Donald Firesmith, profile picture
Uploaded byDonald Firesmith
2,277 views

Engineering Safety and Security-Related Requirements

The document presents a tutorial aiming to bridge the gap between safety, security, and requirements engineering by highlighting common challenges and offering reusable techniques to improve collaboration and requirement quality. It addresses the inefficiencies of treating safety and security as separate disciplines and emphasizes the need for a unified approach to prevent accidents and successful attacks. A free open-source tool is introduced to support this integrated method, with practical examples provided for its application.

Embed presentation

Downloaded 122 times
1 / 179
2 / 179
3 / 179
4 / 179
5 / 179
6 / 179
7 / 179
8 / 179
9 / 179
10 / 179
11 / 179
12 / 179
13 / 179
14 / 179
15 / 179
16 / 179
17 / 179
18 / 179
19 / 179
20 / 179
21 / 179
22 / 179
23 / 179
24 / 179
25 / 179
26 / 179
27 / 179
28 / 179
29 / 179
30 / 179
31 / 179
32 / 179
33 / 179
34 / 179
35 / 179
36 / 179
37 / 179
38 / 179
39 / 179
40 / 179
41 / 179
42 / 179
43 / 179
44 / 179
45 / 179
46 / 179
47 / 179
48 / 179
49 / 179
50 / 179
51 / 179
52 / 179
53 / 179
54 / 179
55 / 179
56 / 179
57 / 179
58 / 179
59 / 179
60 / 179
61 / 179
62 / 179
63 / 179
64 / 179
65 / 179
66 / 179
67 / 179
68 / 179
69 / 179
70 / 179
71 / 179
72 / 179
73 / 179
74 / 179
75 / 179
76 / 179
77 / 179
78 / 179
79 / 179
80 / 179
81 / 179
82 / 179
83 / 179
84 / 179
85 / 179
86 / 179
87 / 179
88 / 179
89 / 179
90 / 179
91 / 179
92 / 179
93 / 179
94 / 179
95 / 179
96 / 179
97 / 179
98 / 179
99 / 179
100 / 179
101 / 179
102 / 179
103 / 179
104 / 179
105 / 179
106 / 179
107 / 179
108 / 179
109 / 179
110 / 179
111 / 179
112 / 179
113 / 179
114 / 179
115 / 179
116 / 179
117 / 179
118 / 179
119 / 179
120 / 179
121 / 179
122 / 179
123 / 179
124 / 179
125 / 179
126 / 179
127 / 179
128 / 179
129 / 179
130 / 179
131 / 179
132 / 179
133 / 179
134 / 179
135 / 179
136 / 179
137 / 179
138 / 179
139 / 179
140 / 179
141 / 179
142 / 179
143 / 179
144 / 179
145 / 179
146 / 179
147 / 179
148 / 179
149 / 179
150 / 179
151 / 179
152 / 179
153 / 179
154 / 179
155 / 179
156 / 179
157 / 179
158 / 179
159 / 179
160 / 179
161 / 179
162 / 179
163 / 179
164 / 179
165 / 179
166 / 179
167 / 179
168 / 179
169 / 179
170 / 179
171 / 179
172 / 179
173 / 179
174 / 179
175 / 179
176 / 179
177 / 179
178 / 179
179 / 179
Engineering Safety- and Security-Related Requirements Donald Firesmith Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 18 June 2012 Half-Day Tutorial © 2012 Carnegie Mellon University
Tutorial Goals To familiarize safety, security, and requirements engineers with the: • Common challenges they face • Common foundational concepts underlying each other’s disciplines • Useful reusable techniques from each other’s disciplines • Different types of safety- and security-related requirements To provide safety, security, and requirements engineers with a common consistent method for engineering these requirements and thereby: • Improve collaboration • Engineer better safety- and security-related requirements • Decrease the incidence of accidents and successful attacks due to poor safety- and security-related requirements Engineering Safety- & Security-Related Requirements 2 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Intended Audiences Primary audience: • Safety engineers • Security engineers • Requirements engineers Secondary audience: • Project managers (acquisition, development, or sustainment) • Lead system engineers and system architects • System, software, and hardware engineers • Safety and security SMEs and consultants • Safety and security trainers and academic educators and researchers • Specialty engineers (e.g., human factors and reliability) • Any other stakeholders in safety and security Engineering Safety- & Security-Related Requirements 3 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
History Work began in 2002 Presented as conference tutorials and in journal articles (see http://donald.firesmith.net/home/publications) Taught at 5 NASA Centers (2008) and US Army ASSIP Program Presented to nuclear engineers at: • System Engineering Challenges International Workshop in Russia (RuSEC 2010) in Moscow, Russia on 23 September 2010 • Kärnteknik-2011 (Nuclear Technology 2011) Nordic Symposium in Stockholm Sweden on 8 December 2011 Free Open Source Tool began Fall 2011 http://donald.firesmith.net/home/safety-and-security-analysis-tool Book to be published Winter 2012 Engineering Safety- & Security-Related Requirements 4 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines ◄ Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 5 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Safety Engineering – Traditional Definition Safety freedom from accidental harm to people, property, and the environment Safety Engineering the process of ensuring that a system is safe to operate Major Limitations: • No nontrivial system is free from hazards that can cause accidental harm. • It is always a matter of degree and risk management. • Not just harm, but also accidents, vulnerabilities, and hazards • In spite of best efforts, accidents can (and sometimes do) happen. • It is important to address not just the prevention of accidental harm (and accidents, vulnerabilities, hazards, and risks), but also detecting their existence/occurrence, and reacting properly. Engineering Safety- & Security-Related Requirements 6 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Security Engineering – Traditional Definitions Security (of information and services) is often defined in terms of specific properties, whereby a system is secure when it exhibits these properties in spite of attack: • Access Control (including identification, authentication, and authorization) • Availability • Confidentiality (including both privacy and anonymity) • Integrity (including data and software) • Non-repudiation (of transactions) Security Engineering the process of ensuring that a system is sufficiently secure to operate Major limitations: • No nontrivial system is free from threats that can cause malicious harm. • It is always a matter of degree and risk management. • Not just harm, but also attacks, vulnerabilities, and threats • In spite of best efforts, attacks can (and typically will) happen. • It is important to address not just the prevention of malicious harm (and attacks, vulnerabilities, threats, and risks), but also detecting their existence/occurrence, and reacting properly. Engineering Safety- & Security-Related Requirements 7 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Engineering – New Definitions Safety Engineering the systems engineering discipline concerned with lowering the risk of unintentional (i.e., accidental) unauthorized harm to defended assets to a level that is acceptable to the system’s stakeholders by preventing, detecting, and properly reacting to such harm, mishaps (i.e., accidents and safety incidents), system-internal vulnerabilities, system- external unintentional abusers, hazards, and safety risks Security Engineering the systems engineering discipline concerned with lowering the risk of intentional (i.e., malicious) unauthorized harm to defended assets to a level that is acceptable to the system’s stakeholders by preventing, detecting, and properly reacting to such harm, civilian misuses (i.e., attacks and security incidents), system-internal vulnerabilities, system-external intentional civilian abusers, threats, and security risks Survivability Engineering the systems engineering discipline concerned with lowering the risk of intentional (i.e., malicious) unauthorized harm to defended assets to a level that is acceptable to the system’s stakeholders by preventing, detecting, and properly reacting to such harm, military misuses (i.e., attacks and survivability incidents), system-internal vulnerabilities, system-external intentional military abusers, threats, and survivability risks Engineering Safety- & Security-Related Requirements 8 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Safety/Security Similarities and Differences Similarities: • Systems engineering rather than software engineering • Lower risks to acceptable levels: — Never zero – never perfectly safe, secure, or survivable • Prevention, detection, and reaction: — Unauthorized harm to defended assets (people, property, environment, services) — Abuses (safety mishaps and security misuses) — System-internal vulnerabilities — System-external abusers (exploit vulnerabilities to cause harm) — Dangers (safety hazards and security threats) — Risks (safety and security) Differences: • Unintentional (safety) vs. intentional (security and security) • Terminology Engineering Safety- & Security-Related Requirements 9 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Requirements Engineering Requirements Engineering the engineering discipline within systems/software engineering concerned with identifying, analyzing, reusing, specifying, managing, verifying, and validating goals and requirements (including safety- and security-related requirements) Safety- and security-related requirements are primarily system-level requirements. Engineering Safety- & Security-Related Requirements 10 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines Challenges ◄ Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 11 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Challenges1 Requirements engineering, safety engineering, and security engineering have different: • Communities • Disciplines with different training, books, journals, and conferences • Professions with different job titles • Foundational concepts and terminologies • Tasks, techniques, and work products Some of these differences are unnecessary and represent detrimental redundancies: • Underlying concepts and terminologies • Tasks and techniques • Work products (models and documents) Engineering Safety- & Security-Related Requirements 12 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Challenges2 Safety and security engineering are: • Typically treated as secondary specialty engineering disciplines • Performed separately from, largely independently of, and lagging behind the primary engineering workflow: (requirements, architecture, design, implementation, integration, testing, deployment, sustainment) Safety and security are too often tested into existing systems (reactively) rather than adequately built into systems during development (proactively) Engineering Safety- & Security-Related Requirements 13 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Challenges3 Separation of requirements engineering, safety engineering, and security engineering causes: • Poor safety- and security-related requirements that are often: — Vague, unverifiable, and infeasible capabilities or goals rather than true requirements — Potentially inappropriate architectural and design constraints — Inadequate to drive architecture, design, and implementation — Specified and managed separately from all other requirements — Relegated to “second class” “supplementary” specifications — Often ignored by requirements engineers and architects — Produced too late to drive architecture and testing • Safety and security are too often iterated and tested into existing systems (reactively) – “find and fix” – rather than adequately built into systems during development (proactively). Engineering Safety- & Security-Related Requirements 14 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Challenges4 How much safety and security is enough? • Insufficient defensibility is dangerous. • Excessive defensibility wastes scarce project resources. • Current requirements lack practical and precise thresholds. • Defenses (safeguards and countermeasures) should be commensurate with risk. — Goldilocks rule: not too little and not too big. • Without well-defined thresholds, how can: — Architects perform engineering trade-offs? — Testers set test completion criteria for the testing of safety- and security- related requirements? Engineering Safety- & Security-Related Requirements 15 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Challenges5 Many mandated security “requirements” are actually constraints such as: • Security subsystems • Industry “best practices” What about safety and security requirements for preventing, detecting, and reacting to: • Harm to defended assets? • Abuses (safety mishaps and security misuses)? • Vulnerabilities? • Abusers (unintentional and intentional)? • Dangers (safety hazards and security threats)? • Risks (safety and security)? Engineering Safety- & Security-Related Requirements 16 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Challenges6 Current separate methods for performing requirements, safety, and security engineering are inefficient and ineffective. Poor requirements are a primary cause of more than half of all project failures (defined in terms of): • Major cost overruns • Major schedule overruns • Major functionality not delivered • Large number of defects delivered • Delivered systems that are never used Poor requirements are a major “root cause” of many (or most) accidents involving software-intensive systems. Engineering Safety- & Security-Related Requirements 17 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Challenges7 Current state-of-the-practice cries out for improvement: • Better consistency between safety and security engineering — More consistent concepts and terminology — Reuse of techniques across disciplines — Less unnecessary overlap and avoidance of redundant work • Better collaboration: — Between safety and security engineering — With requirements engineering • Easier certification and accreditation • Better safety- and security-related requirements • Fewer accidents and successful attacks that cause less harm to defended assets Engineering Safety- & Security-Related Requirements 18 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines Challenges Common Example ◄ Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 19 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Common Example use throughout Tutorial Problem: How to enable large numbers of zoo patrons to quickly and conveniently tour the habitats of a huge new zoo? Proposed solution: the Zoo Automated Taxi System (ZATS) • Numerous small family-sized automated taxis: — Leisurely tours of habitats and fast transport between habitats — Inexpensive to operate (no driver salaries and benefits) — Reliable, easy to use, safe, and secure — Green (electric to minimize air and noise pollution) • Elevated concrete guideways: — Separate passengers from animals — Provide good views — Avoid collisions of taxis with pedestrians and vehicles in parking lot • Conveniently located taxi stations • Operations and maintenance facility in zoo back lots Engineering Safety- & Security-Related Requirements 20 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines Challenges Common Example Free, Open-Source Tool ◄ Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 21 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Free, Open-Source Tool Free and open-source tool Developed to: • Support the collaborative defensibility engineering method • Store the complete analysis results of the ZATS common example Exists in two forms: • Empty database for new project use • Populated database storing the “complete” analysis results of common example: ZATS Implemented using Microsoft Access Free download from: http://donald.firesmith.net/home/safety-and-security-analysis-tool Engineering Safety- & Security-Related Requirements 22 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Initial Screen Engineering Safety- & Security-Related Requirements 23 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Prepare to Analyze Safety and Security Menu Engineering Safety- & Security-Related Requirements 24 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Analyze Safety and Security Menu Engineering Safety- & Security-Related Requirements 25 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview ◄ Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 26 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Requirements Engineering Tasks Business Analysis (i.e., Customer, Competitor, Market, Technology, and User Analysis as well as Stakeholder Identification and Profiling) Visioning Requirements Identification (a.k.a., Elicitation) Requirements Analysis Requirements Specification Requirements Management Requirements Validation Scope Management (Management) Change Control (Configuration Management) Quality Control (Quality Engineering) Engineering Safety- & Security-Related Requirements 27 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Requirements Engineering Work Products Business analyses Stakeholder profiles Vision statement • Capabilities and Goals Concept of Operations (ConOps) or operational concept document (OCD) • Mission threads • Use cases • Usage scenarios Requirements repository and published specifications • Actual requirements Requirements prototypes Domain model Glossary Engineering Safety- & Security-Related Requirements 28 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Difficulty of Requirements Engineering “The hardest single part of building a software system is deciding precisely what to build. No other part of the conceptual work is as difficult as establishing the detailed technical requirements, including all the interfaces to people, to machines, and to other software systems. No other part of the work so cripples the resulting system if done wrong. No other part is more difficult to rectify later.” Fred Brooks, No Silver Bullet, IEEE Computer, 1987 Engineering Safety- & Security-Related Requirements 29 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Goals Goal an informally documented perceived need of a legitimate stakeholder Goals are: • Not requirements. • Drive the identification and analysis of the requirements. • Typically ambiguous and/or unrealistic (i.e. impossible to guarantee). Major problems with safety and security goals: • Ambiguous • Stated as absolutes • Not 100% feasible • Not verifiable Typically documented in a vision statement. Engineering Safety- & Security-Related Requirements 30 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Goals ZATS will take passengers on leisurely tours that provide excellent viewing of the zoo habitats. ZATS will take passengers rapidly to their desired taxi stations in the zoo and its parking lot. ZATS will prevent animals from reaching passengers in taxis and taxi stations. ZATS will never injure or kill a passenger. ZATS will not cause air and noise pollution. ZATS will be easy and intuitive for all of its passengers to use. ZATS will allow passengers to use securely use bank cards to pay for trips. Engineering Safety- & Security-Related Requirements 31 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Use Case Models and Mission Threads Usage Scenario a specific functionally cohesive sequence of interactions between user(s), the system, and potentially other actors that provides value to a stakeholder Use Case a general way to perform a function a functionally cohesive class of usage scenarios Use Case Path (a.k.a., flow and course) an equivalence set of usage scenarios that follow the same course through a use case Mission Thread an end-to-end sequence of use case paths that together achieves one of the system’s missions Engineering Safety- & Security-Related Requirements 32 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Use Case Models Use case paths: • Can be either: — Normal (Sunny Day or Happy Path) — Exceptional (Rainy Day) • Should have their own preconditions, triggers, and postconditions • Are often documented with text, sequence diagrams, or activity diagrams Use cases, use case paths, and usage scenarios: • Typically documented in a ConOps or operational concept document (OCD) • Drive the identification and analysis of the [primarily functional] requirements • Often include potential architectural and design information Use cases are far more than merely use case diagrams. Engineering Safety- & Security-Related Requirements 33 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Characteristics of Good Requirements All Types of Requirements Active Voice Correct Configuration Controlled Consistent (internally and with other requirements) Cohesive (individual) Differentiated from Non-requirements Complete Externally observable Concise Grammatically Correct and no Typos Feasible Managed (in requirements repository) Mandatory (necessary) Prioritized (for scheduling implementation) Properly Specified Normal and Exceptional Rationalized Relevant Scheduled Unique Stakeholder-centric Unambiguous Situation-specific (to mode, state, and/or event) Validatable Traced (to source and to architecture) Uniquely identified Verifiable Usable by stakeholders What or how well, not how http://www.jot.fm/issues/issue_2003_07/column7 Engineering Safety- & Security-Related Requirements 34 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Poor Requirements Cause Accidents1 “For the 34 (safety) incidents analyzed, 44% had inadequate specification as their primary cause.” Health and Safety Executive (HSE), Out of Control: Why Control Systems Go Wrong and How to Prevent Failure (2nd Edition), 1995 “Almost all accidents related to software components in the past 20 years can be traced to flaws in the requirements specifications, such as unhandled cases.” Grady Lee, Jeffry Howard, and Patrick Anderson, “Safety-Critical Requirements Specification and Analysis using SpecTRM”, Safeware Engineering, 2002 Engineering Safety- & Security-Related Requirements 35 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Poor Requirements Cause Accidents2 “Erroneous specification is a major source of defects and subsequent failure of safety-critical systems. Many failures occur in systems using software that is perfect, it is just not the software that is needed because the specification is defective.” John C. McKnight, “Software Challenges in Aviation Systems,” Proceedings of the 21st International Conference on Computer Safety, Reliability and Security, 2002 “Software-related accidents almost always are due to misunderstandings about what the software should do.” Kathryn Anne Weiss, “An Analysis of Causation in Aerospace Accidents,” Proceedings of the 2001 Digital Avionics Systems Conference, updated 7 September 2004 Engineering Safety- & Security-Related Requirements 36 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Poor Requirements Cause Accidents3 “Software-related accidents are usually caused by flawed requirements. Incomplete or wrong assumptions about the operation of the controlled system can cause software related accidents, as can incomplete or wrong assumptions about the required operation of the computer. Frequently, omitted requirements leave unhandled controlled-system states and environmental conditions.” Nancy G. Leveson, Safeware: System Safety and Computers, 2003 “Software-related accidents are almost all caused by flawed requirements: • Incomplete or wrong assumptions about the operation of the controlled system or required operation of the computer • Unhandled controlled-system states and environmental conditions.” Nancy G. Leveson, A new Approach to Ensuring Safety in Software and Human Intensive Systems, July 2009 Engineering Safety- & Security-Related Requirements 37 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
The Many Types of Requirements Business Industry Laws and Natural Organizational Rules Standard Regulations Laws Policies Innovative Rules Requirements Positive (shall) Documentation Entity Data * Requirements Requirements Requirements Requirements Stakeholder Facility Hardware Object Negative Requirements Requirements Requirements Requirements (shall not) Requirements Derived People (Role) Procedure Material (Technical) Requirements Requirements Requirements Requirements Requirements Software System / Development Requirements Subsystem Environment Requirements Requirements Architecture Process Constraints Manufacturing Product (Method) Requirements Requirements Primary Mission Design Requirements Requirements Constraints Operational Requirements Supporting Implementation Requirements Constraints Training Requirements “Pure” Integration Maintenance Constraints Requirements Constraints Requirements Non-Functional Requirements Manufacturing Sustainment Requirements Constraints Retirement Functional Entity (Data *) Interface Quality Deployment Requirements Requirements Requirements Requirements Requirements Constraints Engineering Safety- & Security-Related Requirements 38 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Product Requirements A product requirement is a requirement for a product (e.g., system, subsystem, software application, or component). • A functional requirement is a product requirement than specifies a mandatory function (i.e., behavior) of the product. • A data requirement is a product requirement that specifies mandatory [types of] data that must be manipulated by the product. • An interface requirement is a product requirement that specifies a mandatory interface with (or within) the product. • A quality requirement is a product requirement that specifies a mandatory amount of a type of product quality (characteristic or attribute). • A constraint is a property of the product (e.g., architecture or design decision) that would ordinarily not be a requirement but which is being mandated as if it were a normal requirement Engineering Safety- & Security-Related Requirements 39 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Quality Models Architectural Components define the meaning of the quality of Quality Systems Models define the meaning of a specific type of quality of are measure measured quality along Quality along Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods are measured using Developmental Operational Quality Quality Characteristics Characteristics Engineering Safety- & Security-Related Requirements 40 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Quality Characteristics (Operational) Quality Characteristics Developmental Operational Quality Characteristics Quality Characteristics Configurability Efficiency Functionality Interoperability Serviceability Usability Compliance Dependability Environmental Habitability Operability Transportability Compatibility Robustness Defensibility Performance Soundness Safety Survivability Availability Correctness Predictability Security Capacity Reliability Stability Engineering Safety- & Security-Related Requirements 41 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Performance Attributes Jitter Problem Latency Prevention Harm Arrest Response Time Problem Detection Schedualability Harm Mitigation Problem Failure Analysis Throughput Reaction Failure Recovery Problem Type Solution Type Performance Attributes Performance Attributes System Adaptation measure quality along Performance Performance Attributes are measured along Quality Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods define the meaning of the Quality quality of Models Systems Engineering Safety- & Security-Related Requirements 42 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Quality Attributes Occurrence of Unauthorized Harm Harm Arrest Occurrence of Abuse Harm Mitigation (Safety Mishap or Security Misuse) Problem Abuse Analysis Existence of System-Internal Vulnerability Prevention Abuse Recovery Existence of System-External Abuser Problem Detection System Existence of Danger (Hazard or Threat) Adaptation Problem Existence of Defensibility Risk Reaction Counterattack (Security and Survivability) Problem Type Solution Type Defensibility Attributes Defensibility Attributes Safety measure quality along Security Defensibility Defensibility Attributes Survivability are measured along Quality Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods define the meaning of the Quality quality of Models Systems Engineering Safety- & Security-Related Requirements 43 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Different Types of Defensibility Requirements Problem Type Quality Attributes Defensibility Quality Attributes Harm to Defensibility Abuse Abuser Vulnerability Danger Valuable Asset Risk Prevent Prevent Prevent Prevent Prevent Prevent Prevention Occurrence Occurrence Existence Existence of Existence Existence Quality Attributes Solution Type of Harm of Abuse of Abuser Vulnerability of Danger of Risk Detect Detect Detect Detect Detect Detect Detection Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk React to React to React to React to React to React to Reaction Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk Engineering Safety- & Security-Related Requirements 44 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Components of a Quality Requirement state stakeholders’ Quality Goals importance of achieving specify achievement of define stakeholders’ minimum acceptable levels of quality for a Quality Requirements System are applicable shall Conditions during or at System-Specific exceed Quality Thresholds or Events Quality Criteria indirectly state directly state are measured are measured existence of existence of along using Quality Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods Quality define the meaning of the quality of a Models Engineering Safety- & Security-Related Requirements 45 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Quality Requirement Hazard prevention safety requirement: “Under normal operating conditions, ZATS shall not move when it’s doors are open at an average rate higher than once every 10,000 trips.” Component parts: • Condition: “Under normal operating conditions” • Mandatory system-specific quality criterion: “ZATS shall not move when it’s doors are open” • Measurement threshold: “at an average rate higher than once every 10,000 trips.” Definitions needed to avoid ambiguity: • Moving – traveling faster than 0.1 cm per second • Open – open more than 1 cm between doors • Normal operating conditions – neither during maintenance nor a fire • Trip – travel with passengers from a starting taxi station to the associated destination taxi station Engineering Safety- & Security-Related Requirements 46 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Importance of Measurement Threshold Measurement threshold is: • Critical • Difficult (but not impossible) to determine • Often left out of quality requirements • Needed to avoid ambiguity States how much quality is necessary (sufficient) Enables architects and architecture evaluators to: • Determine if architecture is adequate • Make engineering tradeoffs between competing quality characteristics and attributes Enables tester to determine the: • Test completion criteria • Number and types of test cases Engineering Safety- & Security-Related Requirements 47 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview ◄ Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 48 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Fundamental Safety and Security Concepts Safety and security as quality characteristics with associated quality attributes Stakeholders Defended assets Unauthorized harm to defended assets Abuses (accidents, attacks, and incidents) Vulnerabilities (system-internal weaknesses or defects) Abusers (external and internal, malicious and non-malicious) Dangers (hazards and threats) Defensibility risks (safety and security) Goals, policies, and requirements Defenses (safeguards and counter measures) Engineering Safety- & Security-Related Requirements 49 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Safety as a Quality Characteristic Safety is the subclass of defensibility capturing the degree to which: • The following safety problems: — Accidental harm to defended assets — Safety abuses (mishaps such as accidents and safety incidents) — Safety abusers (people, systems, and the environment) — Safety vulnerabilities — Safety dangers (hazards) including the existence (conditions) of non-malicious abusers who unintentionally exploit system vulnerabilities to accidentally harm vulnerable defended assets — Safety risks • Have safety solutions: — Prevented (eliminated, mitigated, keep acceptably low) — Detected — Reacted to Engineering Safety- & Security-Related Requirements 50 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Security as a Quality Characteristic Security is the subclass of defensibility capturing the degree to which: • The following security problems: — Malicious harm to defended assets — Security abuses (misuses such as attacks and security incidents) — Security abusers (attackers and malware – systems, software, and hardware) — Security vulnerabilities — Security dangers (threats) including the existence (conditions) of malicious abusers who can exploit system vulnerabilities to harm vulnerable defended assets — Security risks • Are security solutions: — Prevented (eliminated, mitigated, keep acceptably low) — Detected — Reacted to Engineering Safety- & Security-Related Requirements 51 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Three Disciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements ◄ Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 52 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Safety- and Security-Related Requirements Too often only a single type of requirements is considered. Not just: • Specific types of non-functional requirements (NFRs): — Safety and security requirements are quality requirements • Functional, data, and interface requirements with safety or security ramifications • Architecture and design constraints • Safety and security functions/subsystems • Software requirements • Constraints on functional requirements Reason for presentation title: Safety- and security-related requirements for software-intensive systems Engineering Safety- & Security-Related Requirements 53 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Requirements Business Industry Laws and Natural Organizational Rules Standard Regulations Laws Policies Innovative Rules Requirements Positive (shall) Documentation Entity Data * Requirements Requirements Requirements Requirements Stakeholder Facility Hardware Object Negative Requirements Requirements Requirements Requirements (shall not) Requirements Derived People (Role) Procedure Material (Technical) Requirements Requirements Requirements Requirements Requirements Software System / Development Requirements Subsystem Environment Requirements Requirements Architecture Process Constraints Manufacturing Product (Method) Requirements Requirements Primary Mission Design Requirements Requirements Constraints Operational Requirements Supporting Implementation Requirements Constraints Training Requirements “Pure” Integration Maintenance Constraints Requirements Constraints Requirements Non-Functional Requirements Manufacturing Sustainment Requirements Constraints Retirement Functional Entity (Data *) Interface Quality Deployment Requirements Requirements Requirements Requirements Requirements Constraints Engineering Safety- & Security-Related Requirements 54 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Different Types of Defensibility Requirements Problem Type Quality Attributes Defensibility Quality Attributes Harm to Defensibility Abuse Abuser Vulnerability Danger Valuable Asset Risk Prevent Prevent Prevent Prevent Prevent Prevent Prevention Occurrence Occurrence Existence Existence of Existence Existence Quality Attributes Solution Type of Harm of Abuse of Abuser Vulnerability of Danger of Risk Detect Detect Detect Detect Detect Detect Detection Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk React to React to React to React to React to React to Reaction Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk Engineering Safety- & Security-Related Requirements 55 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Defensibility-Related Requirements – 1 Safety Security Safety-Significant Safety Function/Subsystem Requirements Requirements Constraints Requirements Security- Security Security Security Significant Function/Subsystem Requirements Constraints Requirements Requirements Defensibility- Defensibility Defensibility Defensibility Significant Function/Subsystem Requirements Constraints Requirements Requirements Safety-Related System Defensibility- Requirements Requirements Related Requirements Security-Related Requirements Engineering Safety- & Security-Related Requirements 56 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Defensibility-Related Requirements – 2 Safety/Security- Safety/Security Significant Safety/Security Requirements Requirements Constraints Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 57 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Defensibility-Related Requirements – 3 Safety/Security Assurance Level (SAL) Defensibility Quality Intolerable Requirements Requirements Defensibility-Related Requirements SAL = 5 Defensibility Function / Supporting Critical Subsystem Requirements Defensibility-Related Requirements Requirements SAL = 4 Defensibility Constraints Constraints Major Defensibility-Related Other Requirements Defensibility- SAL = 3 Related Functional Requirements Requirements Moderate Defensibility-Related Quality Requirements Defensibility-Related Requirements SAL = 2 Requirements SAL = 1 - 5 System Data Minor Requirements Requirements Defensibility-Related Requirements SAL = 1 Interface Requirements Defensibility-Independent Requirements Constraints SAL = 0 Engineering Safety- & Security-Related Requirements 58 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
