A secure system needs to cope with evolving threats and changes to the environment through design and architectural measures, as well as operational ones. CAE provides a framework for reasoning about the security of systems. The recent development of CAE has benefited from security research on cyber-physical systems (see the papers under Research & Resources for details).
Research & Resources
The IEEE Computer article "Security-Informed Safety: Supporting Stakeholders with Codes of Practice" summarises how CAE was used in the development of Codes of Practice for security-informed safety in the rail and automotive domains.
The Codes of Practice (CoP) provide principles and guidance on how organisations can incorporate security considerations into their safety engineering lifecycle and become more security minded. They recommend the use of CAE for security-informed safety cases and provide some introductory guidance. The CoP for the automotive ecosystem was issued as BSI PAS 11281 in late 2018, and the railway CoP will be published by the UK CPNI in 2019.
There is also research on the use of CAE in layered assurance and in assuring models used in critical infrastructure protection.
[Header image by George Putic, VOA article 'Stuxnet: An Effective Cyberwar Weapon',