AI powered safety and security analysis

Safety is a decisive factor in the development and operation of software and systems. It encompasses both functional safety and information security. Under defined conditions, such a system must work safely and minimize potential dangers. Targeted safety analyses make it possible to take preventive measures at an early stage: Reduce anomalies in system behavior, minimize unauthorized access to data or systems and protect against misuse and loss. In addition, the reliability of the systems is improved and security is continuously increased during development.

A major challenge in performing security analysis is the shortage of skilled labor, which is exacerbated by growing system complexity and the operation of legacy systems. Companies are struggling to optimize time-to-market while ensuring the quality and standard compliance of their systems. Especially in highly automated systems, complex operational areas lead to a multitude of possible critical situations that are difficult to manage.

Artificial intelligence (AI) can help here if it is used in a considered manner. Hallucinations or non-deterministic behavior of the models give rise to risks. 

Despite this challenge, AI offers significant advantages. Through the targeted use of AI, companies can focus their scarce human resources on the essential aspects of security and safety analysis. The (partial) automation of processes leads to an increase in efficiency, enables the early detection of security risks and improves response times and risk management. The successful use of AI in security and safety analyses requires detailed knowledge. In-depth experience in the areas of safety, security and AI is also necessary. This is the only way to make the uncertainties, limits and risks of AI manageable. A well-thought-out interaction concept between humans and AI tools is crucial to ensure the quality of results in critical areas and avoid hallucinations. Our ongoing research aims to integrate AI support into safety and security processes and safety analyses of systems.

Automated safety analysis

We carry out safety analyses such as HARA in accordance with domain-specific standards such as ISO 26262 (“Road vehicles - Functional safety”). This requires an expert with experience and time to carry out and check the analysis carefully. Our AI-based tool now improves situation room exploration and increases both completeness and efficiency.

We start by providing and evaluating various data sources to identify potential situations. The list of situations created by our AI-based tool can also be expanded, customized and exported by an expert.

In the next step, our tool provides valuable information, including reasoning for the relevance of each identified situation.

Our experts can then continue the security analysis and perform a detailed risk assessment, define or redefine hazards or start a security analysis based on the situations.

Security analysis with AI tool

We focus on threat and risk analysis (TARA) and improve this analysis step by refining security objectives. Our solution is based on the concepts and terminology of the “Common Criteria for Information Technology Security Evaluation” (ISO/IEC 15408) and accompanying documentation, in particular the “Guide for the production of Protection Profiles and Security Targets” (ISO/IEC TR 15446).

We start by identifying the information assets, function assets and physical assets to be protected, as well as potential attackers. This requires comprehensive and detailed information about the systems. This often requires the review of a considerable amount of documentation, which is time-consuming. This is where our AI-based tool provides support by importing and analyzing a large number of documents.

In the next step, we record and analyze potential threats using our AI-based tool. This requires expertise in various frameworks, such as the STRIDE threat model. This is the only way to assess risks based on the latest technological developments and publications, such as the ENISA Foresight Cybersecurity Threats for 2030. Our AI-based tool also helps us to be more efficient here.

We then use tools to define suitable security objectives in order to counter security threats, comply with applicable security guidelines and fulfill the assumptions made. Depending on the area of application, various regulations must be taken into account, such as the General Data Protection Regulation, the European Cybersecurity Act, the NIS2 Directive, HIPAA or PCI-DSS. In addition, resources such as Information Security Controls (ISO/IEC 27002) or OWASP documentation provide valuable guidance. Our AI-based tool can be used flexibly. With the help of a module based on Retrieval Augmented Generation (RAG), our tool-supported security analysis can also be adapted and used effectively for customer systems and company-specific requirements.