1) Safety and Security Requirements Safety and security requirements are quality requirements. Quality requirements are product requirements that specify a mandatory minimum amount of a type of product quality: • Quality characteristic (generally) • Quality attributes (specifically) Safety and security requirements: • Are typically negative requirements • Specify what the system shall not cause, enable, or allow to: — Occur (e.g., unauthorized harm to defended assets, accidents, attacks) — Exist (e.g., vulnerabilities, threats, abusers, hazards, risks) Engineering Safety- & Security-Related Requirements 59 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Safety and Security Requirements Quality requirements should be: • Scalar (how well or how much) • Based on a quality model defining the specific types of quality and how their measurement scales • Stored in requirements repositories and specified in requirements specifications, NOT just in: — Secondary specifications — Safety/security documents Quality requirements are critically important drivers of the architecture and testing. Engineering Safety- & Security-Related Requirements 60 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Safety Requirement Templates When in mode V, the system shall limit the occurrence of accidental harm of type W to defended assets of type X to an average rate of no more than Y asset value per Z time duration. When in mode W, the system shall not cause mishaps of type X with an average rate of more than Y mishaps per Z trips. When in mode X, the system shall not cause hazard Y to exist for more than an average of Z percent of the time. When in mode X, the system shall not have a residual safety risk level of Y or above. When in mode X, the system shall detect accidents of type Y an average of at least Z percent of the time. Upon detecting an accident of type W when in mode X, the system shall react by performing functions Y an average of at least Z percent of the time. Engineering Safety- & Security-Related Requirements 61 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Security Requirement Templates When in mode V, the system shall limit the occurrence of malicious harm of type W to defended assets of type X to an average rate of less than Y asset value per Z time duration. When in mode W, the system shall prevent the first successful attacks of type X for a minimum of Z time duration. When in mode X, the system shall not have security vulnerability Y for more than an average of Z percent of the time. When in mode X, the system shall not have a security risk level of Y. When in mode X, the system shall detect misuses of type Y an average of at least Z percent of the time. Upon detecting a misuse of type W when in mode X, the system shall react by performing functions Y an average of at least Z percent of the time. Engineering Safety- & Security-Related Requirements 62 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
2) Defensibility-Significant Requirements – 1 Defensibility-significant requirement a requirement with significant safety or security ramifications Are identified based on safety or security (e.g., hazard or threat) analysis Can be any kind of product requirements: • Functional, data, interface, quality, and constraints • Pure safety and security requirements • Safety and security function/subsystem requirements • Safety and security constraints Engineering Safety- & Security-Related Requirements 63 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility-Significant Requirements – 2 Safety/Security- Upper 3 circles Safety/Security Significant Safety/Security Requirements Requirements Constraints Horizontal lines Not all of the safety/security function/subsystem requirements Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 64 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Safety/Security Assurance Levels (SALs) Safety/Security Assurance Level (SAL) Defensibility Quality Intolerable Requirements Requirements Defensibility-Related Requirements SAL = 5 Defensibility Function / Supporting Critical Subsystem Requirements Defensibility-Related Requirements Requirements SAL = 4 Defensibility Constraints Constraints Major Defensibility-Related Other Requirements Defensibility- SAL = 3 Related Functional Requirements Requirements Moderate Defensibility-Related Quality Requirements Defensibility-Related Requirements SAL = 2 Requirements SAL = 1 - 5 System Data Minor Requirements Requirements Defensibility-Related Requirements SAL = 1 Interface Requirements Defensibility-Independent Requirements Constraints SAL = 0 Engineering Safety- & Security-Related Requirements 65 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Safety-Significant Requirements Firing missiles from military aircraft requirements: • When to arm missiles • When not to arm missiles (e.g., detecting weight-on-wheels) • Controlling doors before and after firing missiles Chemical plant requirements: • Mixing and heating toxic chemicals • Controlling exothermic reactions • Detecting and controlling temperature, pressure, and flow-rate ZATS requirements: • Taxi starting, accelerating, cruising, decelerating, and stopping • Opening and closing doors (taxi, taxi station safety wall, taxi station elevator) Engineering Safety- & Security-Related Requirements 66 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Security-Significant Requirements Access control requirements: • Identification, authentication, and authorization Accountability (e.g., non-repudiation requirements): • Creation, storage, and transmission of financial transactions Availability (under attack) requirements: • Services subject to denial-of-services attacks Confidentiality requirements: • Storage and transmission of sensitive information • Confidential intellectual property in the software or its documentation Integrity requirements: • Storage and transmission of sensitive data • Software that might get Infected by malware Engineering Safety- & Security-Related Requirements 67 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
3) Defensibility Function/Subsystem Rqmts – 1 Defensibility function/subsystem requirements are requirements for functions or subfunctions that exist strictly to improve defensibility (as opposed to support the primary mission requirements). • Safety function/subsystem requirements are requirements for safety functions or subsystems. • Security function/subsystem requirements are requirements for security functions or subsystems. Engineering Safety- & Security-Related Requirements 68 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Function/Subsystem Rqmts – 2 Safety/Security- Bottom circle Safety/Security Significant Safety/Security Requirements Requirements Constraints Vertical lines Overlaps other 3 types Not all of the safety/security function/subsystem requirements are safety/security significant Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 69 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Safety Functions/Subsystems Automobile functions or subsystems added strictly for safety: • Adaptive Cruise Control (ACC) • Forward Collision Warning Systems • Adaptive Headlights • Intelligent Parking Assist Systems (IPAS) • Airbag Systems • Lane Departure Warning Systems • Anti-lock Braking Systems (ABS) • On-Board Diagnostics (OBD) • Automatic Braking • On-Board Prognostics (OBP) • Automatic Crash Response • Reverse Backup Sensors Systems • Seat Belt Systems • Automotive Night Vision Systems • Tire Pressure Monitoring Systems • Backup Cameras • Traction Control Systems (TCS) • Backup Collision Intervention Systems • Electronic Brakeforce Distribution (EBD) • Electronic Stability Control (ESC) • Emergency Brake Assist (EBA) Engineering Safety- & Security-Related Requirements 70 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Security Functions/Subsystems – 1 Automobile functions or subsystems added strictly for security: • Car Alarm Systems • Door Locks • Ignition Key Systems • Stolen Vehicle Recovery Systems Engineering Safety- & Security-Related Requirements 71 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Security Functions/Subsystems – 2 Functions or subsystems strictly added for security: • Access control • Antivirus / antispyware / antispam / antiphishing subsystems • Encryption/decryption subsystem • Firewalls • Intrusion detection subsystem (IDS) / intrusion prevention subsystem (IPS) All requirements for such functions/subsystems are security-related. Look in the Common Criteria (ISO/IEC 15408) for many generic reusable security function requirements. Engineering Safety- & Security-Related Requirements 72 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Safety Function/Subsystem Rqmts Except when the weapons bay doors are open or have been open within the previous 90 seconds, the weapons bay cooling subsystem shall maintain the temperature of the air in the weapons bay at or below X° C. The Fire Detection and Suppression Subsystem (FDSS) shall detect smoke above X ppm in the weapons bay within 2 seconds at least 99.9% of the time. The FDSS shall detect temperatures above X° C in the weapons bay within 2 seconds at least 99% of the time. Upon detection of smoke or excess temperature, the FDSS shall begin fire suppression within 1 second at least 99.9% of the time. Engineering Safety- & Security-Related Requirements 73 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Security Function/Subsystem Rqmts Access Control Function: • The Access Control Function shall require at least 99.99% of users to identify themselves before enabling them to perform the following actions: … • The Access Control Function shall require at least 99.99% of users to successfully authenticate their claimed identity before enabling them to perform the following actions: … • The Access Control Function shall authorize the system administrators to configure the maximum number of unsuccessful authentication attempts between the range of 1 and X. • The Access Control Function shall perform the following actions when the maximum number of unsuccessful authentication attempts has been exceeded: … Engineering Safety- & Security-Related Requirements 74 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
4) Defensibility Constraints – 1 A constraint is any engineering decision that has been chosen to be mandated as a requirement. For example: • Architecture constraints • Design constraints • Implementation constraints (e.g., coding standards, safe language subset, and nonhazardous materials) • Integration constraints • Deployment or configuration constraints A safety constraint is any constraint primarily intended to ensure a minimum level of safety (e.g., a mandated safeguard). A security constraint is any constraint primarily intended to ensure a minimum level of security (e.g., a mandated countermeasure). Safety and security standards often mandate industry best practices as constraints. Engineering Safety- & Security-Related Requirements 75 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Constraints – 2 Safety/Security- Right circle Safety/Security Significant Safety/Security Requirements Requirements Constraints Diagonal lines Overlaps only 2 of the other types All of the defensibility constraints are safety- or security- significant Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 76 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Safety Constraints The system shall use hardware interlocks to prevent users from physically coming into contact with moving parts. The system shall not have a single point of failure that can cause an accident unless the associated risk is acceptable to authoritative stakeholders. The system shall use a safe subset of C++. The system shall not contain any of the hazardous materials in Table X in concentrations in excess of those listed in the table: • Biologically Hazardous Materials (e.g., infectious agents or toxins) • Chemically Hazardous Materials (e.g., carcinogens, corrosives, heptatoxins, irritants, mutagens, nephratoxins, neurotoxins, poisons, or teratogens) • Physically Hazardous Materials (e.g., combustible chemicals, compressed gases, explosives, flammable chemicals, oxidizers, or pyrophorics) Engineering Safety- & Security-Related Requirements 77 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Security Constraints The system shall user use IDs and passwords for identification and authentication. The system shall incorporate COTS firewalls to protect servers. The system shall incorporate the latest version of Norton Antivirus for malware detection and removal. The system shall use public key encryption to protect confidential information. The system shall use digital signatures to provide nonrepudiation. Engineering Safety- & Security-Related Requirements 78 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method ◄ Conclusion Engineering Safety- & Security-Related Requirements 79 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Desired Method Properties Help meet challenges listed at start of tutorial Promote close collaboration among safety, security, and requirements teams Better integrate safety and security methods: • Based on common foundational concepts and terminology • Reuse of techniques and work products • Based on defensibility (safety and security) analysis Better integrate safety and security engineering with requirements engineering: • Clearly defined role and team responsibilities • Early input to requirements engineering • Develop all types of safety- and security-related requirements • Ensure these requirements have the proper characteristics Engineering Safety- & Security-Related Requirements 80 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Overall Defensibility Engineering Method Defensibility Defensibility Defensibility Policy Monitoring Event Handling Development Defensibility Defensibility Program Planning Analysis Defensibility Defensibility Defense Compliance Certification and Determination Assessment Accreditation Engineering Safety- & Security-Related Requirements 81 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Analysis System Safety Team Security Team Defensibility Safety and collaborates Analysis Security Requirements with Engineering Engineering SMEs Stakeholder Defensibility Requirements Team Analysis performs Safety Relevant Laws, Regulations, and Asset Requirements Standards Analysis performs Security Organizational Requirements and Project Abuse Defensibility Analysis Policies Defensibility Defensibility- Defensibility Requirements Analysis Related Reusable Analysis Development Vulnerability Work Products Requirements Safety & Security Work Products Analysis Requirements Safety- Contractual Validation Significant Documents Abuser Requirements Analysis Safety & Security Security- Program Plans support perform Significant Danger Requirements Requirements Engineering Analysis Subject Work Products Safety and Security Safety Security Matter Team Team Experts Stakeholders Certification Architectural Repositories Risk Engineering Analysis Work Products Significance Analysis Engineering Safety- & Security-Related Requirements 82 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
System Defensibility Analysis Safety Team Security Team Requirements collaborates Engineering with Requirements Requirements Models Team Understand Requirements Requirements Documents performs Requirements System Defensibility Analysis Architecture Team Architecture Model Understand Architecture Safety and Architecture Security Documents Engineering Architecture Engineering Engineering Safety- & Security-Related Requirements 83 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Stakeholder Defensibility Analysis Safety Team Security Team collaborates with Safety and Security Subject Matter Experts Engineering (SMEs) provide input Requirements during Teams performs Preparation Stakeholders provide input Stakeholder Updated during Identification Stakeholder List Stakeholder Defensibility Analysis Updated Contractual Documentation Stakeholder (RFP, Contract) Profiles Stakeholder Modeling Requirements Defensibility Work Products Stakeholder (Vision Statement, ConOps, Interests Table Initial Stakeholder List, Stakeholder Profiles, Initial Draft Requirements Models, Initial Goal Safety and Security Specifications, and Identification Goals Repositories) Existing Documentation (Organizational Defensibility Policies and Legacy Hazard Safety and Security and Threat Analyses, Certification Mishap and Misuse Reports, Repositories and Stakeholder Lists) Engineering Safety- & Security-Related Requirements 84 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Stakeholders Human play Organizational play Direct Stakeholders Stakeholders Stakeholders Indirect Human Organization Stakeholders Roles Roles Attackers Stakeholders Legitimate Stakeholders have desire to Asset System harm the Stakeholders Stakeholders primarily have primarily have have a interest in interest in legitimate and value other and value the interest in the must Defended defend System Assets must meet Stakeholder Needs Engineering Safety- & Security-Related Requirements 85 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Stakeholders Entry/Edit Form Engineering Safety- & Security-Related Requirements 86 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Stakeholders Report Engineering Safety- & Security-Related Requirements 87 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Stakeholder Safety/Security Analysis Safety/Security Analysis of PMI Corporate Management General Responsibilities: – Ensure the short- and long-term profitability of PMI. – Ensure the marketability of PMI automated people movers (APM). – Ensure customer and user satisfaction with PMI APMs. – Ensure the quality of PMI APMs (e.g., capacity, maintainability, reliability, usability). Safety/Security Responsibilities: – Provide leadership in safety and security matters. – Ensure that PMI APM vehicles will operate safely. – Ensure that PMI APM systems will be secure against attack (e.g., cybercrime and theft). – Ensure that PMI proprietary information will be secure from corporate espionage. – Ensure that effective safety and security policies will exist and be enforced. – Provide oversight of PMI projects with regard to safety and security. Context: – PMI is subject to very stiff competition from both domestic and foreign competitors. – PMI’s ability to create APMs that enable large numbers of small vehicles to safely share guideways with minimal headway is a cutting-edge technology that provides a competitive edge over some of PMI’s rivals. – Corporate management is primarily trained in business management and does not understand the technology, especially the importance of software to achieving technical requirements. – PMI’s previous smaller and simpler APMs have not suffered serious accidents or security attacks. – ZATS is PMI’s current flagship APM. Actual or Potential Process Model Defects: – Has underestimated the maturity and risk of the new technology. – Has assumed that ZATS development productivity will be the same or better than previous projects. – Believes that the large number of failures found and fixed during initial prototyping indicate that the major problems are all solved and are not indicative of future failures once full scale development starts and ZATS has been placed into operation. Actual or Potential Dangerous Decisions and Actions: – Has pushed ZATS project management to lower their estimates of the cost of ZATS development and the time required for ZATS development in order to win the contract. – Is counting on the project future income from ZATS, even though ZATS is likely to suffer from both cost and schedule overruns. – May let safety and security policies and requirements be violated in order to meet project budget, schedule, and functionality goals. – May provide inadequate oversight of the ZATS project with regard to safety and security. Engineering Safety- & Security-Related Requirements 88 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Asset Analysis Subject Matter Safety Team Security Team Experts collaborates Requirements Engineering with Asset-Harm Prevention Standard / Reusable Requirements Team provide Requirements Asset-Harm Stakeholders input Requirements Asset-Harm during performs Detection Preparation Requirements provide input Asset Value Asset-Harm during performs Reaction Categorization Asset Requirements ZATS Contractual Asset Identification Documentation Analysis Harm Severity Categorization ZATS Requirements Asset Requirements Asset-Harm Work Products Modeling Asset Development Requirements Descriptions ZATS Architectural Asset-Harm Representations Asset Goal Asset-Harm Requirements Safety Identification Goals Validation Requirements Project-External Documentation Asset Asset-Harm ZATS Defensibility Work Product perform Security Work Products V&V support Requirements Generic Reusable Requirements Safety Security Documentation Safety and Security Team Support Team Team SMEs Stakeholders Certification Repositories Safety and Security Engineering Engineering Safety- & Security-Related Requirements 89 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Defended Assets Ownerless Objects value Unauthorized Privately Owned Harm Stakeholders Intangible Objects Objects can happen to have an Publically Owned Physical Objects interest in the Objects must defend Inanimate Objects Defended System Living Objects Assets Objects Atmosphere play Roles Things Biosphere Electromagnetic Roles Played play Spectrum People Environment By People Hydrosphere Roles Played By play Lithosphere Organizations Services Organizations Outer Space Prime Contractor Customer Developer Subcontractors Maintainer Operator Supplier / Vendor Owner Regulator Sustainer User Engineering Safety- & Security-Related Requirements 90 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Assets People: • Passengers - people who are riding ZATS taxis Organizations: • Metropolitan Zoo Authority (MZA) - the organization that operates the Metropolitan Zoo and acquires ZATS Property: • ZATS line replaceable units (LRUs) - ZATS architectural components (data, hardware, software, subsystem) that can be repaired or replaced by the maintainer after ZATS has been placed in operation Environment: • Atmosphere - the layer of gas surrounding the earth that is retained by gravity and subject to both air and noise pollution Service: • Taxi service - transportation by ZATS taxis of passengers and their personal property around the zoo Engineering Safety- & Security-Related Requirements 91 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Defended Assets Entry/Edit Form Engineering Safety- & Security-Related Requirements 92 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Defended Assets Report Engineering Safety- & Security-Related Requirements 93 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Unintentional Safety (Accidental) Types of Harm Harm Unauthorized Authorized e.g., caused to enemy forces by Harm Harm Intentional weapons systems Security and (Malicious) Survivability Harm can Direct Harm happen to Defended Assets Harm Indirect Harm Harm to Harm to Harm to Harm to the Harm to a People Organizations Objects Environment Service Being Bankruptcy Corruption Contami- Accidental Loss Kidnapped nation of Service Legal Conse- Damage Corruption quences Damage Corruption (bribery or Destruction extortion) Loss of Destruction Denial of Market Share Lost Value Service (DOS) Death Loss of Use Loss of Loss of Trust Theft or Disability Reputation Pollution Piracy Repudiation of Financial Loss of Unauthorized Wildlife Transaction Hardship Trained Staff Access Death, Injury, or Unauthorized Lost Illness Illness Unauthorized Usage (Theft) Opportunity Disclosure Costs Injury Lost Profits Loss of Anonymity, Identity, or Privacy Loss of Employment Engineering Safety- & Security-Related Requirements 94 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Security Characteristics as Types of Harm Accountability Nonrepudiation Data Integrity Availability (Defensibility) Document Integrity Desired Tamper System Security Integrity Hardware Integrity Resistence Characteristic Personal Integrity Software Integrity Immunity depends on Confidentiality Anonymity Identification Access Control Authentication Safety Authorization (degree qualified) Authorization Security Authorization (degree trusted) Engineering Safety- & Security-Related Requirements 95 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Harm Severity Harm severity is an appropriate categorization of the amount of harm: • Potential harm • Actual harm • Maximum credible harm Harm severity categories can be standardized (ISO, military, industry- wide) or endeavor-specific. Harm severity categories need to be: • Clearly identified. • Appropriately and unambiguously defined. Note that some standards confuse harm severity with hazard “severity” (i.e., categorization of hazard based on the severity of harm that its accidents can cause) Engineering Safety- & Security-Related Requirements 96 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative Harm to a ZATS Defended Asset Person: • Death • Injury – minor, major, and disability (physical and psychological) • Occupational illness (maintainer) • Loss of money – various amounts • Lost of confidentiality of sensitive information (passenger identity theft) • Loss of reputation (managers, developers) Engineering Safety- & Security-Related Requirements 97 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Defended Asset Types Report Engineering Safety- & Security-Related Requirements 98 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
The ZATS Harm Severity Categories Catastrophic: Potential ZATS lifespan harm that is unacceptable to authoritative stakeholders (loss of priceless defended asset) Major: Potential five-year harm that is only acceptable to authoritative stakeholders after major actions have been taken to lower its risk (loss of extremely defended asset) Minor: Potential yearly harm that is acceptable to authoritative stakeholders after minor action has been taken to lower its risk (loss of moderate or low value asset) Negligible: Potential yearly harm that is acceptable to authoritative stakeholders but that does not justify any action to lower its risk (loss of inconsequential asset) Engineering Safety- & Security-Related Requirements 99 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
The ZATS Harm Likelihood Categories Frequent: An average of once or more times every month Probable: Less than an average of once every month (but more than occasional) Occasional: Less than an average of once every year (but more than remote) Remote: Less than an average of once every 5 years (but more than implausible) Implausible: Less than a 10% chance of happening during the entire ZATS 30 year planned lifespan Engineering Safety- & Security-Related Requirements 100 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Asset-Harm Safety and Security Goals Asset-Harm Prevention Safety Goal: • ZATS will not accidentally kill or injure its passengers. Asset-Harm Detection Security Goal: • ZATS will detect infection of its data and software files by malware. Asset-Harm Reaction Security Goal: • On detecting malware infection, ZATS will quarantine the infected file and notify the operator and maintainer. Engineering Safety- & Security-Related Requirements 101 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Asset-Harm Safety and Security Requirements Asset-Harm Prevention Safety Requirement: • Passenger death prevention: ZATS shall ensure that the expected frequency with which it accidentally kills a passenger does not exceed 0.1 passenger during the projected 30 year system lifespan. Asset-Harm Detection Security Requirement: • Malware detection: ZATS shall detect infection of its data and software files by at least 99% of known malware. Asset-Harm Reaction Security Requirement: • Malware reaction: On detecting malware infection, ZATS shall quarantine the infected file and notify the operator and maintainer at least 99.9% of the time. Engineering Safety- & Security-Related Requirements 102 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Abuse (Misuse and Mishap) Analysis Subject Safety and Matter Safety Team Security Team Requirements Experts collaborates Security Engineering with Engineering Abuse Prevention Requirements Team Requirements provide input Abuse Stakeholders during Preparation Detection Requirements perform provide Abuse input performs Abuse Abuse Reaction during Identification Profiles Requirements Abuse Requirements & Architecture Analysis Work Products: Abuse Graphical Requirements Abuse - RFP and Contract - ConOps Modeling Models Development Requirements - Rqmts Repository - Architecture Abuse (Mishap) Abuse Goal Abuse Requirements Safety Project-Specific Identification Goals Validation Requirements Work Products: - Asset Profiles Abuse Abuse (Misuse) - Asset Value Categorization Work Product support perform Security - Harm Severity Categorization V&V Requirements Generic Reusable Subject Work Products: Safety Security Matter - Abuse Lists & Tables Requirements Team Team Experts Stakeholders - Abuse Cases & Trees Team Support - Abuse Goals - Enterprise and Reference Safety and Security Architectures Certification Repositories Engineering Safety- & Security-Related Requirements 103 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Abuses (Mishaps and Misuses) Abuse (defensibility) a series (or network) of one or more unwanted events that cause (or can cause) unauthorized harm to one or more defended assets Mishap (safety) an accidental abuse Misuse (security or survivability) a intentional (malicious) abuse Engineering Safety- & Security-Related Requirements 104 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Abuses is a network of Defensibility Abuses Events Mishaps Misuses Security Survivability Misuses Misuses Safety Civilian Security Enemy Military Survivability Accidents Incidents Attacks Incidents Attacks Incidents Successful Probes Successful Civilian Enemy Military Attacks Attacks cause Unauthorized can occur to Defended Harm Assets Engineering Safety- & Security-Related Requirements 105 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Importance of Accidents (Safety) Accidents can have expensive and potentially fatal repercussions: • Ariane 5 maiden launch — Reuse of Ariane 4 software not matching Ariane 5 specification • Mars Climate Orbiter ($125 million) — English vs. Metric units mismatch • Mars Polar Lander — Missing requirement concerning touchdown sensor behavior • Patriot Missile Battery misses SCUD missile — Missing availability (uptime) requirement • Sheffield sinking during Falkland War — Radar misidentifies incoming Argentinean missile as “friendly” • Therac–25 Radiation Therapy Machine — Timing of rare input sequence results in race condition and extreme radiation doses Engineering Safety- & Security-Related Requirements 106 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Importance of Attacks (Security) Largest unauthorized disclosure of confidential information: 150,000,000 customer records on 17 March 2012, Shanghai Roadway D&B Marketing Services Co. Ltd Predator and Reaper unauthorized disclosure of confidential video feeds In 2009, Iraqi insurgents were able to intercept the unencrypted video feeds from Predator and Reaper drones. No security requirements to protect sensitive video feed information during transmission. Stuxnet (cyber warfare) In 2010, the computer worm infected the supervisory control and data acquisition (SCADA) software on the programmable logic controllers (PLCs) that controlled Iran’s uranium enrichment centrifuges. Stuxnet commanded excessive rotational speeds while displaying fake normal sensor data to the operators. No security requirements to address malware, to check for valid speed inputs, or to ensure the integrity of sensor values. Engineering Safety- & Security-Related Requirements 107 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example ZATS Security Abuse (Attack) Tree Steal ZATS Legend Industrial wants to Attack Spy Attacker Intellectual Goal Instantiation (is a) Property Inheritance (is a kind of) achieves performs Industrial Aggregation (is part of) Attack Espionage Association Nation State Spy Insider Dumpster Internet Plant Physical Social Recruitment Diving Access Spy Access Engineering Domain Name Control Facility Current or Blackmail Break-in Determination Access Former Employee Bribery Impersonation ZATS Firewall Maintenance Extortion Exploit Facility Access PMI Web Server Employee Janitor Taxi Access Exploit Recruitment Safety / Security Zoo Control Server Maintainer Accreditor Administration Exploit Recruitment Office Access Safety Operator Inspector Recruitment Engineering Safety- & Security-Related Requirements 108 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Safety Abuse (Mishap) Tree Cave or Mine Ocean Building Electrical Fire and Smoke Structural Water Wind Collapse Damage Damage Damage Damage Damage Hurricane River Snow Storm Destroy or Damage “wants” to Natural Maintenance / Mishap Legend Storm Disaster Operations Facility “Goal” and Taxi Stations Instantiation (is a) Thunder achieves Inheritance (is a kind of) Storm Sun performs Abuse of Association Mishap ZATS Building Tornado Tectonic Fault Cave in / Flying Heavy High Voltage Storm Wild Earthquake Sinkhole Debris Snow Spike (EMP) Surge Fire Volcano Coastal High Lightning Volcanic Flood Hail Erosion Winds Strike Ash Fall Engineering Safety- & Security-Related Requirements 109 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example ZATS Abuse (Misuse) Cases Steal from Travel Card Vending threatens Machine Buy Travel Card Steal from Bank Passenger Steal Card Server Bank Card Add Funds to Data Steal from Network Travel Card threatens Steal from threatens Passenger Ride Taxi Thief Steal from Passengers threatens Steal from Vending Machine threatens Steal Cash Steal from Service threatens Maintainer Maintainers Vending Machine Steal from Safe threatens Steal Equipment threatens Service Taxis Steal ZATS Steal Tools threatens Controller Property Steal Hardware threatens Control ZATS Steal Software threatens Engineering Safety- & Security-Related Requirements 110 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative Potential Types of ZATS Safety Abuses (Mishaps) Accident: • Rear-end Collision One taxi rear-ends another taxi causing damage to one or both of the taxis. Safety Incidents: • Bumping Bumpers One taxi lightly bumps into another taxi without causing damage to one or both taxis. • Inadequate Headway (tailgating) The distance between two adjacent taxis becomes less than the minimum safe braking distance. Starting to tailgate (event) is an safety incident (near miss), whereas Tailgating (condition) is a hazard. Engineering Safety- & Security-Related Requirements 111 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative Potential Types of ZATS Security Abuses (Misuses) Successful attacks: • Arson of Taxi Station An arsonists starts a fire in a taxi station. • Denial of Service (DoS) A cybercriminal uses signal jamming to mount a successful DoS attack against the ZATS taxis. Security Incidents: • Unsuccessful Malware Infection Software malware (e.g., worms and viruses) fails to infect a ZATS computer (e.g., because of the existence of properly installed antivirus software with current virus definitions). • Undetected Probe A cybercriminal’s attempt to identify computer vulnerabilities (e.g., open ports) goes undetected. Engineering Safety- & Security-Related Requirements 112 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Abuse (Mishap and Misuse) Requirements Mishap prevention requirement: Taxi collisions: Under normal operating conditions, ZATS shall ensure that the rate of major collisions between taxis* is less than X per [Y trips | time unit]. * Terms must be properly defined. For example, a major taxi collision could be defined as one with a relative speed of at least 10 mph. It could also be defined in terms of cost but… Misuse prevention requirement: Denial of service: ZATS shall detect Internet launched denial of service attacks within 2 minutes at least 99% of the time. Engineering Safety- & Security-Related Requirements 113 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Abuses Entry/Edit Form Engineering Safety- & Security-Related Requirements 114 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Abuses Report Engineering Safety- & Security-Related Requirements 115 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Vulnerability Analysis Architects, Designers, and Safety and Requirements Team Requirements Implementers Safety Team Security Team Security collaborates Engineering Engineering Generic / Reusable with Vulnerability Requirements Safety and Constraints Vulnerability Preparation Requirements performs Quality Engineers, Security provide Testers, and input Vulnerability Maintainers performs Vulnerability Vulnerability during Requirements Identification Table provide Vulnerability input Vulnerability and Abuse during Table Requirements Vulnerability Vulnerability Requirements Analysis Modeling Development Concept of Vulnerability Operations (ConOps) and Defense Vulnerability Table Constraints Requirements, Vulnerability Requirements Glossaries, and Vulnerability Validation Goal Domain Models Goals Safety Identification Vulnerability System Architectural Constraints support perform Representations Abuse Table Safety and Security Security Subject Vulnerability Certification Safety Security Abuse Cases Matter Constraints Repository Team Team Stakeholders Experts Abuse Trees Engineering Safety- & Security-Related Requirements 116 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Vulnerabilities Vulnerability a potential or actual system-internal weakness or defect in the system that enables or causes: — A danger (hazard or threat) to exist. — An abuse (mishap or misuse) to occur. Ways to identify vulnerabilities include: • Analyze historical data • Identify and analyze plausible “defects”: — Requirements defects (missing, ambiguous, incomplete, or incorrect requirements) — Component internal defects (component fails to meet its requirements) — Component interaction defects (components meet individual requirements) • Consider human issues beyond “user error”: — Human limitations, financial and schedule pressures, psychology, etc. Engineering Safety- & Security-Related Requirements 117 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Vulnerabilities Data Missing Management Vulnerabilities Component Vulnerabilities Vulnerabilities Energy Safety Requirements Vulnerabilities Component- Vulnerabilities Vulnerabilities Ergonomic Internal Architectural Vulnerabilities Vulnerabilities Security Vulnerabilities Vulnerabilities Facility Component Design Defective Vulnerabilities Interaction Survivability Vulnerabilities Materials Vulnerabilities Vulnerabilities Hardware Implementation Hazardous Vulnerabilities Vulnerabilities Biologicals Material Integration Vulnerabilities Vulnerabilities Vulnerabilities Hazardous Chemicals Procedural Manufacturing Hazardous Vulnerabilities Vulnerabilities Physical Software Actual Potential Configuration Materials Vulnerabilities Vulnerabilities Vulnerabilities Vulnerabilities Subsystem Maintenance Vulnerabilities Vulnerabilities Known Unknown Vulnerabilities Vulnerabilities Engineering Safety- & Security-Related Requirements 118 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Vulnerabilities (Potential or Actual) Defensibility vulnerability: • Lack of or defective fire detection and suppression system in the ZATS buildings Safety vulnerability: • Defect (accidentally incorporated) in the software of the LIDAR proximity detection subsystem Security vulnerability: • Lack of or defect in the encryption/decryption software • Incorporation of a backdoor, logic bomb, time bomb, or Trojan horse Engineering Safety- & Security-Related Requirements 119 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Vulnerabilities Entry/Edit Form Engineering Safety- & Security-Related Requirements 120 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Vulnerabilities Report Engineering Safety- & Security-Related Requirements 121 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Ways