A key difference between safety and security in high integrity systems is the level of certainty about risk and its acceptability. Safety arguments can have evidence-based claims about the structure of the system design, process and reliability of physical parts. However, for security, due to the presence of an intelligent adversary, there may be exploitable vulnerabilities in the system which increase uncertainty and undermine the security controls.

To address some of these challenges, this presentation gives a detailed view of a Vulnerability Management approach for safety-critical systems using real-world illustrative cases. The approach was developed in the Aerospace sector under the HICLASS programme, but likely has wider application in any sector with an objective- or risk-based approach to safety and security assurance.

The approach consists of an iterative process with several steps, decision points and output artefacts. The process steps are based on identifying, triaging, detailed analysis and treatment of vulnerabilities considering on their criticality. An important part of Vulnerability Management for high integrity systems is developing auditable evidence for claims relating to the impact on risk acceptability and assurance confidence.

The decision points are therefore an important component of the Vulnerability Management process. They are analogous to gated systems development processes with key entry and exit criteria. These allow for engineering judgement and rationale to be captured in a systematic way. This data can be used as evidence to auditors, regulators and customers who require this. The decision information also serves as a useful starting point to evaluate the criticality of change based on previous decisions.

It is important to note that vulnerability management is an ongoing process, and vulnerabilities must be continually monitored and managed to ensure the ongoing integrity of the system. Regular vulnerability scans and penetration testing can help identify new vulnerabilities as they emerge, and proactive measures can be taken to mitigate them before they can be exploited. Additionally, regular training and education for system administrators and operators can help raise awareness of potential vulnerabilities and promote best practices for managing them.

Vulnerabilities are dynamic and likely to change in response to a number of factors such as attacker capability, technology availability, information disclosure and system exposure to risk. It is impractical to have a static security argument based on unchangeable likelihoods. This Vulnerability Management approach provides a systematic way of incorporating new security information throughout the lifetime of the system.

Download Slides