Information Security

Information is an asset for companies and individuals, and in a service-oriented society it is an increasingly valuable one. In computer systems, information is central to control processes and decisions, which is why the integrity and availability of information are normally essential for proper function.
Information security covers IT security as well as the administrative processes and procedures needed to maintain the required integrity, confidentiality and availability of information. Computer security is the part of IT security that deals with the technical protection of computer systems and data, and includes methods such as encryption, authentication and protection against denial-of-service attacks.
For computer systems that are safety-critical, such as machine control and those parts of automotive embedded systems that must comply with functional safety standards such as IEC 61508, functional safety must not be compromised when they are connected to external systems or to the Internet. Part of this work is to decide on, and implement, appropriate security mechanisms to obtain sufficient security. The challenge is to find an adequate trade-off between cost and protection. To obtain such a balance, a comprehensive risk analysis must be performed, followed by risk reduction activities and evaluation. In the end, the organization must acknowledge and accept the residual risks based on its risk tolerance.
Being fully protected against all types of attack vectors for the foreseeable future is in most cases impossible while still meeting availability requirements. It is therefore important to choose security technologies that yield an acceptable residual risk, which requires a systematic approach covering both security and safety.
We can assist in all phases of the development of embedded systems.
Examples of services in information security
- Training and support in efforts to meet the functional safety standards such as IEC 61508 and the requirement on sufficient level of computer security
- Risk Analysis
- Verification of architecture and security mechanisms
We have long experience of training in the Machinery Directive and in functional safety standards such as IEC 61508, ISO 13849 and ISO 26262. We also offer training in computer security to provide the theoretical foundation needed when safety-critical systems are to be connected to external systems. The program covers the interpretation of the properties confidentiality, integrity and availability, and proposes mechanisms for obtaining a sufficient level of computer security in the embedded system.
Risk analysis is a general method and can be applied to all types of systems and to different types of risk. We have extensive experience in performing risk analysis for functional safety as well as for information security. Using methods such as HAZOP, FTA and FMEA, we can assist in identifying the risks your system faces, in terms of both reliability and information security.
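To make concrete how fault tree analysis (FTA) lets a safety failure and a security cause be evaluated in the same model, here is an added example, written for this page rather than taken from it or from any project it describes. The hazard, the event names and the probabilities are all hypothetical: a connected machine controller whose top event "unintended motion" can be reached either through a classic hardware failure path or through a compromised remote connection. The tree is a nested tuple of "AND"/"OR" gates over basic events; the probability calculation assumes the basic events are independent and that no basic event appears in more than one branch (otherwise the minimal cut sets, also computed below, are the correct basis).

```python
import math
from itertools import product

# Hypothetical fault tree (constructed for this example, not from the page).
# Top event: unintended machine motion while an operator is in the zone.
UNINTENDED_MOTION = (
    "OR",
    # Safety branch: the speed sensor fails AND the monitoring channel
    # that should detect that failure also fails.
    ("AND", "speed_sensor_fails", "monitoring_fails"),
    # Security branch: the remote maintenance link is compromised AND the
    # authentication on motion commands is bypassed.
    ("AND", "remote_access_compromised", "command_auth_bypassed"),
)

# Hypothetical per-demand probabilities, before and after adding strong
# command authentication (the only value that changes is the last one).
BASELINE_PROBS = {
    "speed_sensor_fails": 1e-3,
    "monitoring_fails": 1e-2,
    "remote_access_compromised": 5e-2,
    "command_auth_bypassed": 1e-1,
}
HARDENED_PROBS = dict(BASELINE_PROBS, command_auth_bypassed=1e-4)


def top_event_probability(node, probs):
    """Probability of the top event, assuming independent basic events
    and no basic event shared between branches."""
    if isinstance(node, str):
        return probs[node]
    gate, *children = node
    ps = [top_event_probability(c, probs) for c in children]
    if gate == "AND":
        return math.prod(ps)
    if gate == "OR":
        # P(at least one) = 1 - P(none)
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Minimal combinations of basic events that cause the top event.
    OR collects the children's cut sets; AND takes the union of one cut
    set from each child; absorption removes non-minimal supersets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = {s for cs in child_sets for s in cs}
    elif gate == "AND":
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return {s for s in sets if not any(other < s for other in sets)}


if __name__ == "__main__":
    for label, probs in (("baseline", BASELINE_PROBS), ("hardened", HARDENED_PROBS)):
        print(f"{label}: P(top) = {top_event_probability(UNINTENDED_MOTION, probs):.3e}")
    for cut in minimal_cut_sets(UNINTENDED_MOTION):
        print("cut set:", sorted(cut))
```

With the baseline figures the security branch dominates the top-event probability by more than two orders of magnitude, which is exactly the situation the text warns about: connecting a safety-rated controller to an external network adds a cut set that the original safety analysis never priced in. Re-running the same tree with the hardened authentication figure shows the residual risk that the security mechanism buys back, and the cut sets tell you which pairs of events a reviewer should check for common causes before trusting the independence assumption.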
Verification of architecture and security mechanisms
When the risk assessment is complete and the system architecture and the security mechanisms chosen to manage the risks have been implemented, we can analyse the architecture to provide an independent opinion on whether the proposed architecture and security mechanisms achieve adequate security. Further, we can help validate the implemented security mechanisms by systematic analysis (e.g. code inspection, evaluation of circuit diagrams and test specifications).