Generalized risk assessment procedure for software testing of legally regulated measuring instruments

Abstract

The legal metrology covers measuring instruments (MI), the measurement results of which are used in calculations for consumed energy resources, in the fields of information protection, security, environmental protection, etc. Most modern MIs use microcontrollers or are controlled by computers. The software (SW) of such MIs provides an opportunity not only to automate the processes of measurement and calculation of results but also to ensure long-term storage and data transfer. The manufacturer is responsible for investigating and assessing all possible risks related to the MI SW. The task of the conformity assessment body is to assess the conformity of MIs adequately in general and software, in particular, to the established requirements based on the analysis of risk classes. Standards for information security risk management, information technology security assessment, and information technology security assessment criteria consider only general issues of software security and risk assessment without taking into account the scope of its application. The existing regulatory documents on software risk management were considered. Modern methods of assessing the risks of the MI SW were studied. To assess the risks of software of legally regulated MIs, a general classification of threats and vulnerabilities of MI SW was made. For choosing threats that affect functionality, only those that affect metrological characteristics during measurement are taken into account. Possible manifestations of the impact of threats on stored data can be their distortion or destruction, and transmissions of data can be data distortion during transmission or data loss due to a break in the telecommunications connection. A proposed simplified risk assessment methodology for assessing the compliance of MI SW without statistical data on the probabilities of threats and the amount of harm from the implementation of threats is presented. Risk is defined as the probability of harm due to a certain vulnerability, taking into account the conditional amount of harm.