Sécurité des systèmes critiques et cybercriminalité : vers une sécurité globale ? (Security of critical systems and cybercrime: towards a global security?)
For modern critical systems, it is necessary to consider their ability to avoid catastrophic behavior following fortuitous events such as internal failures in hardware components, environmental disturbances or even involuntary human error in design and operation, but also non-fortuitous events such as malicious attacks. Unfortunately, in French the same word "sécurité" is used to cover two different problems, which English expresses with two different words: safety and security. Modern interconnected information systems, such as rail traffic signalling systems, point out the need to deal in an overall way with both safety and security.
💡 Research Summary
The paper addresses a fundamental problem in the engineering of modern critical infrastructures: the conflation of "safety" (the ability of a system to avoid catastrophic outcomes caused by accidental failures) and "security" (the ability to resist deliberate malicious attacks). In French the single term sécurité covers both concepts, which blurs a distinction that English-speaking engineering practice keeps explicit with two words. The authors argue that this confusion is not merely semantic; it has concrete consequences for the design, certification, and operation of safety-critical systems such as railway traffic signalling, power-grid control, and industrial automation.
The first part of the paper delineates the two traditional domains. Safety engineering, codified in standards such as IEC 61508/61511, focuses on hardware faults, power disturbances, environmental stressors, and human error. Its toolbox includes fault‑tree analysis, redundancy, fail‑safe design, and rigorous verification. Security engineering, represented by IEC 62443, NIST SP 800‑53, and related frameworks, concentrates on intentional threats: cyber intrusions, malware, denial‑of‑service attacks, and data tampering. Its countermeasures comprise threat modeling (e.g., STRIDE), authentication, encryption, intrusion detection, and patch management. Historically, these domains have evolved in parallel, each with its own certification path, risk‑assessment methodology, and professional community.
The authors then illustrate the pitfalls of treating safety and security as separate silos through a detailed case study of railway signalling. Traditional signalling systems rely on physical interlocks and fail‑safe logic: a detected fault automatically forces signals to a “stop” aspect, preventing collisions. However, recent cyber‑attacks have demonstrated that an adversary who compromises the signalling communication bus can inject false “clear” commands, effectively bypassing the fail‑safe logic. In this scenario, a safety‑oriented design that assumes any command is trustworthy becomes a liability. Conversely, a security‑focused design that hardens the communication channel but neglects hardware redundancy may leave the system vulnerable to a simple component failure that triggers a hazardous state. This “safety‑security trade‑off” illustrates why a fragmented approach can create new failure modes.
To resolve this dilemma, the paper proposes an integrated risk‑management framework that merges safety and security analyses from the earliest design phases. The framework consists of four pillars:
- Joint Hazard Identification – Conduct parallel Failure Mode and Effects Analysis (FMEA) and STRIDE threat modeling, then map identified safety hazards and security threats onto a common taxonomy.
- Unified Risk Scoring – Quantify likelihood, severity, and detectability for both accidental and intentional events using a single risk matrix, producing a composite risk score that drives prioritization.
- Co‑Engineered Design Solutions – Develop “dual‑purpose” mitigations, such as redundant hardware that is both fault‑tolerant and tamper‑resistant, or communication protocols that embed cryptographic authentication while preserving real‑time error‑checking needed for safety.
- Integrated Monitoring & Response – Deploy runtime monitoring platforms that correlate safety alarms with security alerts, enabling operators to distinguish between a sensor failure and a cyber‑induced anomaly, and to trigger appropriate containment actions.
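As an added illustration of the first two pillars (this is example code, not code from the paper), the following Python sketch maps constructed FMEA rows and STRIDE threats onto one common taxonomy, scores every entry on a single likelihood × severity × detectability matrix, and groups entries by taxonomy class so a dual-purpose mitigation can be assigned per class. The taxonomy classes, the interlocking assets and all ratings are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Common taxonomy (assumed here): both FMEA failure modes and STRIDE threats map onto it.
FMEA_TO_TAXONOMY = {"loss of function": "availability", "erroneous output": "integrity"}
STRIDE_TO_TAXONOMY = {
    "Spoofing": "integrity", "Tampering": "integrity", "Repudiation": "accountability",
    "Information disclosure": "confidentiality", "Denial of service": "availability",
    "Elevation of privilege": "integrity",
}

@dataclass(frozen=True)
class RiskItem:
    asset: str
    event: str
    origin: str          # "accidental" (from FMEA) or "intentional" (from STRIDE)
    category: str        # common-taxonomy class
    likelihood: int      # 1 (rare) .. 5 (frequent), one scale for both origins
    severity: int        # 1 (negligible) .. 5 (catastrophic)
    detectability: int   # 1 (almost certainly detected) .. 5 (practically undetectable)

def from_fmea(asset, failure_mode, effect, likelihood, severity, detectability):
    """Map one FMEA row onto the common taxonomy."""
    return RiskItem(asset, f"{failure_mode}: {effect}", "accidental",
                    FMEA_TO_TAXONOMY[failure_mode], likelihood, severity, detectability)

def from_stride(asset, stride_class, scenario, likelihood, severity, detectability):
    """Map one STRIDE threat onto the common taxonomy."""
    return RiskItem(asset, f"{stride_class}: {scenario}", "intentional",
                    STRIDE_TO_TAXONOMY[stride_class], likelihood, severity, detectability)

def composite_score(item):
    """Single risk matrix for both origins: likelihood x severity x detectability (FMEA-style RPN)."""
    return item.likelihood * item.severity * item.detectability

def prioritize(items):
    """Highest composite score first, whether the event is accidental or intentional."""
    return sorted(items, key=composite_score, reverse=True)

def by_category(items):
    """Group by taxonomy class so one dual-purpose mitigation can cover a whole class."""
    groups = defaultdict(list)
    for item in items:
        groups[item.category].append(item)
    return dict(groups)

# Constructed register for a hypothetical interlocking; ratings are illustrative, not from the paper.
REGISTER = [
    from_fmea("track-circuit relay", "loss of function", "signal drops to stop", 3, 2, 1),
    from_fmea("interlocking logic", "erroneous output", "wrong clear aspect shown", 1, 5, 3),
    from_stride("signalling bus", "Tampering", "forged clear command accepted", 2, 5, 4),
    from_stride("signalling bus", "Denial of service", "bus flooded, signals fall back to stop", 3, 2, 1),
]
```

Note that the two fail-safe outcomes (relay loss and bus flooding) score identically despite different origins, while the accidental wrong aspect and the forged command land in the same "integrity" class, which is where a single mitigation such as authenticated, error-checked commands would be assigned.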
The paper also calls for systemic changes at the standards and regulatory level. It recommends the creation of a “Safety‑Security Co‑Engineering” annex to existing IEC standards, the establishment of a combined certification pathway that verifies compliance with both safety and security requirements, and the mandatory inclusion of multidisciplinary risk‑management teams (safety engineers, security analysts, operators, and human‑factors specialists) in the lifecycle of critical systems. Training curricula should be updated to ensure that engineers are fluent in both domains, reducing the cultural gap that currently separates them.
Finally, the authors argue that the ultimate goal of this integrated approach is to enhance system resilience – the capacity to maintain or quickly restore an acceptable level of operation after a disturbance, whether accidental or malicious. By treating safety and security as complementary facets of a single robustness objective, designers can avoid the creation of hidden attack surfaces, reduce unnecessary duplication of effort, and deliver critical infrastructures that are truly trustworthy in the face of an increasingly complex threat landscape.