1. Introduction
As the vision of an internet-centric and things-centric world for the near future has been progressively unfolding, numerous IoT applications across many domains have already made successful market entries, or at least have had prototypes implemented [1]. This technological development underpins the projection that IoT innovations will add about $5.5 trillion to $12.6 trillion in value to the global economy by 2030 [2]. Notably, some of the areas of modern life that have already witnessed the application of the IoT include smart homes and cities [3,4,5], Industrial IoT (IIoT) [6,7], smart agriculture [3,8], intelligent medicine [8,9,10,11], smart transportation and autonomous vehicles [3,4,12], and wearable fitness [4,8,10], among others.
The IoT innovation has transformed traditional electronics and mechatronics systems across many fields into smart and intelligent systems by integrating intelligence-driven applications into them. This technological progress has facilitated a seamless integration of the sensing, processing, communication, reasoning, and actuation capabilities of modern systems [1]. The IoT has ushered humanity into a technological paradigm that has created a more efficient, intelligent, and convenient environment [13]. While the breakthrough in IoT innovations has brought uncommon benefits to humanity, it has also opened new avenues for potential risk hazards capable of causing harm to users and the environment. Some risks associated with intelligent, embedded, internet-enabled systems were non-existent in traditional electronic or mechanical systems, which are not internet-enabled in their operations [14]. Also, given the increasing autonomy of IoT systems in making decisions, the safety, security, and ethical use of these smart devices are increasingly becoming a concern across the board [15]. These and many other considerations underscore the need for the safety and security assurance of IoT innovations.
Safety and security are key non-functional properties (NFP) of IoT systems and constitute critical attributes of IoT dependability [14,16]. While system dependability deals with the system performing at its optimal functionality over a specified period [14], safety attributes entail that devices are devoid of harm to their users or damage to the environment [17,18,19]. Similarly, a system’s security attributes concern how it performs its intended functions and mission despite the risk posed by security threats [20,21,22]. Safety and security properties can affect one another in numerous ways. Notably, the two properties are both sources of hazards, and a breach of one can affect the other [23].
The safety and security of IoT systems could be compromised through random hardware faults and errors, conflicting interactions, human errors, and deliberate security attacks against a system, its components, or its operations [5,16,24]. While it is difficult to guarantee a completely safe and secure system, it is a design requirement that safety and security thresholds be met to support the dependability of systems and certification standards. To meet these requirements, safety and security impediments, such as random and systematic system failures and security threats, need to be adequately identified, quantified, and mitigated. This analysis, if well carried out from the early stage of the system design, will guard against unacceptable levels of malfunctioning components and confer resilience against security threats that could otherwise lead to a precarious and dangerous operating state of the system [24].
Based on the literature, numerous analysable models and tools have been developed to evaluate various safety and security metrics of mechatronics, industrial control systems, aerospace systems, automobile systems, and other embedded systems. The existing analysis methods derive their relevance from their efficiency in identifying, quantifying, and mitigating various safety and security parameters of the systems [14,25,26,27,28]. Notably, during the system development life cycle (SDLC), systems undergo various testing and verification processes, one of which is to evaluate the functional safety and security properties of a proposed system. Based on this proactive system design philosophy, existing safety and security analysis models and frameworks provide insight into component failures, security threats, vulnerabilities, and other root causes of faults, errors, and failures. If effectively conducted with the right model or approach, this evaluation process can significantly reduce design flaws so that the developed system poses no safety or security hazards to its users, other stakeholders, or the environment.
The existing safety and security analysis methods and techniques in the literature have been categorised into informal manual frameworks and MBSE approaches. Some of the notable manual frameworks are Failure Mode Effect Analysis (FMEA), Fault Tree Analysis (FTA), Dynamic Fault Trees, Petri nets, Attack Trees (AT), Attack–Fault Trees, Attack–Defence Trees, Quantitative Attack–Defence Trees, and Bowties, among others [29,30,31,32]. On the other hand, to meet the continuous requirements of systems development, some of the safety-critical domains, such as the automobile [33] and aerospace industries [34], as well as industrial control systems [35], have begun to explore the option of MBSE approaches. Notably, MBSE approaches have been used to analyse the various NFPs of system design, such as performance [36,37], safety [38,39,40,41,42], reliability [40,42], and security properties [43,44,45]. In the model-driven development paradigm, some of the classical analysable models, such as FTA, AT, Petri nets, and other artefacts, are fully or semi-automatically generated using software-based approaches. These approaches generate the artefacts from detailed models of the systems’ static and dynamic behavioural patterns, built using the functionality of existing modelling languages (ML). Existing MBSE frameworks have been developed using the Unified Modelling Language/Systems Modelling Language (UML/SysML) [35,39], Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS) [41,42,44,45], and the Architecture Analysis and Design Language (AADL) [34,36,45].
