Understanding, Implementing, and Supporting Security Assurance Cases in Safety-Critical Domains
Mazen Mohamad
TL;DR
The thesis addresses the need for robust security assurance in safety-critical domains by introducing CASCADE, an asset-driven approach for creating security assurance cases (SACs) that is aligned with ISO/SAE-21434 and has quality assurance built in. It combines a systematic literature review, industry case studies, and design-science iterations to develop, map, and evaluate CASCADE, including an ML-assisted classification of security-related requirements and an examination of security-evidence management. Results show that CASCADE is suitable for automotive contexts, generalizable to the medical domain with adaptations, and supported by empirical mapping and regulatory-focused evaluation; the ML component demonstrates practical utility for prioritizing security requirements and regulatory sections. Overall, the work advances practical security assurance practices, offering a concrete, scalable method for practitioners to create and manage SACs and highlighting automation opportunities to address evidence-management maturity gaps in industry.
Abstract
The increasing demand for connectivity in safety-critical domains has made security assurance a crucial consideration. In safety-critical industries, software and connectivity have become integral to meeting market expectations. Regulatory bodies now require security assurance cases (SACs) to verify compliance, as demonstrated by ISO/SAE-21434 for automotive. However, existing approaches for creating SACs do not adequately address industry-specific constraints and requirements. In this thesis, we present CASCADE, an approach for creating SACs that aligns with ISO/SAE-21434 and integrates quality assurance measures. CASCADE is developed based on insights into industry needs and a systematic literature review. We explore the various factors driving SAC adoption, both internal and external to companies in safety-critical domains, and identify gaps in the existing literature. Our approach addresses these gaps and focuses on an asset-driven methodology and quality assurance. We provide an illustrative example and evaluate CASCADE's suitability and scalability at an automotive OEM. We evaluate the generalizability of CASCADE in the medical domain, highlighting its benefits and the adaptations it requires. Furthermore, we support the creation and management of SACs by developing a machine-learning model to classify security-related requirements and by investigating the management of security evidence. We identify deficiencies in evidence management practices and propose potential areas for automation. Finally, our work contributes to the advancement of security assurance practices and provides practical support for practitioners in creating and managing SACs.
