Safety and security risk assessment in cyber-physical systems

The term cyber physical systems (CPS) refers to a new generation of systems with integrated computational and physical capabilities through computation, communication, and control. In the past decades, related techniques for CPS have been well studied and developed, and are widely applied in fields such as industrial automation, smart transportation, aerospace, environment monitoring, and smart grids. However, with the expansion of CPS complexity and the enhancement of system openness, most CPS become not only safety-critical but also security-critical, since they deeply involve both physical objects and computer networks. In the last decade, it is no longer rare to see safety incidents and security attacks happening in industries. Safety and security issues are increasingly converging on CPS, leading to new situations in which these two closely interdependent issues should now be considered together, rather than separately or in sequence. This paper reviews the existing approaches of risk assessment and management from the perspective of safety, security, and their integration. The comparisons of these approaches are summarised with their pros and cons before the technical gaps between the demand and the current situation of safety and security issues in CPS are identified.


Introduction
Cyber physical systems (CPS) are controllable, trusted, and extensible networked physical systems, which are further integrated with computation, communication, and control capabilities that can interact with humans through many new modalities. CPS are the foundation and core of 'Industry 4.0' and the 'Industrial Internet'. CPS are essentially Internet of things (IoT) systems, but they emphasise the characteristics of real-time monitoring and control. Industrial control systems (ICSs) are a typical kind of CPS in industrial environments. In the past, ICSs were considered isolated systems. With the growing demand for computing resources and automation, they are becoming more and more networked, and closely connected to computer systems. They involve not only different network-enabled hardware components such as sensors, actuators, and embedded systems, but also different collections of software systems for control and monitoring. With the expansion of CPS complexity and the enhancement of system openness, most CPS become not only safety-critical but also security-critical, since they deeply involve both physical objects and computer networks. In the last decade, it is no longer rare to see safety incidents and security attacks happening in industries. As a consequence, safety and security have become two particularly important aspects of CPS, which run through the entire life cycle of CPS including modelling, analysis, design, development, and maintenance.
ISA 99/IEC 62443 [1] states that risk assessment and management for a complete ICS should cover three parts: functional safety, physical safety, and cybersecurity. Safety includes physical safety and functional safety. Physical safety issues are caused by hazards including explosions, fires, floods, chemical spills, biochemical spills and releases, potential crashes of vehicles, etc. According to ISA 84/IEC 61511 [2], functional safety is aimed at protecting and monitoring devices against accidental failures or faults in order to achieve or maintain a safe state of the process. Security refers to cybersecurity. According to ISA 99, cybersecurity attempts to protect the cyber environment of the authorised users or organisation, including networks, devices, all software, processes, information in storage or transit, etc. A white paper on cyber-physical systems [3], published by the Ministry of Industry and Information Technology (MIIT), the Standardisation Administration of the People's Republic of China (SAC), the China Electronics Standardisation Institute and the China Cyber-Physical Systems Development Forum, states that cybersecurity focuses on solving the problems of information collection, processing, and sharing in a highly heterogeneous, large-scale, and collaborative autonomous network environment, while control safety focuses on system safety control and related issues within loosely coupled and openly interconnected networks. In general, safety is composed of physical safety, control safety, and functional safety.
The purpose of this paper is to make an overall assessment of the up-to-date research status of CPS with respect to safety, security, and their integration. The rest of the paper is organised as follows. Section 2 introduces typical safety risk assessment and management technologies in CPS. Section 3 introduces available security risk assessment and management technologies in CPS. Section 4 presents the approaches for integrating safety and security assessment. Section 5 discusses risk management standards and safety-related and security-related standards, and identifies the strengths and weaknesses among the features and functionality of the existing approaches. Finally, Section 6, as the conclusion, summarises the gaps in the existing countermeasures for safety and security integration, and presents some future directions for safety and security risk assessment in CPS.

Safety risk assessment in CPS
Risk assessment and management are very important for CPS. In the early days of CPS development, system designers usually paid more attention to safety issues [4]. Safety risks are caused by interactions between the environment and the CPS, within the CPS, and between the CPS and authorised users. Confidentiality, integrity, and availability, known as the CIA triad, represent the fundamental security objectives in CPS and IT systems [4,5,6]. Unlike in traditional IT systems, availability is the most important objective in CPS. Table 1 shows that these fundamental objectives are important for both CPS and IT systems, but their priorities are not the same [7,8]. Safety and availability are aimed at maintaining a safe state below a predefined and acceptable threshold.

Safety risk assessment standards
Safety is an important issue that affects the process industries. IEC 61508 [9] defines the safe failure fraction (SFF) and the safety integrity level (SIL) to express the degree to which a safety-related system is fail-safe, and it sets out a risk-based approach for deciding the SIL for systems performing safety functions. Whereas IEC 61508 is considered a basic safety standard applicable to all kinds of industries, the process industry has developed its own sector-specific standard, ISA 84/IEC 61511. IEC 61508 and ISA 84/IEC 61511 require the quantification of the achieved risk reduction, expressed as a SIL. The required SIL is based on a hazard and risk analysis, combined with risk acceptance criteria [10].

Safety risk assessment methods for CPS
Risk assessment and management focus on the identification of assets, the analysis of vulnerabilities, and the evaluation and measurement of possible damage. In general, risk assessment can be roughly divided into qualitative assessment and quantitative assessment. Qualitative assessment relies heavily on expert experience, while quantitative assessment can calculate the exact risk value of the system. Many safety risk assessment methodologies have been well developed for CPS so far; the following are some typical techniques illustrating the current state of the art in CPS safety.

Fault tree analysis:
Fault tree analysis (FTA) [11] is the earliest technique in safety risk assessment, and it is also a graphical technique widely used for hazard and risk assessment in CPS. The main goal of FTA is to present the possible normal and faulty events that can cause the top-level undesired event. A fault tree consists of the following components: nodes (undesired events in the system), gates (relations between nodes; AND or OR gates), and edges (the path of the undesired events through the system). Fig. 1 shows how to build a simple fault tree for the top undesired event 'fire' using AND gates and OR gates.

Failure modes and effects analysis:
Failure modes and effects analysis (FMEA) is a structured, team-based method for system safety analysis used to recognise, evaluate, and score potential failures and their effects. A failure mode refers to the way in which something might fail, and effects analysis is used to score the severity of the various failure modes. The risk priority number (RPN) is part of the quantitative analysis in FMEA; it is the product of the severity, the probability of occurrence, and the detection probability [13]. Grunske et al. [14] proposed 'probabilistic FMEA', an extension of the original FMEA, which helps safety engineers to identify whether a failure mode occurs with a probability higher than its tolerable hazard rate. FMEA is carried out in the early design phase of the system life cycle. FMEA is well explained in [15]. Fig. 2 depicts the steps of FMEA.

Hazard and operability methodology:
HAZard and OPerability (HAZOP) [16] methodology is a process hazard analysis (PHA) technique used worldwide for studying not only the hazards of a system but also its operability problems, by exploring the effects of any deviation from design conditions. This analysis technique can identify how a process deviates from its design intent and enters a fault or error state by identifying possible hazards and potential operational problems in facilities [17]. According to [18], the most common HAZOP analysis procedure consists of eight steps; the detailed procedure is described in Fig. 3.

Model-based engineering:
Model-based engineering (MBE) [19] is a method of developing behavioural models of real-time systems and analysing the models for requirement verification in order to ensure the safety of CPS. First, the procedure considers the system safety goals to determine a set of expected properties; then it extracts properties of the physical environment, the computing units and the cyber-physical interactions; and finally, it analyses the abstract model to evaluate the expected properties and verify the safety requirements.

Goal tree-success tree and master logic diagram:
The goal tree-success tree and master logic diagram (GTST-MLD) [20] is a function-based reliability and risk analysis framework. It consists of a goal tree (GT), a success tree (ST) and a master logic diagram (MLD). Fig. 4 conceptually describes the combined GTST-MLD model. In the framework, qualities are expressed as functions and goals, whereas objects and their relationships can be represented by STs and the MLD using Boolean, physical, and fuzzy logic. This model can represent complex physical systems in terms of logical, physical, and fuzzy relationships. Brissaud et al. [21] proposed a three-step model for reliability analysis, an extended GTST-MLD model that integrates faults and failures. In addition to the relationship between functions and structures, this model also represents the relationship between faults and failures. These relationships make it possible to assess the impact of faults or failures within the components or the functions.

System theoretic process analysis:
The traditional risk analysis techniques mentioned above are difficult to adapt to many software-intensive complex systems, so system theoretic process analysis (STPA) was proposed. STPA is a new hazard analysis technique based on the system-theoretic accident model and processes (STAMP), a new causality model built on control structures and developed by Leveson in [22]. When STAMP is applied, the system is treated as a hierarchical control structure. Interactions between the layers of the control structure enforce the required constraints on the behaviour of the components at the next lower layer, and these constraints can affect system behaviour. The operation at each layer of this control structure is based on a feedback control loop. STPA achieves its goal by identifying accident scenarios that contain not only the electro-mechanical components but also the entire accident process. It identifies not merely the hazards of a system but the causes of those hazards. The technique provides users with systematic guidance to achieve better results.

Security risk assessment in CPS
In the early design stages of CPS, security risk was not taken into account [4]. With the widespread application of CPS, data transmission is becoming more and more frequent, and security risk assessment and management is becoming an increasingly important issue in CPS. When CPS are hacked by unauthorised users or subjected to other malicious attacks, this could lead to the disclosure of important data and trigger a series of other major security issues. Security issues should be treated as being as important as safety issues in CPS. The security risk management frameworks/standards and the up-to-date security risk assessment approaches are reviewed in this section.

Security risk assessment standards
The NIST Special Publication (SP) 800-82 [4] provides a comprehensive cybersecurity approach for securing ICS while addressing their unique performance, reliability, and safety requirements, including implementation guidance for the NIST SP 800-53 controls. The Cybersecurity Framework (CSF) [23], which aims to improve the security of the nation's critical infrastructure against cyberattacks, sets out a risk-based approach for managing cybersecurity risk and reducing cybersecurity risks to critical infrastructure. ISA 99/IEC 62443 provides standards for analysing cyber risk and for specifying the design, installation, inspection, maintenance, and testing of cybersecurity countermeasures. IEC 62351 [24] is an industry standard aimed at improving security in power system control operations. The standard currently comprises 11 parts addressing security measures for authentication, integrity, confidentiality, and role-based access control.

Attack tree analysis:
Attack tree analysis (ATA) [25] is a technique widely used for security risk assessment. An attack tree presents the steps of the attack process in the form of a graph. It uses the same basic symbols as fault trees: nodes (representing attacks), gates (AND or OR gates), and edges (the path of attacks through the system). Building on attack trees, attack countermeasure trees (ACT) [26] take into account attacks as well as countermeasures in the form of detection mechanisms and mitigation techniques. The ACT analytic model allows users to comprehensively perform qualitative and probabilistic analysis of the security status of CPS.
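As an added, worked illustration of the fault tree formalism of the safety section and of the attack tree and attack countermeasure tree formalism described above (this code is not from the paper or from the cited works [11], [25], [26]), the following Python script evaluates AND/OR trees of either kind: it computes the top-event probability under an independence assumption and enumerates the minimal cut sets, the smallest combinations of basic events that are jointly sufficient for the top event. The 'fire' fault tree, the attack countermeasure tree, every probability, and the leaf model p * (1 - d * m) for an attack step with a countermeasure of detection probability d and mitigation probability m are constructed for this example and are assumptions, not values from the paper.

```python
from dataclasses import dataclass, field
from typing import List, Union

# Constructed example (not from the paper): a generic AND/OR tree evaluator used both as a
# fault tree (basic events are component faults) and as an attack countermeasure tree
# (basic events are attack steps, optionally paired with a detection/mitigation countermeasure).


@dataclass
class Event:
    name: str
    probability: float        # P(fault occurs) or P(attack step succeeds) with no countermeasure
    detection: float = 0.0    # P(countermeasure detects the step); 0 for fault-tree leaves
    mitigation: float = 0.0   # P(mitigation succeeds once detected); 0 for fault-tree leaves

    def effective_probability(self, with_countermeasures: bool = True) -> float:
        # Assumed ACT-style leaf model: a step succeeds unless it is both detected and mitigated.
        if not with_countermeasures:
            return self.probability
        return self.probability * (1.0 - self.detection * self.mitigation)


@dataclass
class Gate:
    name: str
    kind: str                 # "AND" or "OR"
    inputs: List[Union["Event", "Gate"]] = field(default_factory=list)


Node = Union[Event, Gate]


def probability(node: Node, with_countermeasures: bool = True) -> float:
    """Top-down probability of the node's event, assuming independent basic events."""
    if isinstance(node, Event):
        return node.effective_probability(with_countermeasures)
    child = [probability(c, with_countermeasures) for c in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in child:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in child:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of basic events that are jointly sufficient for the node's event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_child = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        candidates = [s for sets in per_child for s in sets]
    else:  # AND: every combination of one cut set per child, merged
        candidates = [frozenset()]
        for sets in per_child:
            candidates = [a | b for a in candidates for b in sets]
    minimal: List[frozenset] = []
    for s in sorted(set(candidates), key=len):
        if not any(m <= s for m in minimal):   # drop supersets of an existing cut set
            minimal.append(s)
    return minimal


# Constructed fault tree for the top event 'fire' (probabilities are illustrative).
FIRE = Gate("fire", "AND", [
    Gate("ignition source present", "OR", [
        Event("hot surface", 0.01),
        Event("electrical spark", 0.02),
    ]),
    Gate("flammable atmosphere", "AND", [
        Event("gas leak", 0.05),
        Event("ventilation failure", 0.10),
    ]),
])

# Constructed attack countermeasure tree for the goal 'alter PLC setpoint'.
ALTER_SETPOINT = Gate("alter PLC setpoint", "OR", [
    Gate("via engineering workstation", "AND", [
        Event("credential phishing", 0.30),
        Event("lateral move to HMI", 0.50, detection=0.80, mitigation=0.90),
    ]),
    Event("directly reachable PLC service", 0.10, detection=0.50, mitigation=0.50),
])


if __name__ == "__main__":
    print("P(fire) =", probability(FIRE))
    print("fire cut sets:", [sorted(s) for s in minimal_cut_sets(FIRE)])
    print("P(attack) without countermeasures =", probability(ALTER_SETPOINT, False))
    print("P(attack) with countermeasures    =", probability(ALTER_SETPOINT, True))
```

Running the script prints P(fire), its two cut sets, and the attack goal probability with and without the countermeasures, so the effect of detection and mitigation on the top event can be read off directly. Common-cause failures and dependent attack steps violate the independence assumption used here and call for the dynamic or Bayesian approaches reviewed later in the paper.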

Cyber physical security:
CYber physical security (CYPSec) solutions were proposed for pervasive health monitoring system security by Krishna et al. in [19]. They consider the properties of the computing components and the interaction of the components with the physical environment. CYPSec solutions are realised by combining traditional security primitives with environmental knowledge. The core of this approach is to utilise the monitoring capability of CPS to protect the system from threats. CYPSec solutions can make full use of the complex and dynamic characteristics of the physical environment to ensure CPS security.

STPA-sec:
STPA-sec [27] is an extension of STPA, described in Section 2.2.6, and a new cybersecurity analysis technique based on a functional control model. The basic process steps of STPA-sec analysis are similar to those of STPA: (i) identify threats and vulnerabilities; (ii) develop control units for the system; (iii) identify control operations that place the CPS in a dangerous state or cause information leakage; (iv) determine how the control actions perform under threats and disruptions. STPA-sec is applied on the basis of the same control loops as its safety counterpart, STPA. Based on the system-theoretic causality model, STPA-sec can be applied in the earlier stages of the design process and in situations where specific component data are unavailable. STPA-sec is currently used only in the security domain of CPS.

Traditional security technology:
Traditional security technologies of IT systems, such as firewalls and intrusion detection, are adapted to protect CPS security. CPS should adopt tailored firewalls that support real-time status detection and status analysis. Once unusual traffic or access is observed, filtering rules are dynamically generated to reduce workload and ensure security. The threats from CPS cyberspace are mostly unpredictable, irresistible, and untenable. Traditional reliability theory and fault-tolerant technology cannot completely prevent the system from failures or even crashes. Intrusion detection technology acknowledges the existence of system vulnerabilities and assumes that some vulnerabilities could be exploited by attackers aiming to destroy the system. Research on intrusion detection technology should pay more attention to how to reduce the losses of a damaged system and restore the target system to health as soon as possible.

Bayesian network approaches:
A unified risk assessment framework [28] was proposed for SCADA networks, which integrates attack trees, fault trees, and event trees to construct a Bayesian network (BN) model. Most quantitative security risk assessment (SRA) methods in CPS rely on expert experience and knowledge. This type of approach can adjust the model parameters from limited historical data by self-learning, and dynamically assess the risk of SCADA under known or unknown attacks. To deal with the lack of abundant historical data, a fuzzy probability BN (FPBN) approach was presented for dynamic cybersecurity risk assessment in industrial control systems (ICS) [29]. The complexity of the CPS network structure poses some problems for evaluating security, but a BN can easily describe the interdependencies between network components. In [29], the FPBN model is used to analyse and predict cybersecurity risk, and a fuzzy approximate dynamic inference algorithm is aimed at dynamically evaluating cybersecurity risk. The architecture of this approach is given in Fig. 5, and the FPBN approach is explained in detail in [29]. Zhang et al. [30] designed a novel multi-model-based incident prediction and dynamic cybersecurity risk assessment approach for industrial control systems; their method is also based on a multilevel Bayesian network. An asset-based dynamic impact assessment approach was presented in [31] for risk analysis in ICS. This approach consists of two parts: a dynamic and object-oriented asset model and a cyberattack impact propagation model. The asset model is constructed based on Petri nets (PNs), a graphical and mathematical modelling tool, and the cyberattack impact propagation model is built by integrating cyberattacks into the asset model, which makes it possible to deduce how cyberattacks spread.

Block-chain:
With the deepening integration between information technology and industrialisation, the security boundary of CPS is becoming blurred, the number of entities and the network scale are greatly increased, and security protection across the whole life cycle of CPS becomes more difficult. A co-governance strategy based on block-chain technology [32] has become a new hot area in security protection. Block-chain is a distributed peer-to-peer shared intelligent ledger technology based on cryptography; it provides fault tolerance for block-chain networks and maintains the integrity, consistency, authenticity, and non-repudiation of stored and transmitted data. Block-chain technology can be applied to identification, authentication, decentralised industrial site networks, industrial big data security, abnormal behaviour detection, and threat early warning in intelligent manufacturing. Currently, there are many defects in the interoperability and security standards of block-chain, and the technical cost is high as well. In block-chain-based SRA research, identifying new computing and storage structures and lightweight security methods forms a new research direction for security assurance in intelligent manufacturing CPS.

Integration of safety and security risk assessment in CPS
Safety and security share the same goal, which is protecting CPS from failing. There are four types of relationship between them, ranging from mutual reinforcement, conditional dependency, and independence to complete antagonism, in which the contradictions between security and safety are safety-critical to CPS. Weakening safety could enable malicious attackers and cause serious security incidents. On the other hand, a vulnerability in the CPS security protection could disable system functions and lead to degraded process performance, or even a disaster in operations. If safety and security can work well together, there will be a solid foundation for invincible CPS. Safety and security issues are increasingly converging on CPS, leading to new situations in which these two closely interdependent issues should now be considered together, rather than separately or in sequence.

Boolean logic-driven Markov processes
Boolean logic-driven Markov processes (BDMP) are a graphical modelling approach originally conceived for safety and reliability assessment [33]. The approach includes four types of events: basic events, safety events, security events, and instantaneous events. Two terms, MTTF and MTTS, are used in BDMP, where MTTF is the mean time to failure for safety events and MTTS is the mean time to success for security events. A BDMP model is built by associating the basic events with an estimate of the MTTF for safety events, the MTTS for security events, and the probability for instantaneous events. It provides good readability, hierarchical representation, and advanced quantitative capabilities by combining fault trees and Markov processes. Unlike static fault trees, BDMPs can model failure dynamically by means of a trigger. Fig. 6 shows a graphical representation of the BDMP formalism: the first part is the theoretical representation and the second is the more familiar representation, which is very close to a fault tree [34]. The trigger means that when the output of G1 (f1 or f2) is true (resp. false), the part of the system related to G2 (f3 or f4) is required (resp. not required). Triggered Markov processes (TMP) can be used to represent the transitions between the various states of every basic event. A TMP is depicted in Fig. 7; it comprises four states: S (standby), F1 (faulty during standby), W (working), and F2 (faulty during working). The detailed definition and basic properties of BDMP can be found in [35]. The BDMP approach has stronger analysis capabilities and is more suitable for real-time systems. The BDMP approach is also applied in the field of security, defending against attacks by modelling detection and response mechanisms [36]. The attack success rate is reduced whenever detection is in place. What the designer needs to do is to set the global options of the model by adding the detection rate and the post-detection implementation rate to the cybersecurity leaf nodes. In recent years, the BDMP approach has been used to create models for integrated safety and security risk analysis [37]. The qualitative and quantitative capabilities of BDMP provide a direction for studying the combination and interdependencies of safety and security risks [37,38].
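To make the trigger and the triggered Markov process concrete, here is an added Python example (not code from the paper or from [33]-[38]): a working unit whose failure plays the role of gate G1 and triggers a standby unit that moves through the states S, F1, W and F2 of Fig. 7. The script computes the mean time to system failure analytically, checks that value by Monte Carlo simulation of the sample paths, and, for a security leaf, computes the probability that an attack with a given MTTS succeeds before a detection process of a given rate fires. All rates, the absence of repair, and the exponential-race model for detection are assumptions made for this example; the specific detection and post-detection implementation rates of [36] are not reproduced.

```python
import math
import random
from typing import List, Tuple

# Constructed example (not from the paper or [33]-[38]): one working unit (its failure is gate G1)
# whose failure triggers a standby unit modelled as the triggered Markov process of Fig. 7 with
# states S (standby), F1 (faulty during standby), W (working) and F2 (faulty during working).
# All rates are assumed and expressed per hour; there is no repair in this model.
LAMBDA_WORKING_UNIT = 1.0 / 1000.0   # failure rate of the working unit (MTTF 1000 h)
LAMBDA_STANDBY = 1.0 / 5000.0        # S -> F1 rate of the standby unit while it is not required
LAMBDA_TRIGGERED = 1.0 / 500.0       # W -> F2 rate of the standby unit once the trigger fires


def analytic_mttf(lam_unit: float = LAMBDA_WORKING_UNIT, lam_s: float = LAMBDA_STANDBY,
                  lam_w: float = LAMBDA_TRIGGERED) -> float:
    """Mean time to system failure with a triggered standby and no repair.

    The working unit lasts 1/lam_unit on average. While it runs, the standby stays in S
    (rather than drifting to F1) with probability lam_unit / (lam_unit + lam_s); only in that
    case does the trigger start a working phase of mean length 1/lam_w.
    """
    p_standby_ok = lam_unit / (lam_unit + lam_s)
    return 1.0 / lam_unit + p_standby_ok / lam_w


def simulate_once(rng: random.Random, lam_unit: float, lam_s: float,
                  lam_w: float) -> Tuple[float, List[str]]:
    """One sample path: returns (system failure time, states visited by the standby unit)."""
    path = ["S"]
    t_trigger = rng.expovariate(lam_unit)                            # G1 becomes true here
    t_standby_fault = rng.expovariate(lam_s) if lam_s > 0 else math.inf
    if t_standby_fault < t_trigger:
        path.append("F1")            # latent standby fault: nothing is left to take over
        return t_trigger, path
    path.append("W")                 # trigger fires: the standby is now required and working
    t_fail = t_trigger + rng.expovariate(lam_w)
    path.append("F2")
    return t_fail, path


def monte_carlo_mttf(samples: int = 20000, seed: int = 7, lam_unit: float = LAMBDA_WORKING_UNIT,
                     lam_s: float = LAMBDA_STANDBY, lam_w: float = LAMBDA_TRIGGERED) -> float:
    """Average system failure time over many simulated paths (seeded for reproducibility)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(samples):
        t, _path = simulate_once(rng, lam_unit, lam_s, lam_w)
        total += t
    return total / samples


def attack_success_before_detection(mtts: float, detection_rate: float) -> float:
    """Security leaf: P(attack succeeds before detection) for exponential attack and detection times.

    The attacker's success rate is 1/MTTS; with a detection process of the given rate racing it,
    the attacker wins with probability (1/MTTS) / (1/MTTS + detection_rate). Assumed model.
    """
    lam_attack = 1.0 / mtts
    return lam_attack / (lam_attack + detection_rate)


if __name__ == "__main__":
    print("analytic MTTF (h):", round(analytic_mttf(), 1))
    print("Monte Carlo MTTF (h):", round(monte_carlo_mttf(), 1))
    print("attack success before detection:",
          attack_success_before_detection(mtts=100.0, detection_rate=0.03))
```

Setting LAMBDA_STANDBY to zero turns the standby into a cold spare and the MTTF becomes the plain sum of the two mean lifetimes; a non-zero standby rate is what the F1 state of the TMP captures, and the analytic formula shows exactly how much of the standby's benefit is lost to latent faults. For the security leaf, raising the detection rate lowers the attacker's win probability in the same race, which is the mechanism behind the statement that the attack success rate is reduced whenever detection is in place.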

STPA-SafeSec
STPA-sec [39], described in Section 3.2.3, assumes that security is only relevant through its impact on safety; it does not extend the causal relationship from the safety domain to the security domain, which is not conducive to analysing risk and limits the comparability of different analysis results, and furthermore it does not provide an integrated connection to the current well-established security analyses. Once a critical part of the CPS is identified, STPA-sec does not provide any guidance for security analysis. Taking into account both safety and security, STPA-SafeSec was proposed in [40]. It is an analysis methodology that integrates STPA and STPA-sec into one concise framework. STPA-SafeSec provides a unified analysis approach relying on a system refinement loop and a feedback control analysis loop. In the outer loop, the dynamic evolution characteristics of CPS are managed in an iterative manner, and the complexity of the system is managed in the inner loop. The detailed process is summarised in Fig. 8, where the green box represents the inner loop of the STPA-SafeSec analysis and the blue box indicates the outer loop.

Non-functional requirements
The non-functional requirements (NFRs) approach [41] is a systematic and pragmatic approach for specifying how the system works. It covers system quality attributes such as performance, availability, reliability, maintainability, security, and usability, and also considers functional objectives and system constraints. Thus, it can be used to assess whether CPS meet both safety requirements and security requirements. NFRs have been applied to evaluate the safety and security properties of a typical oil pipeline control SCADA system simultaneously [42]. The case study shows that the NFR approach is feasible for integrated analysis of safety and security in CPS.

Bayesian belief network
Bayesian belief networks (BBN) have been applied in the past two decades in industrial fields for decision-making, dealing with uncertainty, and risk assessment. A BBN [43] uses pre-defined likelihood estimates to quantitatively assess whether a CPS satisfies its safety requirements and security requirements, and whether it achieves its goals in both the safety and security domains. The likelihood estimates include failure rates of components and connections, possible accidents, etc.
Huang et al. [44] proposed a concise quantitative risk assessment framework for CPS, which is based on a BBN and a stochastic hybrid system (SHS) model. The BBN is used to model the attack propagation process in the cyber layer and to calculate the probability that system assets are compromised. The SHS model is used to quantify the risk by evaluating the system availability under attack. In particular, the method focuses on the risk of cyberattacks on the physical layer, referred to as cyber-to-physical (C2P) risk in [44]. The risk assessment framework proposed in that work is given in Fig. 9.
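As an added example serving both the Bayesian network approaches reviewed in the security section and the BBN cyber-layer attack propagation model of Huang et al. [44] (this is illustrative code, not the implementation of [28], [29] or [44]), the following Python script builds a four-node Bayesian network in which cyber-layer events propagate to a physical-process consequence. It computes the probability of a process upset by enumerating the joint assignments, computes the posterior probability that an attacker is present given an observed upset, and re-estimates one conditional probability from a handful of historical observations with Laplace smoothing, the simplest form of the parameter adjustment from limited data that the text mentions. The node names, conditional probabilities and observation counts are constructed assumptions.

```python
from itertools import product
from typing import Dict, List, Optional, Tuple

# Constructed example (not from the paper or [28]-[31], [44]): a small Bayesian network in which
# attack steps in the cyber layer propagate to a physical-process consequence. Every node is binary.
# Each entry is node -> (parent list, CPT); the CPT maps a tuple of parent values to P(node=True).
Network = Dict[str, Tuple[List[str], Dict[Tuple[bool, ...], float]]]

SCADA_NETWORK: Network = {
    "attacker_in_engineering_net": ([], {(): 0.20}),
    "hmi_compromised": (["attacker_in_engineering_net"], {(True,): 0.50, (False,): 0.01}),
    "plc_logic_altered": (["hmi_compromised"], {(True,): 0.40, (False,): 0.005}),
    "process_upset": (["plc_logic_altered"], {(True,): 0.80, (False,): 0.02}),
}


def joint_probability(assignment: Dict[str, bool], network: Network = SCADA_NETWORK) -> float:
    """Chain-rule product of the CPT entries for one full assignment of all nodes."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[parent] for parent in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def probability_true(query: str, evidence: Optional[Dict[str, bool]] = None,
                     network: Network = SCADA_NETWORK) -> float:
    """P(query=True | evidence) by enumerating every joint assignment (fine for small networks)."""
    evidence = evidence or {}
    nodes = list(network)
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue                      # inconsistent with the observed evidence
        p = joint_probability(assignment, network)
        denominator += p
        if assignment[query]:
            numerator += p
    return numerator / denominator


def update_cpt_from_history(network: Network, node: str, parent_values: Tuple[bool, ...],
                            occurrences: int, trials: int,
                            prior: Tuple[int, int] = (1, 1)) -> float:
    """Re-estimate one CPT entry from limited incident history with a Beta prior (Laplace smoothing).

    With (1, 1) the estimate is (occurrences + 1) / (trials + 2), which keeps a handful of
    observations from driving a probability to exactly 0 or 1.
    """
    alpha, beta = prior
    estimate = (occurrences + alpha) / (trials + alpha + beta)
    network[node][1][parent_values] = estimate
    return estimate


if __name__ == "__main__":
    print("P(process upset) =", probability_true("process_upset"))
    print("P(attacker present | process upset observed) =",
          probability_true("attacker_in_engineering_net", {"process_upset": True}))
    # Suppose 3 of 10 recorded HMI compromises went on to alter PLC logic: refresh that CPT entry.
    print("updated P(plc altered | hmi compromised) =",
          update_cpt_from_history(SCADA_NETWORK, "plc_logic_altered", (True,), 3, 10))
    print("P(process upset) after update =", probability_true("process_upset"))
```

The prior probability of an upset is small, but observing an upset raises the belief that an attacker is present from 0.20 to about 0.62, which is the kind of inference a dynamic risk assessment runs whenever new evidence arrives. Exhaustive enumeration is exponential in the number of nodes and is only appropriate for networks of this size; the cited works use dedicated inference algorithms for the larger models that real SCADA topologies produce.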

SSM and IFD integration approach
As described in Section 2.2.4, GTST-MLD [20] and the three-step model [21] are effective tools for the functional safety analysis of physical systems, but there are many vulnerabilities and threats in CPS beyond faults and failures. Sabaliauskaite et al. [45] proposed the six-step model (SSM) and information flow diagram (IFD) integration approach. The six-step model describes the relationships among the information exchanged between the various components. The details of these information flows can be captured by extended IFDs. The SSM and IFD integration approach can provide significant information on communication channel vulnerabilities and is helpful for selecting safety and security countermeasures. The integration of the SSM steps with the IFD phases is described in Fig. 10.

Other approaches
Sun et al. [46] proposed a general technical framework that can be used to detect conflicts between requirements in the security domain and the safety domain. To ease the conflict between these two domains, this approach allows safety and security requirements to be loosely coupled at the beginning of design, and provides automated tools to handle coupled requirements. Since conflicts between safety requirements and security requirements can make CPS unreliable, Gu et al. [47] proposed an integrated requirement analysis method for safety and security in CPS, which consists of two parts: a goal-based interdependent requirements extraction method and a severity-based requirement conflict resolution method, as shown in Fig. 11.

Discussion
Safety and security risk management in CPS is a very active research area, and a significant number of research works have been published in this area. In this section, we discuss risk assessment standards and summarise the existing risk assessment methods separately.

Risk management standards
There are widely accepted risk management standards such as ISO 31000 and IEC/ISO 31010. ISO 31000 [48] provides principles and generic guidelines for risk management activities, and also considers risk management as an integral part of the overall organisational processes, including strategic planning and management processes. IEC/ISO 31010 [49] is another recognised risk management standard; it is a supporting standard for ISO 31000 and provides guidance on the selection and application of systematic techniques for risk assessment. However, it is worth noting that neither IEC/ISO 31010 nor ISO 31000 deals specifically with safety and security. They are generic risk management standards, and any references to safety or security are purely informative. IEC 61508 and IEC 61511 are two of the more important international standards for safety-critical systems, and they are based upon a safety lifecycle. IEC 61508 and IEC 61511 state that safety risk assessment is carried out by performing independent reviews and technical safety audits at predefined stages of the safety life cycle. The major difference is that IEC 61511, which targets safety-critical systems in the process industry, provides guidelines for, and places responsibility on, the instrument users instead of their manufacturers.
The existing security standards that are considered for the risk management process include the NIST framework, the CSF, IEC 62443, and IEC 62351. NIST SP 800-82 presents typical ICS architectures and topologies, then discusses the main threats and vulnerabilities of these systems, and also provides security countermeasures to mitigate the risk associated with the ICS vulnerabilities and threats. So far, NIST SP 800-82 has been the most detailed and specific guideline for securing industrial control systems for security owners. The CSF provides a prioritised, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. IEC 62443 defines the security assurance level (SAL) in terms of four different levels, each with an increasing level of security. It is used to select CPS devices and countermeasures to be used within a zone and to identify and compare the security of zones in different organisations across industry segments [50]. The IEC 62443-3-x series is adopted by most ICS vendors, while IEC 62351 is only a specification of security mechanisms applicable to power systems.
In this section, we have presented a variety of safety-related and security-related standards for CPS, but there is no single comprehensive standard or norm that covers both safety and cybersecurity.

Risk assessment methods
CPS safety and security issues change from scenario to scenario. Therefore, there are many risk assessment approaches for CPS in different applications. Obviously, it is not convincing to directly compare the approaches used in these different applications. Instead, some differences among the features and functionalities of these existing approaches are discussed in this section. Table 2 provides a summary of some of the many existing approaches; the rows present the types of these methods and the columns present the methods compared.
FTA models complex failure modes within the system through the logical relationships between component failure modes, in probabilistic form. It is a qualitative and quantitative failure mode impact analysis; numerical values of reliability and safety can be computed even from incomplete system information. Developing the method for the first time is costly, and it is difficult to find all possible paths to an accident. FTA is a top-down, deductive method, while FMEA is a bottom-up, proactive and iterative analysis approach based on reliability theory. FMEA is carried out to alleviate late changes and to reduce future failures by collecting information and recording and tracking corrective actions. Although it can shorten the time and resource cost of system development, it still spends considerable time on tracking failures. It cannot take into consideration the relationships between different failed components; FMEA is limited to analysing a single cause of an impact. HAZOP is able to conduct comprehensive and systematic analysis and review of industrial processes. It analyses and predicts the consequences of pre-defined deviations from normal operation and provides targeted defence measures. Due to its dependence on expertise, the quality of the method's analysis and forecasting is not objective. In addition, the wide coverage of the analysis does not highlight the issues that the system should focus on. The interactions within a CPS are numerous and complex, and it is extremely difficult to cover all of them.
GTST-MLD is a goal-oriented system analysis method that can make full use of prior knowledge to identify hazards, decompose complex systems, and hierarchically represent the relationships between the various elements of the system according to reductionist principles. However, GTST-MLD focuses only on the desired interactions that support the system's goals and ignores undesired interactions. It does not adequately analyse CPS vulnerabilities, failures, and errors. STAMP highlights the concept of constraints: the CPS is kept in a safe state by imposing appropriate constraints on system behaviour. STAMP does not explain how to identify these constraints. Since the system control structure and its causal relationships are needed when STPA is applied, and these two key elements are clearly domain-specific, the process of modelling the system and identifying hazards is difficult, and the analyst needs a good understanding of the system.
The advantage of ATA is that an attack tree, as an independent module, can be filtered and integrated to build a larger attack tree. Like FTA, it requires experts with specific expertise to organise the tree. The attack tree contains only the attacks that are known to and considered by those experts; a broad understanding of the various types of attacks on the system helps to build a relatively complete tree. There are no standards for attack tree construction. At present, CPS in some applications have established a standard attack library, which weakens the inherent limitations of ATA to some extent. As a quantitative analysis method, ATA relies on the analysts' experience and on historical data. Similar to the security approaches of traditional IT systems, ATA does not take time into account when abstracting physical processes. CYPSec solutions rely on the physical environment to ensure security. If the physical environment is unattended, attackers can tamper with the physical environment and cause CYPSec to run abnormally.
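The FTA and ATA paragraphs above both rest on the same mechanics: AND/OR gates combined bottom-up, and the enumeration of the leaf combinations (minimal cut sets in FTA, minimal attack paths in ATA) that make the top event happen. The Python below is an added example written for this review, not code from the paper or from any cited work; the two fault trees, the attack tree, all event names, the probabilities and the attacker-cost figures are constructed assumptions. It shows the cut-set enumeration that the FTA text calls "finding all possible paths for an accident", and the caveat that bottom-up gate arithmetic is only exact when no basic event appears under two branches, which is exactly the "relationship between different failure components" issue raised above.

```python
from itertools import product
from typing import Dict, FrozenSet, Set, Tuple, Union

# A tree node is either a leaf name (basic event / attack step) or a gate dict.
Node = Union[str, dict]


def AND(*children: Node) -> dict:
    return {"gate": "AND", "children": list(children)}


def OR(*children: Node) -> dict:
    return {"gate": "OR", "children": list(children)}


def leaves(node: Node) -> Set[str]:
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(c) for c in node["children"]))


def evaluate(node: Node, state: Dict[str, bool]) -> bool:
    """Boolean value of the top event for one assignment of leaf states."""
    if isinstance(node, str):
        return state[node]
    results = [evaluate(c, state) for c in node["children"]]
    return all(results) if node["gate"] == "AND" else any(results)


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All minimal leaf sets whose joint occurrence triggers the top event
    (FTA: minimal cut sets; ATA: minimal attack paths)."""
    if isinstance(node, str):
        return {frozenset([node])}
    child_sets = [minimal_cut_sets(c) for c in node["children"]]
    if node["gate"] == "OR":
        sets = set().union(*child_sets)          # any child's cut set suffices
    else:
        sets = {frozenset().union(*combo)         # one cut set from every child
                for combo in product(*child_sets)}
    # keep only sets that contain no other (strictly smaller) cut set
    return {s for s in sets if not any(o < s for o in sets)}


def gate_probability(node: Node, p: Dict[str, float]) -> float:
    """Classic bottom-up gate arithmetic assuming independent basic events.
    Exact only when no leaf is shared between branches."""
    if isinstance(node, str):
        return p[node]
    child_p = [gate_probability(c, p) for c in node["children"]]
    out = 1.0
    if node["gate"] == "AND":
        for q in child_p:
            out *= q
        return out
    for q in child_p:
        out *= 1.0 - q
    return 1.0 - out


def exact_probability(node: Node, p: Dict[str, float]) -> float:
    """Exact top-event probability by enumerating every leaf assignment (2^n),
    which stays correct when the same basic event feeds several gates."""
    names = sorted(leaves(node))
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(node, state):
            w = 1.0
            for n in names:
                w *= p[n] if state[n] else 1.0 - p[n]
            total += w
    return total


def cheapest_attack_path(node: Node, cost: Dict[str, float]) -> Tuple[float, FrozenSet[str]]:
    """ATA metric: the minimal attack path with the lowest total attacker cost,
    i.e. where a defender gets the most from adding a control."""
    paths = minimal_cut_sets(node)
    return min((sum(cost[l] for l in s), s) for s in paths)


# Constructed fault tree (assumption, not from the paper): a tank overflow needs a
# lost level reading AND a failed last line of defence.
OVERFLOW = AND(OR("level_sensor_fails", "plc_logic_error"),
               OR("relief_valve_stuck", "operator_misses_alarm"))
FAILURE_P = {"level_sensor_fails": 0.01, "plc_logic_error": 0.005,
             "relief_valve_stuck": 0.02, "operator_misses_alarm": 0.1}

# Constructed tree with a shared basic event "A" under both branches.
SHARED = AND(OR("A", "B"), OR("A", "C"))
SHARED_P = {"A": 0.1, "B": 0.2, "C": 0.3}

# Constructed attack tree; costs are arbitrary analyst estimates (assumption).
SETPOINT_TAMPER = OR(AND("obtain_remote_access_credentials", "reach_control_network"),
                     AND("reach_plc_directly", "send_unauthorised_setpoint"))
ATTACK_COST = {"obtain_remote_access_credentials": 40, "reach_control_network": 20,
               "reach_plc_directly": 80, "send_unauthorised_setpoint": 10}

if __name__ == "__main__":
    print("overflow cut sets:", sorted(map(sorted, minimal_cut_sets(OVERFLOW))))
    print("P(overflow), gate arithmetic:", gate_probability(OVERFLOW, FAILURE_P))
    print("shared-leaf tree: gate arithmetic %.4f vs exact %.4f"
          % (gate_probability(SHARED, SHARED_P), exact_probability(SHARED, SHARED_P)))
    print("cheapest attack path:", cheapest_attack_path(SETPOINT_TAMPER, ATTACK_COST))
```

For the shared-leaf tree the gate arithmetic gives 0.1036 while the exact value is 0.154, because the top event reduces to "A or (B and C)" and the bottom-up product counts the shared event as if it were two independent ones. In a real assessment the same discrepancy appears whenever one component (a shared power supply, a common network switch) sits under several branches, which is why cut-set analysis rather than plain gate arithmetic is used for quantification.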
Fig. 9 Integration of BBN and SHS model [44]

228 IET Cyber-Phys. Syst

Fig. 11 Integrated requirement analysis method for safety and security in ICS [47]: (a) logic steps in extracting interdependent requirements, (b) basic steps for identifying and resolving conflicted requirements

Table 2 Summary of part of many existing approaches
Safety-oriented approaches: FTA [3,4], FMEA [5,6,7], HAZOP [8,9,10], GTST-MLD [12,13], STPA [14,15]
Security-oriented approaches: ATA [16,17], CYPSec [11], STPA-sec [15]
Integrated approaches: BDMPs [23,24,25,26,27,28], NFRs [31,32], BBN [33,34], STPA-SafeSec [29,30], SSM and IFD [35]
Quantitative risk assessment: (entries not recoverable)

STPA-sec is an extension of STPA, but considers only the security issue. STPA-SafeSec treats safety and security equally and performs a comprehensive analysis to get the best results. Compared with STPA-sec, it can extend the causality factors of the safety domain to the security domain, make the analysis relatively easy, and to some extent relax the limitation of comparing the risk analysis results of the two domains. STPA-SafeSec is not a simple overlap of STAMP and STPA-sec, but considers safety and security in a single framework. STPA-SafeSec can only be used to analyse the interdependence of safety and security of a specific CPS; it does not have the ability to quantify risk, but allows existing quantification methods to be introduced. BDMPs can derive quantitative and qualitative results for safety and security risk assessment, not just represent attack sequences. The dynamic properties of BDMPs satisfy the real-time characteristics of CPS, and their well-founded mathematical properties make the model clearer and more intuitive. However, because the evaluation of each node of a BDMP depends largely on the actual situation and on the assumed network structure, the quantitative results are not accurate. NFRs is a qualitative evaluation approach with which a system designer can conclude whether or not the system simultaneously achieves its safety and security requirements, and to what extent (good or bad). This approach has some drawbacks: when the system design is updated, some of the factors ensuring system quality change, so the NFRs analysis must be re-executed, which causes extra cost. BBN is a type of probabilistic graphical model that uses Bayesian inference to compute probabilities according to conditional dependence. BBN can capture the causal relationship between safety and security, not just derive specific numerical values for safety and security risk assessment.
Bayesian inference gives BBN the ability to assess risk under unknown threats and hazards. There is, however, an obvious challenge in building the BBN model. In addition, the BBN method requires a priori knowledge of a large number of attacks for network training, but limited historical data constrains the construction of the risk propagation model. BBN needs to be modified and improved on the basis of its original principles, or combined with other methods, to make up for this deficiency.
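To make the Bayesian inference step concrete, the following is an added example written for this review, not the model of the paper or of references [33,34]: a tiny BBN in which a security cause (an attack) and a safety cause (component wear) both feed a component fault, which can lead to a hazard, which in turn may raise an alarm. The network structure, the variable names and every conditional probability are constructed assumptions. Inference is done by full enumeration of the joint distribution, which is transparent and adequate for five Boolean nodes; real models use dedicated inference engines.

```python
from itertools import product
from typing import Dict, List

# Constructed network (assumption): Attack -> Fault <- Wear, Fault -> Hazard -> Alarm.
# PARENTS lists each variable's parents in topological order; CPT maps a tuple of
# parent states (same order) to P(variable = True).
PARENTS: Dict[str, List[str]] = {
    "Attack": [],
    "Wear": [],
    "Fault": ["Attack", "Wear"],
    "Hazard": ["Fault"],
    "Alarm": ["Hazard"],
}
CPT = {
    "Attack": {(): 0.05},                      # prior that an attack is under way
    "Wear": {(): 0.10},                        # prior that the component is worn
    "Fault": {(True, True): 0.95, (True, False): 0.70,
              (False, True): 0.30, (False, False): 0.01},
    "Hazard": {(True,): 0.40, (False,): 0.002},
    "Alarm": {(True,): 0.90, (False,): 0.05},  # detection rate / false-alarm rate
}


def local_probability(var: str, state: Dict[str, bool]) -> float:
    """P(var = state[var] | parents as given in state), read from the CPT."""
    key = tuple(state[p] for p in PARENTS[var])
    p_true = CPT[var][key]
    return p_true if state[var] else 1.0 - p_true


def joint(state: Dict[str, bool]) -> float:
    """Chain rule of a Bayesian network: product of the local probabilities."""
    w = 1.0
    for var in PARENTS:
        w *= local_probability(var, state)
    return w


def posterior(query: str, evidence: Dict[str, bool]) -> float:
    """P(query = True | evidence) by enumerating all consistent full assignments."""
    names = list(PARENTS)
    numerator = denominator = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        if any(state[k] != v for k, v in evidence.items()):
            continue
        w = joint(state)
        denominator += w
        if state[query]:
            numerator += w
    return numerator / denominator


def total_mass() -> float:
    """Sanity check: the joint distribution must sum to one."""
    names = list(PARENTS)
    return sum(joint(dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names)))


if __name__ == "__main__":
    print("P(Hazard)                 = %.4f" % posterior("Hazard", {}))
    print("P(Hazard | Alarm)         = %.4f" % posterior("Hazard", {"Alarm": True}))
    print("P(Attack | Alarm)         = %.4f" % posterior("Attack", {"Alarm": True}))
    print("P(Attack | Hazard)        = %.4f" % posterior("Attack", {"Hazard": True}))
    print("P(Attack | Hazard, Wear)  = %.4f" % posterior("Attack", {"Hazard": True, "Wear": True}))
```

With these made-up numbers an observed hazard raises the probability of an attack from the 5% prior to roughly 47%, and adding the evidence that the component is worn lowers it again, which is the kind of "explaining away" that lets a BBN separate an incident from a malicious cause when the conditional probabilities are trustworthy. That last condition is the practical limitation noted above: every CPT entry has to come from incident history or expert elicitation, and with scarce attack data the security-side entries are usually the least certain.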

Conclusion
It is fair to say that research on safety and security integration in CPS is still in its infancy and needs further improvement and supplementation. The gaps identified in the existing methodologies for integrated safety and security assessment are as follows.
(i) Lack of algorithms to resolve safety and security conflicts. The existing integrated approaches rarely provide qualitative or quantitative conflict resolution algorithms.
(ii) Lack of unified safety and security measurements. Safety risk assessment is generally based on SIL, while security risk assessment is generally based on SAL. These are difficult to apply to integrated risk analysis and assessment.
(iii) The existing intrusion-tolerant defence technologies need to reduce safety and security risks comprehensively by introducing a unified measure of information security and functional safety.
(iv) Most of the existing risk assessment approaches or frameworks are offline: they identify all system assets, find potential vulnerabilities, predict attack scenarios, and evaluate the probability that attack actions succeed. However, CPSs are real-time systems, so dynamic risk assessment and management methods need to be developed.
(v) Most of the research works are unable to distinguish risk caused by accidental incidents from risk caused by malicious attacks. Is that distinction really necessary, or should the two be combined from the system-theoretic analysis aspect?
In summary, safety control and security control are independent in most CPS. Because of the domain relevance of CPS, research on safety and security risk assessment may continue to focus on certain specific areas. Risk analysis, assessment, and defence are conducted separately from the two perspectives of traditional safety and the latest cybersecurity. Safety and security risk assessment should now be considered together, rather than separately or in sequence. The role of process engineers and control engineers in safety and security risk analysis needs to be strengthened. There are many gaps between the demands of CPS and the existing approaches to safety and security risk assessment. Therefore, this paper encourages researchers in the field to pay more attention to integrated risk assessment methods that take the perspectives of both safety and security in the future.

A CPS test bed provides a platform for conducting safety and security testing. A physical simulation platform is difficult to build and maintain, requiring a huge cost investment and a long development cycle. Although a software simulation platform is very flexible and low-cost, there is a certain gap between it and the actual system, and the reliability and authenticity of simulation tests are controversial. A semi-physical simulation platform uses simulation software to implement the physical processes while the monitoring layer uses real equipment, which is very flexible. As this research attracts more attention, the demand for CPS test beds grows, and CPS test beds may also be a very important future research direction.