A Zero Trust Hybrid Security and Safety Risk Analysis Method

Nikolaos Papakonstantinou, Douglas L. Van Bossuyt, Joonas Linnosmaa, Britta Hale, Bryan O’Halloran

Research output: Contribution to journalArticleScientificpeer-review

16 Citations (Scopus)


Designing complex, socio-technical, cyber-physical systems has become increasingly challenging in recent years. Interdependencies between engineering domains can lead to emergent behavior that is difficult to predict and manage. The recent shift toward model-based design has demonstrated significant advantages for minimizing these challenges (McDermott et al. 2020. Benchmarking the benefits and current maturity of model-based systems engineering across the enterprise. results of the model-based systems engineering (MBSE) maturity survey, part 1: Executive summary. Technical Report SERC-2020-SR-001, Systems Engineering Research Center.). Further, the early identification of safety and security design weaknesses in safety-critical systems leads to reduced redesign costs in later design phases (Yang and EI-Haik, 2003. Design for Six Sigma. McGraw-Hill, New York City; Clausing and Frey, 2005. Improving system reliability by failure-mode avoidance including four concept design strategies. Systems Engineering, 8(3), pp. 245–261.). As a result, this article contributes the Multidisciplinary Early Design Risk Assessment Framework (MEDRAF) methodology for early combined safety and security assessment based on interdisciplinary dependency models of a system. The focus is on factors contributing to the estimation of the probabilities of successful attacks on system components. The Zero Trust paradigm is applied in which all humans, hardware, and processes interacting with the system are considered to pose a security risk. A calculation of security-related probability estimates is presented which is dependent on the current global security environment. Subsequently, security and safety probability estimates are combined to present an overall safety-security risk calculation using hybrid safety-security trees. The risk values help designers assess the loss of specific key components and safety functions. The methodology is demonstrated with a case study of a spent fuel pool cooling system in a nuclear reactor. The results of the case study show that the risk of losing one key system component doubles when combining security and safety compared to only assessing safety events. This paper is based on a paper presented at the CIE 2020 conference (Papakonstantinou et al., 2020. Towards a zero trust hybrid security and safety risk analysis method. In International Design Engineering Technical Conferences and Computers and Information in Engineering Conference, American Society of Mechanical Engineers.).
Original languageEnglish
Article number050907
Number of pages10
JournalJournal of Computing and Information Science in Engineering
Issue number5
Early online date13 May 2021
Publication statusPublished - Oct 2021
MoE publication typeA1 Journal article-refereed


  • cyber physical system design and operation
  • model-based systems engineering
  • Cyber physical system design and operation
  • Model-based systems engineering


Dive into the research topics of 'A Zero Trust Hybrid Security and Safety Risk Analysis Method'. Together they form a unique fingerprint.

Cite this