While there are numerous classical and model-based analysis frameworks in the safety and security domains, their viability for critically evaluating the dependability of IoT applications needs to be further studied. Although separate analyses of the safety and security properties could suffice in other fields, the case differs in cyber-physical systems (CPS). The peculiarity of CPS, for which the IoT is at the centre stage, demands a high consideration of both safety and cyber-security properties to develop dependable systems [46]. In the IoT environment, safety and security requirements are becoming increasingly interwoven, and the systems are increasingly given autonomous, adaptive, and evolving features [16]. Therefore, to guarantee the smooth operation of IoT systems, evaluating the existing safety and security analysis approaches vis-à-vis the unique nature of IoT systems is necessary. This research effort will support the actualisation of the IoT 2030 vision for tremendous global value addition to the international economy. The motivation of this review is to evaluate the safety and security requirements of IoT applications, as well as the existing analysis frameworks. Finally, based on our findings, we suggest future research trends for developing a trustworthy model-based safety and security analysis framework in the IoT domain. Specifically, the notable contributions of this article are summarised as follows:
The performance of a review of salient issues surrounding the safety and security requirements of IoT systems.
The provision of an overview and comparison of popular classical and MBSE approaches used for safety and security analysis and the discussion of their effectiveness in evaluating the dependability of IoT systems.
The suggestion of future research directions in developing a viable dependability analysis framework for a unified treatment of safety and security requirements in the IoT environment.
After this brief introduction, the following section provides a conceptual overview of IoT system dependability by critically examining safety and security attributes and their relationship. Next, Section 3 discusses the safety and security requirements of IoT systems by evaluating the critical requirements of the two properties across the IoT architecture. Furthermore, Section 4 deals with the related work that has been conducted in the area of safety and security analysis frameworks. Finally, Section 5 is a discussion of the survey and offers further insight into future research directions, and Section 6 concludes the paper.
3. Safety and Security Challenges of the IoT System
The freedom to innovate any technology comes with the inherent responsibility of safeguarding the users and the environment from its harmful effects [61]. With the greater acceptability of the IoT in today’s modern space, safety and security remain paramount for various reasons. While the environment is pervaded by innovative IoT applications that are given increasing autonomy in decision making, the possibility of safety hazards should not be ruled out if the safety requirements of the systems are not adequately evaluated [5]. Moreover, in the area of standardisation, a functional safety threshold is a core prerequisite for the market entry and practical use of these modern devices, especially in safety-critical and mission-critical domains [21,62]. Therefore, for the IoT to be accepted and trusted, the systems must be relatively safe, secure, and devoid of harm to the users or the environment [51]. Based on these considerations, the development of dependable IoT applications necessitates careful attention to safety issues. The safety requirements taken into design consideration are meant to reduce the possibility that a device could malfunction or enter harmful or hazardous operating conditions as a result of design flaws. To guarantee this in IoT design, a rigorous analysis of the various factors and conditions that can compromise the safety of the systems must be conducted. Thus, safety issues are crucial design requirements that need to be given due attention from the SDLC stage in order to guard against possible negative consequences [5].
Conversely, security is a critical design challenge in the IoT domain for obvious reasons. IoT technology extends internet connectivity to become pervasive, as everything (heterogeneous physical and virtual systems) connected to the IoT will be connected to the internet and, at the same time, communicate with one another [55,63]. This makes the IoT ecosystem characterised by heterogeneity and by the absence of defined limits on physical expansion and on the number and types of interconnected devices, all of which tend to create additional security risk hazards for IoT systems [5,14]. The attack surfaces of IoT-enabled applications tend to be larger for the aforementioned reasons. Thus, these constraints open the door to security breaches at a significantly higher rate, which system developers need to address to assure users of secure and dependable smart IoT-enabled applications [17,55]. Therefore, in the design of dependable IoT systems, it is imperative to conduct safety and security analyses iteratively throughout the SDLC stage and to monitor the same processes during the operational stage to assure the safety and security of the end-users and the environment [5]. To discuss the safety and security design requirements of IoT systems, it is necessary to highlight the issues layer-wise, as each layer of the IoT architecture may have particular safety and security issues. Accordingly, the existing layers of the IoT architecture will be briefly highlighted prior to discussing their safety and security concerns.
3.1. The IoT Model
A generic IoT system is represented using a layered architectural framework that uses various standards and layer structures [13]. Some of the most common frameworks are three-layer, four-layer, and five-layer architectures [3,13,64,65]. Accordingly, a four-layered IoT architecture is considered in this survey.
Figure 2 presents the IoT four-layer architecture. The layers are the perception, network, processing, and application layer.
3.1.1. Perception Layer
The perception layer of the IoT architecture is composed of various devices that primarily deal with the sensing of the environment and the actuation of physical processes. These devices, including sensor nodes and actuators, are expected to have high reliability, ease of use, high resolution, high sensitivity, smart detection, and minimum power consumption, among other properties [66]. At this layer, various sensor nodes perform sensing measurements of the environment and other physical parameters [13,66]. The acquisition of physical parameters, such as object properties, biometrics, and physiological or environmental conditions, is performed by various sensor nodes and data acquisition devices.
