A STAMP-based ontology approach to support safety and security analyses

2019 
Abstract

Considering safety and security at an early stage of the system life cycle is essential to collect and prioritize operational needs, determine the feasibility of the desired system, and identify technology gaps. Experts from many disciplines are needed to perform the safety and security analyses that ensure a system has the necessary attributes. Safety assessment is usually conducted in the concept stage. Security assessment, on the other hand, is usually performed in the design stage, once an initial architecture along with its logical and physical components has been defined. Systems-Theoretic Process Analysis (STPA) is a new hazard analysis technique based on systems thinking; it is built on a causality model of accidents grounded in systems theory, the Systems-Theoretic Accident Model and Processes (STAMP). STPA for Security (STPA-Sec) is an extension of STPA that brings security concerns into the analysis. STPA-Sec helps identify hazardous control actions, causal scenarios, and causal factors; however, it places no emphasis on security threat scenarios. In this paper we propose an ontology-based technique that extends STPA-Sec to improve the identification of causal scenarios and their associated causal factors, specifically those related to security. The approach assists safety and security experts conducting safety and security analyses with STPA-Sec by means of a supporting ontology. First, we present an ontology that represents the safety and security knowledge produced throughout the STPA-Sec process, and provide a tool that implements it. We then propose a process for capturing safety and security knowledge in the ontology in order to identify causal scenarios. We perform a preliminary evaluation of the ontology and the process on an aeronautic case study.
The results show that the ontology-based approach helps systems engineers identify more security scenarios than STPA-Sec alone. Furthermore, some hazardous control actions are left unaddressed when the systems engineer uses only the basic STPA-Sec.
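As an added illustration, not the paper's ontology or tool, the following Python sketch models the STPA-Sec artifacts the abstract names (hazards, hazardous control actions, causal scenarios and causal factors) as a small in-memory knowledge base and runs the kind of coverage query an ontology-backed tool can answer: which hazardous control actions have no causal scenario carrying a security-related factor, and which declared hazards no control action is linked to. The class names, the safety/security tagging of factors and the autopilot sample data are assumptions for illustration and are not taken from the paper's aeronautic case study; the four unsafe-control-action types are the standard STPA categories.

```python
"""Toy STPA-Sec knowledge base with a security-coverage check.

Added example; not the paper's ontology or tool. The class names, the
safety/security tagging and the autopilot sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class UCAType(Enum):
    """The four ways a control action can be unsafe (standard STPA categories)."""
    NOT_PROVIDED = "not provided when needed"
    PROVIDED = "provided when it leads to a hazard"
    WRONG_TIMING = "provided too early, too late, or out of order"
    WRONG_DURATION = "stopped too soon or applied too long"


class FactorKind(Enum):
    SAFETY = "safety"        # e.g. sensor failure, flawed process model
    SECURITY = "security"    # e.g. spoofed feedback, injected command


@dataclass(frozen=True)
class CausalFactor:
    description: str
    kind: FactorKind


@dataclass
class CausalScenario:
    description: str
    factors: list[CausalFactor]

    def has_security_factor(self) -> bool:
        return any(f.kind is FactorKind.SECURITY for f in self.factors)


@dataclass
class HazardousControlAction:
    control_action: str
    uca_type: UCAType
    hazards: list[str]                      # ids of hazards this HCA can lead to
    scenarios: list[CausalScenario] = field(default_factory=list)


@dataclass
class Ontology:
    hazards: dict[str, str]                 # hazard id -> description
    hcas: list[HazardousControlAction]

    def validate(self) -> list[tuple[str, str]]:
        """(control action, hazard id) pairs that reference an undeclared hazard."""
        return [(h.control_action, hz) for h in self.hcas
                for hz in h.hazards if hz not in self.hazards]

    def uncovered_by_security(self) -> list[HazardousControlAction]:
        """HCAs for which no causal scenario names a security factor."""
        return [h for h in self.hcas
                if not any(s.has_security_factor() for s in h.scenarios)]

    def unlinked_hazards(self) -> list[str]:
        """Declared hazards that no HCA traces to: a completeness gap."""
        linked = {hz for h in self.hcas for hz in h.hazards}
        return sorted(set(self.hazards) - linked)


def build_sample() -> Ontology:
    """Constructed autopilot fragment (assumed data, not the paper's case study)."""
    stale_alt = CausalFactor("Altitude feedback stale; controller's process model wrong",
                             FactorKind.SAFETY)
    spoofed_target = CausalFactor("Altitude target injected over an unauthenticated avionics bus",
                                  FactorKind.SECURITY)
    mode_confusion = CausalFactor("Crew unaware autopilot has dropped out of the mode",
                                  FactorKind.SAFETY)
    return Ontology(
        hazards={
            "H1": "Aircraft violates minimum separation",
            "H2": "Aircraft leaves the safe flight envelope",
            "H3": "Loss of controlled flight",        # deliberately left unlinked
        },
        hcas=[
            HazardousControlAction(
                "Autopilot commands altitude change", UCAType.PROVIDED, ["H1"],
                [CausalScenario("Climb commanded on stale altitude data", [stale_alt]),
                 CausalScenario("Climb commanded on attacker-supplied target", [spoofed_target])]),
            HazardousControlAction(
                "Autopilot disengages", UCAType.WRONG_TIMING, ["H2"],
                [CausalScenario("Unannunciated disengagement in turbulence", [mode_confusion])]),
        ],
    )


if __name__ == "__main__":
    onto = build_sample()
    print("dangling hazard refs:", onto.validate())
    for h in onto.uncovered_by_security():
        print(f"no security scenario: {h.control_action} ({h.uca_type.value})")
    print("hazards no HCA traces to:", onto.unlinked_hazards())
```

Running the block reports that "Autopilot disengages" has only a safety scenario and that H3 is declared but never traced to a control action; both are the kind of gap the abstract says a plain STPA-Sec pass can leave behind, and both fall out of simple queries once the analysis is held in a structured model rather than in tables.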