Understanding, Implementing, and Supporting Security Assurance Cases in Safety-Critical Domains
Abstract
The increasing demand for connectivity in safety-critical domains has made security assurance a crucial consideration. In safety-critical industry, software, and connectivity have become integral to meeting market expectations. Regulatory bodies now require security assurance cases (SAC) to verify compliance, as demonstrated in ISO/SAE-21434 for automotive. However, existing approaches for creating SACs do not adequately address industry-specific constraints and requirements.
In this thesis, we present CASCADE, an approach for creating SACs that aligns with ISO/SAE-21434 and integrates quality assurance measures. CASCADE is developed based on insights from industry needs and a systematic literature review. We explore various factors driving SAC adoption, both internal and external to companies in safety-critical domains, and identify gaps in the existing literature.
Our approach addresses these gaps and focuses on asset-driven methodology and quality assurance. We provide an illustrative example and evaluate CASCADE’s suitability and scalability in an automotive OEM. We evaluate the generalizability of CASCADE in the medical domain, high-lighting its benefits and necessary adaptations.
Furthermore, we support the creation and management of SACs by developing a machine-learning model to classify security-related requirements and investigating the management of security evidence. We identify deficiencies in evidence management practices and propose potential areas for automation. Finally, our work contributes to the advancement of security assurance practices and provides practical support for practitioners in creating and managing SACs.
Parts of work
[A] M. Mohamad, A. Åström, Ö. Askerdal, J. Borg, R. Scandariato “Security
Assurance Cases for Road Vehicles: an Industry Perspective”
Proceedings of the 15th International Conference on Availability, Reliability and Security, 2020. [B] M. Mohamad, J.P. Steghöfer, R. Scandariato “Security Assurance Cases – State of the Art of an Emerging Approach” Empirical Software Engineering Journal 26 (4), 70, 2021. [C] M. Mohamad, R. Jolak, Ö. Askerdal, J.P. Steghöfer, R. Scandariato “CASCADE: An Asset-driven Approach to Build Security Assurance Cases for Automotive Systems” ACM Transactions on Cyber-Physical Systems 7 (1), 1-26, 2023. [D] M. Fransson, A. Andersson, M. Mohamad, J.P. Steghöfer “Security Assurance Cases in the Medical Domain: A Case Study” Under submission to the International Symposium on Foundations & Practice of Security (FPS – 2023). [E] M. Mohamad, JP. Steghöfer, A. Åström, R. Scandariato “Identifying security-related requirements in regulatory documents based on cross-project classification” Proceedings of the 18th International Conference on Predictive Models and Data Analytics in Software Engineering, 2022. [F] M. Mohamad, JP. Steghöfer, E. Knauss, R. Scandariato “Managing Security Evidence in Safety-Critical Organizations” Submitted to the Journal of Systems and Software.
Degree
Doctor of Philosophy
University
University of Gothenburg. IT Faculty
Institution
Department of Computer Science and Engineering ; Institutionen för data- och informationsteknik
Disputation
Onsdag 14 juni 2023, kl 13.00, Rum Alfa, Hus Saga, Institutionen för Data- och informationsteknik, Hörselgången 4, Campus Lindholmen, Göteborg.
Date of defence
2023-06-14
mazen.mohamad@gu.se
Date
2023-05-25Author
Mohamad, Mazen
Keywords
Security
Assurance case
Safety-critical
Automotive systems
Arguments
Evidence
Security claims
Publication type
Doctoral thesis
ISBN
978-91-8069-329-5 (PRINT)
978-91-8069-330-1 (PDF)
Language
eng