Andreas Platschek, Vienna University of Technology

Since the current common practice is to connect every industrial system to the internet in one way or the other, the security of a system has to be evaluated and assured - especially when it comes to safety critical systems.

Recent standards (notably IEC 61508 Ed2 and EN 50159 Ed2), have begun to normatively include security for systems that are no longer closed. These standards contain clauses that require a systematic method used to perform a threat analysis if they could constitute a relevant safety impact. While there is a number of threat modeling techniques available, many of those were developed for the server and office space, but would require a number of adaptions for the use in industrial systems. Other methods are newly developed for  industrial systems, but they lack the confidence a development team has to put into them.

A third option - presented in this paper - is to reuse a method that has already been in use in the safety domain for a long time, is well known, understood and trusted, and adapt it to be suitable for security. The methods are compliant with the safety standards and thus the extension - if done carefully - does not invalidate this acceptance and can build on well established competence of the safety engineering staff. At the same time, this harmonization is crucial as both security and safety are system properties and treating interdependent system properties as independent is technically not reasonable and economically not efficient.

The advantage of this approach is, that the development team only needs to be firm in one analysis method and use it for threat analysis when security is analyzed and hazards when safety is analyzed.