
Combining Security and Safety Risk Management in Critical Infrastructure


Affiliations
1 De Montfort University, Leicester, England, United Kingdom


Within the critical infrastructure sector, safety risk management and security risk management are often treated as disjoint processes. Separating them duplicates effort where safety and security concerns align, and it obscures the situations where a trade-off between safety and security must be resolved. This paper proposes a risk management process that enables an organisation to carry out safety and security risk assessment within one combined process. The results show that this is possible, but changes must be made within the organisation and the process for it to succeed; examples include the terminology used, the organisational culture, and how threats and hazards are assessed. Combining the safety and security risk management processes can also support compliance with safety and security standards: organisations often need to comply with both, and can use the combined process to achieve compliance without maintaining two separate risk management processes.

Keywords

Critical infrastructure, Risk Management, Safety, Security, Standards.




Authors

Robert Kemp
De Montfort University, Leicester, England, United Kingdom
Richard Smith
De Montfort University, Leicester, England, United Kingdom
