three entities: technical specifications, an Event-B tool model (a form of technical specification representation in terms of a tool that is understandable to the developer and can automatically be translated into VHDL code), and the VHDL code itself. Transitions from each entity to the next are accomplished by executing certain processes, namely the formal notation development process (implemented by the developer, and consisting of the translation of the technical specifications into a model expressed in the internal instructions of the Event-B tool, which allows the developer to mathematically prove the correctness of the resulting notation) and the translation process (implemented by special add-ons of the Event-B tool, and consisting of generating the final VHDL code from the derived model) (Abrial, J.-R., 2010).

Discrepancies in these processes can be caused only by the applied tools, since the formal notation development process results in a model in the Event-B tool that is mathematically verifiable. Discrepancies in the translation process (or in its sub-processes) can be caused by the Event-B tool, for example when the tool is not fully tested or certified.

In this way, it is possible to identify the only existing gap. Moreover, this gap can be eliminated if certified tools are applied. Thus, in the case given in Equation (2), the risk factor R is reduced due to the reductions in the values of the parameters n (from 2 to 1), m, and p_ij.

ASSURANCE OF CYBER SECURITY FOR SAFETY IMPORTANT I&C SYSTEMS

The objective of this subsection is to present an approach and a possible technique for assuring the required level of cyber security for safety important I&C systems.

Approach to Assurance

As a continuation of the proposed approach to the assessment of I&C system cyber security, we present here an applicable approach to the assurance of cyber security, which is based on the results of the gap-IMECA-oriented assessment. This approach consists of reducing risks to acceptable values, which are in turn bounded by the criticality diagonal of a security criticality matrix.

The corresponding security criticality matrix is depicted in Figure 14. From the cyber security assurance point of view, the possible way to reduce risk is to decrease the probability of attack occurrence, since the related damage is constant. Figure 14 shows the worst-case criticality diagonal for the matrix; acceptable risk values lie below the diagonal. The cases of probability decrease for rows 2, 3, and 5 are denoted by dotted lines with arrows: the problem is to decrease the probability by a degree sufficient to move the row of the IMECA table below the criticality diagonal. Such a decrease in probability can be achieved, for example, by implementing certain countermeasures. Some of these countermeasures, partly based on the results of Christiansen (Christiansen, B., 2006), are presented in Table 3. The choice of countermeasures of different types can be based, for example, on RG 5.71.

The problem of choosing an optimal set of countermeasures is discussed in the following subsection.

Choice of Optimal Countermeasures Set

Each countermeasure can affect several security characteristics simultaneously (for example, the probability of a successful attack, attack severity, and time to recovery), so it can be described by a set {ep, eh, et}, where ep is the efficiency of decreasing the probability of a successful attack, eh is the efficiency of
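The criticality-diagonal rule described under Approach to Assurance (damage held constant, probability decreased until the IMECA row falls below the diagonal), as an added example that is not the chapter's own code or tooling. Figure 14 and Equation (2) are not reproduced on this page, so the five-level scales, the position of the diagonal and the sample IMECA rows are all constructed assumptions; the example also covers the case the text does not spell out, a row whose damage level is so high that no probability decrease alone can make it acceptable.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 5 x 5 security criticality matrix with ordinal probability and
# damage levels 1..LEVELS. The worst-case diagonal (constructed, since
# Figure 14 is not on the page) lies on cells with
# probability + damage == LEVELS + 1; acceptable cells are strictly below it.
LEVELS = 5


@dataclass(frozen=True)
class ImecaRow:
    row_id: int
    attack: str
    probability: int  # ordinal level, 1 = lowest
    damage: int       # ordinal level, 1 = lowest


def is_acceptable(probability: int, damage: int, levels: int = LEVELS) -> bool:
    """True when the cell lies strictly below the worst-case criticality diagonal."""
    return probability + damage < levels + 1


def required_probability_decrease(row: ImecaRow, levels: int = LEVELS) -> Optional[int]:
    """Smallest number of probability levels the row must drop to become
    acceptable (0 if it already is). Damage is held constant, as in the text,
    so None means no probability decrease alone moves this row below the
    diagonal: its damage level has to be addressed by other means."""
    for drop in range(row.probability):
        if is_acceptable(row.probability - drop, row.damage, levels):
            return drop
    return None


def plan_reductions(rows: list[ImecaRow]) -> dict[int, Optional[int]]:
    """Map row id -> needed probability decrease (the dotted arrows of Figure 14)."""
    return {row.row_id: required_probability_decrease(row) for row in rows}


# Constructed sample IMECA rows; rows 2, 3 and 5 sit on or above the diagonal.
SAMPLE_ROWS = [
    ImecaRow(1, "unauthorised read of configuration data", 1, 2),
    ImecaRow(2, "malware introduced via maintenance laptop", 4, 3),
    ImecaRow(3, "unauthorised change of a setpoint", 3, 3),
    ImecaRow(4, "loss of diagnostic link", 2, 2),
    ImecaRow(5, "firmware substitution", 5, 4),
    ImecaRow(6, "maximum-damage mode (constructed edge case)", 3, 5),
]

if __name__ == "__main__":
    print(plan_reductions(SAMPLE_ROWS))
```

A countermeasure from Table 3 whose ep removes at least the returned number of levels is sufficient for that row; a None result flags a row that the probability-only strategy of Figure 14 cannot resolve.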