Your browser does not support JavaScript!

access icon free Merging safety and cybersecurity analysis in product design

When developing cyber-physical systems such as automated vehicles, safety and cybersecurity analyses are often conducted separately. However, unlike in the IT world, safety hazards and cybersecurity threats converge in cyber-physical systems; a malicious party can exploit cyber-threats to create extremely hazardous situations, whether in autonomous vehicles or nuclear plants. The authors propose a framework for integrated system-level analyses for functional safety and cyber security. They present a generic model named Threat Identification and Refinement for Cyber-Physical Systems (TIRCPS) extending Microsoft's six classes of threat modelling including Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service and Elevation Privilege. TIRCPS introduces three benefits of developing complex systems: first, it allows the refinement of abstract threats into specific ones as physical design information becomes available. Second, the approach provides support for constructing attack trees with traceability from high-level goals and hazardous events (HEs) to threats. Third, TIRCPS formalises the definition of threats such that intelligent tools can be built to automatically detect most of a system's vulnerable components requiring protection. They present a case study on an automated-driving system to illustrate the proposed approach. The analysis results of a hierarchical attack tree with cyber-threats traceable to high-level HEs are used to design mitigation solutions.


    1. 1)
      • 21. Leveson, N.: ‘Engineering a safer world: systems thinking applied to safety’ (MIT press, Cambridge, MA, USA, 2011).
    2. 2)
      • 24. ISO 26262: ‘Road vehicles – functional safety’, 2011.
    3. 3)
      • 1. Schoitsch, E., Schmittner, C., Ma, Z., et al: ‘The need for safety and cyber-security co-engineering and standardization for highly automated automotive vehicles’. Advanced Microsystems for Automotive Applications, 2016 pp. 251261.
    4. 4)
      • 6. Sun, M., Mohan, S., Sha, L., et al: ‘Addressing safety and security contradictions in cyber-physical systems’. Proc. of the 1st Workshop on Future Directions in Cyber-Physical Systems Security (CPSSW'09), Newark, NJ, USA, 2009.
    5. 5)
      • 22. Siegel, J.: ‘Data proxies, the cognitive layer, and application locality: enablers of cloud-connected vehicles and next-generation Internet of Things’. PhD Thesis, MIT, 2016.
    6. 6)
      • 4. J3061: ‘Cybersecurity guidebook for cyber-physical systems’, 2016.
    7. 7)
      • 27. Shin, H., Kim, D., Kwon, Y., et al: ‘Illusion and dazzle: adversarial optical channel exploits against LIDARs for automotive applications’. Int. Conf. on Cryptographic Hardware and Embedded Systems, Taipei, September 2017, pp. 445467.
    8. 8)
      • 35. Raya, M., Hubaux, J.P.: ‘Securing vehicular ad hoc networks’, J. Comput. Secur., 2007, 15, (1), pp. 3968.
    9. 9)
      • 9. Caralli, R., Stevens, J., Young, L., et al: ‘Introducing OCTAVE allegro: improving the information security risk assessment process’. Technical Report CMU/SEI-2007-TR-012, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2007. Available at
    10. 10)
      • 28. Papernot, N., McDaniel, P., Goodfellow, I., et al: ‘Practical black-box attacks against machine learning’. Proc. of the 2017 ACM on Asia Conf. on Computer and Communications Security, Abu Dhabi, United Arab Emirates, April 2017, pp. 506519.
    11. 11)
      • 7. Petit, J., Shladover, S.E.: ‘Potential cyberattacks on automated vehicles’, IEEE Trans. Intell. Transp. Syst., 2015, 16, (2), pp. 546556.
    12. 12)
      • 12. Fovino, I.N., Masera, M., De Cian, A.: ‘Integrating cyber-attacks within fault trees’, Reliab. Eng. Syst. Saf., 2009, 94, (9), pp. 13941402.
    13. 13)
      • 15. Delgrossi, L., Zhang, T.: ‘Vehicle safety communications: protocols, security, and privacy’ (John Wiley & Sons, Inc, Hoboken, NJ, USA, 2012), pp. 152153.
