Security and Safety Co-Engineering Revisited

There are those who denigrate such websites as ResearchGate and because they are for-profit, which is a discussion that I will not get into here. If this particular argument is of interest to you, you should read the Discover magazine piece “Who Isn’t Profiting Off the Backs of Researchers” by Jon Tennant posted on February 1, 2017 at and follow the link provided to a Forbes article by Sarah Bond.

I personally find that subscribing to ResearchGate provides me with some interesting pointers to relevant areas of research of which I might have not otherwise been made aware. Such was the case with an extensive two-part February 2016 report “Recommendations for Security and Safety Co-Engineering,” which happened to cite my book “Engineering Safe and Secure Software Systems” and several other of my articles on the securing of security-critical and safety-critical software systems and of cyber-physical systems, which explains why ResearchGate brought the report to my attention. I doubt that I would have known about the very thorough research that was published by members of the MERgE Safety and Security partners, had it not been for the cross-referencing capabilities of ResearchGate. The authors of the report hail from Thales Research & Technology, Thales Communications & Security, STUK (the Radiation and Nuclear Safety Authority of Finland), All4tec (a consulting firm providing model-based safety solutions and engineering) and ONERA (the French Aerospace Lab).

Part A of the report consists of a comprehensive review of the state of the art of safety and security co-engineering. In my opinion, it is an incredible resource for those interested in learning how to make critical systems both safe and secure. Unfortunately, because it was published more than a year ago, the report covers such research fully only through 2014, with partial results for 2015. However, I would expect to see subsequent versions that will surely add more recent references and will be on the lookout for these future reports.

It is noteworthy that, until 2002, papers on the subject were few and far between; they showed some increase from 2002 to 2011; and exhibited what appears to be substantial, even exponential, growth from 2012 on. Part B “reports on two prototype tools dedicated to safety and security co-engineering.”

I particularly liked the way the authors broke down the hodge-podge of references into three meaningful groups, namely:

  1. Papers that state issues regarding engineering security and safety separately and suggest how improvements could be made.
  2. Papers that propose improvements by taking techniques from one group and applying them to the other group.
  3. Papers that derive novel clean-slate approaches for safety and security co-engineering.

As these approaches evolve, we can hope that much more attention will be paid to the general subject at hand. This is becoming increasingly necessary as we see every day that the Internet of Things, driverless vehicles, and general cyber-physical systems are becoming ubiquitous. As the MERgE report illustrates, there has been considerably more prior research than many (including me) realized, and that body of knowledge (BoK) is growing at a very rapid pace. The BoK has not caught up with the runaway growth of smart cyber-physical systems and artificial intelligence, but it is gratifying to see that academic researchers are paying so much more attention to how to make modern systems both safe and cybersecure than previously. As more approaches and tools are developed, they need to be socialized and deployed as quickly as reasonably possible so as to address the issues that increasingly confront us with respect to the safety and security of critical cyber-physical systems-of-systems.

Furthermore, the authors were surprised that there appear to be “very few courses addressing both cybersecurity and safety engineering” in the education domain, which, they write, “does not bode well for the future.”

In summary, we see that increasingly many researchers are really delving into safety and security co-engineering and there are more and more publications, conferences and seminars on the subject, but none of these efforts seem to have been translated into academic courses. I reiterate in my 2013 book, “Engineering Safe and Secure Software Systems,” a point made by Joe Weiss in his 2010 book “Protecting Industrial Control Systems from Electronic Threats,” namely, that cybersecurity is taught in computer science departments and the safety of control systems is taught in various engineering departments … and “never the twain shall meet,” as Rudyard Kipling would say. This must be remedied—and soon. So, let’s get to it, all ye teachers of engineers!
