[Cryptography] Security Standard for Safety Critical Software

ianG iang at iang.org
Sat Oct 24 07:21:41 EDT 2015


On 23/10/2015 21:01 pm, Adrian McCullagh wrote:
> Hi Everyone;
>
> With the continued development of Safety Critical products that are
> dependent upon software does anyone know of any standards that
> specifically deal with the security issues for safety critical software?
>
> I am aware of IEC 61508 but this standard does not specifically deal
> with the security of such software; even SIL 3 or SIL 4 do not, as far as
> I can determine, deal with security from hackers.
>
> The reason for this request has arisen from the recent hacker attack of
> the Jeep automobile.  With the continued development of autonomous
> vehicles and other devices it is something that I feel needs to be
> addressed before it is too late.


(I don't know of one off hand, but see below...)

> If there is not such a standard then does the group think that such a
> standard warrants being developed?


The theoretical problem with dealing with a security standard is that it 
is a byzantine field.  That is, the attacker is aggressive, can read our 
documents including our standards, and model his attack to suit.

As a consequence of this, the attacks evolve.

Following OODA, the attacks can evolve faster than the standards can 
evolve.  In effect, in such an environment, good security means paying 
more attention to what the attackers are doing this year, not last decade.

In such an environment, there isn't a passive enough base to write and 
rely on a standard in the long run.

Cyber-security especially is becoming much more dynamic, over the last 
5-10 years or so.  One can imagine other environments where it is mostly 
passive in technique such as home robbery.  But it's just not where 
Internet and cyber security are at the moment.



iang

