Safety cases need to address how cyber-attacks and cyber security activities affect the safety of the service(s). The book addresses how and where the Safety Case Report should include the safety case material (if it is present) that concerns the potential effect of security and cyber security threats on the safety of the services.
However, sometimes the safety case is also made responsible for justifying that the delivered service(s) meets stipulated physical or cyber security risk management criteria. The book does not address these or any other aspect of security risk management.
The rest of this page discusses this in more detail.
The Safety Case Report needs to address the potential effects of cyber security threats as part of demonstrating the safety of all behaviour. The book has adopted an approach that treats the potential safety effects of cyber security threats in the same way as failures. However, it is recognised that a common alternative approach is to show that cyber security management is adequate and, on the strength of that, to assume there will be no cyber security threat effects for the safety case to address. Whichever approach is taken, the assumption behind it must be stated so that it can be challenged; the format allows for either approach, or any other proprietary approach, to be documented.
The book considers cyber security threats as part of the environment of the operational service(s) and functional system. The potential effects of cyber security threats on the functional system need to be analysed (the CTIBI Analysis) and included in the functional system specifications in the same manner as failure behaviour. A CTIBI Analysis takes account of the arrangements in the functional system that mitigate cyber security threats, e.g. security architectural components and the functions of a Cyber Security Maintenance System (CSMS); the credit taken for these mitigations is only as good as the evidence that they are in place and maintained.
As long as the physical security measures ensure that the functional system is not physically modified, the effect of cyber security threats on the safety of the service(s) can only be to:
a) alter the probability of previously identified hazards occurring
b) make otherwise incredible hazards possible (both those identifiable by a traditional HAZOP but considered incredible in the absence of malicious intent, and those which cannot be identified at all without considering deliberate, malicious behaviour)
c) increase the probability of an accident arising from a hazard, by reducing the effectiveness of mitigations.
Cases where a cyber-attack adds to the functional system by modifying software-controlled connectivity require special consideration. As an extreme example, a malicious actor could compromise an internet-connected functional system and create a totally new system by connecting it to other internet-connected resources. In such a scenario, the safety case is only concerned with the effect on the intended services of the functional system. The new ‘services’ introduced by the change would be outside the responsibility of the Service Provider (and may be unknown to them) and hence outside the scope of their safety case. So even in this scenario, the effects on the intended services are limited to a) to c) above; what the safety case must still show is that the possibility of such connectivity changes has been considered in the CTIBI Analysis rather than assumed away.