CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/

Realign Safety DPs with IEC 61508? #311

Closed ahouseholder closed 9 months ago

ahouseholder commented 1 year ago

Based on https://en.wikipedia.org/wiki/IEC_61508, IEC 61508 has the consequence categories:

| Category | Definition |
|---|---|
| Catastrophic | Multiple loss of life |
| Critical | Loss of a single life |
| Marginal | Major injuries to one or more persons |
| Negligible | Minor injuries at worst |

We have None, Minor, Major, Hazardous, and Catastrophic. That is 5 instead of 4, and our physical harm scale is not semantically aligned to the same cut lines as IEC 61508 either.

```mermaid
flowchart LR
subgraph SSVC
  None
  Minor
  Major
  Hazardous
  c1[Catastrophic]
end
subgraph IEC 61508
  Negligible
  Marginal
  Critical
  c2[Catastrophic]
end
None --> Negligible
Minor --> Negligible
Major --> Negligible
Major --> Marginal
Hazardous --> Marginal
Hazardous --> Critical
c1 --> c2
```

I realize our Safety concept is considerably broader than IEC 61508's. But I wonder if it might make sense to at least acknowledge the mapping disparity somehow.

j--- commented 1 year ago

I don't think we're so misaligned. We cited the FAA in the original SSVC when we initiated these safety categories. But the FAA cites this IEC doc.

I thought it's

- None, Minor --> Negligible
- Major --> Marginal
- Hazardous --> Critical
- Catastrophic --> Catastrophic

But maybe I just argued in favor of removing None at some point and we didn't align on that at the time.

Would probably be good to clearly make this the intended mapping and change the terms to match IEC, as it's not US centric. I don't think this changes the non-physical harm definition levels.

Also, CVSS uses the IEC doc, and it would make things easier if we're cleanly aligned there.

-- best, Jono

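The two comments above describe two different relations between the SSVC physical-harm levels and the IEC 61508 consequence categories: the one-to-many relation drawn in the opening flowchart, and the clean mapping j--- says was intended. The following is an added example, not SSVC project code, that encodes both relations under the category names used in this thread and checks whether each one is actually a well-defined, onto mapping, which is the property a crosswalk to CVSS or to IEC terminology would need. The enum and function names are this example's own.

```python
"""Check SSVC safety-impact -> IEC 61508 consequence mappings for ambiguity.

Added example for this discussion; not SSVC project code. Category names are
taken from the thread. INTENDED is the mapping j--- proposed; DIAGRAM is the
relation drawn in the opening comment's flowchart.
"""
from enum import Enum


class SsvcSafety(Enum):
    NONE = "None"
    MINOR = "Minor"
    MAJOR = "Major"
    HAZARDOUS = "Hazardous"
    CATASTROPHIC = "Catastrophic"


class Iec61508(Enum):
    NEGLIGIBLE = "Negligible"        # minor injuries at worst
    MARGINAL = "Marginal"            # major injuries to one or more persons
    CRITICAL = "Critical"            # loss of a single life
    CATASTROPHIC = "Catastrophic"    # multiple loss of life


# Mapping proposed as the intended one (each SSVC level -> exactly one category)
INTENDED = {
    SsvcSafety.NONE: {Iec61508.NEGLIGIBLE},
    SsvcSafety.MINOR: {Iec61508.NEGLIGIBLE},
    SsvcSafety.MAJOR: {Iec61508.MARGINAL},
    SsvcSafety.HAZARDOUS: {Iec61508.CRITICAL},
    SsvcSafety.CATASTROPHIC: {Iec61508.CATASTROPHIC},
}

# Relation as drawn in the flowchart (Major and Hazardous each straddle a cut line)
DIAGRAM = {
    SsvcSafety.NONE: {Iec61508.NEGLIGIBLE},
    SsvcSafety.MINOR: {Iec61508.NEGLIGIBLE},
    SsvcSafety.MAJOR: {Iec61508.NEGLIGIBLE, Iec61508.MARGINAL},
    SsvcSafety.HAZARDOUS: {Iec61508.MARGINAL, Iec61508.CRITICAL},
    SsvcSafety.CATASTROPHIC: {Iec61508.CATASTROPHIC},
}


def ambiguous_levels(relation):
    """SSVC levels that map to more than one IEC category (relation is not a function)."""
    return sorted(lvl.value for lvl, targets in relation.items() if len(targets) > 1)


def uncovered_categories(relation):
    """IEC categories that no SSVC level maps to (mapping is not onto)."""
    covered = set().union(*relation.values())
    return sorted(c.value for c in Iec61508 if c not in covered)


def to_iec(level, relation=INTENDED):
    """Translate one SSVC level; refuse if the relation is ambiguous for it."""
    targets = relation[level]
    if len(targets) != 1:
        names = sorted(t.value for t in targets)
        raise ValueError(f"{level.value} maps to several IEC categories: {names}")
    return next(iter(targets))


if __name__ == "__main__":
    for name, rel in (("intended", INTENDED), ("diagram", DIAGRAM)):
        print(f"{name}: ambiguous={ambiguous_levels(rel)} "
              f"uncovered={uncovered_categories(rel)}")
```

Running it shows the intended mapping is unambiguous and covers all four IEC categories, while the diagram relation leaves Major and Hazardous with two possible targets each, so a tool translating an SSVC safety decision into IEC or CVSS terms could not resolve them without the clarification this issue asks for.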

ahouseholder commented 1 year ago

See also @j---'s comment in #377, reproduced here in full:

> FWIW, CVSS supplemental metric "Safety" "Yes/no" is conceptually a map to "public safety impact" in SSVC. This is identically true if we map the SSVC safety impact descriptions back to IEC/ISO 61508 explicitly. SSVC currently implicitly maps to it since SSVC uses FAA and CDC definitions which are based on 61508, whereas CVSS explicitly uses 61508.