety and cybersecurity, have differences that, as always, are hidden in the details, and one cannot replace the other.


Let people do their work!

Assign Safety Engineers to do RAMS and Cybersecurity Engineers to do cybersecurity. These two roles cannot replace each other, but they need to work together to improve the overall quality, safety, and security of your system!

If you still believe that safety and cybersecurity V&V are similar after reading the above, let's dive deeper.

The main objectives of cybersecurity testing conducted during V&V activities are to ensure:

  • Implementation and effectiveness of cybersecurity requirements: cybersecurity requirements and countermeasures, resulting from the system's Detailed Risk Assessment, are effective and successfully implemented.
  • Threat mitigation: threats identified in the system's Threat Landscape are effectively addressed, with the associated risks reduced to an acceptable level based on the project's Risk Acceptance Criteria; unmitigated risks are explicitly handled as well.
  • Vulnerability disclosure and remediation: all known vulnerabilities are confirmed, appropriate remediation measures (where applicable) are implemented, and the system is assured to be free of unhandled vulnerabilities.
  • System resilience: the system is resilient to cyberattacks that might occur during its real-life operation.

Based on these, IEC 62443 (and TS 50701 for Railways) require four specific types of security testing activities:

  • Security requirements testing: ensures that the system meets the defined cybersecurity requirements, that all of them are correctly implemented, and that error scenarios and invalid inputs are handled properly without affecting the cybersecurity objectives defined for the system.

  • Threat mitigation testing: ensures that the cybersecurity countermeasures implemented within the system effectively mitigate the associated cyber threats and remain resilient against them.

  • System vulnerability testing: identifies and confirms all known vulnerabilities in the system and ensures they are addressed effectively. Additionally, it uncovers previously unknown vulnerabilities with the aim of defining appropriate mitigation strategies.

  • Penetration testing: simulates real-world attacks to identify methods for circumventing the system's security features and demonstrates its resilience in a real-life operational environment.

Typically, for penetration testing activities, which require a high level of independence according to IEC 62443, external companies specialized in cybersecurity are contracted to ensure correctness and quality. For the other testing activities, it is common for internal employees to be involved. However, when Safety Engineers are assigned to perform cybersecurity V&V, how can they ensure its effectiveness and correctness? This is, of course, not written to downplay the importance of Safety Engineers, but to emphasize that cybersecurity work requires cybersecurity experts, just as a neurologist cannot perform heart surgery.

We hope this quick overview helps explain why it is crucial to separate safety and cybersecurity activities for your systems. At the same time, there is no safety on the track without cybersecurity, so both domains should work closely together without any doubt!


So, what is next?

To conclude, what is the right strategy to execute your V&V activities correctly with respect to cybersecurity? As a minimum, we recommend the following:

  1. Define a proper verification and validation strategy for your system, specifying exactly what needs to be done, by whom, and what the outcomes of these activities should be.
  2. Define the relevant roles and the required level of knowledge to manage cybersecurity for your system. For example, a Project Manager does not need to know how to identify vulnerabilities in the firmware of your system, but should at least understand what a vulnerability is. Meanwhile, a Security Tester performing vulnerability testing should be able to define the appropriate methodology and tools, set up the testing environment, and interpret the collected results.
  3. Ensure proper traceability when conducting V&V activities. Document all findings, steps taken, and remediation activities for your system to avoid duplication, keep a clear picture of the achieved security posture, and successfully pass an external audit or certification.
  4. Lastly, in most cases it is cheaper and faster to request external support from experts who specialize in cybersecurity. Just be sure to choose the right ones.

We hope the time you spent reading this article was worth it, and that these brief insights have helped you navigate the complex tapestry of cybersecurity validation. If you would like to discuss this in more detail, the experts at CYBERSHIELD are just a click away!

If you would like to discuss this in detail, let's have a quick talk: https://outlook.office365.com/book/[email protected]/

For direct contact, mail us at [email protected]

Mohamed Abdelrhafour, CEH, CISM, CISA, TüV FS-Eng.

Senior OT/ICS/IT & Cybersecurity Consultant

5 months

This excellent article distinguishes between Safety and Cybersecurity V&V roles in railway systems. Often, companies mistakenly assign Safety Engineers to handle cybersecurity V&V due to lifecycle similarities, yet each domain requires unique expertise for different threats, responses, and goals. A few added insights:

  1. Collaboration: While assigning roles correctly is key, fostering collaboration between Safety and Cybersecurity teams can identify critical overlaps, strengthening both areas.
  2. Baseline Cybersecurity Training: A basic cybersecurity awareness program for Safety Engineers can bridge minor gaps and accelerate team collaboration on overlapping requirements.
  3. Continuous, Contextual Testing: Since railway systems have long lifespans, ongoing cybersecurity testing should be aligned with system updates to stay resilient against evolving threats.
  4. Shared Resilience Goals: Developing a joint framework to align on resilience testing enhances how systems respond to both safety and security challenges in real-time.

These strategies not only reinforce cybersecurity but create a proactive, cross-functional approach for critical infrastructure.
