GENERALIZED RISK ASSESSMENT PROCEDURE FOR SOFTWARE TESTING OF LEGALLY REGULATED MEASURING INSTRUMENTS

1 State Enterprise “Ukrmetrteststandard”
2 State Enterprise “Ukrmetrteststandard”
3 Institute of Electromagnetic Measurements of the State Enterprise “Ukrmetrteststandard”, Kyiv, Ukraine

Legal metrology covers measuring instruments (MIs) whose measurement results are used in calculations for consumed energy resources and in the fields of information protection, security, environmental protection, etc. Most modern MIs use microcontrollers or are controlled by computers. The software (SW) of such MIs makes it possible not only to automate measurement and the calculation of results but also to ensure long-term storage and transfer of data. The manufacturer is responsible for investigating and assessing all possible risks related to the MI SW. The task of the conformity assessment body is to adequately assess the conformity of MIs in general, and of their software in particular, to the established requirements based on the analysis of risk classes. Standards for information security risk management, information technology security assessment, and information technology security assessment criteria consider only general issues of software security and risk assessment, without taking into account the scope of its application. The existing regulatory documents on software risk management were considered, and modern methods of assessing the risks of MI SW were studied. To assess the risks of the software of legally regulated MIs, a general classification of threats and vulnerabilities of MI SW was made. When choosing threats that affect functionality, only those that affect metrological characteristics during measurement are taken into account. The impact of threats on stored data can manifest as distortion or destruction of the data, and the impact on transmitted data as distortion during transmission or loss of data due to a break in the telecommunications connection. A simplified risk assessment methodology is proposed for assessing the compliance of MI SW without statistical data on the probabilities of threats and the amount of harm from the implementation of threats.
Risk is defined as the probability of harm due to a certain vulnerability, taking into account the conditional amount of harm.
