Merging fault and attack tree analysis

Methods of merging attack tree analysis with FTA exist in the literature, but significant research and work remains to find new, efficient ways of performing combined tree analysis for CPS IoT. Processes are needed that help both safety and security engineers navigate a system's statistical failure modes in a manner cognizant of the different attack modalities that also may be present. One challenge is the potentially enormous state space that may ensue from the analysis and the difficulty of making the results useful and actionable for developing optimal mitigations.

With the challenges in mind, high safety and security assurances are achievable today with the following recommendations:

  • Integrate FTA into safety-critical IoT device and system engineering methodologies (many IoT implementers are probably not doing this today).
  • Ensure that the actual intended IoT use cases are represented in the FTA. For example, if a device's power filter and supply were to fail or produce an under-voltage situation, would its microcontroller shut down automatically, or would it continue to function at high risk of erratic behavior? Maintaining power supply thresholds in processors is fairly standard design, but is there a redundant battery backup that will allow the device to continue to operate normally as needed, for example, in a safety-critical medical device?
  • As fault-tolerant design is performed (for example, built-in redundancies), ensure the security engineers have a seat at the table. They should perform security threat modeling on the device (or system) in a way that addresses its redundancies, gateways, communications protocols, endpoints and other hosts, environment, and the myriad potential pathways to compromise any one of them.
  • As security engineers identify necessary security controls, determine if proposed security controls impact the fault-tolerance design features or the basic functionality and performance needed. This may happen, for example, in time-sensitive safety shutoff/cutoff mechanisms. A security engineer may want to perform traffic scanning or cryptographic controls across a data bus or network, but the resultant latencies might cause the safety features to respond too slowly, for example, potentially impacting controller phase and frequency response to the point of disaster. Workarounds may be possible by allowing timing information to flow through alternate pathways.
  • The scariest combined safety/security threats are those in which an attacker explicitly targets a safety design feature. For example, a microcontroller that controls voltage or temperature cutoffs to prevent thermodynamic meltdown can possibly be targeted and disabled by an attacker. Controller and sensor redundancies can also be targeted such that the failure rates skyrocket in conjunction with parallel or serial attacks taking place. In these instances, the safety and security experts need to jointly and very carefully come up with the following:
    • Safety mitigations that don't undermine needed security controls
    • Security mitigations that don't diminish safety controls
    • This is not always an easy feat, and there may be instances when compromises have to be made that result in residual, accepted risks on both fronts.
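The point above, that an attack on a redundant channel can make the top-event probability skyrocket, can be shown with a small combined fault/attack tree evaluator. This is an added example, not code from the book: the tree (a thermal cutoff with two redundant sensor/microcontroller channels), the event names and the failure probabilities are all constructed for illustration.

```python
"""Minimal combined fault/attack tree evaluator (added example, not from the book).

A fault tree is built from Basic events and AND/OR Gates. An attack is merged
by naming the basic events an attacker can deliberately trigger; those events
are treated as certain (p = 1.0) and the top event is re-evaluated.
All probabilities and component names are constructed, illustrative values.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Basic:
    name: str
    p: float  # probability of this failure over the mission window (constructed)


@dataclass
class Gate:
    kind: str            # "AND" or "OR"
    children: List["Node"]
    name: str = ""


Node = Union[Basic, Gate]


def probability(node: Node, attacks: frozenset = frozenset()) -> float:
    """Top-down probability of `node`, assuming independent basic events.
    Any basic event named in `attacks` is forced to p = 1.0, modelling an
    attacker who explicitly targets that component (e.g. disables an MCU)."""
    if isinstance(node, Basic):
        return 1.0 if node.name in attacks else node.p
    ps = [probability(c, attacks) for c in node.children]
    if node.kind == "AND":            # all children must fail
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":             # any child failing suffices
        out = 1.0
        for p in ps:
            out *= (1.0 - p)
        return 1.0 - out
    raise ValueError(f"unknown gate kind: {node.kind}")


def build_cutoff_tree() -> Gate:
    """Top event: the thermal cutoff fails to trip. Both redundant channels
    must fail (AND); a channel fails if its sensor OR its MCU fails (OR)."""
    chan_a = Gate("OR", [Basic("sensor_a", 1e-3), Basic("mcu_a", 1e-4)], "channel_a")
    chan_b = Gate("OR", [Basic("sensor_b", 1e-3), Basic("mcu_b", 1e-4)], "channel_b")
    return Gate("AND", [chan_a, chan_b], "cutoff_fails_to_trip")


def compare(attacks: frozenset) -> tuple:
    """Return (baseline top-event probability, probability under attack)."""
    tree = build_cutoff_tree()
    return probability(tree), probability(tree, attacks)
```

Running `compare(frozenset({"mcu_a"}))` shows that disabling a single redundant MCU raises the top-event probability from roughly 1.2e-6 to 1.1e-3, about three orders of magnitude, which is the "skyrocketing" failure rate the text warns about.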