Inadequate Risk Analysis Might Jeopardize The Functional Safety of Modern Systems

Notice: This research summary and analysis were automatically generated using AI technology. For authoritative details, refer to the original arXiv paper.

In the early 90s, researchers began to focus on security as an important property to address in combination with safety. Over the years, researchers have proposed approaches to harmonize activities within the safety and security disciplines. Despite the academic efforts to identify interdependencies and to propose combined approaches for safety and security, there is still a lack of integration between safety and security practices in the industrial context, as they have separate standards and independent processes often addressed and assessed by different organizational teams and authorities. Specifically, security concerns are generally not covered in any detail in safety standards, potentially resulting in successfully safety-certified systems that are still open to security threats, e.g., malicious intent of internal and external personnel or hackers, that may jeopardize safety. In recent years security has again received increasing attention as an important issue also in safety assurance, as the open, interconnected nature of emerging systems makes them susceptible to security threats to a much higher degree than existing, more confined products. This article presents initial ideas on how to extend safety work to include aspects of security during the context establishment and initial risk assessment procedures. The ambition of our proposal is to improve safety and increase the efficiency and effectiveness of the safety work within the frames of the current safety standards, i.e., raised security awareness in compliance with the current safety standards. We believe that our proposal is useful to raise the security awareness in industrial contexts, although it is not a complete harmonization of the safety and security disciplines, as it merely provides applicable guidance to increase security awareness in a safety context.


💡 Research Summary

The paper addresses a critical gap in modern industrial practice: safety standards such as IEC 61508, ISO 26262, EN 50126, and IEC 62061 focus on failures and foreseeable misuse, but they largely ignore intentional malicious actions that arise from cyber‑security threats. Consequently, a system can be “safety‑certified” yet remain vulnerable to hacking, sabotage, or other hostile activities that can directly cause hazardous situations. The authors argue that this separation of safety and security disciplines—different standards, different organizational teams, and separate certification authorities—poses a systemic risk, especially as more safety‑critical products become network‑connected (e.g., modern cars, industrial robots, medical devices).

To bridge the gap without demanding a wholesale rewrite of existing safety standards, the authors propose a pragmatic extension of the safety risk‑analysis workflow that incorporates security considerations. The approach is illustrated by aligning IEC 62061 (Safety of Machinery) with ISA/IEC 62443 (Industrial Automation and Control Systems Security). The methodology consists of four tightly coupled steps:

  1. Extended System Definition – The traditional safety‑oriented system boundary is broadened to explicitly include actors (internal staff, contractors, hackers, terrorists, etc.) and assets/interfaces (fieldbuses, USB ports, wireless links, cloud services, infotainment interfaces, etc.). This requires a joint effort between safety engineers and security specialists to capture a more realistic “attack surface.”

  2. Extended Hazard Analysis – Conventional hazard analysis techniques (FMEA, Fault Tree, Event Tree) are supplemented with security threat‑modeling methods (attack trees, STRIDE) and adversary‑technique catalogues such as MITRE ATT&CK. The result is a unified hazard list that contains both failure‑induced hazards and security‑induced hazards (e.g., unauthorized remote start of a machine, malicious firmware injection). The practical difference is that the likelihood of a security‑induced hazard is driven by exposure of an interface and attacker capability rather than by component failure rates, so failure‑rate arguments do not transfer to it unchanged.

  3. Unified Risk Classification & Mitigation Planning – All identified hazards, regardless of origin, are classified using the safety‑standard risk‑assessment scheme (SIL, ASIL, PL, etc.). This ensures that the product can still be certified under the existing safety standard while acknowledging security‑derived risks. Mitigation measures are then selected from either the safety domain (redundancy, fail‑safe design) or the security domain (authentication, network segmentation, patch management), or a combination thereof. The authors stress the importance of documenting the origin of each hazard to justify the chosen mitigation path.

  4. Assessment of Mitigations – The final step evaluates whether the selected mitigations satisfy the safety standard’s rigor. When a security‑driven mitigation is used, the authors propose a translation process that maps security controls onto safety‑level evidence (e.g., arguing that network segmentation or authentication lowers the likelihood of a security‑induced hazard enough to meet the target derived from the safety scheme). The safety standards define no such equivalence themselves: a security control is not a safety function and carries no SIL, so the argument (which risk parameter the control lowers, and why an attacker cannot simply bypass it) has to be made and documented explicitly in the safety case.
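The four steps above amount to a single workflow: one hazard register, one risk‑classification scheme, mitigations from either domain, and a re‑assessment that records where each hazard came from. The following Python is an added example written for this summary; it is not code from the paper. It assumes an IEC 62061‑style Se/Fr/Pr/Av scheme and encodes the class‑to‑SIL matrix as the author of this example reads Annex A of that standard (treat the table as an assumption and verify it against the edition you certify to). The rule that a security control lowers the Pr parameter of a security‑induced hazard, the hazard data, and the measure names are all constructed for illustration.

```python
"""Unified hazard register with one risk-classification scheme.

Added example, not code from the paper.  Failure-induced and security-induced
hazards share one register, are classified with the same Se/Fr/Pr/Av scheme,
receive measures from either domain, and are re-assessed with the origin of
each hazard kept in the record.  The SIL matrix below is an ASSUMPTION based on
the author's reading of IEC 62061 Annex A; verify before use.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Origin(Enum):
    FAILURE = "failure"    # random/systematic failure, foreseeable misuse
    SECURITY = "security"  # intentional, malicious action


@dataclass(frozen=True)
class Measure:
    name: str
    domain: str                   # "safety" or "security"
    lowers: Optional[str] = None  # risk parameter it reduces ("fr", "pr", "av")
    to: int = 0                   # new value of that parameter after the measure
    # A safety function (domain="safety", lowers=None) does not change the
    # estimate; it is the function that must achieve the residual target.


@dataclass
class Hazard:
    hid: str
    description: str
    origin: Origin
    se: int  # severity: 1 (reversible, first aid) .. 4 (death, loss of eye/arm)
    fr: int  # frequency/duration of exposure: 2 (rare) .. 5 (hourly)
    pr: int  # probability of the hazardous event: 1 (negligible) .. 5 (very high)
    av: int  # possibility of avoiding harm: 1 (likely), 3 (possible), 5 (impossible)
    measures: list = field(default_factory=list)


# Row = severity, column = class band.  "OM" = other measures recommended,
# None = no requirement from this scheme.  (assumed table, see docstring)
_CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
_SIL_TABLE = {
    4: ["SIL2", "SIL2", "SIL2", "SIL3", "SIL3"],
    3: [None,   "OM",   "SIL1", "SIL2", "SIL3"],
    2: [None,   None,   "OM",   "SIL1", "SIL2"],
    1: [None,   None,   None,   "OM",   "SIL1"],
}


def risk_class(fr: int, pr: int, av: int) -> int:
    """Class Cl = Fr + Pr + Av, in the range 3..15."""
    return fr + pr + av


def sil_target(se: int, cl: int) -> str:
    """Look up the SIL target for a severity and class (assumed matrix)."""
    for band, (lo, hi) in enumerate(_CLASS_BANDS):
        if lo <= cl <= hi:
            return _SIL_TABLE[se][band] or "none"
    raise ValueError(f"class {cl} out of range 3..15")


def assess(h: Hazard) -> dict:
    """Classify a hazard before and after its measures; keep origin and findings."""
    initial = sil_target(h.se, risk_class(h.fr, h.pr, h.av))
    params = {"fr": h.fr, "pr": h.pr, "av": h.av}
    for m in h.measures:
        if m.lowers:  # a measure can only lower a parameter, never raise it
            params[m.lowers] = min(params[m.lowers], m.to)
    residual = sil_target(h.se, risk_class(**params))
    functions = [m.name for m in h.measures if m.domain == "safety" and not m.lowers]
    domains = {m.domain for m in h.measures}
    findings = []
    if h.origin is Origin.SECURITY and "security" not in domains:
        # Design choice of this example: redundancy assumes independent failures,
        # which a deliberate attacker can defeat, so safety-only treatment is flagged.
        findings.append("security-induced hazard has no security-domain measure")
    if residual not in ("none", "OM") and not functions:
        findings.append(f"{residual} target has no safety function assigned")
    return {"hazard": h.hid, "origin": h.origin.value,
            "initial_target": initial, "residual_target": residual,
            "safety_functions": functions, "domains": sorted(domains),
            "findings": findings}


# Constructed register for a machine tool; values are illustrative only.
REGISTER = [
    Hazard("H1", "Guard interlock fails, spindle keeps running with door open",
           Origin.FAILURE, se=3, fr=4, pr=3, av=3,
           measures=[Measure("Guard interlock monitoring (SRCF)", "safety")]),
    Hazard("H2", "Unauthorized remote start command over the plant network",
           Origin.SECURITY, se=3, fr=4, pr=4, av=3,
           measures=[Measure("Zone/conduit segmentation", "security", "pr", 2),
                     Measure("Authenticated start command", "security", "pr", 1),
                     Measure("Start inhibited unless local enable is held", "safety")]),
    Hazard("H3", "Malicious firmware replaces safety logic on the controller",
           Origin.SECURITY, se=4, fr=3, pr=3, av=5,
           measures=[Measure("Dual-channel output comparison", "safety")]),
]


def assess_register(register=REGISTER) -> list:
    return [assess(h) for h in register]


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```

H2 shows the translation step: two security controls lower Pr from 4 to 1, which moves the class from 11 to 8 and the target from SIL2 to SIL1, and the remaining SIL1 is carried by a safety function that does not depend on the network. H3 is flagged because a firmware‑level attacker is not an independent failure, so a safety‑domain measure alone is not an adequate argument; the record keeps the origin so a reviewer can see why.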

The methodology is applied to a real‑world industrial case study: a machine tool governed by IEC 62061, with its communication network secured according to IEC 62443. By extending the system definition, the authors identified five previously unnoticed security‑related hazards (e.g., malicious remote command injection). These hazards were classified using the SIL scheme, and appropriate mitigations—such as hardened authentication, network zoning, and secure boot—were introduced. The final safety case satisfied IEC 62061 certification requirements while also addressing the newly identified security risks.

The paper highlights several broader implications. First, it demonstrates that safety‑certified products can be made more resilient without violating existing standards, simply by enriching the early phases of safety work with security awareness. Second, it underscores the need for standards bodies to eventually embed explicit security references into safety standards, because ad‑hoc extensions rely on the goodwill and expertise of cross‑disciplinary teams. Third, it points out organizational challenges: safety teams alone lack the knowledge to enumerate all relevant actors and assets, and security teams may not be familiar with safety‑level documentation requirements. Hence, a collaborative governance model is essential.

In conclusion, the authors argue that inadequate risk analysis—specifically, the omission of security threats—can jeopardize the functional safety of modern interconnected systems. Their proposed extension offers a concrete, standards‑compliant pathway to raise security awareness within safety processes, thereby reducing the likelihood of accidents caused by cyber‑attacks while preserving the existing certification infrastructure. This work serves as a practical bridge toward the long‑term goal of fully harmonized safety‑security standards.

