Software Risk Assessment for Measuring Instruments in Legal Metrology
In Europe, measuring instruments subject to legal control are responsible for an annual turnover of 500 billion Euros and need to pass a conformity assessment with respect to European directives or national legislation before they can be used. Today, measuring instruments are frequently integrated into open networks and even branch into the areas of cloud computing and the Internet of Things. Since software is one of the key components of such devices, Germany's national metrology institute, the Physikalisch-Technische Bundesanstalt, is developing a method to assess the risks and evaluate current threats associated with software. The method uses the structure of, and combines elements from, the international standards ISO/IEC 27005 and ISO/IEC 15408. It could be helpful for conformity assessment bodies and industry alike and supports the comparability of risk assessment results. Despite its focus on legal metrology, the method is also applicable to other areas where software risk assessment is required.