Integrating Safety and Security: Automated Assurance Case Development for Safety-Critical Systems Using SMARAGD
Roman Trentinaglia - Fraunhofer IEM, Institute for Mechatronic Systems Design
In recent years, Open Source Software (OSS) has gained significant traction, including in sectors with stringent functional safety requirements such as the automotive and engineering industries. While OSS offers many benefits, its integration into commercial systems raises security concerns: it is just as vulnerable to flaws as proprietary software, as incidents like Log4Shell and Heartbleed have demonstrated. Recent legislation and standards, such as the Cyber Resilience Act (CRA), IEC 62443, and ISO/SAE 21434, therefore require manufacturers to address security throughout the product development lifecycle. Beyond their purely security-related consequences, attacks can also affect the safety and reliability of systems. Due to the high complexity of and many interdependencies within such systems, even components that are not considered safety-critical may lead to hazards when exploited. Laws and regulations such as the recent EU Machinery Regulation therefore mandate a unified approach to safety and security.
Assurance cases must be created to demonstrate that the developed system is safe, secure, and compliant with laws and standards. These assurance cases argue that the security goals have been achieved and provide evidence for the safety claims. In particular, when OSS components are used, it must be ensured that they are suitable for the intended use and that any vulnerabilities they may contain have been mitigated by appropriate measures, e.g., process isolation or Defense in Depth. However, the process of ensuring and documenting that a system is safe and secure is complex and often burdensome. Assurance cases are typically text-heavy and require significant manual effort to compile and maintain. The effort spent on documenting security measures consumes time that could be better spent on other tasks, such as identifying threats and effectively securing the system.
In this presentation, we address these challenges by demonstrating how model-based assurance cases can be derived in a tool-supported, automated manner, leveraging the insights gained from a completed, publicly funded research project conducted at Fraunhofer IEM. This research project resulted in the prototypical implementation of a software tool, SMARAGD, the System Modeler for Architectural Risk Assessment and Guidance on Defenses. SMARAGD supports the creation of safety and security documentation for safety-critical systems (SCS), e.g., automotive systems or industrial control systems, by automatically deriving assurance cases from the results of a safety-informed threat modeling process.
The goal of the tool is to enable practitioners to create assurance cases that are not only comprehensive but also linked to artifacts from the secure design process, such as architectural design principles like Defense in Depth. An essential aspect of an integrated safety and security risk analysis is a comprehensive threat analysis. In the safety-critical domain, this analysis must not only identify potential threats but also assess their potential impact on safety. Understanding if and how specific attacks on certain software components have a safety impact, i.e., which failures these attacks may cause and how these failures propagate through the system, is vital for developing effective risk mitigation strategies. To this end, SMARAGD provides a model-based data flow diagram (DFD) editor for threat modeling of SCS, following the STRIDE methodology. As a background task during design, SMARAGD furthermore automatically generates and links failure modes for the messages modeled in the DFD and their dependencies. Additionally, annotated threats are automatically matched, depending on their STRIDE category, to the failure modes they may cause (e.g., a tampering threat on a message to the failure mode "wrong value", a denial-of-service threat to "omission"). The calculated attack and failure propagation paths end when they reach a hazard, indicating that the corresponding attack may have a safety impact.
To mitigate these threats, SMARAGD suggests suitable security controls and their possible deployment locations in the modeled architecture. Security controls (e.g., message signature checks, input validation, firewalls) are measures implemented to protect information systems from threats and vulnerabilities; they help to ensure the confidentiality, integrity, and availability of information. In SMARAGD, the suggestions are derived from the calculated attack and failure propagation information, so that a control is proposed where it interrupts a path that would otherwise reach a hazard.
Based on the modeled system, the calculated attack and failure propagation paths, and the applied security controls, SMARAGD assesses the system design by calculating different architectural security metrics. For this, the tool provides an extensible catalog of metrics and a rule-based assessment mechanism. A particular concern of these rules is to determine whether the Defense in Depth secure design principle is honored by the system design. Defense in Depth employs multiple layers of security controls and measures to protect the system, ensuring that even if one layer fails, others remain in place to mitigate the risk. The attack path with the fewest controls therefore determines the number of defensive layers for the entire system: a single hazard-reaching path with one control leaves the whole design at one layer, regardless of how well other paths are protected.
After evaluating all metrics, SMARAGD generates model-based assurance cases in the Goal Structuring Notation (GSN). GSN is a popular graphical notation for visualizing arguments, commonly used in the safety domain to depict assurance cases. By pairing each metric that satisfies its corresponding requirement with a matching GSN assurance case fragment, SMARAGD automatically generates preliminary assurance cases based on the current threat model, the countermeasures applied therein, and the evaluated architectural risk assessment metrics.
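The following Python script is an added illustration of the pipeline described above (threat-to-failure-mode matching, propagation to hazards, the Defense in Depth metric, and the GSN fragment), not code from the talk or from SMARAGD. The data model, the STRIDE-to-failure-mode mapping, the sensor/controller/actuator example, and the control names are all assumptions made for the example; in particular, the simplification that a failure mode is passed on unchanged along a dependency is the author's, not a claim about the tool.

```python
"""Added illustration of a safety-informed threat model: STRIDE threats on DFD
messages, failure propagation to hazards, a Defense-in-Depth metric and a GSN
fragment. Not SMARAGD's code; the data model and mappings are assumptions."""
from dataclasses import dataclass, field

# Assumed mapping: STRIDE category -> safety failure mode a successful attack on a
# message may cause (illustrative, not SMARAGD's catalog). None = no safety effect.
STRIDE_TO_FAILURE = {
    "Spoofing": "wrong_source",
    "Tampering": "wrong_value",
    "Repudiation": None,
    "Information disclosure": None,
    "Denial of service": "omission",
    "Elevation of privilege": "wrong_value",
}


@dataclass
class Model:
    depends: dict[str, list[str]]      # message -> downstream messages computed from it
    threats: dict[str, list[str]]      # message -> STRIDE threats annotated on it
    hazards: set[tuple[str, str]]      # (message, failure_mode) pairs that are hazards
    # message -> {control name -> failure modes it mitigates on that message}
    controls: dict[str, dict[str, set[str]]] = field(default_factory=dict)


def propagate(model, message, failure, path=None):
    """All propagation paths from (message, failure) that end in a hazard.
    Simplification: a failure mode is passed on unchanged to dependent messages."""
    path = (path or []) + [message]
    if (message, failure) in model.hazards:
        return [path]
    paths = []
    for nxt in model.depends.get(message, []):
        if nxt not in path:            # DFD cycles must not recurse forever
            paths.extend(propagate(model, nxt, failure, path))
    return paths


def attack_paths(model):
    """One record per (threat, hazard-reaching path) with the number of controls
    along the path that mitigate the failure mode the threat causes."""
    result = []
    for msg, categories in model.threats.items():
        for cat in categories:
            failure = STRIDE_TO_FAILURE[cat]
            if failure is None:        # e.g. Information disclosure: no hazard
                continue
            for path in propagate(model, msg, failure):
                layers = sum(1 for m in path
                             for mitigated in model.controls.get(m, {}).values()
                             if failure in mitigated)
                result.append({"threat": cat, "failure": failure,
                               "path": path, "layers": layers})
    return result


def defense_in_depth(model):
    """System-wide number of defensive layers: the weakest hazard-reaching attack
    path (fewest controls) bounds the design. None if no path reaches a hazard."""
    return min((p["layers"] for p in attack_paths(model)), default=None)


def gsn_fragment(model, required_layers=2):
    """Minimal GSN fragment (goal, strategy, context, solution), emitted only when
    the Defense-in-Depth metric satisfies the requirement; otherwise None."""
    depth = defense_in_depth(model)
    if depth is None or depth < required_layers:
        return None
    return {
        "goal": f"G1: Every attack path to a hazard is covered by >= {required_layers} controls",
        "strategy": "S1: Argue over the attack path with the fewest controls",
        "context": f"C1: DefenseInDepth metric = {depth}",
        "solution": "Sn1: Attack and failure propagation analysis of the threat model",
    }


def build_sample_model():
    """Constructed sensor -> controller -> actuator example (not from the talk)."""
    return Model(
        depends={"sensor_reading": ["actuator_cmd"]},
        threats={"sensor_reading": ["Tampering", "Denial of service",
                                    "Information disclosure"]},
        hazards={("actuator_cmd", "wrong_value"), ("actuator_cmd", "omission")},
        controls={
            "sensor_reading": {"Message signature check": {"wrong_value", "wrong_source"}},
            "actuator_cmd": {"Plausibility check": {"wrong_value"},
                             "Actuator watchdog": {"omission"}},
        },
    )


if __name__ == "__main__":
    model = build_sample_model()
    for p in attack_paths(model):
        print(p)
    print("Defense in Depth:", defense_in_depth(model))   # 1: the DoS path has one layer
    print("GSN fragment:", gsn_fragment(model))            # None: requirement not met
    # Add a second layer against omission on the sensor flow and re-evaluate.
    model.controls["sensor_reading"]["Heartbeat timeout"] = {"omission"}
    print("Defense in Depth:", defense_in_depth(model))   # 2
    print("GSN fragment:", gsn_fragment(model))
```

In the constructed model the tampering path is covered by two controls (signature check, plausibility check) but the denial-of-service path only by the actuator watchdog, so the system-wide metric is 1 and no fragment is emitted; deploying a second omission-related control on the sensor flow raises the weakest path to two layers and the GSN fragment is generated. This is the mechanism the text describes: the metric is decided by the least-protected hazard-reaching path, and the assurance argument is only produced once the metric meets its requirement.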
In summary, this presentation demonstrates a novel tool-supported approach that enables system architects to assess security at the architectural level during the design phase, so that appropriate measures can be taken at an early stage. By showcasing this approach, we contribute a method to enhance the resilience of safety-critical systems in an increasingly interconnected and software-reliant world. Through this work, we aim to streamline the joint development of safety and security, ultimately fostering more secure and reliable software products.
Short Bio:
Roman Trentinaglia is a research associate in the Safe & Secure IoT Systems department at Fraunhofer IEM. He completed his computer science studies at Paderborn University in 2021 with a Master of Science (M.Sc.), specializing in security assurance cases. Since June 2021, he has been working in the Requirements Analysis & Design group on projects with partners from the mechanical and plant engineering and automotive industries, among others. One focus of these projects is the early and joint consideration of safety and security (Safety & Security by Design).