    14. 14)
      • 16. Yan, C., Xu, W., Liu, J.: ‘Can you trust autonomous vehicles: contactless attacks against sensors of self-driving vehicle’. DEF CON, 24, Las Vegas, NV, USA, 2016.
    15. 15)
      • 17. Petit, J., Stottelaar, B., Feiri, M., et al: ‘Remote attacks on automated vehicles sensors: experiments on camera and LiDAR’. Black Hat Europe, Amsterdam, Netherlands, November 2015, p. 2015.
    16. 16)
      • 5. Parkinson, S., Ward, P., Wilson, K., et al: ‘Cyber threats facing autonomous and connected vehicles: future challenges’, IEEE Trans. Intell. Transp. Syst., 2017, 18, (11).
    17. 17)
      • 32. Shoukry, Y., Martin, P., Tabuada, P., et al: ‘Non-invasive spoofing attacks for anti-lock braking systems’. Int. Workshop on Cryptographic Hardware and Embedded Systems, Santa Barbara, CA, USA, August 2013, pp. 5572.
    18. 18)
      • 23. Rasmussen, J.: ‘Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models’, IEEE Trans. Syst. Man Cybern., 1983, SMC-13, (3), pp. 257266.
    19. 19)
      • 30. J3016: ‘Taxonomy and definitions for terms related to on-road motor vehicle automated driving systems’, 2014.
    20. 20)
      • 2. Kriaa, S., Pietre-Cambacedes, L., Bouissou, M., et al: ‘A survey of approaches combining safety and security for industrial control systems’, Reliab. Eng. Syst. Saf., 2015, 139, pp. 156178.
    21. 21)
      • 19. Humayed, A., Lin, J., Li, F., et al: ‘Cyber-physical systems security--a survey’, IEEE Internet Things J., 2017, 4, (6).
    22. 22)
      • 14. Douceur, J.R.: ‘The sybil attack’. Int. Workshop on Peer-to-Peer Systems, Cambridge, MA, USA, March 2002, pp. 251260.
    23. 23)
      • 29. ‘Fooling Neural Networks in the Physical World with 3D Adversarial Objects’, available at
    24. 24)
      • 11. Steiner, M., Liggesmeyer, P.: ‘Combination of safety and security analysis-finding security problems that threaten the safety of a system’, SAFECOMP 2013 - Workshop DECS (ERCIM/EWICS Workshop on Dependable Embedded and Cyber-physical Systems) of the 32nd International Conference on Computer Safety, Reliability and Security, Toulouse, France, Sep 2013.
    25. 25)
      • 13. Sabaliauskaite, G., Mathur, A.P.: ‘Aligning cyber-physical system safety and security’. Complex Systems Design & Management Asia, Singapore, 2015, pp. 4153.
    26. 26)
      • 31. Ali, A.A.: ‘CPS security: vehicle platooning system identifying & modelling cyber-attacks’. Master Thesis, Newcastle University, 2016.
    27. 27)
      • 20. Young, W., Leveson, N.G.: ‘An integrated approach to safety and security based on systems theory’, Commun. ACM, 2014, 57, (2), pp. 3135.
    28. 28)
      • 3. Suo, D., Yako, S., Boesch, M., et al: ‘Integrating STPA into ISO 26262 process for requirement development’. SAE Technical Paper, 2017, No. 2017-01-0058.
    29. 29)
      • 10. Schneier, B.: ‘Attack trees’, Dr. Dobb's J., 1999, 24, (12), pp. 2129.
    30. 30)
      • 25. Lee, E.A.: ‘Cyber-physical systems-are computing foundations adequate’. Position Paper for NSF Workshop on Cyber-Physical Systems: Research Motivation, Techniques and Roadmap, Austin, TX, USA, October 2006, vol. 2.
    31. 31)
      • 26. Myagmar, S., Lee, A.J., Yurcik, W.: ‘Threat modeling as a basis for security requirements’. Symp. on Requirements Engineering for Information Security (SREIS), Paris, France, August 2005, vol. 2005, pp. 18.
    32. 32)
      • 33. Savic, V., Schiller, E.M., Papatriantafilou, M.: ‘Distributed algorithm for collision avoidance at road intersections in the presence of communication failures’, arXiv preprint arXiv:1701.02641, 2017.
    33. 33)
      • 34., accessed 18 June 2018.
    34. 34)
      • 18. Miller, C., Valasek, C.: ‘Adventures in automotive networks and control units’. DEF CON, 21, Las Vegas, Nevada, USA, 2013, pp. 260264.
    35. 35)
      • 8. ‘The STRIDE Threat Model’, available at, accessed 14 December 2017.

Related content

This is a required field
Please enter a valid email address