A Case Study of FMVEA and CHASSIS As Saf PDF
ABSTRACT

The increasing integration of computational components and physical systems creates cyber-physical systems, which provide new capabilities and possibilities for humans to control and interact with physical machines. However, the correlation of events in cyberspace and the physical world also poses new safety and security challenges. This calls for holistic approaches to safety and security analysis for the identification of safety failures and security threats and a better understanding of their interplay. This paper presents the application of two promising methods, i.e. Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) and Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS), to a case study of safety and security co-analysis of cyber-physical systems in the automotive domain. We present the comparison, discuss their applicability, and identify future research needs.

Categories and Subject Descriptors

C.4 [Performance of Systems]: Design studies, Modeling techniques; C.3 [Special-purpose and Application-based Systems]: Real-time and embedded systems; D.2.1 [Software Engineering]: Requirements/Specifications—Methodologies

Keywords

Safety and Security Co-analysis; Cyber-physical system; Systems engineering; Automotive

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
CPSS'15, April 14, 2015, Singapore.
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-3448-8/15/04 ...$15.00.
http://dx.doi.org/10.1145/2732198.2732204.

1. INTRODUCTION

Cyber-physical systems (CPS) are systems with interacting computational components and physical systems. CPS provide many new capabilities and possibilities for humans to control and interact with physical machines. Besides application domains such as energy, industrial control and healthcare, CPS have also made evolutionary changes in mobility, especially automobiles. Automotive cyber-physical systems transform vehicles from electromechanical systems into intelligent means of transport for improved road safety, traffic efficiency, and human convenience. Automotive cyber-physical systems in modern vehicles are complex, with up to 100 Electronic Control Units (ECUs) [1] and multiple internal networks connecting intelligent sensor nodes with control units and actuators. Such connectivity and cooperation enable vehicles to connect with other road users and the infrastructure systems, such that drivers can react more quickly and correctly to their environment. Current projections show that the vehicles of the future will be part of intelligent transportation systems characterized by seamless interaction and cooperative mobility among multiple road vehicles and other modes of transport. Embedded systems such as computation devices, sensors, real-time control systems, and communication networks enable vehicles to perform many advanced maneuvers and functions, e.g. driverless cars, vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication. This allows highly automated driving and cooperative response to road and traffic conditions on a local as well as regional basis.

However, the increased interactivity between cyber and physical systems and connectivity also gives rise to new safety and security challenges. Since attacks in cyberspace can lead to devastating consequences in the physical world, ensuring safety and security in the engineering process are two equally important aspects for developing systems with high availability, reliability, and dependability. Due to the tight interplay between safety and security, combining safety and security in the engineering process for CPS has become a new and interesting research topic in recent years [2], [3].
This paper investigates an integral part of the safety & security co-engineering approach called safety & security co-analysis, which aims to identify and analyze safety and security risk in a holistic approach. We focus on the methods that enable the assessment of safety effects from security threats and vice versa. In [4], we presented a Failure Mode and Effect Analysis approach which extends safety analysis to include security. We applied the method to the analysis of a vehicle system in [5]. In this paper, we further evaluate another promising approach, i.e. the Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) [6], and compare it with FMVEA. As a work in progress for establishing a holistic safety & security co-analysis method, we apply both approaches to a case study of automotive CPS. We compare the results and discuss the research challenges and gaps.

In the following, Section 2 reviews the existing work and standardisation approaches for safety and security. Section 3.1 and Section 3.2 introduce FMVEA and CHASSIS, respectively. Section 4 presents our comparison of the two approaches, followed by the conclusion in Section 5.

2. STATE OF THE ART

Due to the tight coupling between communication and computing systems and physical machines in CPS, events in cyberspace and the physical world become increasingly correlated. Consequently, safety and security challenges arise in all domains where CPS are used.

In the past, the safety and security communities developed quite differently and almost independently, and the resulting standards, guidelines and methods were also limited to either safety or security. With cyber-physical systems becoming ubiquitous, and their connectivity particularly over "open" (i.e. wireless) channels predominant, a holistic view on the dependability of systems becomes essential, including all the properties of safety, security, reliability, availability and maintainability [7].

2.1 Safety Analysis

In the literature, many risk analysis methods can be found with varying levels of detail and for different degrees of knowledge about the system under consideration, for instance, for the chemical process industry [8]. ISO/IEC 31010:2009 [9] lists 31 risk analysis methods without making claims of being exhaustive. It contains short descriptions and provides guidance on which technique is appropriate for obtaining certain result values in a particular setting with specific influencing factors (cf. tables A.1 and A.2 in [9]). Although it states "This standard does not deal specifically with safety. It is a generic risk management standard . . . ," it is evident that most of the methods described are primarily, if not only, intended for safety analysis, and there is no guidance at all on how to deal with security vulnerabilities and threats.

Safety-oriented risk analysis methods are available for qualitative as well as quantitative analysis. In ISO/IEC 31010:2009, well-introduced and, if required, detailed quantitative safety analysis methods can be found. Among them are established methods like HAZard and OPerability study (HAZOP [10]), Fault Tree Analysis (FTA [11]), and Failure Modes and Effects Analysis (FMEA [12]). The latter formed the basis on which one of the two methods compared in this paper is built, namely FMVEA.

Safety analysis normally includes the potentially affected system element, the way in which the element fails, possible causes, local as well as system-global consequences, existing and necessary detection, protection and mitigation measures, and the likelihood of the failure. For stochastic hardware faults, the latter can be taken from statistical data. Software faults and systematic hardware faults can be widely eliminated by high-quality development processes and rigorous verification and validation, leaving the residual systematic failure rate below the critical threshold. With respect to security analysis, however, likelihood is one of the issues which make a common and comparable safety and security analysis difficult.

In addition, safety analyses can and should be performed at early stages and during the system development. The results are valid as long as no changes to the system are made. Security analysis should continue while the system is deployed in the target environment and needs to be updated when new vulnerabilities are found.

2.2 Security Analysis

Several standards and guidelines exist today which are applicable to information security analysis. The ISO/IEC 27000 series provides standards on information security and risk management, and security controls. In general, these standards focus on security policy and security management strategy. In NIST SP800-30 "Risk Management Guide for Information Technology Systems", a methodology is proposed to conduct risk assessment in nine sequential steps. From a security point of view, ISO/IEC 31010 is also relevant because it provides information on risk assessment concepts, processes and the selection of risk assessment techniques. Commonly used techniques in practice include threat modeling [13] and attack trees [14]. Threat modeling is proposed by Microsoft as an integral part of its security development lifecycle. It identifies threats and impacts in a system design. The attack tree is an extension of Fault Tree Analysis. It uses a tree structure to identify potential attack steps and their inter-relations.

In the research community, the attack graph [15] is a method to identify security risks from network-based attacks. In an attack graph, a network is modeled as a finite state machine. The state space of the network is then enumerated to find the network in an insecure state. CORSA [16] is a model-based security risk analysis method. First, a system is modeled using a modeling language such as UML. Security risks are identified in structured brainstorming, in which the target of analysis is viewed from different perspectives by different participants to ensure that a broad scope of security risks is considered.

2.3 Security in Safety Standards

In the standardization community of IEC TC65¹, awareness has risen that security is becoming a crucial factor for these automation and control systems. It has to be managed differently from the computing- and data-center-based approaches of e.g. the ISO 27000 series [17], and in a more holistic/system-centered manner than by ISO/IEC 15408 (Common Criteria) [18].

¹ Industrial-process measurement, control and automation, where most of the computer-based functional safety standards are developed.
At the end of October 2014, a new Ad-Hoc Group of IEC TC65 on "Framework for co-ordination of safety and security (in industrial automation)" was kicked off. The mission of the group is to look into this issue from a more general system point of view and to derive recommendations on how to treat this issue in the context of functional safety standardization. As a starting point, an overview was provided on how functional safety standards from different domains prefer more or less integration/separation of safety and security concerns. The following is an excerpt from the functional safety standards review, showing how security is considered in the automotive, railway, machinery and generic functional safety standards.

In the automotive safety standard ISO 26262 [19], security risks are not considered. While "reasonably foreseeable misuse" is mentioned as a factor for the risk assessment, it relates only to misuse (e.g. a reckless driver) without malicious intention.

Besides automotive CPS, such challenges also arise in the railway domain, where in the past this was rather a physical issue because of separated electro-mechanical and proprietary communication systems. With the increasing use of wireless communication (European Train Control System (ETCS) [20]), security requirements have to be considered, although safety remains the primary issue for certification. The IEC 62443 standard [21] "Industrial communication networks - Network and system security - Security for industrial automation and control systems" was identified as a starting point to integrate security in their domain-specific safety standards [22]. Particularly in Germany, a draft for an update of EN 50129 [23] to include security requirements from IEC 62443 was started.

The functional safety standard group for machinery (IEC TC44 committee) proposed to separate safety and security requirements and responsibilities. This proposal was sent to ISA for comments, and ISA stated: "Requirements for safety and security can be termed differently, but separating them can easily lead to a misunderstanding in the integrator or end-user about the interrelationships between those requirements. By separating the requirements, integrators and end-users may try to respond to them separately, which can lead to increased risks".

The generic safety standard, IEC 61508 Ed 2.0 (2010) [24], requires the consideration of security threats during hazard analysis in the form of a security threat analysis (IEC 61508, Part 1, 7.4.2.3). Nevertheless, there is no guidance for this step. It is only mentioned that if such security threats have been identified, a vulnerability analysis should be undertaken to specify security requirements. Details should be included in the safety manual. IEC 61508-3 has started to prepare for IEC 61508 Ed. 3.0. The more in-depth integration of security throughout the whole life cycle has been taken up as one of the high-priority issues. This will include new methods and techniques as discussed in this paper and the corresponding levels of recommendation in the mandatory and informative tables and guidelines.

2.4 CPS Challenges

In general, none of the above standards mentions CPS or specific CPS-related challenges. If we look at Internet of Things (IoT) standards in the IEC repository, we get a huge number of related standards which cover only parts of the challenges. The major challenges along the entire development life cycle are:

• Requirements: Existing requirements engineering methods will not scale up with the complexity of CPS; formalization and "standardization" of requirements will have to be managed.

• Risk and hazard analysis: The different dependability categories cannot be considered independently. Combined methods and techniques are required.

• Scale of deployment: Mass deployment embedded in one or sometimes several (critical) infrastructures needs particular attention, orchestrating the interrelationships and dependencies, and potential misuse and malicious interactions.

• Maintenance of CPS: Involves managing or correcting upcoming vulnerabilities, defects and wear-out, all identified or happening by use, not only on the single embedded system, component or part, but also on the overall infrastructure and all related elements. Remote maintenance is unavoidable, including coping with the associated risks.

• Changing context: The context of use has to be observed continuously, particularly human interaction, experience and focus of control for partially automated systems.

• Flexibility: Adaptation, reconfiguration, enhancement and frequent re-design of elements or infrastructure have to be considered.

The basis for the design, building and maintenance of trustworthy systems remains a sound system risk and hazard analysis (throughout the overall lifetime in the case of systems of CPS). From the systems engineering view, dependability has to be built in from the very beginning; neither property can later just be an add-on to a system of that level of complexity without running into the danger of causing unforeseen emergent faults (and failures).

3. SAFETY AND SECURITY CO-ANALYSIS METHODS

In [25] a first approach to combining fault and attack trees was presented, in which attack trees are connected as special nodes to a fault tree. Depending on the combination, three different approaches for probability calculation were proposed. Boolean logic Driven Markov Processes (BDMP) [26] is an approach where fault tree analysis and attack tree analysis are combined and extended with temporal connections. Besides the logical structuring, top events are activated based on the state of basic events. BDMP also uses "triggers" to model dependencies among sub-trees. A sub-tree connected with a trigger is only true if the element at the origin of the trigger is true. In addition, leaf nodes have two potential fault behaviors: failure in operation or failure on demand.

Young and Leveson [27] proposed to take a system thinking approach to safety and security analysis. As a result, a loss or disruption of the system is caused by interactions among various factors including safety hazards and security vulnerabilities.
The analysis focuses on modeling systems into a hierarchical structure in order to identify control actions at each level that have the potential to bring a system to a vulnerable state. Based on the control actions, security requirements and constraints, as well as the causal relations, are identified. However, their approach has a focus on strategy and conceptual guidelines. In our opinion, the lack of details on actionable techniques and the high level of abstraction make it not readily applicable to real-world problems.

This paper focuses on two recent approaches, Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) and Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS), which in our opinion provide not only high-level concepts but also concrete and actionable action points for the combined safety and security analysis of CPS.

3.1 FMVEA

Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) is based on the Failure Mode and Effect Analysis (FMEA) [12] and extends the standard approach with security-related threat modes. Figure 1 shows the process of applying FMVEA to a system. First a system is modeled. Then the failure and threat modes for each element of the system model are identified. While a failure mode describes the manner in which the function of an element fails, a threat mode describes the way in which the identified function of an element can be misused.

Figure 1: Overview of FMVEA method

Threat modes are based on the STRIDE [13] approach, which classifies threats in six categories (Spoofing of user identity, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). Depending on the domain, the system architecture and the knowledge about the system, failure and threat modes can be refined and extended.

Each identified failure or threat mode associated with the element is investigated for potential effects. For modes with critical effects, potential causes are analyzed and the likelihood for each cause is estimated. For threat modes, likelihood is determined using a combination of threat and system properties. Threat properties mainly describe the resources and motivation of a potential threat agent, while system properties include reachability and system architecture. The system model is based on a three-level data flow diagram (DFD). Effects of failure and threat modes are presented at the context level of the diagram, which shows the interaction between the system and its environment. Failure and threat modes are located at the level 1 DFD. Vulnerabilities and failure causes are based on the level 2 DFDs.

3.2 CHASSIS

Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) [6] is an approach for requirements engineering via use cases and sequence diagrams. Figure 2 gives an overview of the CHASSIS process regarding the elicitation of functional, safety and security requirements. Step 1 of CHASSIS is concerned with the definition of functional requirements as a basis for the elicitation of safety and security requirements. Users, functions and services are described in use case diagrams (D-UC) and textual descriptions of use cases (T-UC). Sequence diagrams (SD) are used to refine the contents of the use case diagrams and to model objects and their interactions. If a system is already developed to the point where architecture and functions are defined, the artifacts produced during this activity might have to be reworked in order to be used for CHASSIS.

In step 2, the elicitation of safety and security requirements is carried out. Through a brainstorming session with domain as well as safety and security experts, potential misuses of the system are identified. The names of use cases are combined with hazard and operability study (HAZOP) [28] guide words in order to obtain potential misuses of the system². There may be more than one misuse case per use case. After the identification of potential misuse cases, potential misusers are identified. Misusers include all human users (allowed or not), external systems and internal parts which can fail or threaten the system. Based on the identified scenarios, misuse case diagrams (D-MUC) are drawn. Besides the graphical representation, safety and security misuse cases are also written down as textual misuse cases (T-MUC). The T-MUC may contain additional details and an extended description of actors and misusers. Misuse sequence diagrams are used to describe chains of events and interactions which lead to a misuse of the system. In safety and failure related cases the same task is fulfilled by failure sequence diagrams (FSD).

² Since CHASSIS does not provide a specific list of guide words, we opt to use the standard guide words in [28].
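As an added illustration of Sections 3.1 and 3.2 (example code written for this page, not the authors' tooling), the block below builds a miniature FMVEA worksheet for constructed DFD elements, rating threat-mode likelihood from threat-agent and reachability properties, and derives CHASSIS misuse-case candidates by combining use-case names with standard HAZOP guide words. The rating scales, the weighting in `likelihood()` and the sample elements are assumptions, since the paper only states which properties are combined, not how.

```python
"""Added example (not from the paper): a small FMVEA worksheet plus CHASSIS
misuse-case generation. Scales, weights and sample rows are constructed
assumptions, not the authors' calibration."""
from dataclasses import dataclass

# STRIDE threat modes, the categories FMVEA attaches to each DFD element.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Standard HAZOP guide words (IEC 61882); CHASSIS step 2 prefixes them to
# use-case names to obtain candidate misuse cases.
HAZOP_GUIDE_WORDS = ("NO", "MORE", "LESS", "AS WELL AS", "PART OF",
                     "REVERSE", "OTHER THAN", "EARLY", "LATE")


@dataclass
class ThreatMode:
    element: str           # element of the level-1 DFD
    mode: str              # one of STRIDE
    effect: str            # effect observed at the context level
    severity: int          # 1 (nuisance) .. 4 (life-threatening), assumed
    agent_resources: int   # threat property: 1 (low) .. 3 (well funded)
    agent_motivation: int  # threat property: 1 (low) .. 3 (high)
    reachability: int      # system property: 1 (physical access) .. 3 (remote)

    def __post_init__(self):
        if self.mode not in STRIDE:
            raise ValueError(f"{self.mode!r} is not a STRIDE threat mode")


def likelihood(tm):
    """Assumed rating 1..5. Agent capability is the weaker of resources and
    motivation; a more reachable element (e.g. over a wireless channel)
    raises the rating by its reachability level."""
    capability = min(tm.agent_resources, tm.agent_motivation)
    return min(5, capability + tm.reachability - 1)


def risk(tm):
    """Risk number used for ranking: severity x likelihood (assumed)."""
    return tm.severity * likelihood(tm)


def rank_threat_modes(modes):
    """Return (element, mode, risk) tuples, highest risk first, so the
    critical modes get the cause analysis the paper describes."""
    return sorted(((m.element, m.mode, risk(m)) for m in modes),
                  key=lambda row: row[2], reverse=True)


def misuse_case_candidates(use_cases):
    """CHASSIS step 2: every guide word applied to every use-case name.
    Analysts then keep only the combinations describing a real misuse."""
    return [f"{word} {uc}" for uc in use_cases for word in HAZOP_GUIDE_WORDS]


# Constructed worksheet rows for a vehicle over-the-air (OTA) update path.
SAMPLE_MODES = [
    ThreatMode("OTA update receiver", "Tampering",
               "Unauthorised firmware accepted by an ECU", 4, 2, 3, 3),
    ThreatMode("OTA update receiver", "Denial of service",
               "Vehicle cannot receive security patches", 2, 1, 2, 3),
    ThreatMode("Diagnostic port", "Elevation of privilege",
               "Unrestricted access to the in-vehicle network", 3, 2, 2, 1),
]
```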
Figure 3: Overview of OTA system

4. CASE STUDY

In order to compare both approaches, we use a similar target system as in [5]. As shown in multiple studies and surveys [29, 30, 31], today's vehicles are vulnerable to security threats which can adversely affect their safety. While most existing investigations for automotive systems are concerned with finding existing vulnerabilities in vehicles, we aim at an approach for a proactive and combined safety and security analysis in the design phase for automotive CPS.

4.2.1 FMVEA

Figure 5 shows a simplified context level data flow diagram of a vehicle system.