Understanding, Implementing, and Supporting Security Assurance Cases in Safety-Critical Domains
Mazen Mohamad

TL;DR
This paper introduces CASCADE, a comprehensive approach for creating security assurance cases in safety-critical domains, aligning with industry standards, integrating quality assurance, and supporting evidence management with machine learning.
Contribution
It presents CASCADE, a novel, industry-aligned methodology for security assurance cases, including a machine learning model for requirement classification and evidence management insights.
Findings
CASCADE aligns with ISO/SAE-21434 and addresses industry-specific constraints.
The approach is scalable and adaptable to automotive and medical domains.
Machine learning aids in classifying security requirements and improving evidence management.
Abstract
The increasing demand for connectivity in safety-critical domains has made security assurance a crucial consideration. In safety-critical industries, software and connectivity have become integral to meeting market expectations. Regulatory bodies now require security assurance cases (SAC) to verify compliance, as demonstrated in ISO/SAE-21434 for automotive. However, existing approaches for creating SACs do not adequately address industry-specific constraints and requirements. In this thesis, we present CASCADE, an approach for creating SACs that aligns with ISO/SAE-21434 and integrates quality assurance measures. CASCADE is developed based on insights from industry needs and a systematic literature review. We explore various factors driving SAC adoption, both internal and external to companies in safety-critical domains, and identify gaps in the existing literature. Our approach…
Taxonomy
Topics: Safety Systems Engineering in Autonomy · Information and Cyber Security · Software Reliability and Analysis Research
