8:30-9:15 Registration
9:15 - 10:30 Session 1
9:15 Opening
9:30 Keynote: Peter Roelofsma. TBA
10:00 Lewis Cox, Manuel Maarek, Sophie Pinchinat and Didier Vojtisek. Nuclear Power Plant Modeling and Threat Analysis from a Cyber Security Perspective
Given both the increasing digitisation and necessity of Nuclear Power Plants (NPPs), their cyber security has never been more important. NPPs require specific cyber security approaches due to their complex and sensitive nature as a Cyber-Physical System (CPS). This paper reports on the modeling of NPPs for cyber security threat analysis based on the Stuxnet case study and established literature. We conducted the modeling and analysis using the risk and attacks analysis platform ATSyRA which provides languages to express new domain abstractions and goal description and automates model verification, reachability analysis and visualisations. In this paper, we present our general NPP modeling domain language, its application to the Stuxnet case study and discuss our abstraction and analysis approach.
10:30 - 11:00 Coffee Break
11:00 - 13:30 Session 2
11:00 Keynote: Sara Martínez Giner. TBA
11:30 Tobias Dörr, Nicolas Coppik and Steffen Lindner. Maturity of the Safety-Critical Rust Ecosystem in the Context of IEC 61508
The Rust programming language provides a promising foun dation for improving the security of embedded software systems, in particular by eliminating entire classes of memory-related vulnerabilities. However, its adoption in safety-critical domains, including industrial automation, is constrained by the need to comply with functional safety standards such as IEC 61508. To determine the extent to which this potential can already be leveraged, we evaluate the maturity of the Rust development ecosystem in the context of IEC 61508, focusing specifically on SIL 2 and SIL 3 requirements. We derive six high-level requirements from IEC 61508-3 and systematically map them to the current state of the Rust ecosystem, covering qualified compiler toolchains, coding standards, static analysis, pre-existing software, and coverage tooling. As part of this, we conduct an empirical study of the pre-certified standard library subset provided by the Ferrocene compiler toolchain. This study shows that of the 200 most widely downloaded Rust libraries, 93 are generally applicable to embedded systems without dynamic memory allocators, and 27 can already be built using a recent version of Ferrocene’s pre-certified library subset. Overall, our analysis suggests that only a few gaps remain for SIL 2 development, while considerably more work is required to support SIL 3 systems.
12:00 Jonas Franken, Theresa Backes and Christian Reuter. Mapping the Maps: Safety-Security Trade-offs in the Charting of Subsea Data Cables
Subsea data cables (SDCs) are increasingly framed and regulated as critical maritime infrastructures whose protection requires both operational safety and strategic security measures. While charting SDC routes can prevent accidental damage by fishing, anchoring, and offshore activities, public visibility may also expose sensitive spatial dependencies. This paper examines this tension through an empirical comparison of 20 publicly accessible digital maps depicting SDCs. Applying a codebook-based analysis, we assess how maps differ in route granularity, informational scope, interactivity, and contextualization. The findings show that SDC visibility is not governed by disclosure alone, but by cartographic choices that make infrastructure more or less precise, in terpretable, and actionable. We identify mapping practices ranging from public information and commercial infrastructure visualization to maritime safety awareness and security-oriented situational analysis. The paper contributes to safety-security research by showing and comparing how trade-offs between both goals are mediated through infrastructure representations such as digital maps in practice.
12:30 Thomas Faschang. Passive CAN Bus Eavesdropping via Electromagnetic Emissions and Neural Network Analysis
This paper presents a novel electromagnetic side-channel attack on the automotive Controller Area Network (CAN) bus using low cost hardware and deep learning. We demonstrate that a passive adversary equipped with a consumer-grade Software Defined Radio (SDR) and a near-field probe can capture electromagnetic emissions generated during CAN message transmission. These emissions, caused by physical layer effects such as ringing and overshoot, contain distinguishable patterns that correlate with the rising and falling edges of the transferred CAN messages. By applying a convolutional neural network to the captured EMI traces, we show that it is possible to classify CAN IDs with high accuracy, without physical contact or protocol-level access. Our experimental setup comprising an SDR, probe, and open-source software costs less than 100 EUR, making this attack vector highly accessible. The results highlight a critical vulnerability in automotive systems and underscore the need to consider physical-layer threats in vehicle cybersecurity.
