Contrasting Approaches to Incident Reporting in the Development of Safety and Security-Critical Software

Johnson, C. W. (2015) Contrasting Approaches to Incident Reporting in the Development of Safety and Security-Critical Software. In: SAFECOMP 2015, Delft, The Netherlands, 22-25 Sept 2015, (Unpublished)

Full text not currently available from Enlighten.

Publisher's URL: http://safecomp2015.tudelft.nl/

Abstract

There are increasing obligations on companies to report cybersecurity incidents to national and international regulators. Article 13a of the Telecoms Framework Directive (as amended by Directive 2009/140/EC) requires network service providers to report significant security breaches and losses of integrity to the competent national authorities. The United States Securities and Exchange Commission also expects the companies it regulates to disclose information about cyber incidents. Existing cyber-incident reporting systems typically use tools and techniques that were initially intended to support Safety Management Systems, including reconstruction and causal analysis. This unified approach is particularly useful when, for example, the consequences of a cyber attack might compromise safety. In contrast, this paper identifies differences that complicate the use of conventional safety reporting techniques to mitigate cyber threats. For instance, it is important to communicate safety lessons as widely as possible to avoid any recurrence of previous accidents. However, disclosing the details of a security incident can expose vulnerabilities or assets that motivate further attacks. Similarly, most safety-management systems have clear reporting mechanisms via industry regulators. This is far more complicated for security incidents, where companies have to report both to national industry regulators and to national telecoms authorities. They may also have to contact local and national law enforcement, Computer Emergency Response Teams (CERTs) and national infrastructure protection agencies. At a more technical level, the counterfactual arguments that are often used to distinguish causes from contextual factors in safety-related accidents (would the accident still have occurred had this factor been absent?) cannot easily be applied to the malicious causes of security incidents. The closing sections of this paper propose a research agenda that is urgently required before the proposed EC Network and Information Security Directive (COM2013/48) extends the Article 13a reporting obligations across all European critical infrastructure providers.

Item Type: Conference Proceedings
Status: Unpublished
Refereed: Yes
Glasgow Author(s) Enlighten ID: Johnson, Professor Chris
Authors: Johnson, C. W.
College/School: College of Science and Engineering > School of Computing Science
