Fig 7 - uploaded by Marc Bouissou
Safety security integrated risk analysis process.

Source publication
Article
The migration towards digital control systems creates new security threats that can endanger the safety of industrial infrastructures. Addressing the convergence of safety and security concerns in this context, we provide a comprehensive survey of existing approaches to industrial facility design and risk assessment that consider both safety and se...

Context in source publication

Context 1
... we believe that in the general case, the risk analysis process should combine both safety and security. In Fig. 7, we provide a high level view of a safety and security risk analysis process inspired by the generic approaches identified in Section 4.1. The first step of this integrated risk analysis process is to perform a hazard analysis to identify the hazardous/unsafe states of the system. Considering the definition of safety in the context ...

Citations

... Threats to systems or individuals are complex and varied (Bubnovskaia, Leonidova & Lysova, 2019; Leveson, 2020), differing in nature (ex., malicious/accidental), origin (ex., internal/external), and target (ex., individual/system/environment) (Andéol-Aussage et al. 2013; Brantingham & Brantingham, 1991; Piètre-Cambacédès & Chaudet, 2010). Personnel training, OSH standards, and system redundancies are often used to address internally or system-originating threats to safety, like equipment malfunctions and human error (Kriaa et al., 2015). Crime prevention and physical security strategies, conversely, are used to address maliciously originating threats, such as intrusion, sabotage, or violence (Kriaa et al., 2015; Piètre-Cambacédès & Chaudet, 2010). ...
... Personnel training, OSH standards, and system redundancies are often used to address internally or system-originating threats to safety, like equipment malfunctions and human error (Kriaa et al., 2015). Crime prevention and physical security strategies, conversely, are used to address maliciously originating threats, such as intrusion, sabotage, or violence (Kriaa et al., 2015; Piètre-Cambacédès & Chaudet, 2010). As crime and violence become growing concerns in vocational settings (Casteel & Peek-Asa, 2000), applications examining threat reductions of this type, separate from those examining system function or behavioral OSH standards, are necessary for comprehensive threat risk management and security enhancement efforts (Blokland & Reniers, 2019; Boustras & Waring, 2020; Crawford & Hutchinson, 2016). ...
Article
Career and technical education (CTE) facilities on school campuses present unique security challenges due to their distinct layouts, structures, and equipment, which require tailored security considerations given expanding CTE student populations and increasing concerns of school violence. Drawing on principles of crime prevention through environmental design (CPTED) with Texas as a case application, this study developed a novel survey instrument to evaluate the influence of CTE facility design features and security activities on principals' perceptions of facility security. One hundred and eighty-three public middle and high school principals in Texas participated in the survey. A series of four hierarchical multiple regressions found that principals perceived CTE facilities as more secure the more they aligned with CPTED-oriented qualities. Security approaches more conventionally used in school settings, such as the use of security equipment and organized security activities, were not significantly associated with higher perceptions of facility security when design features were considered. The results suggest that integrating CPTED features into CTE classroom spaces can foster security perceptions similar to those in broader school design contexts, highlighting the importance of security approaches that include more than conventional classrooms and go beyond mechanical or organizational activities. District and school administrators, emergency management coordinators, and CTE program personnel can apply these results to improve the design of CTE facilities and non-traditional classrooms, as well as the content of comprehensive facility plans, to enhance holistic approaches to school safety and security.
... Numerous methodologies have been developed to model cybersecurity threats in the ICS domain (Bhamare et al., 2020b). However, the predominant approaches often involve integrating security considerations into established safety models (Kriaa et al., 2015). ...
... In the context of modeling cybersecurity threats in the ICS domain, various methodologies and approaches have been developed (Bhamare et al., 2020b). Notably, security contextualization of well-established safety models (Kriaa et al., 2015; Leveson, 2004; Yan et al., 2016; Leveson, 2013, 2014) has been widely adopted. In our upcoming work, we aim to practically apply such methodologies within SCASS to identify comprehensive attack graphs. ...
Article
Industrial Control Systems (ICS) represent a relevant target for attackers. In order to prevent such critical security threats, ICS security assessment activities should be conducted. Conventional vulnerability assessment and penetration testing within ICSs are not practicable due to safety risks and cost constraints. To overcome these challenges, security researchers have developed cybersecurity testbeds. However, these testbeds commonly rely on closed components, cannot be extended, and are very expensive. This research investigates how a modular, open-source framework can enhance the development of robust cybersecurity testbeds and facilitate the implementation of digital twins for securing Industrial Control Systems. We present SCASS, a fully customizable testbed designed to replicate complex SCADA and ICS environments with high fidelity. SCASS addresses the need for accessible, scalable platforms by supporting both physical and virtual components while enabling the evaluation of heterogeneous attack scenarios and security methodologies. By combining advanced attack scenarios with an objective comparative analysis against existing testbeds, SCASS demonstrates its ability to fill critical gaps in the ICS security landscape, fostering collaboration and advancing security assessment methodologies.
... Several studies in literature approach the topic from different angles (L. Piètre-Cambacédès and Bouissou 2013; Kriaa et al. 2015; Nicoletti et al. 2023) including, among others, systems-theory (Leveson 2016; Young and Porada 2017; Friedberg et al. 2017; Mailloux et al. 2019; Howard et al. 2019; Khan and Madnick 2020), model-based engineering (Macher et al. 2015; Meng et al. 2021; De Saqui-Sannes, Apvrille, and Vingerhoeds 2021), control theory (Cardenas, Amin, and Sastry 2008; Teixeira et al. 2012; Hahn et al. 2015), attack tree analysis (Longari et al. 2019; Kumar et al. 2022), AND/OR graphs (Barrère and Hankin 2021), and Boolean Driven Markov Processes (Ludovic Piètre-Cambacédès and Bouissou 2010; Johnson 2011; Kriaa, Bouissou, and Laarouchi 2019). ...
Conference Paper
Ensuring the safety of cyber-physical systems (CPS) against cyber security threats is essential in safety-critical sectors. To this end, the systematic derivation of clear and robust safety claims is needed to demonstrate that safety properties are preserved even when the system is under attack or partially compromised. It is also necessary to demonstrate regulatory compliance. In this paper, we present a framework for the automatic identification of safety-critical attacks targeting CPS and generation of Assurance Case Fragments (ACF). To identify attacks that can compromise safety we use a combination of STPA-Sec, STRIDE, and formal verification. This allows us to determine sequences of attack steps leading to safety violations (i.e. threat scenarios) and the attack paths that enable them on the system architecture. We automatically derive ACFs in Goal Structuring Notation (GSN), which show whether the CPS can operate within an acceptable risk whilst under attack and that security controls in place are adequate. To illustrate the application of our approach we use the example of a railway traffic control system and discuss how the derived ACFs demonstrate system safety as well as the soundness of our integrated approach to safety and security analysis.
... This perspective aligns with the growing body of the literature that emphasizes the convergence of safety and security in high-risk industries, where integrating both domains is key to improving risk management outcomes [8,29,30]. Studies have shown that integrated frameworks reduce redundancies, enhance efficiency, and improve overall risk management outcomes [16,17,31,32]. However, achieving integration remains challenging due to organizational silos, and differing priorities between safety and security teams remain significant barriers to attaining integration [19,29,33]. ...
... This echoes findings in the risk management literature, where value alignment is seen as critical for creating a cohesive decision-making environment in a dynamic socio-technical system [21,44]. Among respondents, one of the most consistently prioritized values was "Risk reduction potential", which ranked highly in both process safety and process security domains, demonstrating that shared values can minimize conflicts between safety and security objectives [32,45]. ...
... The theme of continuous improvement and adaptation was prominent in the qualitative responses, aligning with the literature on adaptive risk management and organizational learning [21,32,44]. Respondents highlighted the need for ongoing learning and adaptation, leveraging new technologies and data analytics to enhance system resilience. ...
Article
Integrating process safety and process security risk management is increasingly essential for enhancing resilience in the chemical process industry. This study addresses how practitioners perceive the integration of these two domains, identifying key benefits, barriers, and strategies for effective implementation. A mixed-methods approach was applied, combining quantitative survey data from 47 industry professionals with qualitative insights from open-ended responses. The findings highlight significant advantages of integration, such as optimized resource use, reduced operational redundancies, and improved risk management. However, barriers such as knowledge gaps, resource constraints, and communication silos were identified. Respondents emphasized the importance of adopting a resilience-oriented approach involving proactive risk management, continuous improvement, and adaptability in both safety and security practices. Critical enablers for integration include strong leadership, alignment of societal values, cross-disciplinary training, and integrated risk assessment methodologies. Emerging technologies and regulatory alignment were also identified as critical factors in facilitating integration. The study contributes to the theoretical understanding of integrated risk management by supporting resilience engineering and systems theory. It offers actionable strategies for overcoming barriers and leveraging enablers, laying the groundwork for developing a resilience-oriented framework for process safety and process security risk management.
... V. TAILORING SECURITY MEASURES TO THE UNIQUE NEEDS OF CONVERGED OT/IT SYSTEMS
Addressing the security challenges of converged OT/IT systems necessitates a tailored approach that recognizes the distinct operational requirements and constraints within these environments [15]. Implementing traditional IT security measures may not suffice, as the real-time and deterministic nature of OT systems demands specialized solutions that account for critical operational processes. ...
... Operational technology primarily deals with the control and monitoring of physical devices and processes, such as industrial control systems, supervisory control and data acquisition systems, and other machinery. On the other hand, information technology encompasses the management and processing of digital data, communication systems, and software applications [15] [21]. ...
Conference Paper
The convergence of Operational Technology and Information Technology systems has brought about great advancements in industrial processes and efficiency. However, this convergence has also introduced new security challenges, as these traditionally isolated systems are now interconnected. Balancing the need for robust security measures with the requirements for operational efficiency is crucial for organizations operating in this environment. This paper explores the development of a security framework specifically tailored to address the unique challenges posed by converged OT/IT systems. The framework aims to mitigate security risks while ensuring that operational processes remain efficient and productive. Additionally, this paper discusses the policy and economic importance of such a security framework in the context of the United States, aligning with Sustainable Development Goal 9. While this transformation promises immense operational benefits to the utilities, it brings along significant security concerns in terms of increasing the enterprise-class security risks. The challenge for the utilities, therefore, is to implement new approaches and tools in building a secure smart grid network that is reliable and resilient.
... In principle, this makes it possible to model more complex safety-security interactions, in which, for example, failures stop attacks from propagating. Such behaviour is called antagonism [17], which can be incorporated into AFTs e.g. by adding a NOT-gate [24]. ...
Preprint
Adequate risk assessment of safety critical systems needs to take both safety and security into account, as well as their interaction. A prominent methodology for modeling safety and security are attack-fault trees (AFTs), which combine the well-established fault tree and attack tree methodologies for safety and security, respectively. AFTs can be used for quantitative analysis as well, capturing the interplay between safety and security metrics. However, existing approaches are based on modeling the AFT as a priced-timed automaton. This allows for a wide range of analyses, but Pareto analysis is still lacking, and analyses that exist are computationally expensive. In this paper, we combine safety and security analysis techniques to introduce a novel method to find the Pareto front between the metrics reliability (safety) and attack cost (security) using Markov decision processes. This gives us the full interplay between safety and security while being considerably more lightweight and faster than the automaton approach. We validate our approach on a case study of cyberattacks on an oil pipeline.
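The two ideas in the excerpt and abstract above, an antagonism NOT gate inside an attack-fault tree and a Pareto front between top-event probability and attack cost, can be shown on a hand-sized tree. The block below is an added illustration, not code from the cited paper or its authors: it uses plain enumeration of attacker strategies rather than the paper's Markov decision process, and the tree, failure probabilities and step costs are constructed. Leaves are assumed independent and to occur once in the tree, which is what makes the product/complement arithmetic exact.

```python
"""Toy attack-fault tree (AFT) evaluator with an antagonism NOT gate and a
reliability-versus-attack-cost Pareto front.  Added illustration: the tree,
probabilities and costs below are constructed, not from the cited paper."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Fault:          # safety leaf: random failure with a fixed probability
    name: str
    prob: float


@dataclass(frozen=True)
class Attack:         # security leaf: attacker either executes it (cost) or not
    name: str
    cost: float


@dataclass(frozen=True)
class Gate:
    op: str           # "AND", "OR" or "NOT" (NOT takes exactly one child)
    children: tuple


def evaluate(node, chosen):
    """Probability that `node` is true when the attacker executes exactly the
    attack steps named in `chosen`.  Leaves are assumed independent and each
    leaf appears once in the tree, so AND is a product and OR is
    1 - prod(1 - p).  NOT is the antagonism gate: a failure below it blocks
    whatever sits beside it in the parent AND."""
    if isinstance(node, Fault):
        return node.prob
    if isinstance(node, Attack):
        return 1.0 if node.name in chosen else 0.0
    ps = [evaluate(c, chosen) for c in node.children]
    if node.op == "AND":
        r = 1.0
        for p in ps:
            r *= p
        return r
    if node.op == "OR":
        r = 1.0
        for p in ps:
            r *= 1.0 - p
        return 1.0 - r
    if node.op == "NOT":
        return 1.0 - ps[0]
    raise ValueError(f"unknown gate {node.op}")


def attack_leaves(node):
    if isinstance(node, Attack):
        return [node]
    if isinstance(node, Fault):
        return []
    return [a for c in node.children for a in attack_leaves(c)]


def pareto_front(top):
    """Enumerate every attacker strategy (subset of attack steps), score it as
    (total cost, top-event probability) and keep the non-dominated ones: a
    strategy is dominated when another costs no more and is at least as likely
    to trigger the top event, with one of the two strictly better.  Exponential
    in the number of attack steps, which is fine for a hand-sized tree."""
    attacks = attack_leaves(top)
    points = []
    for k in range(len(attacks) + 1):
        for combo in combinations(attacks, k):
            chosen = frozenset(a.name for a in combo)
            cost = float(sum(a.cost for a in combo))
            points.append((cost, evaluate(top, chosen), chosen))
    front = [
        (c, p, s) for c, p, s in points
        if not any(c2 <= c and p2 >= p and (c2 < c or p2 > p)
                   for c2, p2, _ in points)
    ]
    return sorted(front, key=lambda t: (t[0], t[1]))


# Constructed example: a valve that must close on demand.  The remote attack
# path needs the engineering-station link; if that link has already failed
# (link_down), the pushed logic never reaches the controller: antagonism.
TOP = Gate("OR", (
    Fault("valve_stuck", 0.01),
    Gate("AND", (
        Attack("phish_engineer", 3.0),
        Attack("push_malicious_logic", 5.0),
        Gate("NOT", (Fault("link_down", 0.05),)),
    )),
    Gate("AND", (
        Attack("physical_access", 20.0),
        Attack("tamper_sensor", 2.0),
    )),
))

if __name__ == "__main__":
    for cost, prob, steps in pareto_front(TOP):
        print(f"cost={cost:5.1f}  P(top)={prob:.4f}  steps={sorted(steps)}")
```

Running it yields three non-dominated strategies: do nothing (cost 0, only the random valve failure remains), the remote path (cost 8, where the 5 % chance that the link is already down is exactly what the NOT gate subtracts from certainty), and the physical path (cost 22, certain). Every other subset is either more expensive for the same probability or no more likely for more cost.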
... SIS have a wide range of applications in various industrial areas, including intelligent manufacturing [1], chemical production [2], and power grids (Figure 1) [3]. SIS consist of complex information communicators and embedded devices that are interconnected with the network/physical world through sensors and actuators [4]. These sensors collect real-time data from the physical environment, while actuators perform specific operations based on the information processed by SIS, ensuring the safe and reliable operation of industrial processes. ...
... [25] Research on the integration analysis approach of functional safety and security is still in its early stages, with most studies focused on the conceptual stage [3]. However, the impact of cyber-attacks on systems or equipment with functional safety has received relatively little attention [26]. The contributions of this paper are described as follows: ...
Article
Fieldbus transmitters are commonly used in modern industrial productions, particularly in Safety Instrumented Systems (SIS). Safety and security are critical considerations in the design and operation of these transmitters. Previous research has tended to address safety issues and security issues separately, but with the increasing complexity of network technology, it is important to analyze them simultaneously. In this paper, a systematic framework for comprehensively analyzing random failures and cyber-attack failures is proposed. The framework adopts the FMEA-IMEA method, which combines Failure Modes and Effects Analysis (FMEA) and Intrusion Modes and Effects Analysis (IMEA), to analyze failure modes and effects of fieldbus transmitters. In addition, by extending Reliability Block Diagrams (RBD), the impact of random failures and cyber-attack failures on fieldbus transmitters is quantitatively determined. At the same time, the calculation approach of the residual error rate (RER), the component counting method, and Monte Carlo simulation are used to determine the random failure rate and the cyber-attack failure rate. Using a fieldbus pressure transmitter and a fieldbus temperature transmitter as examples, the results demonstrate that security issues can significantly impact the safety integrity level. In fact, the safety integrity level is reduced from SIL3 to SIL1 when cyber-attacks are considered. Compared to existing FMEA, the proposed approach offers a more comprehensive analysis of random failures and cyber-attack failures in fieldbus transmitters.
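The mechanism behind the SIL drop in that abstract is worth seeing in numbers. The block below is an added illustration and not the paper's own method or data: it treats the random dangerous-undetected failure mechanism and a cyber-attack failure mechanism as two series blocks in a 1oo1 reliability block diagram (so their constant rates add), applies the standard first-order PFDavg approximation for a single channel, and maps the result onto the IEC 61508 low-demand SIL bands. The failure rates and the one-year proof-test interval are constructed; the SIL band limits are the IEC 61508 values. It also answers the question a practitioner actually has: how large an attack-induced failure rate the transmitter can absorb before leaving its SIL band.

```python
"""Low-demand SIL band check for a single (1oo1) fieldbus transmitter when a
cyber-attack failure rate is added to its random dangerous-undetected failure
rate.  Added illustration: the rates and proof-test interval are constructed;
the SIL bands are the IEC 61508 low-demand PFDavg targets."""

# IEC 61508 low-demand mode: (SIL, PFDavg lower bound, PFDavg upper bound).
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def pfd_avg_1oo1(lambda_du, t_proof):
    """Average probability of failure on demand for one channel with
    dangerous-undetected failure rate lambda_du (per hour) and proof-test
    interval t_proof (hours): PFDavg ~= lambda_du * t_proof / 2, the usual
    first-order approximation, valid while lambda_du * t_proof << 1."""
    return lambda_du * t_proof / 2.0


def sil_for_pfd(pfd):
    """SIL band reached by a PFDavg; 0 means worse than SIL 1."""
    if pfd < SIL_BANDS[0][1]:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def assess(lambda_random, lambda_attack, t_proof):
    """Treat the random failure mechanism and the cyber-attack failure
    mechanism as two blocks in series in the reliability block diagram
    (either one defeats the safety function); for constant rates the series
    failure rate is the sum.  Returns PFDavg and SIL with and without the
    attack contribution."""
    pfd_r = pfd_avg_1oo1(lambda_random, t_proof)
    pfd_c = pfd_avg_1oo1(lambda_random + lambda_attack, t_proof)
    return {
        "pfd_random_only": pfd_r,
        "sil_random_only": sil_for_pfd(pfd_r),
        "pfd_combined": pfd_c,
        "sil_combined": sil_for_pfd(pfd_c),
    }


def max_attack_rate_for_sil(target_sil, lambda_random, t_proof):
    """Cyber-attack failure rate (per hour) at which the combined PFDavg
    reaches the upper limit of the target SIL band; the real attack rate
    must stay strictly below it.  Negative means the random failures alone
    already miss the target."""
    hi = {s: h for s, _, h in SIL_BANDS}[target_sil]
    return 2.0 * hi / t_proof - lambda_random


if __name__ == "__main__":
    T = 8760.0            # one-year proof test, constructed
    LAM_RANDOM = 5e-8     # 50 FIT dangerous-undetected, constructed
    LAM_ATTACK = 3e-6     # roughly one successful attack per 38 years, constructed
    r = assess(LAM_RANDOM, LAM_ATTACK, T)
    print(f"random only : PFDavg={r['pfd_random_only']:.2e} SIL{r['sil_random_only']}")
    print(f"with attacks: PFDavg={r['pfd_combined']:.2e} SIL{r['sil_combined']}")
    print(f"attack-rate ceiling to stay SIL3: "
          f"{max_attack_rate_for_sil(3, LAM_RANDOM, T):.2e}/h")
```

With the constructed figures the transmitter sits comfortably in SIL3 on random failures alone (PFDavg about 2.2e-4), and an attack-induced failure rate of 3e-6/h, which is tiny in IT terms, pushes it to PFDavg about 1.3e-2, i.e. SIL1. The ceiling function shows why: to stay in SIL3 with a yearly proof test, the attack contribution must remain below roughly 1.8e-7/h, an order of magnitude under the constructed attack rate. Shortening the proof-test interval raises that ceiling proportionally, which is one concrete lever the safety side has against a security problem.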
... This model operates by tasking two separate engineering groups to design two distinct systems, with one system being utilized to safeguard the other [6,7]. Security and Safety (S&S) embodies a fusion of cybersecurity principles within the design and manufacturing phases of technologies and products [8,9]. This entails the incorporation of cybersecurity features into the design process before development, configuration, and delivery [10,11], thereby actualizing the concept of "security by design" for digital products [12,13]. ...
Article
To address the serious imbalance between the supply and demand of the cybersecurity workforce, this paper proposes to embrace the latest trend of a fundamental shift in the “underlying dynamics of the digital ecosystem”, focusing on a shared liability for cybersecurity between the application side and the manufacturing side. Assuming that product providers shall take more responsibility by implementing secure defaults, this paper explores the establishment of an S&S talent cultivation system to strike the right balance of cybersecurity liabilities by nurturing more responsible developers. This paper proposes a Knowledge, Skill, and Awareness (KSA) model for Security and Safety (S&S) talent cultivation, proves the feasibility of this model by analyzing the theoretical, disciplinary, methodological, practical, and societal foundations of S&S talent cultivation. Additionally, this paper proposes principles and strategies for building a S&S talent cultivation system based on its unique characteristics and patterns. It gives a talent cultivation scheme, supported by an “Independent Knowledge System, Education and Cultivation System, Practice and Training system, Evaluation and Certification system, and Awareness Popularization System”. Finally, this paper puts forward a proposal for coordinating efforts and adopting multiple measures to accelerate the cultivation of S&S talents.
... This relationship can be characterized as a mutual dependent coexistent relationship. This is due to the fact that cyber-attacks can benefit from shortfalls in the protection systems, protocols, or human careless disregard for consequences and directly influence the integrity or availability of the data and control systems [31,32]. For example, a thief can steal a house if he can hack the cameras and control them. ...
Chapter
A smart home's safety is a very urgent question due to several causes. This chapter analyzes current directions of smart house system safety technologies in use nowadays. Current studies are dedicated to the integration of Internet of Things (IoT) into smart home systems; critical situations that may arise; and specifications of sensors in the smart home system. The huge number of connected devices, and the capacity embedded within these devices to direct demand resources, mean that deliberate attacks on them and/or inadvertent downfall events such as abrupt bad interactions between connected devices, mechanical failure of devices, and unsuccessful communication may lead to IoT-based systems entering unreliable and threatening physical states. We review current trends in security-enabled safety monitoring frameworks for IoT-based smart homes. We demonstrate the use of various techniques in utilizing system analysis during design to develop a monitoring model that can be executed, providing run-time safety assurance for a system. This is achieved through the collection and analysis of operational data and evidence to assess the safety status of the system. Subsequently, appropriate actions are taken, and the safety status is communicated securely to system users, along with recommended actions to reduce the risk of the system entering an unsafe state.
... The design of ICSs at first solely considered unintentional component failures. Nevertheless, the growing utilization of communication technologies and open protocols, like Transmission Control Protocol/Internet Protocol, has resulted in the development of systems that are more susceptible to cyberattacks [42]. ICS threats can be classified as follows [43]: ...
Article
Industrial control systems (ICSs) are crucial in managing critical infrastructure, making their security a paramount concern. In recent years, their widespread adoption, together with the overall distance spanned by the critical infrastructure of industrial communication networks, has increased the complexity of the networks' topological arrangement, increasing their structural vulnerabilities. In this scenario, deep learning models, especially those that incorporate graph-aware mechanisms, have arisen as a promising solution. This paper presents a novel centrality- and graph-aware attack detector (CGAAD) that includes nodes' significance by centrality measures within a graph convolution network (GCN) framework to provide superior cyberattack detection performance and increase the resilience of critical ICS infrastructure. The proposed CGAAD model is in three parts. First, centrality measures are used as features for each of the nodes in the ICS graph topology. Then, a sparse autoencoder (sparse-AE) enhances the feature representations to harness the subsequent classification step. Finally, the GCN leverages the graph structure and the enhanced features to classify dataflow between nodes as either normal or attacked. Experimental results demonstrate promising performance, reaching nearly 99% in terms of accuracy and F1-score, reducing misclassifications of both normal and attacked samples, which is crucial in ICS critical infrastructure applications.