The risk assessment according to ISO 12100 starts at the very beginning of the development of a machine, during the design phase, and considers the hazards that can arise over the complete lifecycle. The aim is to identify all hazards and to minimise them by following the risk assessment process. The process starts with the determination of the physical limits of the machine, such as size, weight, or materials, and continues with the identification of hazards in preparation for the risk assessment. Since ISO 12100 is a standard for the safety of machinery and thus concerns the classic field of safety, its very first point of consideration, the limits of the machine, lacks a concept for covering cyber-physical machines with their increased connectivity and additional interfaces.
The risk assessment is followed by the risk evaluation, which checks whether the mitigation measures are effective. Risk reduction should be approached in three steps: the first step is the intrinsically safe design, which means that if an identified hazard can be mitigated by design measures, these should be used. If the design measures are not sufficient, the possibility of a technical protection measure is considered in a second step by installing safety functions built from safety components to further minimise the corresponding risks. In this step, the corresponding functional safety standards are used, namely ISO 13849-1 and IEC 62061, where the risks are explicitly calculated with a risk graph and the safety function is designed according to the determined safety characteristic value (SIL or PL). The last step includes warning signs on the machine itself, additional information within the corresponding manuals, and specific user training.
The general procedure for making IT systems secure is to continuously execute security-relevant activities as described in ISO/IEC 27001. This is achieved by executing the Plan, Do, Check, Act (PDCA) cycle and building up an Information Security Management System (ISMS). IEC 62443, for the industrial automation domain, adopted most of these concepts and represents the most important reference for secure industrial systems. Further, VDI/VDE 2182 specifies an eight-step process: (1) identify assets, (2) analyse threats, (3) determine relevant security objectives, (4) analyse and assess risks, (5) identify individual measures and assess their effectiveness, (6) select countermeasures, (7) implement countermeasures and (8) perform a process audit. A more detailed overview can be found in .
The authors in  describe the issues for interconnected, flexible, and self-optimising production systems with respect to safety and security. After every modification of the production system during the operation phase, a new manual assessment is necessary. This results in the need for a joint consideration of safety and security in an automated assessment algorithm to ensure safe, secure and efficient operation of future industrial production systems.
One of the first technical reports for a harmonised framework of (functional) safety (IEC 61508) and security (IEC 62443) for industrial automation and control systems is IEC TR 63069. It includes general term definitions for safety, security, and their combined risks. In addition, three guiding principles are provided, which include the protection of safety implementations, the protection of security implementations, and the compatibility of implementations from both domains. The focus of this work is set on the risk assessment phase, which is also covered in IEC TR 63069. Nevertheless, only abstract differences are presented and a proposal for a high-level combination of safety and security is shown; practical guidance for modular industrial systems is missing. That is where ISA TR 84.00.09 might come into play. It is intended to describe a completely coupled lifecycle for safety and security with example methodologies for each phase. Unfortunately, it is not yet publicly available and will have a focus on the process industry. Further conclusions for this work can be drawn as soon as it has been published.
Another technical report, ISO TR 22100-4, covers the general safety of machinery in relationship with the ISO 12100 standard and presents considerations for the interplay of safety and security. It addresses machine builders and system integrators in particular. It describes general similarities and differences between both domains with regard to aims and critical aspects, e.g. risk elements. In addition, a five-step procedure (Identify, Protect, Discover, React, and Restore) to secure systems is presented, and general advice is given on increasing the overall security without compromising safety. These approaches provide a policy-like view on the interplay of safety and security. This work discusses the corresponding contents in order to pave the way for an integrated process for safety and security. Another standard to include in these considerations is IEC TR 63074:2019, which shows possible effects of security risks on a safety-related control system from a technical perspective by providing guidance on implementing countermeasures.
In addition, several surveys from the research and development domain are available which present combined approaches for safety and security . They mostly contain overviews of generally available approaches for the representation and processing of the distinctive knowledge of each domain. This includes the use of, e.g., fault or attack trees, model-based engineering, Bayesian networks, distributed ledger technologies, or Markov processes . All these approaches are valuable for the interplay of safety and security, but cannot be used for the problems addressed by this work, which focuses on aligning a more detailed process that combines both domains on the basis of a common process.
System Theoretic Process Analysis for safety and security (STPA-SafeSec) is a novel analysis methodology addressing the dependencies between security vulnerabilities and the overall system safety in a single framework. In , the overall approach is presented and evaluated against a power grid use case. It enables users to analyse specific cyber-physical systems with regard to safety and security, but currently lacks the possibility to quantify risks, which could be resolved by introducing already existing quantification methods . STPA-SafeSec contains two loops (system refinement and control analysis) aimed at the non-static nature of industrial systems and the internal complexity of modern systems with regard to technologies. It also provides a way to investigate safety and security jointly based on integrated definitions, such as constraints, hazardous scenarios, and hazard control actions. Additionally, the most critical system components are identified in order to propose mitigation strategies efficiently. STPA-SafeSec provides a well-designed approach to combining safety and security for cyber-physical systems, and also specifies a process to follow during practical implementation. Nevertheless, aligning safety-specific and security-specific characteristics to unified definitions increases the danger of losing domain-relevant information which could be important for the overall assessment of a system. Therefore, this work tries to further describe the common information base for safety and security in order to make the processes more efficient, while also taking into account the characteristics which represent an antagonism .
The FMVEA (Failure Mode, Vulnerabilities and Effects Analysis) method extends the FMEA (Failure Mode and Effect Analysis) used for safety analysis with an analysis of threat modes, so that information security is covered as well. For each component of the considered system, the potential failure modes (safety) and threat modes (security) and the resulting effects are identified. Further, for each failure mode a potential cause is identified, and for each threat mode a potential vulnerability and threat agent as well as the probability of occurrence. This process is repeated until all threat and failure modes of every component have been examined and all cause-effect chains are known. The method describes a well-structured procedure for examining the relevant attack possibilities and failure scenarios component by component in order to eliminate the corresponding causes. Nevertheless, according to the authors, the method is best suited to the early design phase, and multi-stage attacks may be overlooked. Also, the overall process of an analysis, including the information sources as well as mitigations and countermeasures, is not part of the method.
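The component-by-component worksheet described above, as an added illustration that is not part of the original paper or of the FMVEA authors' work. The data model (failure modes with cause and effect, threat modes with vulnerability, threat agent and effect, each with an estimated probability of occurrence), the helper names, and the small robot-cell worksheet with its probability values are all assumptions constructed for this example. Besides flattening the worksheet into cause-effect chains and ranking them, it also reports effects that are reachable from both a failure mode and a threat mode, and components for which no mode has been recorded yet, since the method requires every component to be examined before the cause-effect chains are complete.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FailureMode:
    """Safety side of the worksheet: cause -> failure mode -> effect."""
    mode: str
    cause: str
    effect: str
    probability: float  # estimated probability of occurrence (assumed value)


@dataclass
class ThreatMode:
    """Security side: vulnerability + threat agent -> threat mode -> effect."""
    mode: str
    vulnerability: str
    threat_agent: str
    effect: str
    probability: float


@dataclass
class Component:
    name: str
    failure_modes: List[FailureMode] = field(default_factory=list)
    threat_modes: List[ThreatMode] = field(default_factory=list)


def cause_effect_chains(components: List[Component]) -> List[Dict]:
    """Flatten the worksheet: one row per mode, each row a complete chain
    (origin -> mode -> effect) tagged with the domain it came from."""
    rows: List[Dict] = []
    for comp in components:
        for fm in comp.failure_modes:
            rows.append({"component": comp.name, "domain": "safety",
                         "mode": fm.mode, "origin": fm.cause, "agent": None,
                         "effect": fm.effect, "probability": fm.probability})
        for tm in comp.threat_modes:
            rows.append({"component": comp.name, "domain": "security",
                         "mode": tm.mode, "origin": tm.vulnerability,
                         "agent": tm.threat_agent, "effect": tm.effect,
                         "probability": tm.probability})
    return rows


def rank_by_probability(rows: List[Dict]) -> List[Dict]:
    """Most probable chains first, regardless of domain."""
    return sorted(rows, key=lambda r: r["probability"], reverse=True)


def shared_effects(rows: List[Dict]) -> List[str]:
    """Effects reachable through both a failure mode and a threat mode: the
    points where a safety measure and a security measure address the same hazard."""
    by_domain = {"safety": set(), "security": set()}
    for r in rows:
        by_domain[r["domain"]].add(r["effect"])
    return sorted(by_domain["safety"] & by_domain["security"])


def unexamined_components(components: List[Component]) -> List[str]:
    """Components with no recorded mode at all: the pass is not yet complete."""
    return [c.name for c in components
            if not c.failure_modes and not c.threat_modes]


# Constructed sample worksheet for a small robot cell; all values are illustrative.
CELL = [
    Component("light curtain", failure_modes=[
        FailureMode("receiver fails dark", "component ageing",
                    "unexpected stop of the cell", 0.02),
        FailureMode("receiver stuck at light", "optical contamination",
                    "intrusion into the cell not detected", 0.005),
    ]),
    Component("safety PLC", failure_modes=[
        FailureMode("output stuck at on", "relay contact welding",
                    "drive keeps running after stop request", 0.001),
    ], threat_modes=[
        ThreatMode("manipulated safety program", "unprotected engineering port",
                   "insider with plant network access",
                   "drive keeps running after stop request", 0.01),
    ]),
    Component("HMI panel", threat_modes=[
        ThreatMode("forged acknowledge command", "unauthenticated HMI protocol",
                   "attacker on the cell network",
                   "intrusion into the cell not detected", 0.008),
    ]),
    Component("fieldbus gateway"),  # not examined yet
]

if __name__ == "__main__":
    chains = cause_effect_chains(CELL)
    for r in rank_by_probability(chains):
        print(f"{r['probability']:.3f}  {r['domain']:<8} {r['component']:<16} "
              f"{r['origin']} -> {r['mode']} -> {r['effect']}")
    print("effects shared by both domains:", shared_effects(chains))
    print("components still unexamined:", unexamined_components(CELL))
```

The shared-effects list is the part a combined safety and security assessment is most interested in: where the same effect appears in both columns, a single mitigation can be evaluated from both perspectives, and the worksheet makes explicit which probabilities it has to reduce.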
The need for a combined process for safety and security is presented in  as well. In addition to the impact of security attacks on the safety of machinery, safety and security have similar objectives and scopes, namely preventing undesirable events and making systems more resilient. Thus, the different methodologies for analysing safety and security should stay separate, but need to be aligned as much as possible in order to increase the efficiency of the corresponding analyses. One presented approach is to define a shared objective, define a shared scope, and then analyse the risks from both perspectives . However, no specified process is provided yet. Another supportive overlap mentioned is the shared mindset of safety and security engineers, who both think in terms of risks and worst-case scenarios, which leads to mutual understanding. To further integrate the two domains now, it is not enough to find analogies between the lifecycles; the safety and security lifecycles need to be integrated to avoid them undermining each other . The aim should be one concrete step-by-step execution process. Therefore, the necessary inputs and outputs of each step need to be identified in order to create a combined process for safety and security .
It is therefore necessary to define the commonalities and antagonisms of safety and security with regard to mandatory information, data sources, and process steps. This work focuses on the risk assessment (identification, analysis and evaluation) during the operation phase and on the inherited information. In addition, the introduction of a common risk assessment process and the implementation of the resulting consequences are analysed and discussed.