to Identify Vulnerabilities Analyze historical data: • Published lists of commonly occurring vulnerabilities and vulnerability types Brainstorm plausible “defects”: • Requirements defects (missing, ambiguous, incomplete, or incorrect requirements) • Component internal defects (component fails to meet its requirements) • Component interaction defects (components meet individual requirements) Consider human issues beyond “user error”: • Human limitations, financial and schedule pressures, psychology, etc. Engineering Safety- & Security-Related Requirements 122 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Safety Vulnerability Requirements Vulnerability: Taxi Doors Cannot Lock: A ZATS taxi cannot lock its closed doors when moving. Vulnerability prevention requirement: Lock Taxi Doors: When its doors are closed, each ZATS taxi shall be able to lock and unlock its doors with a success rate of at least 99.99%. Vulnerability detection requirement: Detection of Unlocked Taxi Doors: When it is moving and its doors are closed, each ZATS taxi shall be able to determine if its doors are unlocked at least 99.99% of the time. Vulnerability reaction requirement: Reaction to Unlocked Taxi Doors: If any ZATS taxi is moving and detects that its doors are not locked, then the taxi shall : • Notify the ZATS operator within 5 seconds at least 99.99% of the time • Warn the taxi passengers to stay away from the doors until the taxi has berthed at the next taxi station within 1 second at least 99.99% of the time Engineering Safety- & Security-Related Requirements 123 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Security Vulnerability Requirements Vulnerability: Server Infected with Malware: A ZATS server is infected with malware. Vulnerability prevention requirement: Malware Infection Prevention: ZATS servers shall not be infected with known malware at least 99.99% of the time. Vulnerability detection requirement: Malware Infection Detection: Each ZATS shall detect when it is infected with known malware at least 99.99% of the time. Security vulnerability reaction requirement: Malware Infection Reaction : When a ZATS server detects that it is infected by malware, it shall: • Delete the malware at least 95% of the time • Quarantine any malware it could not remove at least 99% of the time • Notify the ZATS operator of the infection and the status (i.e., malware deleted, malware quarantined, or malware unaffected) at least 99% of the time Engineering Safety- & Security-Related Requirements 124 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Abuser Analysis Subject Matter Safety Team Security Team Requirements Team Experts collaborates Generic / Reusable with Abuser Abuser-Related Requirements Protection Requirements provide Preparation Abuser Abuser Stakeholders input Table Detection during Requirements performs Abuser Abuser performs provide Profiles Identification Abuser input Reaction during Asset Abuser Requirements Project Documentation Abuser Table Requirements (RFP, Contract, ConOps) Analysis Abuser Development Abuser- Abuser Modeling Related Abuse Asset Generic / Reusable Harm Table Requirements Abuser Lists Requirements Abuser- Validation Abuser Goal Safety Generic / Reusable Related Development Abuser Abuser Profiles Goals Requirements perform support Generic / Reusable Safety and Security Security Abuser-Related Goals Certification Abuser Repositories Subject Requirements Safety Security Matter Team Team Experts Stakeholders Safety and Security Requirements Engineering Engineering Engineering Safety- & Security-Related Requirements 125 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Abusers Foreign Disgruntled Intelligence Dishonest Script Professional Malicious Agencies Employees Kiddies Criminals Hackers Phishers & Botnet Industrial Hactivists Terrorists Spammers Operators Spies Hazardous Hazardous Hazardous Zombies Materials Parts of Nature Systems create Malware and use Zombie Systems Armies Hazardous Hazardous Hazardous Hardware Attackers Malware Energies Objects People Malware Adware Software Logic Bombs Malware Malvertisements can Unintentional Abusers Intentional Abusers can Ransomware cause (Safety) (Security) cause Root Kits Direct Actual Scareware Abusers Abusers Spyware Abusers Time Bombs Potential Indirect Abusers Abusers Trojan Horses can cause can can harm exploit Worms Abuses Vulnerabilities Viruses can harm can enable Defended Assets Safety Security Abuses Abuses Engineering Safety- & Security-Related Requirements 126 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Abuser Profiles Abuser Profile a description of a specific type of abuser, typically including: • Means including tools, training, expertise, support, and time • Motive including both desired harm and risk aversion (for attackers) • Opportunity including access to system and defended assets • External influences such as project cost and schedule pressures, personal financial pressures • Abuser weaknesses such as human mental and physical limitations, untreated addictions and mental illness Profiles are highly reusable. Profiles more commonly used for attackers than non-malicious abusers, but are useful for both. Engineering Safety- & Security-Related Requirements 127 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative Potential ZATS Abusers Accidental human abuser: • Maintainers (who make mistakes if inattentive, careless, or fatigued) Accidental external system abuser: • Electrical power grid (which may provides current or voltage spikes and surges, sustained overvoltage or undervoltage, complete power loss, random noise, or electromagnetic interference) Accidental environmental abuser: • Storm (which may provide high winds, hail, heavy snow, ice, etc.) Attacker (malicious human abuser): • Industrial spy (who may steal proprietary data) Malware (malicious nonhuman abuser): • Adware, ransomware, scareware, spyware, virus, or worm Engineering Safety- & Security-Related Requirements 128 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Abusers Entry/Edit Form Engineering Safety- & Security-Related Requirements 129 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Abusers Report Engineering Safety- & Security-Related Requirements 130 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Abuser Requirements Safety abuser prevention requirement: ZATS shall ensure that its operations and maintenance facility is beyond reach of the nearby river, even in the event of 100 year floods. Security abuser prevention requirement: ZATS shall prevent attackers of type X with profile Y from successfully causing the loss of confidentiality and integrity of sensitive information Z by preventing attacks lasting no more than 8 total hours at least 99% of the time. Engineering Safety- & Security-Related Requirements 131 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Danger Analysis Safety Team Security Team collaborates Subject Matter with Safety and Security Requirements Experts Engineering Engineering Requirements Team Danger Protection Requirements Preparation Generic / Reusable Hazard and Threat Danger provide Danger Requirements Stakeholders Danger (Hazard Detection input Identification & Threat) Requirements during performs performs List provide Danger Danger input Profiling Reaction Danger during Requirements Task Profiles System Safety and Analysis Requirements Danger Security Development Analysis Danger Documentation Cause Danger Requirements Analysis Cause & Generic / Reusable Effects Danger Requirements Danger Lists Diagrams Modeling Root Validation Cause(s) Safety Hazard Generic / Reusable Analysis Requirements Danger Profiles perform FMECA support Common Tables Security Generic / Reusable Cause Threat Danger Probabilities Analysis Subject Requirements HAZOP Safety Security Matter Danger Tables Team Team Experts Stakeholders Safety and Effects Security Analysis Certification Danger Goal Danger Requirements Repositories Identification Goals Engineering Engineering Safety- & Security-Related Requirements 132 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Components of Dangers are simultaneous and co-located combinations of dangerous Dangers Conditions increase the Existence Existence of probability of of Abusers Defended Assets Existence of Other can Vulnerabilities Conditions cause Abuses Abusers can cause Unauthorized Vulnerabilities Harm can exist in can happen to abuse System Defended Assets must defend Engineering Safety- & Security-Related Requirements 133 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Dangers Acoustic Business Hazards Hazards Biological Malware Hazards Computational Security Survivability Chemical Hazards Hazards Threats Threats Electrical Hazards Environmental Computational Fire Hazards Threats Hazards Gravitational Human Hazards Threats Hazards Hazards Kinetic Human Hazards Threats Material Physical Hazards Hazards Dangers Mechanical Hazards Procedural Radiation Attackers Hazards Hazards Thermal Hazards Actual Potential Miscellaneous Dangers Dangers Hazards Engineering Safety- & Security-Related Requirements 134 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Dangers Danger a potential or actual situation that increases the likelihood of one or more related abuses Hazard a danger that increases the likelihood of mishaps (safety) Threat a danger that increases the likelihood of misuses (security) A danger consists of one or more conditions concerning the existence of: • Vulnerable defended assets that can be harmed by abuses • System-internal vulnerabilities or other system-internal conditions, states, or modes • System-external abusers or other system-external conditions, states, or modes Dangers are sets of concurrent conditions, whereas abuses are networks of events. Engineering Safety- & Security-Related Requirements 135 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Identifying Dangers (Hazards and Threats) Several approaches exist that can be used to identify dangers: • Abuse-Based Identification – Consider each identified abuse to identify the associated dangers that increase the probability of the abuse occurring. • Abuser-Based Identification – Consider each identified abuser to identify the associated dangers that include the existence of the abuser as a component condition. This is especially useful for identifying security threats based on generic types of attackers and malware. • Asset-Based Identification – Consider each defended asset to identify the dangerous conditions that can lead to that asset being harmed. • Task-Based Identification – Consider each task performed by a “user” of the system to identify the relevant dangers that can exist. Observe the users while performing their tasks. • Use-Case-Based Identification – Consider each use case and use case flow to identify the associated dangers. • Vulnerability-Based Identification – Consider each vulnerability to identify the associated dangers. Engineering Safety- & Security-Related Requirements 136 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Traditional Hazard Analysis (Safety)1 As used in the safety community, hazard analysis usually implies the analysis of assets, harm, incidents, hazards, and risks. Hazard analysis often occurs multiple times before various milestones: • Preliminary Hazard Analysis (PHA) • System Hazard Analysis (SHA) Hazard analysis should probably be performed continuously. Engineering Safety- & Security-Related Requirements 137 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Traditional Hazard Analysis (Safety)2 Traditional hazard analysis techniques: • Come from reliability analysis • Concentrate on individual component failures • Do not address all (or even most) safety concerns • Are inadequate for software and “human error” Traditional techniques borrowed from reliability include: • Event Tree Analysis (ETA) • Fault Tree Analysis (FTA) • Hazard Cause and Effect Analysis (HCEA) • Failure Mode Effects Criticality Analysis (FMECA) Engineering Safety- & Security-Related Requirements 138 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example ZATS Hazard, Events, Harm, and Assets Door Passenger Taxi Starts Unexpectedly Falls Out of Taxi Passenger Passenger Hits Head Moving Starts Opening (accident Lands On Guideway on Guideway (normal event) (hazardous event) trigger) (harm event) (harm event) Passenger is Passenger is Passenger is Dead Passenger is Okay Falling (abnormal Rolling and Injured (abnormal (normal condition) condition) (abnormal condition) condition) Taxi is Moving Taxi is Moving (normal condition) (abnormal condition when taxi door is open) Taxi Door Taxi Door is Open is Closed (abnormal condition when taxi is moving) (normal condition) Taxi Cabin Contains one Passenger Taxi Cabin is Empty (normal condition) (abnormal condition during habitat tour or passenger trip) Taxi Control Software (SW) is Defective (failure causes door to open inappropriately) (vulnerability) Passenger is in Moving Taxi with Passenger is Killed Open Door and Falling From Moving Taxi Defective SW (accident) (hazard) Time Engineering Safety- & Security-Related Requirements 139 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Fault Tree Passenger falls out of open door of moving taxi Passenger inattentive and near taxi door Door opens on Train starts moving moving taxi with open door Warning is Taxi Taxi door is Door motor ineffective Taxi door fails to close starts to unlocked opens taxi door move A Taxi Taxi door lock Taxi Taxi door Taxi Taxi door Taxi motor Taxi fails computer motor fails computer motor fails computer fails computer unlocked fails open fails open fails on fails Taxi door Taxi door sensor fails lock sensor closed fails locked Engineering Safety- & Security-Related Requirements 140 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example Event Tree Taxi Door Taxi Taxi Taxi Speed Position Door Brakes Speaker Sensor Sensor Motor closes door Passenger is protected. detects issues open door stops warning taxi Passenger may fall out of stopped taxi. fails Passenger likely to fall out of stopped taxi. detects fails motion issues Passenger is warning fails Passenger may fall out of stopped taxi. near open door on a moving taxi fails Passenger likely to fall out of stopped taxi. fails Passenger likely to fall out of stopped taxi. fails Passenger likely to fall out of stopped taxi. Engineering Safety- & Security-Related Requirements 141 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Example ZATS FMECA Table Component Failure Failure Failure Failure Failure Criticality Safety that fail Mode Cause Effect Severity Likelihood (Risk) Controls Hardware No data, Bad Excessive redundancy, data (0, last Hardware failure, acceleration or Accelerometer High-reliability value, loss of electrical deceleration Minor Low Moderate (Taxi sensor) COTS maximum power, wiring fails causing passenger component, SW value) injury fault tolerance Taxi not controllable Hardware CPU, electrical (e.g., braking, redundancy, Loss of power (loss or power, steering), High-reliability Computer function spike), hard drive, collision between COTS Hardware (complete or Severe Moderate Critical motherboard, or taxis, collision with components, (Taxi) intermittent), RAM failure, guideway, temperature bad data high temperature unexpected or sensor, SW emergency braking fault tolerance SEAL 1 applied Loss of Taxi not controllable (e.g., SW fault function CPU, electrical (e.g., braking, tolerance, real- (complete or power (loss or power, steering), time operating Computer intermittent), spike), hard drive, collision between system, safe Software Severe High Critical incorrect motherboard, or taxis, collision with language (Taxi) function, bad RAM failure, guideway, subset, formal timing of high temperature unexpected or specification of function emergency braking core functions, etc.) Engineering Safety- & Security-Related Requirements 142 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Hazard Analysis (Safety) – A Relook1 Safety and reliability are not the same: • Unreliable systems can be safe (failsafe systems – failures do not cause harm) • Reliable systems can be unsafe (poor requirements lead to accidents) Reliability-based safety analysis assumes: • Accidents are due to the independent failures of individual components • Defective components fail to meet their requirements However, most accidents are due to: • Poor (missing, ambiguous, incomplete, or incorrect) requirements • Component interaction defects, whereby the individual components meet their requirements and are thus reliable • Software, that glues complex components together • Human causes of accidents beyond “user” errors: — Management and developer rather than operator (e.g., pilot) errors — Unavoidable human limitations, financial and schedule pressures, psychology, sociology, etc. Engineering Safety- & Security-Related Requirements 143 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Hazard Analysis (Safety) – A Relook2 Modern Hazard Analysis: • Add requirements defects to component defects. • Add component interaction failures to individual component failures. • View safety and security as emergent system characteristics arising from the interaction among system components and the system’s environment rather than the characteristics of individual system components in isolation. • Emphasize software and humans over hardware. Danger Analysis: • Emphasize safe and secure interfaces. • View safety and security not as a reliability problem but rather as a problem of controlling dangers by enforcing safety- and security-related requirements. • Address indirect and systemic causes of accidents and successful attacks. Engineering Safety- & Security-Related Requirements 144 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Hazard - Overspeed Primary Condition: • Taxi exceeds the speed limit. Existence of one or more Vulnerable Assets: • Guideways • One or more passengers • Passenger property • Taxis • Taxi stations Existence of one or more system Vulnerabilities: • Defective speed sensor • Defective power braking system • Defective taxi processor • Defective associated software Existence of one or more Non-malicious Abusers: • None (taxi speed is automatically controlled by the taxi) Engineering Safety- & Security-Related Requirements 145 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Hazard Requirements - Overspeed Overspeed Requirements: • ZATS taxis shall not exceed the speed limit by more than one mile an hour more than 0.001 % of the time. • ZATS taxis shall not exceed the speed limit by more than five miles an hour more than 0.0001 % of the time. • ZATS taxis shall not exceed the speed limit by more than one mile an hour for durations longer than 10 seconds more than 0.0001 % of the time. Engineering Safety- & Security-Related Requirements 146 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Threat (Bank Card Confidentiality) Primary Condition: • Travel Card Vending Machine computer connected to Internet via Operations Facility Server Existence of one or more Vulnerable Assets: • Passengers’ bank card information Existence of one or more system Vulnerabilities: • Lack of encryption during transmission • Lack of encryption during storage • Weak encryption • Lack of firewalls or firewalls improperly configured Existence of one or more Malicious Abusers: • Cyber-thief: — Means: Expertise plus relevant hacking tools — Motive: Greed — Opportunity: Computer access to the Internet Engineering Safety- & Security-Related Requirements 147 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Threat Requirements Threat Requirements: • ZATS shall encrypt all passenger bank card information while stored within ZATS. • ZATS shall not store passenger bank card information in the travel card vending machines. • ZATS shall encrypt all passenger’s bank card information sent to the bank card processing gateway. Rationale: to make the bank card information unusable by cyberthieves if accessed. Engineering Safety- & Security-Related Requirements 148 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Dangers Entry/Edit Form Engineering Safety- & Security-Related Requirements 149 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Dangers Report Engineering Safety- & Security-Related Requirements 150 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Risk Analysis Safety Team Security Team Requirements Team Safety and Risk collaborates Requirements Subject with Security Protection Matter Engineering Requirements Engineering Experts Standard / Reusable Risk Detection Defensibility Risk Requirements Requirements performs performs Preparation provide Risk Reaction Stakeholders input Requirements during Risk Risk provide Identification Lists Requirements input Risk Development Analysis Risk Risk-Related during Risk Requirements Definition Modeling Tables Generic / Reusable Requirements Risk Tables Validation Risk Goal Defensibility Safety Risk Identification Risk Goals Requirements Abuse Table perform support Abuse Trees Security Risk Requirements Subject Abuse Cases Safety Security Matter Team Team Experts Stakeholders Danger Profiles Safety and Security Danger Cause and Certification Effects Diagrams Repositories Engineering Safety- & Security-Related Requirements 151 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Risks Risk the expected or maximum credible amount of unauthorized harm Traditionally calculated as the product of the: • probability that harm will occur • the amount or severity of the harm Defensibility Risks the expected or maximum credible amount of unauthorized harm that can occur • To [a type of] defended assets • Due to a specific [type] of abuse • Due to the existence of [a type of] vulnerability, abuser, or danger Engineering Safety- & Security-Related Requirements 152 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Estimating Safety and Security Risk Safety Risk the expected or maximum credible amount of unintentional unauthorized harm • Probability accident occurs x harm severity • Probability hazard exists x conditional probability accident occurs given hazard exists x harm severity Security Risk the expected or maximum credible amount of intentional unauthorized harm • Probability attack occurs x conditional probability/rate attack is successful x harm severity • Probability threat exists x conditional probability attack occurs given threat exists x conditional probability attack is successful x harm severity Engineering Safety- & Security-Related Requirements 153 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
are due to Defensibility Defensibility Risks can be estimated in Risks are estimated terms of in terms of Harm Harm Expected amount of harm are the Likelihoods Severities likelihoods to defended assets of the can be estimated occurrences of in terms of Dangers Maximum credible amount Danger Harm Event Conditional of harm to defended Likelihoods Likelihoods increase the assets probability of Determining harm Hazard Threat Accident Successful Attack Likelihoods Likelihoods Likelihoods likelihoods very difficult Likelihoods with software are the conditional likelihoods given danger of occurrence of Abuses can cause categorize amount of Unauthorized Harm correspond to the “expected” amount of can happen to Defended Assets Engineering Safety- & Security-Related Requirements 154 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
The ZATS Safety Risk Matrix Safety risk matrix defines safety risk as a function of: • Harm severity • Frequency of harm occurrence, abuse occurrence or danger existence ZATS Safety/Security Risk Matrix Frequency of Harm / Abuse / Danger Harm Severity Frequent Probable Occasional Remote Implausible Catastrophic Intolerable Intolerable Intolerable High Medium Critical Intolerable Intolerable High Medium Medium Major High High Medium Medium Low Minor High Medium Low Negigible Negligible Negligible Medium Low Negligible Negligible Negligible Engineering Safety- & Security-Related Requirements 155 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Risks Entry/Edit Form Engineering Safety- & Security-Related Requirements 156 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Defensibility Risk Goals and Requirements Defensibility Risk Goal • The risk of fires in ZATS buildings will be acceptable to zoo management and the Metropolitan Zoo Authority. Defensibility Risk Requirement • The risk of fires in ZATS buildings shall be less than or equal to the fire risk to other zoo buildings. Engineering Safety- & Security-Related Requirements 157 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility Significance Analysis Safety Team Security Team Requirements Team collaborates Subject with Matter Requirements Experts Engineering Preparation performs provide performs SAL input Category Stakeholders during Definition Requirements Requirements Identification provide SAL Repository input Significance Categorization during Analysis Requirements SEAL Analysis Safety and Security Category Goals Definition Standard Reusable SEAL Architecture Architecture Safety and Security Allocation Representations Verification Safety and Security Assurance Level (SAL) Certification Definitions Repositories perform produces Standard Reusable Safety and Security collaborate Evidence Assurance Subject in the Architecture Safety Security Level (SEAL) Definitions Matter performance Team Team Team Stakeholders Experts of Safety and Security Architecture Engineering Engineering Engineering Safety- & Security-Related Requirements 158 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Safety/Security Assurance Levels (SALs) Safety/Security Assurance Level (SAL) a category of requirements based on their defensibility (i.e., safety/security) relevance. SALs are used to categorize the safety/security relevance of the subsystems to which they are allocated. SALs can be determined for: • Individual requirements. • Groups of related requirements (e.g., features or functions) SALs should be clearly and unambiguously defined. Engineering Safety- & Security-Related Requirements 159 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Five Ways to Categorize SALs There are five ways to categorize defensibility relevance (in decreasing order of goodness): 1. Risk – Increased risk increases SAL (best but labor intensive) 2. Harm severity – increased harm severity increases SAL (good but not quite as labor intensive as risk) 3. Ad hoc – intuitively assigned based on experience of requirements, safety, or security engineer (usually adequate and low labor) 4. Degree of software control – Increased degree of software control increases SAL (NOT recommended) 5. Degree of software control x harm severity – analogous to risk (NOT recommended) Engineering Safety- & Security-Related Requirements 160 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
SAL in terms of Software Degree of Control categorize SAL is a function is a function of of Defensibility Software Harm Requirements Degrees of Control Severity specify the is software’s control categorizes required amounts over occurrence of amount of of defensibility needed by the System Unauthorized Harm may occur to Valuable Assets Engineering Safety- & Security-Related Requirements 161 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Common Categories of Degrees of Software Control Autonomous Time-Critical: Software completely controls time-critical potentially dangerous system behavior, whereby there is no time for a human user/operator to override the software and either eliminate the danger or prevent the abuse. For example, software failure can directly lead to the existence of the danger or the occurrence of the abuse. Autonomous Allowing Intervention: Software completely controls potentially dangerous system behavior, but there is sufficient time for either a safety/security system or a human user/operator to override the software and either eliminate the danger or prevent the abuse. The software warns the user/operator that immediate action is required. Information Generated: Software generates information that a human user/operator uses to make a decision with safety or security ramifications. Immediate user/operator action is not required. Autonomous Requiring Human Completion: Software primarily controls potentially dangerous system behavior, but a human user/operator must issue a command before the behavior is completed. No Defensibility Significance: Software either controls system behavior or provides information that has negligible safety or security significance. Adequate safeguards or countermeasures exist and have been successfully verified so that any residual safety or security risks are acceptable. Engineering Safety- & Security-Related Requirements 162 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
SAL Definition Table – Degrees of Software Control ZATS Safety/Security Assurance Level Harm Severity (SAL) Definition Table Catastrophic Major Minor Negligible Autonomous Time-Critical SAL = 3 SAL = 3 SAL = 2 SAL = 1 SW Control Degrees of Autonomous Allowing Human Intervention SAL = 3 SAL = 3 SAL = 2 SAL = 1 Defensibility Information Generated SAL = 3 SAL = 2 SAL = 1 SAL = 0 Autonomous Requiring Human Completion SAL = 2 SAL = 1 SAL = 1 SAL = 0 No Defensibility Significance SAL = 1 SAL = 0 SAL = 0 SAL = 0 Engineering Safety- & Security-Related Requirements 163 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
SEALs Safety/security evidence assurance level (SEAL) a category of architectural components based on the highest SAL of the allocated and derived requirements they implement SEALs categorize architectural components to which defensibility-related requirements are allocated. SEALs define increasingly strict associated development methods needed to assure fulfillment of the highest associated SAL requirement. SEALs should be clearly and unambiguously defined. Engineering Safety- & Security-Related Requirements 164 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
SAL versus SEAL Categorized Categorized Architectural Requirements Components SAL = 0 Component 1 R1 SEAL = 0 SAL = {0} Requirements R3 R7 R1 Component 2 R11 SEAL = 1 R2 R13 SAL = {0,1} R3 R4 SAL = 1 Component 3 R5 R2 SEAL = 2 R6 R5 SAL = {0,1,2} R7 R12 R8 R15 Component 4 SEAL = 2 R9 SAL = {0,1,2} SAL = 2 R10 R4 R11 R6 Component 5 Refactored SEAL = 3 R12 R9 Architectural SAL = {1,2,3} Components R13 R10 R14 Component 7 R15 SAL = 3 SEAL 2 R14 SAL = {2} R16 Component 6 R16 SEAL = 4 R17 Component 8 R17 SAL = {2,3,4} R18 SEAL 3 R18 SAL = {2,3} SAL = 4 R8 Engineering Safety- & Security-Related Requirements 165 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Safety/Security Evidence Assurance Level (SEAL) High SEALs require more rigorous development method (including better requirements and architecture engineering): • Formal specification of requirements • Fagan inspections of requirements • Quality assessments of the architecture Often SEALs only apply to design, coding, and testing: • Design inspections • Formal derivation of code and proof of correctness • Model-Based Development (MBD) of software from models • Safe subset of programming language • Extra testing (test types and test completion criteria) Because of the added cost and schedule, architects often attempt to minimize the scope of components having high SEALs. Engineering Safety- & Security-Related Requirements 166 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defensibility-Related Requirements (SAL = 1 - 5) Safety/Security Assurance Level (SAL) Defensibility Quality Intolerable Requirements Requirements Defensibility-Related Requirements SAL = 5 Defensibility Function / Supporting Critical Subsystem Requirements Defensibility-Related Requirements Requirements SAL = 4 Defensibility Constraints Constraints Major Defensibility-Related Other Requirements Defensibility- SAL = 3 Related Functional Requirements Requirements Moderate Defensibility-Related Quality Requirements Defensibility-Related Requirements SAL = 2 Requirements SAL = 1 - 5 System Data Minor Requirements Requirements Defensibility-Related Requirements SAL = 1 Interface Requirements Defensibility-Independent Requirements Constraints SAL = 0 Engineering Safety- & Security-Related Requirements 167 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Defense Determination collaborate with SMEs Safety and Security Requirements Safety Security Architecture Engineering Engineering Team Team Team Requirements Team Safety Defensibility Existing Subsystem / Laws and Defenses Function Regulations Analysis Existing Requirements Relevant Safety Defenses Table Security and Security Defense Subsystem / Policies performs Needs performs Function Analysis Requirements Requirements Engineering Work Defense Products Defense Defensibility- Gap Analysis Goals Requirements Defense Related Safety & Security Development Determination Potential Requirements Assurance Defenses Potential Level (SAL) Table Defense Allocations Requirements Identification Safety Defense Validation Architecture Constraints Vendor Trade Engineering Potential Studies Work Products Defense Security Evaluation Defense support perform Constraints Safety and Defense Analysis Product Security Work Products Evaluation Certification Defense Subject Reports Repositories Selection Safety Security Matter Documentation Architecture Team Team Experts Stakeholders of Existing Authoritative Stakeholders Represen- Defenses Residual tations Catalogues of perform Risks Updated with Standard Acceptance Defenses Defenses Engineering Safety- & Security-Related Requirements 168 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Types of Defenses Safety Security Survivability Active Operational Defenses increase increase Defenses Passive Safeguards Countermeasures Technical Defenses Defenses Defenses (a.k.a., Controls) prevent or help to mandate the eliminate use of specific lessen the meet the or lower frequency of prevent or Defensibility-related Defensibility eliminate lessen the Requirements Constraints severity of Defensibility Abuses Risks Unauthorized Vulnerabilities Harm Engineering Safety- & Security-Related Requirements 169 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Defenses Entry/Edit Form Engineering Safety- & Security-Related Requirements 170 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
ESSR Tool – Defenses Report Engineering Safety- & Security-Related Requirements 171 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Safety Constraints Each ZATS taxi shall contain a taxi door subsystem consisting of two doors, two door position sensors, two door locks, two door lock sensors, one door motor, and associated computer hardware and software. ZATS guideways shall be constructed from pre-stressed reinforced concrete that can support at least 150% of the maximum expected loading. Rationale: This constraint practically prevents the risk of guideway collapse due to credible excessive loading. The bottom of ZATS guideways shall be a minimum of 17 feet above ground level. Rationale: Elevation of the guideways provides patrons with good visibility of the animals in their habitats, safely separates zoo patrons from the animals, eliminates the possibility of taxis running down patrons on zoo walkways, and eliminates the possibility of collision between taxis and patrons’ vehicles in the parking lots. The minimum height of the bottom of the guideway was also chosen to exceed the American Zoological Association (AZA) recommendation of 16 feet. Engineering Safety- & Security-Related Requirements 172 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Representative ZATS Security Constraints ZATS shall use a COTS public key encryption/decryption product to protect sensitive data. Rationale: Encryption and decryption is the most effective countermeasure for ensuring the confidentiality of sensitive data. Using a COTS product is best in terms of cost and schedule, and COTS products tend to use public key encryption. ZATS shall use of a COTS antivirus product to prevent server infection by malware. Rationale: ZATS servers are threatened by the existence of software malware (e.g., viruses, worms, and Trojans). COTS antivirus products maintain current definitions of such malware and are of higher quality and much less expensive than developing and maintaining such a subsystem in-house. Engineering Safety- & Security-Related Requirements 173 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Where We Are Related Disciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion ◄ Engineering Safety- & Security-Related Requirements 174 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Conclusion1 Engineering safety- and security-related requirements requires appropriate: • Concepts • Methods • Techniques and tools • Expertise There are four types of safety- and security-related requirements: • Safety and security quality requirements • Safety- and security-significant requirements • Safety and security function/subsystem requirements • Safety and security constraints These different types of requirements need to be identified, analyzed, and specified differently. Engineering Safety- & Security-Related Requirements 175 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Conclusion2 Processes for requirements engineering, safety engineering, and security engineering need to be: • Properly interwoven. • Consistent with each other. • Performed collaboratively and in parallel (i.e., overlapping in time). Engineering Safety- & Security-Related Requirements 176 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
Recommendations Ensure close collaboration among safety, security, and requirements teams. Better integrate safety and security methods: • Concepts and terminology • Techniques and work products • Provide cross training Better integrate defensibility methods with requirements method: • Early during development cycle (build safety/security in) • Clearly define team responsibilities • Provide cross training Develop all types of safety- and security-related requirements. Ensure that these requirements have the proper characteristics. Engineering Safety- & Security-Related Requirements 177 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
For More Information This tutorial is taken from Engineering Safety- and Security-related Requirements, which will be published in Summer 2011 by Auerbach. Donald Firesmith U.S. Mail: Senior Member of the Tech. Staff Software Engineering Institute Acquisition Support Program Customer Relations Telephone: +1 412-268-6874 4500 Fifth Avenue Email: dgf@sei.cmu.edu Pittsburgh, PA 15213-2612 USA World Wide Web: Customer Relations www.sei.cmu.edu Email: customer-relations@sei.cmu.edu www.sei.cmu.edu/contact.html SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257 Engineering Safety- & Security-Related Requirements 178 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Engineering Safety- & Security-Related Requirements 179 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University

