Abstract

Industrial Control Systems (ICS) are now routinely connected to other networks to optimise business efficiency. Safety and security risk treatment measures may conflict and cannot be designed in isolation, yet we find there are still problems in combining them. If a CEO were to ask his safety engineer and his security engineer of a complex, networked, software-intensive system to produce a combined security and safety risk assessment, there is no industry-recognised method to do so. We believe that Systems Engineering techniques can combine safety and security requirements to help avoid 'hazardous system states' by design. However, such systems are too complex to be modelled reliably, which can lead to safety and security design failures; it is impractical to identify all their vulnerabilities and, being networked, such systems evolve, so new vulnerabilities can emerge; finally, current methodologies may not adequately address the intelligent adversary. Therefore, we believe that a 're-imagining' of approaches to safety and security risk assessment is needed to deal with such systems. We aim to expose the issues so that both communities can develop a lingua franca as the foundation for the further work that we identify.

Full Text
Published version (Free)