Article: Comparison of risk assessment methods for Cyber-Physical systems
Nelson H. Carreras Guzman, Jin Zhang, Jing Xie, Jon Arne Glomsrud (2021): A Comparative Study of STPA-Extension and the UFoI-E Method for Safety and Security Co-analysis, Reliability Engineering & System Safety, https://doi.org/10.1016/j.ress.2021.107633 (online first)
Our latest article compares the UFoI-E Method developed at DTU RiskLab to the most advanced existing method with a similar focus: STPA-Extension.
Its a bit nerdy, but if stuff like this excites you, this is a very, very cool article.
Highlights
Cyber-physical systems are exposed to both safety and security risks
STPA-Extension and UFoI-E are systematic safety and security co-analysis methods
A framework to compare these methods evaluates completeness and effort required
For a similar effort, the relative completeness of each method varies in scope
A tailored combination of these methods leverages their particular strengths
Abstract
Emerging challenges in cyber-physical systems (CPSs) have been encouraging the development of safety and security co-analysis methods. These methods aim at mitigating the new risks associated with the convergence of safety-related systemic flaws and security-related cyber-attacks that have led to major losses in CPSs. Although several studies have reviewed existing safety and security co-analysis methods, only a few empirical studies have attempted to compare their strengths and limitations to guide risk analysis in practice. This paper bridges the gap between two novel safety and security co-analysis methods and their practical implementations. Namely, this paper compares a novel extension of the System-Theoretic Process Analysis (STPA-Extension) and the Uncontrolled Flows of Information and Energy (UFoI-E) method through a common case study. In our case study, the CPS under analysis is a conceptual autonomous ship. We conducted our comparative study as two independent teams to guarantee that the implementation of one method did not influence the other method. Furthermore, we developed a comparative framework that evaluates the relative completeness and the effort required in each analysis. Finally, we propose a tailored combination of these methods, exploiting their unique strengths to achieve more complete and cost-effective risk analysis results.