More Related Content

PDF
1 page JLS bio
byJim Lynch
 
PPT
The New Security - Post "9/11"
byWivenhoe Management Group
 
PPTX
Practical Application of Physical Security Criteria
byScott L Weiland PE
 
DOCX
Linder,William H IT Auditor 0216
byWilliam Linder
 
PDF
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
bySeungjoo Kim
 
PDF
Veracity Product Guide
byChris Van Leeuwen
 
PDF
Ultra-Low Power, Secure IoT Platform for Predicting Cardiovascular Diseases
byBHAVANA KONERU
 
PPTX
Physical Security - Why Your Business Needs It
byTerra Verde
 
1 page JLS bio
byJim Lynch
 
The New Security - Post "9/11"
byWivenhoe Management Group
 
Practical Application of Physical Security Criteria
byScott L Weiland PE
 
Linder,William H IT Auditor 0216
byWilliam Linder
 
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
bySeungjoo Kim
 
Veracity Product Guide
byChris Van Leeuwen
 
Ultra-Low Power, Secure IoT Platform for Predicting Cardiovascular Diseases
byBHAVANA KONERU
 
Physical Security - Why Your Business Needs It
byTerra Verde
 

Similar to Engineering Safety and Security-Related Requirements

PDF
Safety, Risk, Hazard and Engineer’s Role Towards Safety
byAli Sufyan
 
PPTX
safety engineering course fees 
byNational Safety Academy
 
PPTX
Safety enginereing corse
byAcountsinstitute
 
PPTX
CISSP Certification- Security Engineering-part1
byHamed Moghaddam
 
PPTX
Safety Engineering in Project Supervision.pptx
byalutarep1
 
PPTX
Safety Engineering in Project Supervision.pptx
byalutarep1
 
PDF
A model based security requirements engineering framework
byIAEME Publication
 
PDF
A model based security requirements engineering framework
byiaemedu
 
PDF
A model based security requirements engineering framework
byiaemedu
 
PDF
A model based security requirements engineering framework
byiaemedu
 
PPTX
Safety specification (CS 5032 2012)
byIan Sommerville
 
PDF
Engineering Safe And Secure Software Systems 1st Edition C Warren Axelrod
byginartniese
 
PDF
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATING SAFETY AND SECURITY ENGIN...
byIJCSES Journal
 
PDF
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
byIJCSES Journal
 
PPTX
Safety enginnering college
byNational Safety Academy
 
PPTX
Safety engineering
byNational Safety Academy
 
PPTX
CS5032 L9 security engineering 1 2013
byIan Sommerville
 
PDF
Engineering safe and secure software systems 1st Edition C. Warren Axelrod
bylammarmoleva
 
PDF
Basic Safety Concepts in Nuclear Engineering
byGlobal Risk Forum GRFDavos
 
PPTX
CS 5032 L12 security testing and dependability cases 2013
byIan Sommerville
 
Safety, Risk, Hazard and Engineer’s Role Towards Safety
byAli Sufyan
 
safety engineering course fees 
byNational Safety Academy
 
Safety enginereing corse
byAcountsinstitute
 
CISSP Certification- Security Engineering-part1
byHamed Moghaddam
 
Safety Engineering in Project Supervision.pptx
byalutarep1
 
Safety Engineering in Project Supervision.pptx
byalutarep1
 
A model based security requirements engineering framework
byIAEME Publication
 
A model based security requirements engineering framework
byiaemedu
 
A model based security requirements engineering framework
byiaemedu
 
A model based security requirements engineering framework
byiaemedu
 
Safety specification (CS 5032 2012)
byIan Sommerville
 
Engineering Safe And Secure Software Systems 1st Edition C Warren Axelrod
byginartniese
 
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATING SAFETY AND SECURITY ENGIN...
byIJCSES Journal
 
