Why We Cannot (Yet) Ensure the Cybersecurity of Safety-Critical Systems

Johnson, C. W. (2016) Why We Cannot (Yet) Ensure the Cybersecurity of Safety-Critical Systems. In: 24th Safety-Critical Systyems Symposium, Brighton, UK, 2-4 Feb 2016, pp. 171-182. ISBN 9781519420077

130822.pdf - Published Version



There is a growing threat to the cyber-security of safety-critical systems. The introduction of Commercial Off The Shelf (COTS) software, including Linux, specialist VOIP applications and Satellite Based Augmentation Systems across the aviation, maritime, rail and power-generation infrastructures has created common, vulnerabilities. In consequence, more people now possess the technical skills required to identify and exploit vulnerabilities in safety-critical systems. Arguably for the first time there is the potential for cross-modal attacks leading to future ‘cyber storms’. This situation is compounded by the failure of public-private partnerships to establish the cyber-security of safety critical applications. The fiscal crisis has prevented governments from attracting and retaining competent regulators at the intersection of safety and cyber-security. In particular, we argue that superficial similarities between safety and security have led to security policies that cannot be implemented in safety-critical systems. Existing office-based security standards, such as the ISO27k series, cannot easily be integrated with standards such as IEC61508 or ISO26262. Hybrid standards such as IEC 62443 lack credible validation. There is an urgent need to move beyond high-level policies and address the more detailed engineering challenges that threaten the cyber-security of safety-critical systems. In particular, we consider the ways in which cyber-security concerns undermine traditional forms of safety engineering, for example by invalidating conventional forms of risk assessment. We also summarise the ways in which safety concerns frustrate the deployment of conventional mechanisms for cyber-security, including intrusion detection systems.

Item Type:Conference Proceedings
Glasgow Author(s) Enlighten ID:Johnson, Professor Chris
Authors: Johnson, C. W.
College/School:College of Science and Engineering > School of Computing Science
Copyright Holders:Copyright © 2016 The Author
Publisher Policy:Reproduced in accordance with the copyright policy of the publisher
Related URLs:

University Staff: Request a correction | Enlighten Editors: Update this record