13:00 Ashok Krishna, András Wippelhauser and László Bokor. Cybersecurity Implications on V2X Assisted Safe Cooperative Maneuvers
Road safety remains a major challenge for modern transportation systems. V2X communication promises to improve safety by enabling standardized, reliable, and low-latency information exchange among traffic participants, which is increasingly important for AD/ADAS and higher levels of vehicle automation. However, relying on data from remote and heterogeneous sources poses critical challenges in trust, data quality, and cybersecurity. In this position paper, we systematically examine the different aspects of how trust in V2X data is built, and present a qualitative analysis of implementation gaps in V2X-enabled vehicular functions, particularly those supporting highly automated cooperative maneuvers. We discuss the resulting cybersecurity and safety implications and argue for stronger trust management and misbehavior detection mechanisms to ensure the safe, secure, and trustworthy operation of cooperative functions that facilitate maneuver coordination.
13:30 - 14:30 Lunch Break
14:30 - 16:00 Session 3
14:30 Akira Takada, Kiyoshi Sasaki, Keishi Okamoto, Shuhei Yamashita, Fumiaki Kono, Toyokazu Ogasawara and Ryo Kurachi. An Integrated Design Specification Approach Using SCDL for the Co-Engineering of Functional Safety and Cybersecurity in Automotive Control Systems
In the development of automotive control systems, simultaneous compliance with ISO 26262 (functional safety) and ISO/SAE 21434 (cybersecurity) has become essential. However, the difference in the granularity of design information between these two domains poses a significant challenge for practical co-engineering during the early development phases. This paper proposes a "Functional Concept (FC)-wise approach" that integrates safety and security requirements using SCDL (Safety Concept Description Language). A key feature of this approach is that it utilizes the existing syntax of SCDL without any language extensions. Instead, it synchronizes the granularity of security requirements with the hierarchical levels of the Layer Phase Model (LPM) used in safety analysis. This alignment enables the visualization of mutual influences and trade-offs between safety and security on a unified archi tectural representation. The proposed method was validated through a case study of an automotive control system. The results demonstrate that streamlining design information through SCDL facilitates smoother communication between safety and security engineers and ensures a consistent, integrated design process.
15:00 Stefano M. Nicoletti. A Unified Architecture for Risk Reasoning: Bridging Ontologies, Theorem Proving, and Model Checking
Formal risk analysis for complex systems is fragmented across heterogeneous standard models – including fault trees, attack trees, and Bayesian networks – each with distinct semantics and verification techniques. This fragmentation hinders interoperability, compositional reasoning, and the integration of formal guarantees for complex systems, where safety and security intersect and interact. In this vision paper, we design a high-level framework for a unified architectural approach to safety-(cyber)security risk verification based on three pillars: (i) ontology grounded semantics ensuring a shared conceptual foundation, (ii) deductive verification via interactive theorem proving, enabling compositional and explainable reasoning, and (iii) integration with model checking techniques for automation of (quantitative) analysis. The key insight is the integration of deductive and automatic reasoning about risk, where model checking is used as a scoped external oracle within proof development: interoperability is guaranteed via an ontology that builds shared semantics. In this architecture, classical risk models emerge as fragments of a unified language, rather than being treated as stand-alone artifacts. This yields a semantically robust, hybrid risk reasoning workflow, combining proof and automation. We argue that this approach provides a principled foundation for unified, rigorous, explainable, and scalable safety-(cyber)security risk analysis of complex systems.
15:30 Nida Zeeshan, Naghmeh Moradpoor and Luigi Laspada. Observer-Aware Runtime Exposure Mitigation for Mobile Edge Devices
Mobile authentication systems typically verify identity only at login, leaving active sessions vulnerable to post-authentication exposure and opportunistic observation attacks. This paper presents an observer-aware runtime session protection framework for mobile edge devices that combines lightweight facial verification with adaptive contextual exposure monitoring. The proposed framework integrates Siamese neu ral network–based facial verification, gaze consistency analysis, multi-face observer detection, and runtime contextual variation monitoring within an event-driven on-device architecture using session-bound cancellable embeddings. Unlike conventional continuous authentication approaches that focus primarily on identity persistence, the proposed framework models runtime exposure as a contextual risk problem and dynamically regulates session continuity according to sustained observer-related conditions. The framework was trained using the Labelled Faces in the Wild (LFW) dataset and deployed on an Apple iPhone 16 Pro for real-time evaluation. Experimental results across 240 controlled authentication trials achieved 95.4% verification accuracy with a median runtime latency of 42 ms and low energy overhead during continuous operation. Controlled observer-presence experiments demonstrated that adaptive runtime monitoring reduced successful shoulder-surfing session continuation from approximately 17% to 3%. These results demonstrate the practical feasibility of observer-aware runtime exposure mitigation using fully on-device mobile edge processing.
16:00 - 16:30 Coffee break
16:30-18:00 Interactive session