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
byIJCSES Journal
 
Safety enginnering college
byNational Safety Academy
 
Safety engineering
byNational Safety Academy
 
CS5032 L9 security engineering 1 2013
byIan Sommerville
 
Engineering safe and secure software systems 1st Edition C. Warren Axelrod
bylammarmoleva
 
Basic Safety Concepts in Nuclear Engineering
byGlobal Risk Forum GRFDavos
 
CS 5032 L12 security testing and dependability cases 2013
byIan Sommerville
 

More from Donald Firesmith

PPTX
Testing Types and Paradigms - 2015-07-13 - V11
byDonald Firesmith
 
PDF
2015-NextGenTesting-Testing-Types-Updated
byDonald Firesmith
 
PDF
Common System and Software Testing Pitfalls Checklist - 2014
byDonald Firesmith
 
PDF
Common testing pitfalls tsp-2014 - 2014-11-03 v10
byDonald Firesmith
 
PDF
QUality Assessment of System Architectures and their Requirements (QUASAR)
byDonald Firesmith
 
PDF
Common testing pitfalls er-2014 - 2014-10-27
byDonald Firesmith
 
PDF
Method Framework for Engineering System Architectures - 2014
byDonald Firesmith
 
PDF
Common testing pitfalls NextGen Testing Conference - 2014-09-18
byDonald Firesmith
 
DOCX
Common Testing Problems – Pitfalls to Prevent and Mitigate
byDonald Firesmith
 
PDF
Common Test Problems Checklist
byDonald Firesmith
 
PDF
The Method Framework for Engineering System Architectures (MFESA)
byDonald Firesmith
 
Testing Types and Paradigms - 2015-07-13 - V11
byDonald Firesmith
 
2015-NextGenTesting-Testing-Types-Updated
byDonald Firesmith
 
Common System and Software Testing Pitfalls Checklist - 2014
byDonald Firesmith
 
Common testing pitfalls tsp-2014 - 2014-11-03 v10
byDonald Firesmith
 
QUality Assessment of System Architectures and their Requirements (QUASAR)
byDonald Firesmith
 
Common testing pitfalls er-2014 - 2014-10-27
byDonald Firesmith
 
Method Framework for Engineering System Architectures - 2014
byDonald Firesmith
 
Common testing pitfalls NextGen Testing Conference - 2014-09-18
byDonald Firesmith
 
Common Testing Problems – Pitfalls to Prevent and Mitigate
byDonald Firesmith
 
Common Test Problems Checklist
byDonald Firesmith
 
The Method Framework for Engineering System Architectures (MFESA)
byDonald Firesmith
 

Recently uploaded

PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
cybercrime in Information security .pptx
byismaeelsahib032
 
API-First Architecture in Financial Systems
bycyy111112
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 

