Securely connecting safety devices to the Internet is a key requirement in just about every industry, especially so in the medical and automotive sectors. Safety and security share many properties; however, these similarities can be dangerous, and if handled incorrectly can result in the wrong design decisions being made. Understand the differences to ensure the best results.

Start in the design phase. Security and safety require similar, yet different processes. To identify safety requirements, you need a highly structured technique such as a hazard and operability study (HAZOP), whereas to identify security requirements you need to ignore the limitations of the structured environment and consider all contexts that are possible in Threat Analysis and Attack Surface Studies.

In some ways, designing for safety is easier; the device works in a known context, and if the context moves outside of its defined operating parameters, then the system is placed in its safe state. Security is more difficult to ensure, as the attacker is attempting to manipulate the system context to gain access to it. The danger is that a context that was impossible to conceive during design is presented to the system, resulting in unwanted side effects which might leave the system open to attack.

Guidelines for developing secure systems are limited, and achieving independent certification is difficult. This is a direct contrast to safe systems—there are many safety development standards (IEC 61508 is particularly well known) that can be followed to ensure a highly reliable and independently certifiable system. Independent certification by a respected and trusted body can provide a high level of reassurance in the system.

Different as they are, safety and security cannot be considered in isolation. There are unwanted interactions between safety and security, and sometimes this can include unwelcome side effects. For example, an alarm system that automatically opens the doors to allow evacuation of a building could also be manipulated to allow an attacker to gain access to the building.

In conclusion, one of the main things designers can do to help is take real care in the design phase. Identify safety and security threats separately during HAZOPs and Threat Analysis and Attack Surface Studies, remembering that security features need to be safe, and safety features need to be secure.

Andrew Longhurst is a Business Manager at Wittenstein. A skilled project leader with an extensive background in electrical, electronic, and software engineering, he can deliver an in-depth understanding of the challenges facing embedded engineers within the safety critical sector. Andrew holds a BEng in Electrical & Electronic Engineering and an MSc in Robotics & Automation.

eletter-02-02-2018 eletter-02-05-2018