Today was the #PapersInSystems event on the paper:
How to Perform Hazard Analysis on a "System-of-Systems" by Nancy Leveson

Thanks to @adrianco I learned a lot about #STPA & #STAMP (but much more is there still to learn)

And I got some more ideas about how it fits or can be applied to #cybersecurity.

The following is my (probably flawed) understanding.

Let's dive in:

In STAMP (System-Theoretic Accident Model and Processes) safety is treated as a dynamic control problem rather than a failure prevention problem.

This leads to the following generic abstraction (model) of a safety-relevant system as a socio-technical system.

Source: Engineering a Safer World: Systems Thinking Applied to Safety
by Nancy G. Leveson

This model is directly mappable onto IT systems.

See Failing Over Without Falling Over by @adrianco
https://github.com/adrianco/slides/blob/master/FailingWithoutFalling-9.29.pdf


To analyse possible failures, or rather inadequate controls, you can go through a "standard" set of hazards specific to a certain point in the model.

E.g. you check the sensors of your system against the STPA Hazards regarding Sensor Metrics:

  • Missing updates
  • Zeroed
  • Overflowed
  • Corrupted
  • Out of order
  • Updates too rapid
  • Updates infrequent
  • Updates delayed
  • Coordination problems
  • Degradation over time

Or check your Human Control Actions against the Human Control Action Hazards:

  • Not provided
  • Unsafe action
  • Safe but too early
  • Safe but too late
  • Wrong sequence
  • Stopped too soon
  • Applied too long
  • Conflicts
  • Coordination problems
  • Degradation over time

I'm not completely clear how to map this model to #Cybersecurity and how to integrate an attacker. But you could see #STRIDE as possible Data Plane Hazards:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

So you "just" need hazards lists for the other planes and interaction points ;-)

Thanks again to @adrianco, @tianijones, @yvonnezlam, @RuthMalan and the others for your impulses.

And @adamshostack for the ideas regarding #cybersecurity
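As an added example (not part of the original thread or of any STPA tooling), here is one way to turn the sensor-metric hazard list above into a concrete check over a single metric stream. The Sample type, the thresholds and the sample data are assumptions constructed for illustration; "Coordination problems" needs several streams side by side and is not checked here.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Set

@dataclass
class Sample:
    ts: float               # source timestamp (seconds)
    arrived: float          # when the collector received it (seconds)
    seq: int                # source-side sequence number
    value: Optional[float]  # None models a reading that failed to parse

def sensor_hazards(samples: List[Sample], period: float, now: float,
                   max_value: float, max_delay: float) -> Set[str]:
    """STPA sensor-metric hazards visible in one stream (arrival order).
    period/max_value/max_delay are assumed per-metric tuning values."""
    found: Set[str] = set()
    if not samples or now - samples[-1].ts > 3 * period:
        found.add("Missing updates")
    if not samples:
        return found
    if any(s.value is None for s in samples):
        found.add("Corrupted")
    vals = [s.value for s in samples if s.value is not None]
    if len(vals) > 1 and vals[-1] == 0 and any(v != 0 for v in vals[:-1]):
        found.add("Zeroed")  # drops to exactly 0 after reporting real values
    if any(v > max_value for v in vals):
        found.add("Overflowed")
    if any(b.seq < a.seq for a, b in zip(samples, samples[1:])):
        found.add("Out of order")  # sequence goes backwards in arrival order
    ordered = sorted(s.ts for s in samples)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    if gaps and min(gaps) < period / 2:
        found.add("Updates too rapid")
    if gaps and max(gaps) > 2 * period:
        found.add("Updates infrequent")
    lat = [s.arrived - s.ts for s in samples]
    if max(lat) > max_delay:
        found.add("Updates delayed")
    # Degradation over time: typical delivery latency in the newer half of
    # the window is more than twice that of the older half.
    half = len(lat) // 2
    if half and median(lat[half:]) > 2 * median(lat[:half]):
        found.add("Degradation over time")
    return found

def demo() -> Set[str]:
    """Constructed stream exhibiting several hazards at once."""
    stream = [Sample(0, 0.5, 1, 5.0), Sample(10, 10.5, 2, 6.0),
              Sample(30, 31.0, 4, 250.0), Sample(20, 33.0, 3, None),  # seq 3 late, unparseable
              Sample(41, 41.5, 5, 0.0)]  # silently reports zero
    return sensor_hazards(stream, period=10, now=50, max_value=100, max_delay=2)
```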

@realn2s @tianijones @yvonnezlam @RuthMalan @adamshostack There are some specific examples of applying this to security topics on the MIT site and in previous conference papers from the last few years. It’s fairly well developed from what I’ve seen, but not my personal focus.

@realn2s @tianijones @yvonnezlam @RuthMalan @adamshostack http://psas.scripts.mit.edu/home/mit-stamp-workshop-presentations/ and in particular search for security e.g.

2021 STPA Applied Before the SolarWinds Attack
Michael Bear (BAE)
John Thomas (MIT)
William Young (U.S. Air Force - USAF)

2021 Cybersecurity Incident Analysis by CAST using the Report of Unauthorized Access to the Information System
Tomoko Kaneko (National Institute of Informatics)

@adrianco @tianijones @yvonnezlam @RuthMalan @adamshostack
🙏🏻

That should keep me busy for some time
😅

@realn2s 🙏🏻 for thread

@adrianco, were your observability, modelability, controllability points on a slide? (Where?) I want to use those (with attribution, obviously) (too)! :) Will you be talking at the STAMP online workshop in September? That’d be great for everyone!!

@RuthMalan @realn2s I think I tended to use the terms verbally rather than writing them on a slide. The deck I presented part of is just one version of the failing over without falling over talk that I’ve given over several years… I won’t be talking at the STAMP workshop, they really want a published use case rather than theoretical discussion. I submitted an abstract a few years ago and didn’t get picked.

@adrianco …. The work you’re currently doing, and have done, is of so much interest … if they’re wanting to reach new spaces of application…

//
@realn2s

@adrianco @realn2s

Also, a blog post where you put the words in writing, so we can quote? Or may I use my notes and approximate your words (with attribution)? It’s such a good addition!

Failure Modes and Continuous Resilience - adrian cockcroft - Medium


@adrianco yeah, it’s really useful; was reading it yesterday looking for your observability/modelability/controllability frame — it covers most of what I’m looking to steal-with-attribution :)

@realn2s

@adrianco I guess model-ability is there implicitly:

“How is the human controller expected to develop their own models of the controlled process and the automation, and understand what to expect when they make control inputs?” Etc.

But the 3-part frame is so useful!

Failing over without falling over - Stack Overflow

@adrianco thank you!
@RuthMalan my friends at Gremlin even turned it into a class... :-) https://www.pluralsight.com/courses/chaos-conf-session-11
Failing over without Falling over

This talk will show how we can use System Theoretic Process Analysis (STPA), as advocated by Professor Nancy Leveson’s team at MIT, to analyze failover hazards.