Engineering Safety and Security-Related Requirements

  • 1.
    Engineering Safety- and Security-Related Requirements DonaldFiresmith Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 18 June 2012 Half-Day Tutorial © 2012 Carnegie Mellon University
  • 2.
    Tutorial Goals To familiarizesafety, security, and requirements engineers with the: • Common challenges they face • Common foundational concepts underlying each other’s disciplines • Useful reusable techniques from each other’s disciplines • Different types of safety- and security-related requirements To provide safety, security, and requirements engineers with a common consistent method for engineering these requirements and thereby: • Improve collaboration • Engineer better safety- and security-related requirements • Decrease the incidence of accidents and successful attacks due to poor safety- and security-related requirements Engineering Safety- & Security-Related Requirements 2 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 3.
    Intended Audiences Primary audience: • Safety engineers • Security engineers • Requirements engineers Secondary audience: • Project managers (acquisition, development, or sustainment) • Lead system engineers and system architects • System, software, and hardware engineers • Safety and security SMEs and consultants • Safety and security trainers and academic educators and researchers • Specialty engineers (e.g., human factors and reliability) • Any other stakeholders in safety and security Engineering Safety- & Security-Related Requirements 3 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 4.
    History Work began in2002 Presented as conference tutorials and in journal articles (see http://donald.firesmith.net/home/publications) Taught at 5 NASA Centers (2008) and US Army ASSIP Program Presented to nuclear engineers at: • System Engineering Challenges International Workshop in Russia (RuSEC 2010) in Moscow, Russia on 23 September 2010 • Kärnteknik-2011 (Nuclear Technology 2011) Nordic Symposium in Stockholm Sweden on 8 December 2011 Free Open Source Tool began Fall 2011 http://donald.firesmith.net/home/safety-and-security-analysis-tool Book to be published Winter 2012 Engineering Safety- & Security-Related Requirements 4 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 5.
    Where We Are RelatedDisciplines ◄ Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 5 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 6.
    Safety Engineering –Traditional Definition Safety freedom from accidental harm to people, property, and the environment Safety Engineering the process of ensuring that a system is safe to operate Major Limitations: • No nontrivial system is free from hazards that can cause accidental harm. • It is always a matter of degree and risk management. • Not just harm, but also accidents, vulnerabilities, and hazards • In spite of best efforts, accidents can (and sometimes do) happen. • It is important to address not just the prevention of accidental harm (and accidents, vulnerabilities, hazards, and risks), but also detecting their existence/occurrence, and reacting properly. Engineering Safety- & Security-Related Requirements 6 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 7.
    Security Engineering –Traditional Definitions Security (of information and services) is often defined in terms of specific properties, whereby a system is secure when it exhibits these properties in spite of attack: • Access Control (including identification, authentication, and authorization) • Availability • Confidentiality (including both privacy and anonymity) • Integrity (including data and software) • Non-repudiation (of transactions) Security Engineering the process of ensuring that a system is sufficiently secure to operate Major limitations: • No nontrivial system is free from threats that can cause malicious harm. • It is always a matter of degree and risk management. • Not just harm, but also attacks, vulnerabilities, and threats • In spite of best efforts, attacks can (and typically will) happen. • It is important to address not just the prevention of malicious harm (and attacks, vulnerabilities, threats, and risks), but also detecting their existence/occurrence, and reacting properly. Engineering Safety- & Security-Related Requirements 7 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 8.
    Defensibility Engineering –New Definitions Safety Engineering the systems engineering discipline concerned with lowering the risk of unintentional (i.e., accidental) unauthorized harm to defended assets to a level that is acceptable to the system’s stakeholders by preventing, detecting, and properly reacting to such harm, mishaps (i.e., accidents and safety incidents), system-internal vulnerabilities, system- external unintentional abusers, hazards, and safety risks Security Engineering the systems engineering discipline concerned with lowering the risk of intentional (i.e., malicious) unauthorized harm to defended assets to a level that is acceptable to the system’s stakeholders by preventing, detecting, and properly reacting to such harm, civilian misuses (i.e., attacks and security incidents), system-internal vulnerabilities, system-external intentional civilian abusers, threats, and security risks Survivability Engineering the systems engineering discipline concerned with lowering the risk of intentional (i.e., malicious) unauthorized harm to defended assets to a level that is acceptable to the system’s stakeholders by preventing, detecting, and properly reacting to such harm, military misuses (i.e., attacks and survivability incidents), system-internal vulnerabilities, system-external intentional military abusers, threats, and survivability risks Engineering Safety- & Security-Related Requirements 8 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 9.
    Safety/Security Similarities andDifferences Similarities: • Systems engineering rather than software engineering • Lower risks to acceptable levels: — Never zero – never perfectly safe, secure, or survivable • Prevention, detection, and reaction: — Unauthorized harm to defended assets (people, property, environment, services) — Abuses (safety mishaps and security misuses) — System-internal vulnerabilities — System-external abusers (exploit vulnerabilities to cause harm) — Dangers (safety hazards and security threats) — Risks (safety and security) Differences: • Unintentional (safety) vs. intentional (security and security) • Terminology Engineering Safety- & Security-Related Requirements 9 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 10.
    Requirements Engineering Requirements Engineering the engineering discipline within systems/software engineering concerned with identifying, analyzing, reusing, specifying, managing, verifying, and validating goals and requirements (including safety- and security-related requirements) Safety- and security-related requirements are primarily system-level requirements. Engineering Safety- & Security-Related Requirements 10 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 11.
    Where We Are RelatedDisciplines Challenges ◄ Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 11 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 12.
    Challenges1 Requirements engineering, safetyengineering, and security engineering have different: • Communities • Disciplines with different training, books, journals, and conferences • Professions with different job titles • Foundational concepts and terminologies • Tasks, techniques, and work products Some of these differences are unnecessary and represent detrimental redundancies: • Underlying concepts and terminologies • Tasks and techniques • Work products (models and documents) Engineering Safety- & Security-Related Requirements 12 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 13.
    Challenges2 Safety and securityengineering are: • Typically treated as secondary specialty engineering disciplines • Performed separately from, largely independently of, and lagging behind the primary engineering workflow: (requirements, architecture, design, implementation, integration, testing, deployment, sustainment) Safety and security are too often tested into existing systems (reactively) rather than adequately built into systems during development (proactively) Engineering Safety- & Security-Related Requirements 13 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 14.
    Challenges3 Separation of requirementsengineering, safety engineering, and security engineering causes: • Poor safety- and security-related requirements that are often: — Vague, unverifiable, and infeasible capabilities or goals rather than true requirements — Potentially inappropriate architectural and design constraints — Inadequate to drive architecture, design, and implementation — Specified and managed separately from all other requirements — Relegated to “second class” “supplementary” specifications — Often ignored by requirements engineers and architects — Produced too late to drive architecture and testing • Safety and security are too often iterated and tested into existing systems (reactively) – “find and fix” – rather than adequately built into systems during development (proactively). Engineering Safety- & Security-Related Requirements 14 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 15.
    Challenges4 How much safetyand security is enough? • Insufficient defensibility is dangerous. • Excessive defensibility wastes scarce project resources. • Current requirements lack practical and precise thresholds. • Defenses (safeguards and countermeasures) should be commensurate with risk. — Goldilocks rule: not too little and not too big. • Without well-defined thresholds, how can: — Architects perform engineering trade-offs? — Testers set test completion criteria for the testing of safety- and security- related requirements? Engineering Safety- & Security-Related Requirements 15 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 16.
    Challenges5 Many mandated security“requirements” are actually constraints such as: • Security subsystems • Industry “best practices” What about safety and security requirements for preventing, detecting, and reacting to: • Harm to defended assets? • Abuses (safety mishaps and security misuses)? • Vulnerabilities? • Abusers (unintentional and intentional)? • Dangers (safety hazards and security threats)? • Risks (safety and security)? Engineering Safety- & Security-Related Requirements 16 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 17.
    Challenges6 Current separate methodsfor performing requirements, safety, and security engineering are inefficient and ineffective. Poor requirements are a primary cause of more than half of all project failures (defined in terms of): • Major cost overruns • Major schedule overruns • Major functionality not delivered • Large number of defects delivered • Delivered systems that are never used Poor requirements are a major “root cause” of many (or most) accidents involving software-intensive systems. Engineering Safety- & Security-Related Requirements 17 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 18.
    Challenges7 Current state-of-the-practice criesout for improvement: • Better consistency between safety and security engineering — More consistent concepts and terminology — Reuse of techniques across disciplines — Less unnecessary overlap and avoidance of redundant work • Better collaboration: — Between safety and security engineering — With requirements engineering • Easier certification and accreditation • Better safety- and security-related requirements • Fewer accidents and successful attacks that cause less harm to defended assets Engineering Safety- & Security-Related Requirements 18 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 19.
    Where We Are RelatedDisciplines Challenges Common Example ◄ Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 19 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 20.
    Common Example usethroughout Tutorial Problem: How to enable large numbers of zoo patrons to quickly and conveniently tour the habitats of a huge new zoo? Proposed solution: the Zoo Automated Taxi System (ZATS) • Numerous small family-sized automated taxis: — Leisurely tours of habitats and fast transport between habitats — Inexpensive to operate (no driver salaries and benefits) — Reliable, easy to use, safe, and secure — Green (electric to minimize air and noise pollution) • Elevated concrete guideways: — Separate passengers from animals — Provide good views — Avoid collisions of taxis with pedestrians and vehicles in parking lot • Conveniently located taxi stations • Operations and maintenance facility in zoo back lots Engineering Safety- & Security-Related Requirements 20 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 21.
    Where We Are RelatedDisciplines Challenges Common Example Free, Open-Source Tool ◄ Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 21 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 22.
    Free, Open-Source Tool Freeand open-source tool Developed to: • Support the collaborative defensibility engineering method • Store the complete analysis results of the ZATS common example Exists in two forms: • Empty database for new project use • Populated database storing the “complete” analysis results of common example: ZATS Implemented using Microsoft Access Free download from: http://donald.firesmith.net/home/safety-and-security-analysis-tool Engineering Safety- & Security-Related Requirements 22 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 23.
    Initial Screen Engineering Safety- & Security-Related Requirements 23 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 24.
    Prepare to AnalyzeSafety and Security Menu Engineering Safety- & Security-Related Requirements 24 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 25.
    Analyze Safety andSecurity Menu Engineering Safety- & Security-Related Requirements 25 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 26.
    Where We Are RelatedDisciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview ◄ Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 26 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 27.
    Requirements Engineering Tasks BusinessAnalysis (i.e., Customer, Competitor, Market, Technology, and User Analysis as well as Stakeholder Identification and Profiling) Visioning Requirements Identification (a.k.a., Elicitation) Requirements Analysis Requirements Specification Requirements Management Requirements Validation Scope Management (Management) Change Control (Configuration Management) Quality Control (Quality Engineering) Engineering Safety- & Security-Related Requirements 27 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 28.
    Requirements Engineering WorkProducts Business analyses Stakeholder profiles Vision statement • Capabilities and Goals Concept of Operations (ConOps) or operational concept document (OCD) • Mission threads • Use cases • Usage scenarios Requirements repository and published specifications • Actual requirements Requirements prototypes Domain model Glossary Engineering Safety- & Security-Related Requirements 28 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 29.
    Difficulty of RequirementsEngineering “The hardest single part of building a software system is deciding precisely what to build. No other part of the conceptual work is as difficult as establishing the detailed technical requirements, including all the interfaces to people, to machines, and to other software systems. No other part of the work so cripples the resulting system if done wrong. No other part is more difficult to rectify later.” Fred Brooks, No Silver Bullet, IEEE Computer, 1987 Engineering Safety- & Security-Related Requirements 29 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 30.
    Goals Goal an informallydocumented perceived need of a legitimate stakeholder Goals are: • Not requirements. • Drive the identification and analysis of the requirements. • Typically ambiguous and/or unrealistic (i.e. impossible to guarantee). Major problems with safety and security goals: • Ambiguous • Stated as absolutes • Not 100% feasible • Not verifiable Typically documented in a vision statement. Engineering Safety- & Security-Related Requirements 30 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 31.
    Representative ZATS Goals ZATSwill take passengers on leisurely tours that provide excellent viewing of the zoo habitats. ZATS will take passengers rapidly to their desired taxi stations in the zoo and its parking lot. ZATS will prevent animals from reaching passengers in taxis and taxi stations. ZATS will never injure or kill a passenger. ZATS will not cause air and noise pollution. ZATS will be easy and intuitive for all of its passengers to use. ZATS will allow passengers to use securely use bank cards to pay for trips. Engineering Safety- & Security-Related Requirements 31 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 32.
    Use Case Modelsand Mission Threads Usage Scenario a specific functionally cohesive sequence of interactions between user(s), the system, and potentially other actors that provides value to a stakeholder Use Case a general way to perform a function a functionally cohesive class of usage scenarios Use Case Path (a.k.a., flow and course) an equivalence set of usage scenarios that follow the same course through a use case Mission Thread an end-to-end sequence of use case paths that together achieves one of the system’s missions Engineering Safety- & Security-Related Requirements 32 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 33.
    Use Case Models Usecase paths: • Can be either: — Normal (Sunny Day or Happy Path) — Exceptional (Rainy Day) • Should have their own preconditions, triggers, and postconditions • Are often documented with text, sequence diagrams, or activity diagrams Use cases, use case paths, and usage scenarios: • Typically documented in a ConOps or operational concept document (OCD) • Drive the identification and analysis of the [primarily functional] requirements • Often include potential architectural and design information Use cases are far more than merely use case diagrams. Engineering Safety- & Security-Related Requirements 33 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 34.
    Characteristics of GoodRequirements All Types of Requirements Active Voice Correct Configuration Controlled Consistent (internally and with other requirements) Cohesive (individual) Differentiated from Non-requirements Complete Externally observable Concise Grammatically Correct and no Typos Feasible Managed (in requirements repository) Mandatory (necessary) Prioritized (for scheduling implementation) Properly Specified Normal and Exceptional Rationalized Relevant Scheduled Unique Stakeholder-centric Unambiguous Situation-specific (to mode, state, and/or event) Validatable Traced (to source and to architecture) Uniquely identified Verifiable Usable by stakeholders What or how well, not how http://www.jot.fm/issues/issue_2003_07/column7 Engineering Safety- & Security-Related Requirements 34 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 35.
    Poor Requirements CauseAccidents1 “For the 34 (safety) incidents analyzed, 44% had inadequate specification as their primary cause.” Health and Safety Executive (HSE), Out of Control: Why Control Systems Go Wrong and How to Prevent Failure (2nd Edition), 1995 “Almost all accidents related to software components in the past 20 years can be traced to flaws in the requirements specifications, such as unhandled cases.” Grady Lee, Jeffry Howard, and Patrick Anderson, “Safety-Critical Requirements Specification and Analysis using SpecTRM”, Safeware Engineering, 2002 Engineering Safety- & Security-Related Requirements 35 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 36.
    Poor Requirements CauseAccidents2 “Erroneous specification is a major source of defects and subsequent failure of safety-critical systems. Many failures occur in systems using software that is perfect, it is just not the software that is needed because the specification is defective.” John C. McKnight, “Software Challenges in Aviation Systems,” Proceedings of the 21st International Conference on Computer Safety, Reliability and Security, 2002 “Software-related accidents almost always are due to misunderstandings about what the software should do.” Kathryn Anne Weiss, “An Analysis of Causation in Aerospace Accidents,” Proceedings of the 2001 Digital Avionics Systems Conference, updated 7 September 2004 Engineering Safety- & Security-Related Requirements 36 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 37.
    Poor Requirements CauseAccidents3 “Software-related accidents are usually caused by flawed requirements. Incomplete or wrong assumptions about the operation of the controlled system can cause software related accidents, as can incomplete or wrong assumptions about the required operation of the computer. Frequently, omitted requirements leave unhandled controlled-system states and environmental conditions.” Nancy G. Leveson, Safeware: System Safety and Computers, 2003 “Software-related accidents are almost all caused by flawed requirements: • Incomplete or wrong assumptions about the operation of the controlled system or required operation of the computer • Unhandled controlled-system states and environmental conditions.” Nancy G. Leveson, A new Approach to Ensuring Safety in Software and Human Intensive Systems, July 2009 Engineering Safety- & Security-Related Requirements 37 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 38.
    The Many Typesof Requirements Business Industry Laws and Natural Organizational Rules Standard Regulations Laws Policies Innovative Rules Requirements Positive (shall) Documentation Entity Data * Requirements Requirements Requirements Requirements Stakeholder Facility Hardware Object Negative Requirements Requirements Requirements Requirements (shall not) Requirements Derived People (Role) Procedure Material (Technical) Requirements Requirements Requirements Requirements Requirements Software System / Development Requirements Subsystem Environment Requirements Requirements Architecture Process Constraints Manufacturing Product (Method) Requirements Requirements Primary Mission Design Requirements Requirements Constraints Operational Requirements Supporting Implementation Requirements Constraints Training Requirements “Pure” Integration Maintenance Constraints Requirements Constraints Requirements Non-Functional Requirements Manufacturing Sustainment Requirements Constraints Retirement Functional Entity (Data *) Interface Quality Deployment Requirements Requirements Requirements Requirements Requirements Constraints Engineering Safety- & Security-Related Requirements 38 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 39.
    Product Requirements A productrequirement is a requirement for a product (e.g., system, subsystem, software application, or component). • A functional requirement is a product requirement than specifies a mandatory function (i.e., behavior) of the product. • A data requirement is a product requirement that specifies mandatory [types of] data that must be manipulated by the product. • An interface requirement is a product requirement that specifies a mandatory interface with (or within) the product. • A quality requirement is a product requirement that specifies a mandatory amount of a type of product quality (characteristic or attribute). • A constraint is a property of the product (e.g., architecture or design decision) that would ordinarily not be a requirement but which is being mandated as if it were a normal requirement Engineering Safety- & Security-Related Requirements 39 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 40.
    Quality Models Architectural Components define the meaning of the quality of Quality Systems Models define the meaning of a specific type of quality of are measure measured quality along Quality along Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods are measured using Developmental Operational Quality Quality Characteristics Characteristics Engineering Safety- & Security-Related Requirements 40 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 41.
    Quality Characteristics (Operational) Quality Characteristics Developmental Operational Quality Characteristics Quality Characteristics Configurability Efficiency Functionality Interoperability Serviceability Usability Compliance Dependability Environmental Habitability Operability Transportability Compatibility Robustness Defensibility Performance Soundness Safety Survivability Availability Correctness Predictability Security Capacity Reliability Stability Engineering Safety- & Security-Related Requirements 41 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 42.
    Performance Attributes Jitter Problem Latency Prevention Harm Arrest Response Time Problem Detection Schedualability Harm Mitigation Problem Failure Analysis Throughput Reaction Failure Recovery Problem Type Solution Type Performance Attributes Performance Attributes System Adaptation measure quality along Performance Performance Attributes are measured along Quality Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods define the meaning of the Quality quality of Models Systems Engineering Safety- & Security-Related Requirements 42 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 43.
    Defensibility Quality Attributes Occurrence of Unauthorized Harm Harm Arrest Occurrence of Abuse Harm Mitigation (Safety Mishap or Security Misuse) Problem Abuse Analysis Existence of System-Internal Vulnerability Prevention Abuse Recovery Existence of System-External Abuser Problem Detection System Existence of Danger (Hazard or Threat) Adaptation Problem Existence of Defensibility Risk Reaction Counterattack (Security and Survivability) Problem Type Solution Type Defensibility Attributes Defensibility Attributes Safety measure quality along Security Defensibility Defensibility Attributes Survivability are measured along Quality Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods define the meaning of the Quality quality of Models Systems Engineering Safety- & Security-Related Requirements 43 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 44.
    Different Types ofDefensibility Requirements Problem Type Quality Attributes Defensibility Quality Attributes Harm to Defensibility Abuse Abuser Vulnerability Danger Valuable Asset Risk Prevent Prevent Prevent Prevent Prevent Prevent Prevention Occurrence Occurrence Existence Existence of Existence Existence Quality Attributes Solution Type of Harm of Abuse of Abuser Vulnerability of Danger of Risk Detect Detect Detect Detect Detect Detect Detection Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk React to React to React to React to React to React to Reaction Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk Engineering Safety- & Security-Related Requirements 44 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 45.
    Components of aQuality Requirement state stakeholders’ Quality Goals importance of achieving specify achievement of define stakeholders’ minimum acceptable levels of quality for a Quality Requirements System are applicable shall Conditions during or at System-Specific exceed Quality Thresholds or Events Quality Criteria indirectly state directly state are measured are measured existence of existence of along using Quality Quality Quality Quality Measurement Measurement Characteristics Attributes Scales Methods Quality define the meaning of the quality of a Models Engineering Safety- & Security-Related Requirements 45 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 46.
    Example Quality Requirement Hazardprevention safety requirement: “Under normal operating conditions, ZATS shall not move when it’s doors are open at an average rate higher than once every 10,000 trips.” Component parts: • Condition: “Under normal operating conditions” • Mandatory system-specific quality criterion: “ZATS shall not move when it’s doors are open” • Measurement threshold: “at an average rate higher than once every 10,000 trips.” Definitions needed to avoid ambiguity: • Moving – traveling faster than 0.1 cm per second • Open – open more than 1 cm between doors • Normal operating conditions – neither during maintenance nor a fire • Trip – travel with passengers from a starting taxi station to the associated destination taxi station Engineering Safety- & Security-Related Requirements 46 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 47.
    Importance of MeasurementThreshold Measurement threshold is: • Critical • Difficult (but not impossible) to determine • Often left out of quality requirements • Needed to avoid ambiguity States how much quality is necessary (sufficient) Enables architects and architecture evaluators to: • Determine if architecture is adequate • Make engineering tradeoffs between competing quality characteristics and attributes Enables tester to determine the: • Test completion criteria • Number and types of test cases Engineering Safety- & Security-Related Requirements 47 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 48.
    Where We Are RelatedDisciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview ◄ Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 48 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 49.
    Fundamental Safety andSecurity Concepts Safety and security as quality characteristics with associated quality attributes Stakeholders Defended assets Unauthorized harm to defended assets Abuses (accidents, attacks, and incidents) Vulnerabilities (system-internal weaknesses or defects) Abusers (external and internal, malicious and non-malicious) Dangers (hazards and threats) Defensibility risks (safety and security) Goals, policies, and requirements Defenses (safeguards and counter measures) Engineering Safety- & Security-Related Requirements 49 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 50.
    Safety as aQuality Characteristic Safety is the subclass of defensibility capturing the degree to which: • The following safety problems: — Accidental harm to defended assets — Safety abuses (mishaps such as accidents and safety incidents) — Safety abusers (people, systems, and the environment) — Safety vulnerabilities — Safety dangers (hazards) including the existence (conditions) of non-malicious abusers who unintentionally exploit system vulnerabilities to accidentally harm vulnerable defended assets — Safety risks • Have safety solutions: — Prevented (eliminated, mitigated, keep acceptably low) — Detected — Reacted to Engineering Safety- & Security-Related Requirements 50 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 51.
    Security as aQuality Characteristic Security is the subclass of defensibility capturing the degree to which: • The following security problems: — Malicious harm to defended assets — Security abuses (misuses such as attacks and security incidents) — Security abusers (attackers and malware – systems, software, and hardware) — Security vulnerabilities — Security dangers (threats) including the existence (conditions) of malicious abusers who can exploit system vulnerabilities to harm vulnerable defended assets — Security risks • Are security solutions: — Prevented (eliminated, mitigated, keep acceptably low) — Detected — Reacted to Engineering Safety- & Security-Related Requirements 51 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 52.
    Where We Are ThreeDisciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements ◄ Collaborative Defensibility Engineering Method Conclusion Engineering Safety- & Security-Related Requirements 52 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 53.
    Types of Safety-and Security-Related Requirements Too often only a single type of requirements is considered. Not just: • Specific types of non-functional requirements (NFRs): — Safety and security requirements are quality requirements • Functional, data, and interface requirements with safety or security ramifications • Architecture and design constraints • Safety and security functions/subsystems • Software requirements • Constraints on functional requirements Reason for presentation title: Safety- and security-related requirements for software-intensive systems Engineering Safety- & Security-Related Requirements 53 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 54.
    Types of Requirements Business Industry Laws and Natural Organizational Rules Standard Regulations Laws Policies Innovative Rules Requirements Positive (shall) Documentation Entity Data * Requirements Requirements Requirements Requirements Stakeholder Facility Hardware Object Negative Requirements Requirements Requirements Requirements (shall not) Requirements Derived People (Role) Procedure Material (Technical) Requirements Requirements Requirements Requirements Requirements Software System / Development Requirements Subsystem Environment Requirements Requirements Architecture Process Constraints Manufacturing Product (Method) Requirements Requirements Primary Mission Design Requirements Requirements Constraints Operational Requirements Supporting Implementation Requirements Constraints Training Requirements “Pure” Integration Maintenance Constraints Requirements Constraints Requirements Non-Functional Requirements Manufacturing Sustainment Requirements Constraints Retirement Functional Entity (Data *) Interface Quality Deployment Requirements Requirements Requirements Requirements Requirements Constraints Engineering Safety- & Security-Related Requirements 54 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 55.
    Different Types ofDefensibility Requirements Problem Type Quality Attributes Defensibility Quality Attributes Harm to Defensibility Abuse Abuser Vulnerability Danger Valuable Asset Risk Prevent Prevent Prevent Prevent Prevent Prevent Prevention Occurrence Occurrence Existence Existence of Existence Existence Quality Attributes Solution Type of Harm of Abuse of Abuser Vulnerability of Danger of Risk Detect Detect Detect Detect Detect Detect Detection Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk React to React to React to React to React to React to Reaction Occurrence Occurrence Existence Existence of Existence Existence of Harm of Abuse of Abuser Vulnerability of Danger of Risk Engineering Safety- & Security-Related Requirements 55 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 56.
    Types of Defensibility-RelatedRequirements – 1 Safety Security Safety-Significant Safety Function/Subsystem Requirements Requirements Constraints Requirements Security- Security Security Security Significant Function/Subsystem Requirements Constraints Requirements Requirements Defensibility- Defensibility Defensibility Defensibility Significant Function/Subsystem Requirements Constraints Requirements Requirements Safety-Related System Defensibility- Requirements Requirements Related Requirements Security-Related Requirements Engineering Safety- & Security-Related Requirements 56 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 57.
    Types of Defensibility-RelatedRequirements – 2 Safety/Security- Safety/Security Significant Safety/Security Requirements Requirements Constraints Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 57 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 58.
    Types of Defensibility-RelatedRequirements – 3 Safety/Security Assurance Level (SAL) Defensibility Quality Intolerable Requirements Requirements Defensibility-Related Requirements SAL = 5 Defensibility Function / Supporting Critical Subsystem Requirements Defensibility-Related Requirements Requirements SAL = 4 Defensibility Constraints Constraints Major Defensibility-Related Other Requirements Defensibility- SAL = 3 Related Functional Requirements Requirements Moderate Defensibility-Related Quality Requirements Defensibility-Related Requirements SAL = 2 Requirements SAL = 1 - 5 System Data Minor Requirements Requirements Defensibility-Related Requirements SAL = 1 Interface Requirements Defensibility-Independent Requirements Constraints SAL = 0 Engineering Safety- & Security-Related Requirements 58 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 59.
    1) Safety andSecurity Requirements Safety and security requirements are quality requirements. Quality requirements are product requirements that specify a mandatory minimum amount of a type of product quality: • Quality characteristic (generally) • Quality attributes (specifically) Safety and security requirements: • Are typically negative requirements • Specify what the system shall not cause, enable, or allow to: — Occur (e.g., unauthorized harm to defended assets, accidents, attacks) — Exist (e.g., vulnerabilities, threats, abusers, hazards, risks) Engineering Safety- & Security-Related Requirements 59 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 60.
    Safety and SecurityRequirements Quality requirements should be: • Scalar (how well or how much) • Based on a quality model defining the specific types of quality and how their measurement scales • Stored in requirements repositories and specified in requirements specifications, NOT just in: — Secondary specifications — Safety/security documents Quality requirements are critically important drivers of the architecture and testing. Engineering Safety- & Security-Related Requirements 60 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 61.
    Example Safety RequirementTemplates When in mode V, the system shall limit the occurrence of accidental harm of type W to defended assets of type X to an average rate of no more than Y asset value per Z time duration. When in mode W, the system shall not cause mishaps of type X with an average rate of more than Y mishaps per Z trips. When in mode X, the system shall not cause hazard Y to exist for more than an average of Z percent of the time. When in mode X, the system shall not have a residual safety risk level of Y or above. When in mode X, the system shall detect accidents of type Y an average of at least Z percent of the time. Upon detecting an accident of type W when in mode X, the system shall react by performing functions Y an average of at least Z percent of the time. Engineering Safety- & Security-Related Requirements 61 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 62.
    Example Security RequirementTemplates When in mode V, the system shall limit the occurrence of malicious harm of type W to defended assets of type X to an average rate of less than Y asset value per Z time duration. When in mode W, the system shall prevent the first successful attacks of type X for a minimum of Z time duration. When in mode X, the system shall not have security vulnerability Y for more than an average of Z percent of the time. When in mode X, the system shall not have a security risk level of Y. When in mode X, the system shall detect misuses of type Y an average of at least Z percent of the time. Upon detecting a misuse of type W when in mode X, the system shall react by performing functions Y an average of at least Z percent of the time. Engineering Safety- & Security-Related Requirements 62 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 63.
