Trustworthiness in Operating Industrial Systems
2022-08-17 Marcellus Buchheit
In the Fall 2018 issue of the Industry IoT Consortium (IIC)’s Journal of Innovation, I published an article on Trustworthiness in Industrial System Design. The article introduced trustworthiness as an integral part of the design of industry IoT systems, and in particular, put forward the concept of Trustworthiness Methods as an important implementation technique and the Trustworthiness Systems Status for assigning trustworthinesss methods to keep the system in a specific status.
A sequel to the afore mentioned article was published in the July 2022 issue of the Journal of Innovation. This new essay, titled Trustworthiness in IoT Systems: From Design to Operation, extends the trustworthiness concept to the actual operation of industry IoT systems and introduces the System Peril Model. In the past, only threats were seen as challenges to a trustworthy system. But now we strictly separate between threats and hazards and the results with attacks and accidents. Moreover, trustworthiness characteristics are clearly assigned to these perils: Security to threats and attacks, Safety, Reliability, Resilience and Privacy to hazards and accidents.
The article also defines the key terms − incidents, hazards, accidents, software bugs, threats, attacks, and perils − and discusses them in the context of the Trustworthy System Status Model and Trustworthiness Security Methods.
Here is a closer look at the key terms and their definitions:
- Incident: The moment when a system is affected by a hazard or threat.
- Hazard: A peril which results in an accident if it targets the system. A hazard occurs randomly and may be visible or hidden.
- Software Bug: A hazard in the design or implementation of software.
- Nature-Caused Incidents: Unintentional incidents caused by hazards rather than threats e.g., a physical system is hit by a heavy windstorm, unusually hot weather, or an earthquake.
- Threat: A peril which results in an attack if it targets the system. A threat occurs intentionally and is mostly visible but may be hidden in rare cases.
- Peril: A peril is either a hazard or a threat. All specific hazards and threats to a system are the Perils of the System.
- Accident: The result of a hazard-caused incident. The system should be protected with a Trustworthiness Reliability, Safety, Resilience or Privacy Method.
- Attack: The result of a threat-caused incident. The system should be protected with a Trustworthiness Security Method.
In general, a system is protected against hazards with Trustworthiness Methods: If the process inside the system requires protection (preventing a disruption), they are Reliability Methods; if humans need to be protected from harm of a hazard, they are Safety Methods; If personal information needs protection, they are Privacy Methods; and if the system itself requires protection, they are Resilience Methods.
If such methods cannot defend successfully against a hazard-caused incident, the status of a normally running system leads to disruption. And if the hazard cannot be stopped in the status of the interrupted system, there is a risk of damage or even total loss of the system.
If you are involved with industrial IoT systems, I invite you to read the full article and gain an in-depth understanding of the key issues in designing and operating trustworthy industry IoT systems, courtesy of the IIC.
Contributor
Marcellus Buchheit
Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA
Marcellus Buchheit earned a master's degree in computer science from the University of Karlsruhe, Germany, in 1989, the same year he co-founded Wibu-Systems. He is known for designing innovative techniques to protect software from reverse-engineering, tampering and debugging. He frequently speaks at industry events and is co-author of the IIC's Industry IoT Security Framework publication. He is currently president and CEO of Wibu-Systems USA, Inc. based in Edmonds, Washington State.