From Security Informed Safety to Safety Informed Security: Methodology and Case for PLC-based I&C Assessment
Keywords:
Functional Safety, Cybersecurity, Industrial Control Systems, PLC, Safety-Informed Security, Security-Informed Safety, Cyber-Physical Systems, Risk Analysis
Abstract
The paper introduces the Safety-Informed Security (SfISc) concept, which proposes that a system's functional safety (FS) properties can inherently enhance its cybersecurity (CS). The main goal is to show that the self-diagnostics and fault-tolerance mechanisms of safety-critical programmable logic controllers (PLCs) and PLC-based instrumentation and control systems (ICSs), designed for high FS, can effectively detect and mitigate cyberattacks and reduce the effort needed to assess cybersecurity metrics against the requirements for ICSs. The study presents a methodology based on a "three-equivalence principle": 1) the equivalence of the consequences of dangerous failures and cyberattacks; 2) the equivalent perception, by self-diagnostic tools that are initially oriented towards supporting FS, of consequences caused by CS; 3) equivalent actions (countermeasures) related to transitioning the PLC into a protected state. Two theorems are formulated to justify the SfISc concept. Industrial cases are described to demonstrate how FS evaluation results can be used to significantly simplify and reduce the cost of CS analysis.
License
International Journal of Computing is an open access journal. Authors who publish with this journal agree to the following terms:
• Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
• Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
• Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.