    2) Defensibility-Significant Requirements– 1 Defensibility-significant requirement a requirement with significant safety or security ramifications Are identified based on safety or security (e.g., hazard or threat) analysis Can be any kind of product requirements: • Functional, data, interface, quality, and constraints • Pure safety and security requirements • Safety and security function/subsystem requirements • Safety and security constraints Engineering Safety- & Security-Related Requirements 63 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 64.
    Defensibility-Significant Requirements –2 Safety/Security- Upper 3 circles Safety/Security Significant Safety/Security Requirements Requirements Constraints Horizontal lines Not all of the safety/security function/subsystem requirements Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 64 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 65.
    Safety/Security Assurance Levels(SALs) Safety/Security Assurance Level (SAL) Defensibility Quality Intolerable Requirements Requirements Defensibility-Related Requirements SAL = 5 Defensibility Function / Supporting Critical Subsystem Requirements Defensibility-Related Requirements Requirements SAL = 4 Defensibility Constraints Constraints Major Defensibility-Related Other Requirements Defensibility- SAL = 3 Related Functional Requirements Requirements Moderate Defensibility-Related Quality Requirements Defensibility-Related Requirements SAL = 2 Requirements SAL = 1 - 5 System Data Minor Requirements Requirements Defensibility-Related Requirements SAL = 1 Interface Requirements Defensibility-Independent Requirements Constraints SAL = 0 Engineering Safety- & Security-Related Requirements 65 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 66.
    Example Safety-Significant Requirements Firingmissiles from military aircraft requirements: • When to arm missiles • When not to arm missiles (e.g., detecting weight-on-wheels) • Controlling doors before and after firing missiles Chemical plant requirements: • Mixing and heating toxic chemicals • Controlling exothermic reactions • Detecting and controlling temperature, pressure, and flow-rate ZATS requirements: • Taxi starting, accelerating, cruising, decelerating, and stopping • Opening and closing doors (taxi, taxi station safety wall, taxi station elevator) Engineering Safety- & Security-Related Requirements 66 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 67.
    Example Security-Significant Requirements Accesscontrol requirements: • Identification, authentication, and authorization Accountability (e.g., non-repudiation requirements): • Creation, storage, and transmission of financial transactions Availability (under attack) requirements: • Services subject to denial-of-services attacks Confidentiality requirements: • Storage and transmission of sensitive information • Confidential intellectual property in the software or its documentation Integrity requirements: • Storage and transmission of sensitive data • Software that might get Infected by malware Engineering Safety- & Security-Related Requirements 67 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 68.
    3) Defensibility Function/SubsystemRqmts – 1 Defensibility function/subsystem requirements are requirements for functions or subfunctions that exist strictly to improve defensibility (as opposed to support the primary mission requirements). • Safety function/subsystem requirements are requirements for safety functions or subsystems. • Security function/subsystem requirements are requirements for security functions or subsystems. Engineering Safety- & Security-Related Requirements 68 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 69.
    Defensibility Function/Subsystem Rqmts– 2 Safety/Security- Bottom circle Safety/Security Significant Safety/Security Requirements Requirements Constraints Vertical lines Overlaps other 3 types Not all of the safety/security function/subsystem requirements are safety/security significant Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 69 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 70.
    Example Safety Functions/Subsystems Automobilefunctions or subsystems added strictly for safety: • Adaptive Cruise Control (ACC) • Forward Collision Warning Systems • Adaptive Headlights • Intelligent Parking Assist Systems (IPAS) • Airbag Systems • Lane Departure Warning Systems • Anti-lock Braking Systems (ABS) • On-Board Diagnostics (OBD) • Automatic Braking • On-Board Prognostics (OBP) • Automatic Crash Response • Reverse Backup Sensors Systems • Seat Belt Systems • Automotive Night Vision Systems • Tire Pressure Monitoring Systems • Backup Cameras • Traction Control Systems (TCS) • Backup Collision Intervention Systems • Electronic Brakeforce Distribution (EBD) • Electronic Stability Control (ESC) • Emergency Brake Assist (EBA) Engineering Safety- & Security-Related Requirements 70 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 71.
    Example Security Functions/Subsystems– 1 Automobile functions or subsystems added strictly for security: • Car Alarm Systems • Door Locks • Ignition Key Systems • Stolen Vehicle Recovery Systems Engineering Safety- & Security-Related Requirements 71 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 72.
    Example Security Functions/Subsystems– 2 Functions or subsystems strictly added for security: • Access control • Antivirus / antispyware / antispam / antiphishing subsystems • Encryption/decryption subsystem • Firewalls • Intrusion detection subsystem (IDS) / intrusion prevention subsystem (IPS) All requirements for such functions/subsystems are security-related. Look in the Common Criteria (ISO/IEC 15408) for many generic reusable security function requirements. Engineering Safety- & Security-Related Requirements 72 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 73.
    Example Safety Function/SubsystemRqmts Except when the weapons bay doors are open or have been open within the previous 90 seconds, the weapons bay cooling subsystem shall maintain the temperature of the air in the weapons bay at or below X° C. The Fire Detection and Suppression Subsystem (FDSS) shall detect smoke above X ppm in the weapons bay within 2 seconds at least 99.9% of the time. The FDSS shall detect temperatures above X° C in the weapons bay within 2 seconds at least 99% of the time. Upon detection of smoke or excess temperature, the FDSS shall begin fire suppression within 1 second at least 99.9% of the time. Engineering Safety- & Security-Related Requirements 73 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 74.
    Example Security Function/SubsystemRqmts Access Control Function: • The Access Control Function shall require at least 99.99% of users to identify themselves before enabling them to perform the following actions: … • The Access Control Function shall require at least 99.99% of users to successfully authenticate their claimed identity before enabling them to perform the following actions: … • The Access Control Function shall authorize the system administrators to configure the maximum number of unsuccessful authentication attempts between the range of 1 and X. • The Access Control Function shall perform the following actions when the maximum number of unsuccessful authentication attempts has been exceeded: … Engineering Safety- & Security-Related Requirements 74 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 75.
    4) Defensibility Constraints– 1 A constraint is any engineering decision that has been chosen to be mandated as a requirement. For example: • Architecture constraints • Design constraints • Implementation constraints (e.g., coding standards, safe language subset, and nonhazardous materials) • Integration constraints • Deployment or configuration constraints A safety constraint is any constraint primarily intended to ensure a minimum level of safety (e.g., a mandated safeguard). A security constraint is any constraint primarily intended to ensure a minimum level of security (e.g., a mandated countermeasure). Safety and security standards often mandate industry best practices as constraints. Engineering Safety- & Security-Related Requirements 75 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 76.
    Defensibility Constraints –2 Safety/Security- Right circle Safety/Security Significant Safety/Security Requirements Requirements Constraints Diagonal lines Overlaps only 2 of the other types All of the defensibility constraints are safety- or security- significant Safety/Security Requirements that All Requirements Function/Subsystem are neither safety- Requirements nor security-related Engineering Safety- & Security-Related Requirements 76 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 77.
    Example Safety Constraints Thesystem shall use hardware interlocks to prevent users from physically coming into contact with moving parts. The system shall not have a single point of failure that can cause an accident unless the associated risk is acceptable to authoritative stakeholders. The system shall use a safe subset of C++. The system shall not contain any of the hazardous materials in Table X in concentrations in excess of those listed in the table: • Biologically Hazardous Materials (e.g., infectious agents or toxins) • Chemically Hazardous Materials (e.g., carcinogens, corrosives, heptatoxins, irritants, mutagens, nephratoxins, neurotoxins, poisons, or teratogens) • Physically Hazardous Materials (e.g., combustible chemicals, compressed gases, explosives, flammable chemicals, oxidizers, or pyrophorics) Engineering Safety- & Security-Related Requirements 77 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 78.
    Example Security Constraints Thesystem shall user use IDs and passwords for identification and authentication. The system shall incorporate COTS firewalls to protect servers. The system shall incorporate the latest version of Norton Antivirus for malware detection and removal. The system shall use public key encryption to protect confidential information. The system shall use digital signatures to provide nonrepudiation. Engineering Safety- & Security-Related Requirements 78 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 79.
    Where We Are RelatedDisciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method ◄ Conclusion Engineering Safety- & Security-Related Requirements 79 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 80.
    Desired Method Properties Helpmeet challenges listed at start of tutorial Promote close collaboration among safety, security, and requirements teams Better integrate safety and security methods: • Based on common foundational concepts and terminology • Reuse of techniques and work products • Based on defensibility (safety and security) analysis Better integrate safety and security engineering with requirements engineering: • Clearly defined role and team responsibilities • Early input to requirements engineering • Develop all types of safety- and security-related requirements • Ensure these requirements have the proper characteristics Engineering Safety- & Security-Related Requirements 80 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 81.
    Overall Defensibility EngineeringMethod Defensibility Defensibility Defensibility Policy Monitoring Event Handling Development Defensibility Defensibility Program Planning Analysis Defensibility Defensibility Defense Compliance Certification and Determination Assessment Accreditation Engineering Safety- & Security-Related Requirements 81 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 82.
    Defensibility Analysis System Safety Team Security Team Defensibility Safety and collaborates Analysis Security Requirements with Engineering Engineering SMEs Stakeholder Defensibility Requirements Team Analysis performs Safety Relevant Laws, Regulations, and Asset Requirements Standards Analysis performs Security Organizational Requirements and Project Abuse Defensibility Analysis Policies Defensibility Defensibility- Defensibility Requirements Analysis Related Reusable Analysis Development Vulnerability Work Products Requirements Safety & Security Work Products Analysis Requirements Safety- Contractual Validation Significant Documents Abuser Requirements Analysis Safety & Security Security- Program Plans support perform Significant Danger Requirements Requirements Engineering Analysis Subject Work Products Safety and Security Safety Security Matter Team Team Experts Stakeholders Certification Architectural Repositories Risk Engineering Analysis Work Products Significance Analysis Engineering Safety- & Security-Related Requirements 82 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 83.
    System Defensibility Analysis Safety Team Security Team Requirements collaborates Engineering with Requirements Requirements Models Team Understand Requirements Requirements Documents performs Requirements System Defensibility Analysis Architecture Team Architecture Model Understand Architecture Safety and Architecture Security Documents Engineering Architecture Engineering Engineering Safety- & Security-Related Requirements 83 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 84.
    Stakeholder Defensibility Analysis Safety Team Security Team collaborates with Safety and Security Subject Matter Experts Engineering (SMEs) provide input Requirements during Teams performs Preparation Stakeholders provide input Stakeholder Updated during Identification Stakeholder List Stakeholder Defensibility Analysis Updated Contractual Documentation Stakeholder (RFP, Contract) Profiles Stakeholder Modeling Requirements Defensibility Work Products Stakeholder (Vision Statement, ConOps, Interests Table Initial Stakeholder List, Stakeholder Profiles, Initial Draft Requirements Models, Initial Goal Safety and Security Specifications, and Identification Goals Repositories) Existing Documentation (Organizational Defensibility Policies and Legacy Hazard Safety and Security and Threat Analyses, Certification Mishap and Misuse Reports, Repositories and Stakeholder Lists) Engineering Safety- & Security-Related Requirements 84 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 85.
    Types of Stakeholders Human play Organizational play Direct Stakeholders Stakeholders Stakeholders Indirect Human Organization Stakeholders Roles Roles Attackers Stakeholders Legitimate Stakeholders have desire to Asset System harm the Stakeholders Stakeholders primarily have primarily have have a interest in interest in legitimate and value other and value the interest in the must Defended defend System Assets must meet Stakeholder Needs Engineering Safety- & Security-Related Requirements 85 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 86.
    ESSR Tool –Stakeholders Entry/Edit Form Engineering Safety- & Security-Related Requirements 86 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 87.
    ESSR Tool –Stakeholders Report Engineering Safety- & Security-Related Requirements 87 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 88.
    Example Stakeholder Safety/SecurityAnalysis Safety/Security Analysis of PMI Corporate Management General Responsibilities: – Ensure the short- and long-term profitability of PMI. – Ensure the marketability of PMI automated people movers (APM). – Ensure customer and user satisfaction with PMI APMs. – Ensure the quality of PMI APMs (e.g., capacity, maintainability, reliability, usability). Safety/Security Responsibilities: – Provide leadership in safety and security matters. – Ensure that PMI APM vehicles will operate safely. – Ensure that PMI APM systems will be secure against attack (e.g., cybercrime and theft). – Ensure that PMI proprietary information will be secure from corporate espionage. – Ensure that effective safety and security policies will exist and be enforced. – Provide oversight of PMI projects with regard to safety and security. Context: – PMI is subject to very stiff competition from both domestic and foreign competitors. – PMI’s ability to create APMs that enable large numbers of small vehicles to safely share guideways with minimal headway is a cutting-edge technology that provides a competitive edge over some of PMI’s rivals. – Corporate management is primarily trained in business management and does not understand the technology, especially the importance of software to achieving technical requirements. – PMI’s previous smaller and simpler APMs have not suffered serious accidents or security attacks. – ZATS is PMI’s current flagship APM. Actual or Potential Process Model Defects: – Has underestimated the maturity and risk of the new technology. – Has assumed that ZATS development productivity will be the same or better than previous projects. – Believes that the large number of failures found and fixed during initial prototyping indicate that the major problems are all solved and are not indicative of future failures once full scale development starts and ZATS has been placed into operation. Actual or Potential Dangerous Decisions and Actions: – Has pushed ZATS project management to lower their estimates of the cost of ZATS development and the time required for ZATS development in order to win the contract. – Is counting on the project future income from ZATS, even though ZATS is likely to suffer from both cost and schedule overruns. – May let safety and security policies and requirements be violated in order to meet project budget, schedule, and functionality goals. – May provide inadequate oversight of the ZATS project with regard to safety and security. Engineering Safety- & Security-Related Requirements 88 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 89.
    Asset Analysis Subject Matter Safety Team Security Team Experts collaborates Requirements Engineering with Asset-Harm Prevention Standard / Reusable Requirements Team provide Requirements Asset-Harm Stakeholders input Requirements Asset-Harm during performs Detection Preparation Requirements provide input Asset Value Asset-Harm during performs Reaction Categorization Asset Requirements ZATS Contractual Asset Identification Documentation Analysis Harm Severity Categorization ZATS Requirements Asset Requirements Asset-Harm Work Products Modeling Asset Development Requirements Descriptions ZATS Architectural Asset-Harm Representations Asset Goal Asset-Harm Requirements Safety Identification Goals Validation Requirements Project-External Documentation Asset Asset-Harm ZATS Defensibility Work Product perform Security Work Products V&V support Requirements Generic Reusable Requirements Safety Security Documentation Safety and Security Team Support Team Team SMEs Stakeholders Certification Repositories Safety and Security Engineering Engineering Safety- & Security-Related Requirements 89 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 90.
    Types of DefendedAssets Ownerless Objects value Unauthorized Privately Owned Harm Stakeholders Intangible Objects Objects can happen to have an Publically Owned Physical Objects interest in the Objects must defend Inanimate Objects Defended System Living Objects Assets Objects Atmosphere play Roles Things Biosphere Electromagnetic Roles Played play Spectrum People Environment By People Hydrosphere Roles Played By play Lithosphere Organizations Services Organizations Outer Space Prime Contractor Customer Developer Subcontractors Maintainer Operator Supplier / Vendor Owner Regulator Sustainer User Engineering Safety- & Security-Related Requirements 90 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 91.
    Representative ZATS Assets People: • Passengers - people who are riding ZATS taxis Organizations: • Metropolitan Zoo Authority (MZA) - the organization that operates the Metropolitan Zoo and acquires ZATS Property: • ZATS line replaceable units (LRUs) - ZATS architectural components (data, hardware, software, subsystem) that can be repaired or replaced by the maintainer after ZATS has been placed in operation Environment: • Atmosphere - the layer of gas surrounding the earth that is retained by gravity and subject to both air and noise pollution Service: • Taxi service - transportation by ZATS taxis of passengers and their personal property around the zoo Engineering Safety- & Security-Related Requirements 91 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 92.
    ESSR Tool –Defended Assets Entry/Edit Form Engineering Safety- & Security-Related Requirements 92 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 93.
    ESSR Tool –Defended Assets Report Engineering Safety- & Security-Related Requirements 93 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 94.
    Unintentional Safety (Accidental) Types of Harm Harm Unauthorized Authorized e.g., caused to enemy forces by Harm Harm Intentional weapons systems Security and (Malicious) Survivability Harm can Direct Harm happen to Defended Assets Harm Indirect Harm Harm to Harm to Harm to Harm to the Harm to a People Organizations Objects Environment Service Being Bankruptcy Corruption Contami- Accidental Loss Kidnapped nation of Service Legal Conse- Damage Corruption quences Damage Corruption (bribery or Destruction extortion) Loss of Destruction Denial of Market Share Lost Value Service (DOS) Death Loss of Use Loss of Loss of Trust Theft or Disability Reputation Pollution Piracy Repudiation of Financial Loss of Unauthorized Wildlife Transaction Hardship Trained Staff Access Death, Injury, or Unauthorized Lost Illness Illness Unauthorized Usage (Theft) Opportunity Disclosure Costs Injury Lost Profits Loss of Anonymity, Identity, or Privacy Loss of Employment Engineering Safety- & Security-Related Requirements 94 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 95.
    Security Characteristics asTypes of Harm Accountability Nonrepudiation Data Integrity Availability (Defensibility) Document Integrity Desired Tamper System Security Integrity Hardware Integrity Resistence Characteristic Personal Integrity Software Integrity Immunity depends on Confidentiality Anonymity Identification Access Control Authentication Safety Authorization (degree qualified) Authorization Security Authorization (degree trusted) Engineering Safety- & Security-Related Requirements 95 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 96.
    Harm Severity Harm severityis an appropriate categorization of the amount of harm: • Potential harm • Actual harm • Maximum credible harm Harm severity categories can be standardized (ISO, military, industry- wide) or endeavor-specific. Harm severity categories need to be: • Clearly identified. • Appropriately and unambiguously defined. Note that some standards confuse harm severity with hazard “severity” (i.e., categorization of hazard based on the severity of harm that its accidents can cause) Engineering Safety- & Security-Related Requirements 96 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 97.
    Representative Harm toa ZATS Defended Asset Person: • Death • Injury – minor, major, and disability (physical and psychological) • Occupational illness (maintainer) • Loss of money – various amounts • Lost of confidentiality of sensitive information (passenger identity theft) • Loss of reputation (managers, developers) Engineering Safety- & Security-Related Requirements 97 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 98.
    ESSR Tool –Defended Asset Types Report Engineering Safety- & Security-Related Requirements 98 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 99.
    The ZATS HarmSeverity Categories Catastrophic: Potential ZATS lifespan harm that is unacceptable to authoritative stakeholders (loss of priceless defended asset) Major: Potential five-year harm that is only acceptable to authoritative stakeholders after major actions have been taken to lower its risk (loss of extremely defended asset) Minor: Potential yearly harm that is acceptable to authoritative stakeholders after minor action has been taken to lower its risk (loss of moderate or low value asset) Negligible: Potential yearly harm that is acceptable to authoritative stakeholders but that does not justify any action to lower its risk (loss of inconsequential asset) Engineering Safety- & Security-Related Requirements 99 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 100.
    The ZATS HarmLikelihood Categories Frequent: An average of once or more times every month Probable: Less than an average of once every month (but more than occasional) Occasional: Less than an average of once every year (but more than remote) Remote: Less than an average of once every 5 years (but more than implausible) Implausible: Less than a 10% chance of happening during the entire ZATS 30 year planned lifespan Engineering Safety- & Security-Related Requirements 100 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 101.
    Representative ZATS Asset-Harm Safetyand Security Goals Asset-Harm Prevention Safety Goal: • ZATS will not accidentally kill or injure its passengers. Asset-Harm Detection Security Goal: • ZATS will detect infection of its data and software files by malware. Asset-Harm Reaction Security Goal: • On detecting malware infection, ZATS will quarantine the infected file and notify the operator and maintainer. Engineering Safety- & Security-Related Requirements 101 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 102.
    Representative ZATS Asset-Harm Safetyand Security Requirements Asset-Harm Prevention Safety Requirement: • Passenger death prevention: ZATS shall ensure that the expected frequency with which it accidentally kills a passenger does not exceed 0.1 passenger during the projected 30 year system lifespan. Asset-Harm Detection Security Requirement: • Malware detection: ZATS shall detect infection of its data and software files by at least 99% of known malware. Asset-Harm Reaction Security Requirement: • Malware reaction: On detecting malware infection, ZATS shall quarantine the infected file and notify the operator and maintainer at least 99.9% of the time. Engineering Safety- & Security-Related Requirements 102 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 103.
    Abuse (Misuse andMishap) Analysis Subject Safety and Matter Safety Team Security Team Requirements Experts collaborates Security Engineering with Engineering Abuse Prevention Requirements Team Requirements provide input Abuse Stakeholders during Preparation Detection Requirements perform provide Abuse input performs Abuse Abuse Reaction during Identification Profiles Requirements Abuse Requirements & Architecture Analysis Work Products: Abuse Graphical Requirements Abuse - RFP and Contract - ConOps Modeling Models Development Requirements - Rqmts Repository - Architecture Abuse (Mishap) Abuse Goal Abuse Requirements Safety Project-Specific Identification Goals Validation Requirements Work Products: - Asset Profiles Abuse Abuse (Misuse) - Asset Value Categorization Work Product support perform Security - Harm Severity Categorization V&V Requirements Generic Reusable Subject Work Products: Safety Security Matter - Abuse Lists & Tables Requirements Team Team Experts Stakeholders - Abuse Cases & Trees Team Support - Abuse Goals - Enterprise and Reference Safety and Security Architectures Certification Repositories Engineering Safety- & Security-Related Requirements 103 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 104.
    Abuses (Mishaps andMisuses) Abuse (defensibility) a series (or network) of one or more unwanted events that cause (or can cause) unauthorized harm to one or more defended assets Mishap (safety) an accidental abuse Misuse (security or survivability) a intentional (malicious) abuse Engineering Safety- & Security-Related Requirements 104 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 105.
    Types of Abuses is a network of Defensibility Abuses Events Mishaps Misuses Security Survivability Misuses Misuses Safety Civilian Security Enemy Military Survivability Accidents Incidents Attacks Incidents Attacks Incidents Successful Probes Successful Civilian Enemy Military Attacks Attacks cause Unauthorized can occur to Defended Harm Assets Engineering Safety- & Security-Related Requirements 105 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 106.
    Importance of Accidents(Safety) Accidents can have expensive and potentially fatal repercussions: • Ariane 5 maiden launch — Reuse of Ariane 4 software not matching Ariane 5 specification • Mars Climate Orbiter ($125 million) — English vs. Metric units mismatch • Mars Polar Lander — Missing requirement concerning touchdown sensor behavior • Patriot Missile Battery misses SCUD missile — Missing availability (uptime) requirement • Sheffield sinking during Falkland War — Radar misidentifies incoming Argentinean missile as “friendly” • Therac–25 Radiation Therapy Machine — Timing of rare input sequence results in race condition and extreme radiation doses Engineering Safety- & Security-Related Requirements 106 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 107.
    Importance of Attacks(Security) Largest unauthorized disclosure of confidential information: 150,000,000 customer records on 17 March 2012, Shanghai Roadway D&B Marketing Services Co. Ltd Predator and Reaper unauthorized disclosure of confidential video feeds In 2009, Iraqi insurgents were able to intercept the unencrypted video feeds from Predator and Reaper drones. No security requirements to protect sensitive video feed information during transmission. Stuxnet (cyber warfare) In 2010, the computer worm infected the supervisory control and data acquisition (SCADA) software on the programmable logic controllers (PLCs) that controlled Iran’s uranium enrichment centrifuges. Stuxnet commanded excessive rotational speeds while displaying fake normal sensor data to the operators. No security requirements to address malware, to check for valid speed inputs, or to ensure the integrity of sensor values. Engineering Safety- & Security-Related Requirements 107 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 108.
    Example ZATS SecurityAbuse (Attack) Tree Steal ZATS Legend Industrial wants to Attack Spy Attacker Intellectual Goal Instantiation (is a) Property Inheritance (is a kind of) achieves performs Industrial Aggregation (is part of) Attack Espionage Association Nation State Spy Insider Dumpster Internet Plant Physical Social Recruitment Diving Access Spy Access Engineering Domain Name Control Facility Current or Blackmail Break-in Determination Access Former Employee Bribery Impersonation ZATS Firewall Maintenance Extortion Exploit Facility Access PMI Web Server Employee Janitor Taxi Access Exploit Recruitment Safety / Security Zoo Control Server Maintainer Accreditor Administration Exploit Recruitment Office Access Safety Operator Inspector Recruitment Engineering Safety- & Security-Related Requirements 108 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 109.
    Representative ZATS SafetyAbuse (Mishap) Tree Cave or Mine Ocean Building Electrical Fire and Smoke Structural Water Wind Collapse Damage Damage Damage Damage Damage Hurricane River Snow Storm Destroy or Damage “wants” to Natural Maintenance / Mishap Legend Storm Disaster Operations Facility “Goal” and Taxi Stations Instantiation (is a) Thunder achieves Inheritance (is a kind of) Storm Sun performs Abuse of Association Mishap ZATS Building Tornado Tectonic Fault Cave in / Flying Heavy High Voltage Storm Wild Earthquake Sinkhole Debris Snow Spike (EMP) Surge Fire Volcano Coastal High Lightning Volcanic Flood Hail Erosion Winds Strike Ash Fall Engineering Safety- & Security-Related Requirements 109 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 110.
    Example ZATS Abuse(Misuse) Cases Steal from Travel Card Vending threatens Machine Buy Travel Card Steal from Bank Passenger Steal Card Server Bank Card Add Funds to Data Steal from Network Travel Card threatens Steal from threatens Passenger Ride Taxi Thief Steal from Passengers threatens Steal from Vending Machine threatens Steal Cash Steal from Service threatens Maintainer Maintainers Vending Machine Steal from Safe threatens Steal Equipment threatens Service Taxis Steal ZATS Steal Tools threatens Controller Property Steal Hardware threatens Control ZATS Steal Software threatens Engineering Safety- & Security-Related Requirements 110 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 111.
    Representative Potential Typesof ZATS Safety Abuses (Mishaps) Accident: • Rear-end Collision One taxi rear-ends another taxi causing damage to one or both of the taxis. Safety Incidents: • Bumping Bumpers One taxi lightly bumps into another taxi without causing damage to one or both taxis. • Inadequate Headway (tailgating) The distance between two adjacent taxis becomes less than the minimum safe braking distance. Starting to tailgate (event) is an safety incident (near miss), whereas Tailgating (condition) is a hazard. Engineering Safety- & Security-Related Requirements 111 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 112.
    Representative Potential Typesof ZATS Security Abuses (Misuses) Successful attacks: • Arson of Taxi Station An arsonists starts a fire in a taxi station. • Denial of Service (DoS) A cybercriminal uses signal jamming to mount a successful DoS attack against the ZATS taxis. Security Incidents: • Unsuccessful Malware Infection Software malware (e.g., worms and viruses) fails to infect a ZATS computer (e.g., because of the existence of properly installed antivirus software with current virus definitions). • Undetected Probe A cybercriminal’s attempt to identify computer vulnerabilities (e.g., open ports) goes undetected. Engineering Safety- & Security-Related Requirements 112 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 113.
    Representative ZATS Abuse(Mishap and Misuse) Requirements Mishap prevention requirement: Taxi collisions: Under normal operating conditions, ZATS shall ensure that the rate of major collisions between taxis* is less than X per [Y trips | time unit]. * Terms must be properly defined. For example, a major taxi collision could be defined as one with a relative speed of at least 10 mph. It could also be defined in terms of cost but… Misuse prevention requirement: Denial of service: ZATS shall detect Internet launched denial of service attacks within 2 minutes at least 99% of the time. Engineering Safety- & Security-Related Requirements 113 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 114.
    ESSR Tool –Abuses Entry/Edit Form Engineering Safety- & Security-Related Requirements 114 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 115.
    ESSR Tool –Abuses Report Engineering Safety- & Security-Related Requirements 115 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 116.
    Vulnerability Analysis Architects, Designers, and Safety and Requirements Team Requirements Implementers Safety Team Security Team Security collaborates Engineering Engineering Generic / Reusable with Vulnerability Requirements Safety and Constraints Vulnerability Preparation Requirements performs Quality Engineers, Security provide Testers, and input Vulnerability Maintainers performs Vulnerability Vulnerability during Requirements Identification Table provide Vulnerability input Vulnerability and Abuse during Table Requirements Vulnerability Vulnerability Requirements Analysis Modeling Development Concept of Vulnerability Operations (ConOps) and Defense Vulnerability Table Constraints Requirements, Vulnerability Requirements Glossaries, and Vulnerability Validation Goal Domain Models Goals Safety Identification Vulnerability System Architectural Constraints support perform Representations Abuse Table Safety and Security Security Subject Vulnerability Certification Safety Security Abuse Cases Matter Constraints Repository Team Team Stakeholders Experts Abuse Trees Engineering Safety- & Security-Related Requirements 116 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 117.
    Vulnerabilities Vulnerability a potential or actual system-internal weakness or defect in the system that enables or causes: — A danger (hazard or threat) to exist. — An abuse (mishap or misuse) to occur. Ways to identify vulnerabilities include: • Analyze historical data • Identify and analyze plausible “defects”: — Requirements defects (missing, ambiguous, incomplete, or incorrect requirements) — Component internal defects (component fails to meet its requirements) — Component interaction defects (components meet individual requirements) • Consider human issues beyond “user error”: — Human limitations, financial and schedule pressures, psychology, etc. Engineering Safety- & Security-Related Requirements 117 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 118.
    Types of Vulnerabilities Data Missing Management Vulnerabilities Component Vulnerabilities Vulnerabilities Energy Safety Requirements Vulnerabilities Component- Vulnerabilities Vulnerabilities Ergonomic Internal Architectural Vulnerabilities Vulnerabilities Security Vulnerabilities Vulnerabilities Facility Component Design Defective Vulnerabilities Interaction Survivability Vulnerabilities Materials Vulnerabilities Vulnerabilities Hardware Implementation Hazardous Vulnerabilities Vulnerabilities Biologicals Material Integration Vulnerabilities Vulnerabilities Vulnerabilities Hazardous Chemicals Procedural Manufacturing Hazardous Vulnerabilities Vulnerabilities Physical Software Actual Potential Configuration Materials Vulnerabilities Vulnerabilities Vulnerabilities Vulnerabilities Subsystem Maintenance Vulnerabilities Vulnerabilities Known Unknown Vulnerabilities Vulnerabilities Engineering Safety- & Security-Related Requirements 118 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 119.
    Representative ZATS Vulnerabilities (Potentialor Actual) Defensibility vulnerability: • Lack of or defective fire detection and suppression system in the ZATS buildings Safety vulnerability: • Defect (accidentally incorporated) in the software of the LIDAR proximity detection subsystem Security vulnerability: • Lack of or defect in the encryption/decryption software • Incorporation of a backdoor, logic bomb, time bomb, or Trojan horse Engineering Safety- & Security-Related Requirements 119 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 120.
    ESSR Tool –Vulnerabilities Entry/Edit Form Engineering Safety- & Security-Related Requirements 120 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 121.
    ESSR Tool –Vulnerabilities Report Engineering Safety- & Security-Related Requirements 121 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 122.
    Ways to IdentifyVulnerabilities Analyze historical data: • Published lists of commonly occurring vulnerabilities and vulnerability types Brainstorm plausible “defects”: • Requirements defects (missing, ambiguous, incomplete, or incorrect requirements) • Component internal defects (component fails to meet its requirements) • Component interaction defects (components meet individual requirements) Consider human issues beyond “user error”: • Human limitations, financial and schedule pressures, psychology, etc. Engineering Safety- & Security-Related Requirements 122 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 123.
