• 9:00 - 10:30 Session 1

    • 9:00 Opening

    • 9:30 Pieter van Gelder (Delft University of Technology). Bayesian network model to distinguish between intentional attacks and accidental technical failure

    • 10:00 Stefano Nicoletti (University of Twente). Model-based Safety and Security Co-analysis: a Survey.

In this talk we present our survey of the state-of-the-art on model-based formalisms for safety and security co-analysis, where safety refers to the absence of unintended failures, and security refers to the absence of malicious attacks. We consider fourteen model-based formalisms, comparing their modeling principles, the interaction between safety and security that they can capture, and analysis methods they offer. In each formalism, we model the classical Locked Door Example where possible. In addition, we compare the formalisms according to their modeling expressiveness and we report on relevant findings.

  • 10:30 - 11:00 Coffee break

  • 11:00 - 12:30 Session 2

    • 11:00 Alexander Egyed (Johannes Kepler University Linz). A Systematic Mapping Study on Model-driven Engineering of Safety and Security in Software Systems

This talk presents key findings of a systematic mapping study on the model-driven engineering of safety and security concerns in software systems. Combined modeling and development of both safety and security concerns is an emerging field of research as both concerns affect one another in unique ways. Our mapping study provides an overview based on 143 publications and covers questions such as frequently used methods, tools and development stages where these concerns are typically investigated in application domains.

    • 11:30 Marc Bouissou (Electricité de France). Safety and security combined modeling: a knowledge-based approach

We present a framework for safety and security joint risk analysis for industrial control systems. S-cube (for SCADA Safety and Security joint modeling) is a new model-based approach that enables, thanks to a knowledge base, formal modeling of the physical and functional architecture of cyber physical systems and automatic generation of a qualitative and quantitative analysis encompassing safety risks (accidental) and security risks (malicious). We first give the principle and rationale of S-cube then we illustrate its inputs and outputs on a case study. S-cube is an application of the set of tools based on the Figaro modeling language that EDF has been developing since 1990.

    • 12:00 Uwe Becker (Drägerwerk). Increasing IoT Security by Supply Power Measurement

IoT devices are pervasive and provide valuable data in many aspects of life. Especially in the medical devices domain, people rely on the information provided by these devices. Medical IoT (MIoT) devices are of great interest to attackers and often easily fall victim to them. Attacks on MIoT devices can lead to injury or death of patients. The talk will use a small SensorPatch as an example device to show how power supply monitoring works and how it can help to detect attacks and unexpected tasks on the device. It will be demonstrated that the method is both easy to implement and only requires very few resources. It can act as an inexpensive early warning system.

  • 12:30 - 13:30 Lunch

  • 13:30 - 15:00 Session 3

    • 13:30 Ioana Boureanu (University of Surrey). Formal Verification of the Security and Privacy of Software Updates in Cars

In this talk, we look at the standard called Uptane, which aims to secure software updates in automobiles, i.e., to best protect over-the-air software updates of ECUs from malicious adversaries. See We focus on Uptane 2.0. In Tamarin, which is a protocol prover in the Dolev-Yao model, we encode all parties specified in the standard as well as the various threat models formulated therein. In these settings, verify several security as well as privacy properties, aligned to what the standard imposes. This is work in progress, in collaboration with Dr Steve Wesemeyer and Dr Fortunat Rajaona (University of Surrey, UK) and Thales, UK.

    • 14:00 Georg Macher (Graz University of Technology). Dependability engineering for autonomous CPSoS

This talk focuses on domain-specific dependability aspects for autonomous CPSoS approaches. To that aim, architectural design patterns to support dependability engineering of CPSoS and methods for dependable runtime adaptation and AI-based architectures will be discussed. Specifically, this will involve engineering methods for the automotive domain for safety and cybersecurity engineering. Also, mechanisms for providing trust measurements of AI-based CPSoS will be mentioned, as well as SW patterns to support these mechanisms. Contrary to this, also the viewpoint of ensuring CPSoS dependability via applying an AI-based algorithm will be discussed. The concluding part will focus on dependability engineering methods for cloud service integration for conventional and AI-based systems.

    • 14:30 Luca Arnaboldi and David Aspinall (University of Edinburgh). Toward Interdependent Safety-Security Assessments using Bowties

We present a way to combine security and safety assessments using Bowtie Diagrams. Bowties model both the causes leading up to a central failure event and consequences which arise from that event, as well as barriers which impede events. Bowties have previously been used separately for security and safety assessments, but we suggest that a unified treatment in a single model can elegantly capture safety-security interdependencies of several kinds. We showcase our approach with the example of the October 2021 Facebook DNS shutdown, examining the chains of events and the interplay between the security and safety barriers which caused the outage.

  • 15:00 - 15:30 Coffee break

  • 15:30 - 17:00 Session 4

    • 15:30 Christoph Schmittner (Austrian Institute of Technology). The approaches and increasing convergence regarding safety and security in the automotive domain

New regulations and standards in the automotive domain on software updates, cybersecurity, connected and automated driving are to a large degree motivated by the need for safe and trustworthy road vehicles. This talk will give an overview on the current status and on the connections between regulations and standard regarding safety and security.

    • 16:00 Interactive Session