Combined Assessment of Software Safety and Security Requirements: An Industrial Evaluation of the CHASSIS Method

Christian Raspotnig (ATM System Development, Avinor Air Navigation Services, Gardermoen, Norway), Peter Karpati (Institute for Energy Technology, Halden, Norway) and Andreas L. Opdahl (Department of Information Science and Media Studies, University of Bergen, Bergen, Norway)
Copyright: © 2018 | Pages: 24
DOI: 10.4018/JCIT.2018010104

Abstract

Safety is a fundamental concern in modern society, and security is a precondition for safety. Ensuring safety and security of complex integrated systems requires a coordinated approach that involves different stakeholder groups going beyond safety and security experts and system developers. The authors have therefore proposed CHASSIS (Combined Harm Assessment of Safety and Security for Information Systems), a method for collaborative determination of requirements for safe and secure systems. In this article, the authors evaluate CHASSIS through industrial case studies of two small-to-medium sized suppliers to the air-traffic management (ATM) sector. The results suggest that CHASSIS is easy to use, and that handling safety and security together provides benefits because techniques, information, and knowledge can be reused. The authors conclude that further exploration and development of CHASSIS is worthwhile, but that better documentation is needed, including more detailed process guidelines, to support elicitation of security and safety requirements and to systematically relate them to functional requirements.

Introduction

Safety can be defined as resilience to unintended hazards. The goal of system safety is the protection of life, systems, equipment and the environment (Ericson, 2005). Safety is a fundamental concern in modern society, whose infrastructures for, e.g., health, welfare, energy, transport, communication and the environment have become critically dependent on the complex and tightly coupled ICT systems that support them (Perrow, 1999; Leveson, 2011). Software safety is therefore a central research problem with great industrial and societal importance. Security (Stallings & Brown, 2008) can be defined as resilience to intended threats. Security is a prerequisite for safety. Whereas safety-critical systems of the past ran in isolation on specialised software and hardware, modern systems are internetworked and based on standard technologies. In recent years, safety-critical systems in areas such as Air-Traffic Management (ATM) have thus become increasingly exposed to security threats. Software safety and security have become central research areas of great industrial and societal importance.

New methods are therefore needed that integrate assessment of safety and security when developing software and other systems. Such new methods must take into account that modern safety- and security-critical systems are complex, typically spanning both organisational boundaries and domains of expertise. Ensuring the safety and security of such systems thus requires collaboration between different stakeholder groups beyond safety and security experts and system developers. The new methods can exploit that safety and security are, to an extent, similar because they are both concerned with what a new system should not do, whereas existing methods focus on what the system should do (Raspotnig & Opdahl, 2013b).

Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) (Raspotnig et al., 2012a; 2013a) is a method for determining requirements for safe and secure systems, in particular software and information systems. The method comprises a requirements analysis process and a set of extended UML techniques, specifically Misuse Cases (MUC) (Sindre & Opdahl 2000, 2005; Sindre 2007), Misuse Sequence Diagrams (MUSD) (Katta et al., 2010), and Failure Sequence Diagrams (FSD) (Raspotnig & Opdahl, 2012b; 2012c). It also uses guidewords from the hazard and operability study (HAZOP) (Winther, 2001; Ericson, 2005) technique to identify hazards and threats, and a HAZOP table is used to collect and summarize important information about potential harm.
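As an added illustration (not code from the paper or from the CHASSIS authors), the following Python sketch shows the shape of the combined HAZOP table the passage describes: the standard HAZOP guidewords applied to a system function, with separate columns for the unintended (hazard) and intended (threat) cause of each deviation, and a query for rows where both views meet in one consequence, which is where analysis and mitigation can be reused. The ATM function, causes and mitigations in `demo_table` are constructed for illustration and are not findings from the case studies.

```python
from dataclasses import dataclass
from itertools import product

# Standard HAZOP guidewords (Ericson, 2005), applied to each function to prompt for both hazards and threats.
GUIDEWORDS = ("NO", "MORE", "LESS", "AS WELL AS", "PART OF",
              "REVERSE", "OTHER THAN", "EARLY", "LATE")

@dataclass
class Deviation:  # one row of the combined harm table
    function: str
    guideword: str
    hazard_cause: str = ""   # unintended cause (safety view)
    threat_cause: str = ""   # intended cause (security view)
    consequence: str = ""
    mitigation: str = ""

def skeleton(functions):
    """Empty table with one row per (function, guideword) pair."""
    return [Deviation(f, g) for f, g in product(functions, GUIDEWORDS)]

def fill(table, function, guideword, **fields):
    """Record the analysts' findings for one deviation (KeyError if no such row)."""
    rows = [r for r in table if (r.function, r.guideword) == (function, guideword)]
    if not rows:
        raise KeyError((function, guideword))
    for name, value in fields.items():
        setattr(rows[0], name, value)
    return rows[0]

def shared_rows(table):
    """Rows where a hazard and a threat meet in one consequence: the point where
    consequence analysis and mitigation can be reused across safety and security."""
    return [r for r in table if r.hazard_cause and r.threat_cause and r.consequence]

def open_rows(table):
    """Deviations nobody has analysed yet, i.e. the workshop's remaining to-do list."""
    return [(r.function, r.guideword) for r in table
            if not (r.hazard_cause or r.threat_cause)]

def demo_table():
    """Constructed ATM sample; not data from the paper's case studies."""
    fn = "deliver radar track to controller display"
    t = skeleton([fn])
    fill(t, fn, "NO", hazard_cause="sensor link failure", threat_cause="denial of service on the feed",
         consequence="controller loses aircraft position", mitigation="redundant feed plus loss-of-track alarm")
    fill(t, fn, "LATE", hazard_cause="processing overload", threat_cause="network flooding",
         consequence="stale position displayed", mitigation="age-stamp every track and alarm when exceeded")
    fill(t, fn, "OTHER THAN", hazard_cause="track correlation error", threat_cause="injected false track",
         consequence="wrong aircraft identity shown", mitigation="cross-check identity against a second source")
    return t
```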

The purpose of this paper is to contribute towards software systems that are both safe and secure. We have therefore for the first time evaluated the feasibility, ease of use, and usefulness of CHASSIS through industrial case studies of two small-to-medium sized suppliers of software in the Air-Traffic Management (ATM) sector. We have asked whether the same basic concepts can be used to deal with both safety and security aspects; whether the CHASSIS method is easy to use; and whether the method is useful. The paper is structured as follows: Section 2 presents the background and the CHASSIS method, before Section 3 describes our research method. Section 4 presents the two case studies along with the survey data we collected. Section 5 summarises and discusses our results, before Section 6 concludes the paper and presents ideas for further work.

Background

This section reviews existing safety and security practices along with earlier work on the CHASSIS method.