    Representative ZATS Safety VulnerabilityRequirements Vulnerability: Taxi Doors Cannot Lock: A ZATS taxi cannot lock its closed doors when moving. Vulnerability prevention requirement: Lock Taxi Doors: When its doors are closed, each ZATS taxi shall be able to lock and unlock its doors with a success rate of at least 99.99%. Vulnerability detection requirement: Detection of Unlocked Taxi Doors: When it is moving and its doors are closed, each ZATS taxi shall be able to determine if its doors are unlocked at least 99.99% of the time. Vulnerability reaction requirement: Reaction to Unlocked Taxi Doors: If any ZATS taxi is moving and detects that its doors are not locked, then the taxi shall : • Notify the ZATS operator within 5 seconds at least 99.99% of the time • Warn the taxi passengers to stay away from the doors until the taxi has berthed at the next taxi station within 1 second at least 99.99% of the time Engineering Safety- & Security-Related Requirements 123 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 124.
    Representative ZATS Security VulnerabilityRequirements Vulnerability: Server Infected with Malware: A ZATS server is infected with malware. Vulnerability prevention requirement: Malware Infection Prevention: ZATS servers shall not be infected with known malware at least 99.99% of the time. Vulnerability detection requirement: Malware Infection Detection: Each ZATS shall detect when it is infected with known malware at least 99.99% of the time. Security vulnerability reaction requirement: Malware Infection Reaction : When a ZATS server detects that it is infected by malware, it shall: • Delete the malware at least 95% of the time • Quarantine any malware it could not remove at least 99% of the time • Notify the ZATS operator of the infection and the status (i.e., malware deleted, malware quarantined, or malware unaffected) at least 99% of the time Engineering Safety- & Security-Related Requirements 124 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 125.
    Abuser Analysis Subject Matter Safety Team Security Team Requirements Team Experts collaborates Generic / Reusable with Abuser Abuser-Related Requirements Protection Requirements provide Preparation Abuser Abuser Stakeholders input Table Detection during Requirements performs Abuser Abuser performs provide Profiles Identification Abuser input Reaction during Asset Abuser Requirements Project Documentation Abuser Table Requirements (RFP, Contract, ConOps) Analysis Abuser Development Abuser- Abuser Modeling Related Abuse Asset Generic / Reusable Harm Table Requirements Abuser Lists Requirements Abuser- Validation Abuser Goal Safety Generic / Reusable Related Development Abuser Abuser Profiles Goals Requirements perform support Generic / Reusable Safety and Security Security Abuser-Related Goals Certification Abuser Repositories Subject Requirements Safety Security Matter Team Team Experts Stakeholders Safety and Security Requirements Engineering Engineering Engineering Safety- & Security-Related Requirements 125 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 126.
    Types of Abusers Foreign Disgruntled Intelligence Dishonest Script Professional Malicious Agencies Employees Kiddies Criminals Hackers Phishers & Botnet Industrial Hactivists Terrorists Spammers Operators Spies Hazardous Hazardous Hazardous Zombies Materials Parts of Nature Systems create Malware and use Zombie Systems Armies Hazardous Hazardous Hazardous Hardware Attackers Malware Energies Objects People Malware Adware Software Logic Bombs Malware Malvertisements can Unintentional Abusers Intentional Abusers can Ransomware cause (Safety) (Security) cause Root Kits Direct Actual Scareware Abusers Abusers Spyware Abusers Time Bombs Potential Indirect Abusers Abusers Trojan Horses can cause can can harm exploit Worms Abuses Vulnerabilities Viruses can harm can enable Defended Assets Safety Security Abuses Abuses Engineering Safety- & Security-Related Requirements 126 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 127.
    Abuser Profiles Abuser Profile a description of a specific type of abuser, typically including: • Means including tools, training, expertise, support, and time • Motive including both desired harm and risk aversion (for attackers) • Opportunity including access to system and defended assets • External influences such as project cost and schedule pressures, personal financial pressures • Abuser weaknesses such as human mental and physical limitations, untreated addictions and mental illness Profiles are highly reusable. Profiles more commonly used for attackers than non-malicious abusers, but are useful for both. Engineering Safety- & Security-Related Requirements 127 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 128.
    Representative Potential ZATSAbusers Accidental human abuser: • Maintainers (who make mistakes if inattentive, careless, or fatigued) Accidental external system abuser: • Electrical power grid (which may provides current or voltage spikes and surges, sustained overvoltage or undervoltage, complete power loss, random noise, or electromagnetic interference) Accidental environmental abuser: • Storm (which may provide high winds, hail, heavy snow, ice, etc.) Attacker (malicious human abuser): • Industrial spy (who may steal proprietary data) Malware (malicious nonhuman abuser): • Adware, ransomware, scareware, spyware, virus, or worm Engineering Safety- & Security-Related Requirements 128 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 129.
    ESSR Tool –Abusers Entry/Edit Form Engineering Safety- & Security-Related Requirements 129 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 130.
    ESSR Tool –Abusers Report Engineering Safety- & Security-Related Requirements 130 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 131.
    Representative ZATS AbuserRequirements Safety abuser prevention requirement: ZATS shall ensure that its operations and maintenance facility is beyond reach of the nearby river, even in the event of 100 year floods. Security abuser prevention requirement: ZATS shall prevent attackers of type X with profile Y from successfully causing the loss of confidentiality and integrity of sensitive information Z by preventing attacks lasting no more than 8 total hours at least 99% of the time. Engineering Safety- & Security-Related Requirements 131 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 132.
    Danger Analysis Safety Team Security Team collaborates Subject Matter with Safety and Security Requirements Experts Engineering Engineering Requirements Team Danger Protection Requirements Preparation Generic / Reusable Hazard and Threat Danger provide Danger Requirements Stakeholders Danger (Hazard Detection input Identification & Threat) Requirements during performs performs List provide Danger Danger input Profiling Reaction Danger during Requirements Task Profiles System Safety and Analysis Requirements Danger Security Development Analysis Danger Documentation Cause Danger Requirements Analysis Cause & Generic / Reusable Effects Danger Requirements Danger Lists Diagrams Modeling Root Validation Cause(s) Safety Hazard Generic / Reusable Analysis Requirements Danger Profiles perform FMECA support Common Tables Security Generic / Reusable Cause Threat Danger Probabilities Analysis Subject Requirements HAZOP Safety Security Matter Danger Tables Team Team Experts Stakeholders Safety and Effects Security Analysis Certification Danger Goal Danger Requirements Repositories Identification Goals Engineering Engineering Safety- & Security-Related Requirements 132 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 133.
    Components of Dangers are simultaneous and co-located combinations of dangerous Dangers Conditions increase the Existence Existence of probability of of Abusers Defended Assets Existence of Other can Vulnerabilities Conditions cause Abuses Abusers can cause Unauthorized Vulnerabilities Harm can exist in can happen to abuse System Defended Assets must defend Engineering Safety- & Security-Related Requirements 133 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 134.
    Types of Dangers Acoustic Business Hazards Hazards Biological Malware Hazards Computational Security Survivability Chemical Hazards Hazards Threats Threats Electrical Hazards Environmental Computational Fire Hazards Threats Hazards Gravitational Human Hazards Threats Hazards Hazards Kinetic Human Hazards Threats Material Physical Hazards Hazards Dangers Mechanical Hazards Procedural Radiation Attackers Hazards Hazards Thermal Hazards Actual Potential Miscellaneous Dangers Dangers Hazards Engineering Safety- & Security-Related Requirements 134 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 135.
    Dangers Danger a potential or actual situation that increases the likelihood of one or more related abuses Hazard a danger that increases the likelihood of mishaps (safety) Threat a danger that increases the likelihood of misuses (security) A danger consists of one or more conditions concerning the existence of: • Vulnerable defended assets that can be harmed by abuses • System-internal vulnerabilities or other system-internal conditions, states, or modes • System-external abusers or other system-external conditions, states, or modes Dangers are sets of concurrent conditions, whereas abuses are networks of events. Engineering Safety- & Security-Related Requirements 135 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 136.
    Identifying Dangers (Hazardsand Threats) Several approaches exist that can be used to identify dangers: • Abuse-Based Identification – Consider each identified abuse to identify the associated dangers that increase the probability of the abuse occurring. • Abuser-Based Identification – Consider each identified abuser to identify the associated dangers that include the existence of the abuser as a component condition. This is especially useful for identifying security threats based on generic types of attackers and malware. • Asset-Based Identification – Consider each defended asset to identify the dangerous conditions that can lead to that asset being harmed. • Task-Based Identification – Consider each task performed by a “user” of the system to identify the relevant dangers that can exist. Observe the users while performing their tasks. • Use-Case-Based Identification – Consider each use case and use case flow to identify the associated dangers. • Vulnerability-Based Identification – Consider each vulnerability to identify the associated dangers. Engineering Safety- & Security-Related Requirements 136 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 137.
    Traditional Hazard Analysis(Safety)1 As used in the safety community, hazard analysis usually implies the analysis of assets, harm, incidents, hazards, and risks. Hazard analysis often occurs multiple times before various milestones: • Preliminary Hazard Analysis (PHA) • System Hazard Analysis (SHA) Hazard analysis should probably be performed continuously. Engineering Safety- & Security-Related Requirements 137 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 138.
    Traditional Hazard Analysis(Safety)2 Traditional hazard analysis techniques: • Come from reliability analysis • Concentrate on individual component failures • Do not address all (or even most) safety concerns • Are inadequate for software and “human error” Traditional techniques borrowed from reliability include: • Event Tree Analysis (ETA) • Fault Tree Analysis (FTA) • Hazard Cause and Effect Analysis (HCEA) • Failure Mode Effects Criticality Analysis (FMECA) Engineering Safety- & Security-Related Requirements 138 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 139.
    Example ZATS Hazard,Events, Harm, and Assets Door Passenger Taxi Starts Unexpectedly Falls Out of Taxi Passenger Passenger Hits Head Moving Starts Opening (accident Lands On Guideway on Guideway (normal event) (hazardous event) trigger) (harm event) (harm event) Passenger is Passenger is Passenger is Dead Passenger is Okay Falling (abnormal Rolling and Injured (abnormal (normal condition) condition) (abnormal condition) condition) Taxi is Moving Taxi is Moving (normal condition) (abnormal condition when taxi door is open) Taxi Door Taxi Door is Open is Closed (abnormal condition when taxi is moving) (normal condition) Taxi Cabin Contains one Passenger Taxi Cabin is Empty (normal condition) (abnormal condition during habitat tour or passenger trip) Taxi Control Software (SW) is Defective (failure causes door to open inappropriately) (vulnerability) Passenger is in Moving Taxi with Passenger is Killed Open Door and Falling From Moving Taxi Defective SW (accident) (hazard) Time Engineering Safety- & Security-Related Requirements 139 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 140.
    Example Fault Tree Passenger falls out of open door of moving taxi Passenger inattentive and near taxi door Door opens on Train starts moving moving taxi with open door Warning is Taxi Taxi door is Door motor ineffective Taxi door fails to close starts to unlocked opens taxi door move A Taxi Taxi door lock Taxi Taxi door Taxi Taxi door Taxi motor Taxi fails computer motor fails computer motor fails computer fails computer unlocked fails open fails open fails on fails Taxi door Taxi door sensor fails lock sensor closed fails locked Engineering Safety- & Security-Related Requirements 140 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 141.
    Example Event Tree Taxi Door Taxi Taxi Taxi Speed Position Door Brakes Speaker Sensor Sensor Motor closes door Passenger is protected. detects issues open door stops warning taxi Passenger may fall out of stopped taxi. fails Passenger likely to fall out of stopped taxi. detects fails motion issues Passenger is warning fails Passenger may fall out of stopped taxi. near open door on a moving taxi fails Passenger likely to fall out of stopped taxi. fails Passenger likely to fall out of stopped taxi. fails Passenger likely to fall out of stopped taxi. Engineering Safety- & Security-Related Requirements 141 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 142.
    Example ZATS FMECATable Component Failure Failure Failure Failure Failure Criticality Safety that fail Mode Cause Effect Severity Likelihood (Risk) Controls Hardware No data, Bad Excessive redundancy, data (0, last Hardware failure, acceleration or Accelerometer High-reliability value, loss of electrical deceleration Minor Low Moderate (Taxi sensor) COTS maximum power, wiring fails causing passenger component, SW value) injury fault tolerance Taxi not controllable Hardware CPU, electrical (e.g., braking, redundancy, Loss of power (loss or power, steering), High-reliability Computer function spike), hard drive, collision between COTS Hardware (complete or Severe Moderate Critical motherboard, or taxis, collision with components, (Taxi) intermittent), RAM failure, guideway, temperature bad data high temperature unexpected or sensor, SW emergency braking fault tolerance SEAL 1 applied Loss of Taxi not controllable (e.g., SW fault function CPU, electrical (e.g., braking, tolerance, real- (complete or power (loss or power, steering), time operating Computer intermittent), spike), hard drive, collision between system, safe Software Severe High Critical incorrect motherboard, or taxis, collision with language (Taxi) function, bad RAM failure, guideway, subset, formal timing of high temperature unexpected or specification of function emergency braking core functions, etc.) Engineering Safety- & Security-Related Requirements 142 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 143.
    Hazard Analysis (Safety)– A Relook1 Safety and reliability are not the same: • Unreliable systems can be safe (failsafe systems – failures do not cause harm) • Reliable systems can be unsafe (poor requirements lead to accidents) Reliability-based safety analysis assumes: • Accidents are due to the independent failures of individual components • Defective components fail to meet their requirements However, most accidents are due to: • Poor (missing, ambiguous, incomplete, or incorrect) requirements • Component interaction defects, whereby the individual components meet their requirements and are thus reliable • Software, that glues complex components together • Human causes of accidents beyond “user” errors: — Management and developer rather than operator (e.g., pilot) errors — Unavoidable human limitations, financial and schedule pressures, psychology, sociology, etc. Engineering Safety- & Security-Related Requirements 143 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 144.
    Hazard Analysis (Safety)– A Relook2 Modern Hazard Analysis: • Add requirements defects to component defects. • Add component interaction failures to individual component failures. • View safety and security as emergent system characteristics arising from the interaction among system components and the system’s environment rather than the characteristics of individual system components in isolation. • Emphasize software and humans over hardware. Danger Analysis: • Emphasize safe and secure interfaces. • View safety and security not as a reliability problem but rather as a problem of controlling dangers by enforcing safety- and security-related requirements. • Address indirect and systemic causes of accidents and successful attacks. Engineering Safety- & Security-Related Requirements 144 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 145.
    Representative ZATS Hazard- Overspeed Primary Condition: • Taxi exceeds the speed limit. Existence of one or more Vulnerable Assets: • Guideways • One or more passengers • Passenger property • Taxis • Taxi stations Existence of one or more system Vulnerabilities: • Defective speed sensor • Defective power braking system • Defective taxi processor • Defective associated software Existence of one or more Non-malicious Abusers: • None (taxi speed is automatically controlled by the taxi) Engineering Safety- & Security-Related Requirements 145 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 146.
    Representative ZATS HazardRequirements - Overspeed Overspeed Requirements: • ZATS taxis shall not exceed the speed limit by more than one mile an hour more than 0.001 % of the time. • ZATS taxis shall not exceed the speed limit by more than five miles an hour more than 0.0001 % of the time. • ZATS taxis shall not exceed the speed limit by more than one mile an hour for durations longer than 10 seconds more than 0.0001 % of the time. Engineering Safety- & Security-Related Requirements 146 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 147.
    Representative ZATS Threat (BankCard Confidentiality) Primary Condition: • Travel Card Vending Machine computer connected to Internet via Operations Facility Server Existence of one or more Vulnerable Assets: • Passengers’ bank card information Existence of one or more system Vulnerabilities: • Lack of encryption during transmission • Lack of encryption during storage • Weak encryption • Lack of firewalls or firewalls improperly configured Existence of one or more Malicious Abusers: • Cyber-thief: — Means: Expertise plus relevant hacking tools — Motive: Greed — Opportunity: Computer access to the Internet Engineering Safety- & Security-Related Requirements 147 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 148.
    Representative ZATS ThreatRequirements Threat Requirements: • ZATS shall encrypt all passenger bank card information while stored within ZATS. • ZATS shall not store passenger bank card information in the travel card vending machines. • ZATS shall encrypt all passenger’s bank card information sent to the bank card processing gateway. Rationale: to make the bank card information unusable by cyberthieves if accessed. Engineering Safety- & Security-Related Requirements 148 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 149.
    ESSR Tool –Dangers Entry/Edit Form Engineering Safety- & Security-Related Requirements 149 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 150.
    ESSR Tool –Dangers Report Engineering Safety- & Security-Related Requirements 150 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 151.
    Defensibility Risk Analysis Safety Team Security Team Requirements Team Safety and Risk collaborates Requirements Subject with Security Protection Matter Engineering Requirements Engineering Experts Standard / Reusable Risk Detection Defensibility Risk Requirements Requirements performs performs Preparation provide Risk Reaction Stakeholders input Requirements during Risk Risk provide Identification Lists Requirements input Risk Development Analysis Risk Risk-Related during Risk Requirements Definition Modeling Tables Generic / Reusable Requirements Risk Tables Validation Risk Goal Defensibility Safety Risk Identification Risk Goals Requirements Abuse Table perform support Abuse Trees Security Risk Requirements Subject Abuse Cases Safety Security Matter Team Team Experts Stakeholders Danger Profiles Safety and Security Danger Cause and Certification Effects Diagrams Repositories Engineering Safety- & Security-Related Requirements 151 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 152.
    Defensibility Risks Risk the expected or maximum credible amount of unauthorized harm Traditionally calculated as the product of the: • probability that harm will occur • the amount or severity of the harm Defensibility Risks the expected or maximum credible amount of unauthorized harm that can occur • To [a type of] defended assets • Due to a specific [type] of abuse • Due to the existence of [a type of] vulnerability, abuser, or danger Engineering Safety- & Security-Related Requirements 152 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 153.
    Estimating Safety andSecurity Risk Safety Risk the expected or maximum credible amount of unintentional unauthorized harm • Probability accident occurs x harm severity • Probability hazard exists x conditional probability accident occurs given hazard exists x harm severity Security Risk the expected or maximum credible amount of intentional unauthorized harm • Probability attack occurs x conditional probability/rate attack is successful x harm severity • Probability threat exists x conditional probability attack occurs given threat exists x conditional probability attack is successful x harm severity Engineering Safety- & Security-Related Requirements 153 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 154.
    are due to Defensibility Defensibility Risks can be estimated in Risks are estimated terms of in terms of Harm Harm Expected amount of harm are the Likelihoods Severities likelihoods to defended assets of the can be estimated occurrences of in terms of Dangers Maximum credible amount Danger Harm Event Conditional of harm to defended Likelihoods Likelihoods increase the assets probability of Determining harm Hazard Threat Accident Successful Attack Likelihoods Likelihoods Likelihoods likelihoods very difficult Likelihoods with software are the conditional likelihoods given danger of occurrence of Abuses can cause categorize amount of Unauthorized Harm correspond to the “expected” amount of can happen to Defended Assets Engineering Safety- & Security-Related Requirements 154 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 155.
    The ZATS SafetyRisk Matrix Safety risk matrix defines safety risk as a function of: • Harm severity • Frequency of harm occurrence, abuse occurrence or danger existence ZATS Safety/Security Risk Matrix Frequency of Harm / Abuse / Danger Harm Severity Frequent Probable Occasional Remote Implausible Catastrophic Intolerable Intolerable Intolerable High Medium Critical Intolerable Intolerable High Medium Medium Major High High Medium Medium Low Minor High Medium Low Negigible Negligible Negligible Medium Low Negligible Negligible Negligible Engineering Safety- & Security-Related Requirements 155 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 156.
    ESSR Tool –Risks Entry/Edit Form Engineering Safety- & Security-Related Requirements 156 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 157.
    Representative ZATS DefensibilityRisk Goals and Requirements Defensibility Risk Goal • The risk of fires in ZATS buildings will be acceptable to zoo management and the Metropolitan Zoo Authority. Defensibility Risk Requirement • The risk of fires in ZATS buildings shall be less than or equal to the fire risk to other zoo buildings. Engineering Safety- & Security-Related Requirements 157 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 158.
    Defensibility Significance Analysis Safety Team Security Team Requirements Team collaborates Subject with Matter Requirements Experts Engineering Preparation performs provide performs SAL input Category Stakeholders during Definition Requirements Requirements Identification provide SAL Repository input Significance Categorization during Analysis Requirements SEAL Analysis Safety and Security Category Goals Definition Standard Reusable SEAL Architecture Architecture Safety and Security Allocation Representations Verification Safety and Security Assurance Level (SAL) Certification Definitions Repositories perform produces Standard Reusable Safety and Security collaborate Evidence Assurance Subject in the Architecture Safety Security Level (SEAL) Definitions Matter performance Team Team Team Stakeholders Experts of Safety and Security Architecture Engineering Engineering Engineering Safety- & Security-Related Requirements 158 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 159.
    Safety/Security Assurance Levels(SALs) Safety/Security Assurance Level (SAL) a category of requirements based on their defensibility (i.e., safety/security) relevance. SALs are used to categorize the safety/security relevance of the subsystems to which they are allocated. SALs can be determined for: • Individual requirements. • Groups of related requirements (e.g., features or functions) SALs should be clearly and unambiguously defined. Engineering Safety- & Security-Related Requirements 159 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 160.
    Five Ways toCategorize SALs There are five ways to categorize defensibility relevance (in decreasing order of goodness): 1. Risk – Increased risk increases SAL (best but labor intensive) 2. Harm severity – increased harm severity increases SAL (good but not quite as labor intensive as risk) 3. Ad hoc – intuitively assigned based on experience of requirements, safety, or security engineer (usually adequate and low labor) 4. Degree of software control – Increased degree of software control increases SAL (NOT recommended) 5. Degree of software control x harm severity – analogous to risk (NOT recommended) Engineering Safety- & Security-Related Requirements 160 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 161.
    SAL in termsof Software Degree of Control categorize SAL is a function is a function of of Defensibility Software Harm Requirements Degrees of Control Severity specify the is software’s control categorizes required amounts over occurrence of amount of of defensibility needed by the System Unauthorized Harm may occur to Valuable Assets Engineering Safety- & Security-Related Requirements 161 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 162.
    Common Categories ofDegrees of Software Control Autonomous Time-Critical: Software completely controls time-critical potentially dangerous system behavior, whereby there is no time for a human user/operator to override the software and either eliminate the danger or prevent the abuse. For example, software failure can directly lead to the existence of the danger or the occurrence of the abuse. Autonomous Allowing Intervention: Software completely controls potentially dangerous system behavior, but there is sufficient time for either a safety/security system or a human user/operator to override the software and either eliminate the danger or prevent the abuse. The software warns the user/operator that immediate action is required. Information Generated: Software generates information that a human user/operator uses to make a decision with safety or security ramifications. Immediate user/operator action is not required. Autonomous Requiring Human Completion: Software primarily controls potentially dangerous system behavior, but a human user/operator must issue a command before the behavior is completed. No Defensibility Significance: Software either controls system behavior or provides information that has negligible safety or security significance. Adequate safeguards or countermeasures exist and have been successfully verified so that any residual safety or security risks are acceptable. Engineering Safety- & Security-Related Requirements 162 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 163.
    SAL Definition Table– Degrees of Software Control ZATS Safety/Security Assurance Level Harm Severity (SAL) Definition Table Catastrophic Major Minor Negligible Autonomous Time-Critical SAL = 3 SAL = 3 SAL = 2 SAL = 1 SW Control Degrees of Autonomous Allowing Human Intervention SAL = 3 SAL = 3 SAL = 2 SAL = 1 Defensibility Information Generated SAL = 3 SAL = 2 SAL = 1 SAL = 0 Autonomous Requiring Human Completion SAL = 2 SAL = 1 SAL = 1 SAL = 0 No Defensibility Significance SAL = 1 SAL = 0 SAL = 0 SAL = 0 Engineering Safety- & Security-Related Requirements 163 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 164.
    SEALs Safety/security evidence assurancelevel (SEAL) a category of architectural components based on the highest SAL of the allocated and derived requirements they implement SEALs categorize architectural components to which defensibility-related requirements are allocated. SEALs define increasingly strict associated development methods needed to assure fulfillment of the highest associated SAL requirement. SEALs should be clearly and unambiguously defined. Engineering Safety- & Security-Related Requirements 164 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 165.
    SAL versus SEAL Categorized Categorized Architectural Requirements Components SAL = 0 Component 1 R1 SEAL = 0 SAL = {0} Requirements R3 R7 R1 Component 2 R11 SEAL = 1 R2 R13 SAL = {0,1} R3 R4 SAL = 1 Component 3 R5 R2 SEAL = 2 R6 R5 SAL = {0,1,2} R7 R12 R8 R15 Component 4 SEAL = 2 R9 SAL = {0,1,2} SAL = 2 R10 R4 R11 R6 Component 5 Refactored SEAL = 3 R12 R9 Architectural SAL = {1,2,3} Components R13 R10 R14 Component 7 R15 SAL = 3 SEAL 2 R14 SAL = {2} R16 Component 6 R16 SEAL = 4 R17 Component 8 R17 SAL = {2,3,4} R18 SEAL 3 R18 SAL = {2,3} SAL = 4 R8 Engineering Safety- & Security-Related Requirements 165 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 166.
    Safety/Security Evidence AssuranceLevel (SEAL) High SEALs require more rigorous development method (including better requirements and architecture engineering): • Formal specification of requirements • Fagan inspections of requirements • Quality assessments of the architecture Often SEALs only apply to design, coding, and testing: • Design inspections • Formal derivation of code and proof of correctness • Model-Based Development (MBD) of software from models • Safe subset of programming language • Extra testing (test types and test completion criteria) Because of the added cost and schedule, architects often attempt to minimize the scope of components having high SEALs. Engineering Safety- & Security-Related Requirements 166 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 167.
    Defensibility-Related Requirements (SAL= 1 - 5) Safety/Security Assurance Level (SAL) Defensibility Quality Intolerable Requirements Requirements Defensibility-Related Requirements SAL = 5 Defensibility Function / Supporting Critical Subsystem Requirements Defensibility-Related Requirements Requirements SAL = 4 Defensibility Constraints Constraints Major Defensibility-Related Other Requirements Defensibility- SAL = 3 Related Functional Requirements Requirements Moderate Defensibility-Related Quality Requirements Defensibility-Related Requirements SAL = 2 Requirements SAL = 1 - 5 System Data Minor Requirements Requirements Defensibility-Related Requirements SAL = 1 Interface Requirements Defensibility-Independent Requirements Constraints SAL = 0 Engineering Safety- & Security-Related Requirements 167 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 168.
    Defense Determination collaborate with SMEs Safety and Security Requirements Safety Security Architecture Engineering Engineering Team Team Team Requirements Team Safety Defensibility Existing Subsystem / Laws and Defenses Function Regulations Analysis Existing Requirements Relevant Safety Defenses Table Security and Security Defense Subsystem / Policies performs Needs performs Function Analysis Requirements Requirements Engineering Work Defense Products Defense Defensibility- Gap Analysis Goals Requirements Defense Related Safety & Security Development Determination Potential Requirements Assurance Defenses Potential Level (SAL) Table Defense Allocations Requirements Identification Safety Defense Validation Architecture Constraints Vendor Trade Engineering Potential Studies Work Products Defense Security Evaluation Defense support perform Constraints Safety and Defense Analysis Product Security Work Products Evaluation Certification Defense Subject Reports Repositories Selection Safety Security Matter Documentation Architecture Team Team Experts Stakeholders of Existing Authoritative Stakeholders Represen- Defenses Residual tations Catalogues of perform Risks Updated with Standard Acceptance Defenses Defenses Engineering Safety- & Security-Related Requirements 168 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 169.
    Types of Defenses Safety Security Survivability Active Operational Defenses increase increase Defenses Passive Safeguards Countermeasures Technical Defenses Defenses Defenses (a.k.a., Controls) prevent or help to mandate the eliminate use of specific lessen the meet the or lower frequency of prevent or Defensibility-related Defensibility eliminate lessen the Requirements Constraints severity of Defensibility Abuses Risks Unauthorized Vulnerabilities Harm Engineering Safety- & Security-Related Requirements 169 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 170.
    ESSR Tool –Defenses Entry/Edit Form Engineering Safety- & Security-Related Requirements 170 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 171.
    ESSR Tool –Defenses Report Engineering Safety- & Security-Related Requirements 171 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 172.
    Representative ZATS SafetyConstraints Each ZATS taxi shall contain a taxi door subsystem consisting of two doors, two door position sensors, two door locks, two door lock sensors, one door motor, and associated computer hardware and software. ZATS guideways shall be constructed from pre-stressed reinforced concrete that can support at least 150% of the maximum expected loading. Rationale: This constraint practically prevents the risk of guideway collapse due to credible excessive loading. The bottom of ZATS guideways shall be a minimum of 17 feet above ground level. Rationale: Elevation of the guideways provides patrons with good visibility of the animals in their habitats, safely separates zoo patrons from the animals, eliminates the possibility of taxis running down patrons on zoo walkways, and eliminates the possibility of collision between taxis and patrons’ vehicles in the parking lots. The minimum height of the bottom of the guideway was also chosen to exceed the American Zoological Association (AZA) recommendation of 16 feet. Engineering Safety- & Security-Related Requirements 172 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 173.
    Representative ZATS SecurityConstraints ZATS shall use a COTS public key encryption/decryption product to protect sensitive data. Rationale: Encryption and decryption is the most effective countermeasure for ensuring the confidentiality of sensitive data. Using a COTS product is best in terms of cost and schedule, and COTS products tend to use public key encryption. ZATS shall use of a COTS antivirus product to prevent server infection by malware. Rationale: ZATS servers are threatened by the existence of software malware (e.g., viruses, worms, and Trojans). COTS antivirus products maintain current definitions of such malware and are of higher quality and much less expensive than developing and maintaining such a subsystem in-house. Engineering Safety- & Security-Related Requirements 173 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 174.
    Where We Are RelatedDisciplines Challenges Common Example Free, Open-Source Tool Requirements Engineering Overview Safety and Security Engineering Overview Safety- and Security-related Requirements Collaborative Defensibility Engineering Method Conclusion ◄ Engineering Safety- & Security-Related Requirements 174 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 175.
    Conclusion1 Engineering safety- andsecurity-related requirements requires appropriate: • Concepts • Methods • Techniques and tools • Expertise There are four types of safety- and security-related requirements: • Safety and security quality requirements • Safety- and security-significant requirements • Safety and security function/subsystem requirements • Safety and security constraints These different types of requirements need to be identified, analyzed, and specified differently. Engineering Safety- & Security-Related Requirements 175 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 176.
    Conclusion2 Processes for requirementsengineering, safety engineering, and security engineering need to be: • Properly interwoven. • Consistent with each other. • Performed collaboratively and in parallel (i.e., overlapping in time). Engineering Safety- & Security-Related Requirements 176 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 177.
    Recommendations Ensure close collaborationamong safety, security, and requirements teams. Better integrate safety and security methods: • Concepts and terminology • Techniques and work products • Provide cross training Better integrate defensibility methods with requirements method: • Early during development cycle (build safety/security in) • Clearly define team responsibilities • Provide cross training Develop all types of safety- and security-related requirements. Ensure that these requirements have the proper characteristics. Engineering Safety- & Security-Related Requirements 177 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 178.
    For More Information Thistutorial is taken from Engineering Safety- and Security-related Requirements, which will be published in Summer 2011 by Auerbach. Donald Firesmith U.S. Mail: Senior Member of the Tech. Staff Software Engineering Institute Acquisition Support Program Customer Relations Telephone: +1 412-268-6874 4500 Fifth Avenue Email: dgf@sei.cmu.edu Pittsburgh, PA 15213-2612 USA World Wide Web: Customer Relations www.sei.cmu.edu Email: customer-relations@sei.cmu.edu www.sei.cmu.edu/contact.html SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257 Engineering Safety- & Security-Related Requirements 178 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University
  • 179.
    This work wascreated in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Engineering Safety- & Security-Related Requirements 179 Donald Firesmith, 18 June 2012 © 2012 Carnegie Mellon University