Safety and security are often used in the same breath, particularly in ATM where there is a trend for safety managers to be given (cyber-)security responsibilities. But how similar are they and how should we approach them?
Both safety and security focus on the prevention of undesired events. Both relate to risks, and security can have 'safety of life' impacts. Both approaches have similar principles (holistic and full-lifecycle consideration, absence of absolutes, need for assurance, etc) and similar needs (management systems, better evidence to inform risk assessments, controls for the human 'weak link', etc). Safety and security are even the same word in some languages (not least German, Italian and Spanish!). Key standards (eg the ISO 27000 series) also take information/cyber-security to include both accidental and malicious compromise, thereby encompassing both safety and security.
However, as Professor Chris Johnson eloquently articulates, safety and security may in fact be 'false friends' - i.e. the similarities are often superficial and can be misleading. Firstly, safety management systems have been extended to security: incident reporting informs risk assessment, which in turn informs development. However, there are major differences – for example, disclosing information about a security incident can trigger further attacks. Secondly, security is much more dynamic than safety. Security assessments can change overnight, which rarely happens in safety. 'Always apply the latest patch' is the security mantra, whereas in safety it is 'never change a running system'. Another contradiction (but not the last) is that in security the response to a compromised system is (typically) to quarantine it immediately for forensic analysis, whereas in safety-critical environments the imperative is a safe transition (eg clear the skies), during which crucial forensic data may be lost. Redundancy is a further source of tension between safety and security. Redundancy increases safety when two (or more) systems have to fail before there is a problem, but it can undermine security because it exposes our systems to multiple supply chains.
So where does that leave us? We know that the mathematics of safety do not work in security, so the two require different analyses. And, at the moment, there is also a lack of established concepts, methods and standards on how to integrate these analyses.
Instead, for now, we can at least ensure that safety and security processes are compatible, and coordinated where needed. For example, as a minimum, the outputs of assessments must be cross-examined so that security analysis can raise new causes and safety hazards, and failure conditions can inform security analysis; and so that the consequences of equivalent events are normalised. Such touchpoints and cross-review are critical as, for example, an insecure system cannot be assured to be safe. 'False friends' they may be, but good working colleagues, they must become!
Equally important today is to present high-level risks in a common way to senior management. This would give a more complete picture of risk, help identify conflicts between safety and security early on, improve the allocation of resources/investments and enable decisions on whether services are 'safe and secure' enough. This emphasises their mutual importance and interdependence, whilst recognising disciplinary differences.
At Helios, we believe that looking at the issue from a resource allocation viewpoint gives rise to obvious trade-offs which must be considered together (along with quality, human factors, etc) to develop an optimised solution. Controlling risk takes resources and so these decisions must be made coherently for a single change. Irrespective of whether safety and security are 'the same coin', both must be considered for the coin to be well spent!