Limitation and Improvement of STPA-Sec for Safety and Security Co-analysis

  • Christoph Schmittner
  • Zhendong Ma
  • Peter Puschner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9923)


Safety-critical Cyber-physical Systems (CPS) in vehicles are becoming more and more complex and interconnected. There is a pressing need for holistic approaches to safety and security analysis that address these challenges. System-Theoretic Process Analysis (STPA) is a top-down safety hazard analysis method, based on systems theory and aimed especially at such systems. In contrast to established approaches, hazards are treated as a control problem rather than a reliability problem. STPA-Sec extends this approach to also include security analysis. However, when we applied STPA-Sec to a real-world use case for joint safety and security analysis, a Battery Management System for a hybrid vehicle, we observed several limitations of the security extension. We propose improvements that address these limitations for a combined safety and security analysis. Our improvements lead to a better identification of high-level security scenarios. We evaluate the feasibility of the improved co-analysis method on a self-optimizing battery management system. We also discuss the general applicability of STPA-Sec to high-level safety and security analysis and its relation to automotive cybersecurity standards.


Keywords: Cyber-physical systems; Safety and security co-analysis; STAMP; STPA-Sec; Automotive cybersecurity



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Christoph Schmittner (1)
  • Zhendong Ma (1)
  • Peter Puschner (2)
  1. Department of Digital Safety and Security, AIT Austrian Institute of Technology, Vienna, Austria
  2. Department of Computer Engineering, Vienna University of Technology, Vienna, Austria
