Cyber LOPA: An Integrated Approach for the Design of Dependable and Secure Cyber Physical Systems

TL;DR

This paper introduces Cyber LOPA, a novel safety design method that extends traditional risk assessment to include cyber attack failures, enabling integrated safety-security lifecycle management for dependable CPS.

Contribution

It presents a new mathematical framework called Cyber LOPA that incorporates cyber attack failures into safety risk assessment and proposes an integrated lifecycle process for safety and security co-design.

Findings

CLOPA effectively quantifies safety-security trade-offs.

The integrated lifecycle improves risk management in CPS.

CLOPA outperforms traditional LOPA in cyber-physical contexts.

Abstract

Safety risk assessment is an essential process to ensure a dependable Cyber-Physical System (CPS) design. Traditional risk assessment considers only physical failures. For modern CPS, failures caused by cyber attacks are on the rise. The focus of latest research effort is on safety-security lifecycle integration and the expansion of modeling formalisms for risk assessment to incorporate security failures. The interaction between safety and security lifecycles and its impact on the overall system design, as well as the reliability loss resulting from ignoring security failures are some of the overlooked research questions. This paper addresses these research questions by presenting a new safety design method named Cyber Layer Of Protection Analysis (CLOPA) that extends existing LOPA framework to include failures caused by cyber attacks. The proposed method provides a rigorous mathematical formulation that expresses quantitatively the trade-off between designing a highly-reliable versus a highly-secure CPS. We further propose a co-design lifecycle process that integrates the safety and security risk assessment processes. We evaluate the proposed CLOPA approach and the integrated lifecycle on a practical case study of a process reactor controlled by an industrial control testbed, and provide a comparison between the proposed CLOPA and current LOPA risk assessment practice.