Limitation and Improvement of STPA-Sec for Safety and Security Co-analysis

  • Christoph Schmittner
  • Zhendong Ma
  • Peter Puschner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9923)


Safety-critical Cyber-physical Systems (CPS) in vehicles are becoming more and more complex and interconnected. There is a pressing need for holistic approaches to safety and security analysis to address the resulting challenges. System-Theoretic Process Analysis (STPA) is a top-down safety hazard analysis method, based on systems theory, that is especially aimed at such systems. In contrast to established approaches, hazards are treated as a control problem rather than a reliability problem. STPA-Sec extends this approach to also include security analysis. However, when we applied STPA-Sec to a real-world use case for joint safety and security analysis, a Battery Management System for a hybrid vehicle, we observed several limitations of the security extension. We propose improvements to address these limitations for a combined safety and security analysis. Our improvements lead to a better identification of high-level security scenarios. We evaluate the feasibility of the improved co-analysis method on a self-optimizing battery management system. We also discuss the general applicability of STPA-Sec to high-level safety and security analysis and its relation to automotive cybersecurity standards.


Keywords: Cyber-physical systems, Safety and security co-analysis, STAMP, STPA-Sec, Automotive cybersecurity



This work is partially supported by EU ARTEMIS project AMASS (contract no. 692474) and Austrian Research Promotion Agency FFG on behalf of Austrian Federal Ministry of Transport, Innovation and Technology BMVIT.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Christoph Schmittner (1)
  • Zhendong Ma (1)
  • Peter Puschner (2)
  1. Department of Digital Safety and Security, AIT Austrian Institute of Technology, Vienna, Austria
  2. Department of Computer Engineering, Vienna University of Technology, Vienna, Austria