3.1.2. Network Layer
The network layer is the second layer in the IoT architecture and is responsible for the reliable transmission of sensing data generated by the perception layer to the computational unit for information processing [13,63,67]. The network layer conveys data across interfaces and gateways using communication technologies and protocols, especially the internet protocol [63]. This layer of the IoT architecture sets the rules for data aggregation. The network layer integrates devices such as hubs, switches, and gateways, as well as communication technologies such as Bluetooth, Wi-Fi, and Long-Term Evolution (LTE) [13].
3.1.3. Data-Processing Layer
The data-processing layer is the IoT system’s event-processing layer, which ensures seamless software interaction for the storage and processing of IoT data [3,13,64,67]. This layer leverages many connected computing technologies in the form of cloud technology to store, compute, secure, and process various sensing data. The processing layer is a bridge between the application and network layers and is responsible for data accumulation, abstraction, and analysis [67,68]. Data processing is carried out via cloud computing and multiparty computation, where mass data processing and intelligent processing are conducted [63]. The layer processes the data obtained from the perception layer through numerous machine learning and deep-learning algorithms and other data processing elements to generate new insight and, in some cases, make projections and provide useful warnings of impending hazards and situations. The technologies of the processing layer include wired, wireless, and satellite technologies, as well as cloud and other third-party computational systems [46].
3.1.4. Application Layer
The application layer is the top layer of the IoT architecture and is responsible for providing personalised services according to the relevant needs of the end-users [67]. The application layer acts as an interface to third-party applications and serves as the primary link between the users and the applications. The layer receives the data sent through the network layer and uses it to perform the activities or services that the customer needs. The layer is involved in decoding patterns in the IoT data and computing them into summarised patterns that are easily understandable by users in the form of graphs, tables, and pictorial displays.
3.2. Safety and Security Issues across IoT Layered Architecture
As discussed in Section 3.1, the IoT system architecture comprises various layers. Remarkably, there is a range of safety and security issues associated with each of these layers. A systematic survey of these safety and security studies gathered from various existing research is provided in this section. A summary of the notable safety and security issues across the IoT layered architecture is depicted below in Figure 3 [16,37,63,67,68].
3.2.1. Safety and Security Issues in the Perception Layer
The smooth operation of IoT systems demands that the security and safety issues associated with the perception layer’s enabling technologies be well taken into account. There are numerous security attacks associated with the perception layer. Notably, denial/distributed denial of service (DoS/DDoS), malicious code injection, false data injection, eavesdropping/interference, jamming, sleep deprivation, booting attacks, and side-channel attacks are some common examples of security threats associated with the perception layer [67]. On the other hand, regarding safety issues, there is the risk of hardware failure in large networks in some circumstances. Additionally, the heterogeneity of devices, which often differ in flexibility and are manufactured to different standards with different failure and reliability behaviours [69], poses a safety risk. Furthermore, the resource-constrained nature of IoT systems often tends to affect some design considerations, especially those that could have enhanced the system’s safety [13]. Additionally, depending on the application domain, IoT applications can be deployed in harsh operating and unattended environments. This constraint makes the perception layer technologies more prone to failures, which have negative effects on the overall safety of the IoT system [13].
3.2.2. Safety and Security Issues in the Network Layer
The network layer in an IoT architecture is prone to security issues, such as intentional malicious cyber attacks against the confidentiality, integrity, and availability of sensing or actuation data [14]. Notably, attacks such as phishing site access, man-in-the-middle attacks, selective forwarding, replay attacks, DoS/DDoS, data transmission errors, data inconsistency, and routing attacks are most prevalent at this layer [67,70]. On the contrary, the safety issues are unintended environmental and climatic hazards, such as atmospheric fading, which could hinder the free flow of data communication in IoT systems [50]. Likewise, human error, unauthorised access, the restricted computing resources shared by IoT systems, and the challenging operating circumstances of specific IoT applications pose constraints to their safety and reliability [13]. These issues could affect the efficient performance of the IoT system and, thus, could hinder the trustworthiness of IoT applications.
3.2.3. Safety and Security Issues in the Processing Layer
The data processing layer is critical to providing reliable IoT applications. It is susceptible to threats that are capable of affecting the integrity and quality of data processing, among others. The safety challenges in the data processing layer include, but are not limited to, reliance on third-party processing, data corrupted by noise, signal attenuation, and hardware failure. Some of the identified cyber-security attacks in this middle layer are SQL injection, signature wrapping, man-in-the-middle, cloud malware injection, and flooding attacks, among others [67].
3.2.4. Safety and Security Issues in the Application Layer
The most crucial requirement of the application layer in the IoT ecosystem is the ability to provide reliable services to meet the end-users’ personal or business needs. The security issues in the application layer are sometimes specific to particular applications [67]. In general, the major security issues of the application layer include malicious code injection, access control attacks, service interruptions, data theft, sniffing, and reprogramming attacks [67]. Conversely, the safety challenges arising from this layer include the possibility of conflicting interactions among various co-located IoT applications, as well as human errors and the performance of the software aspect of the application [5,13]. For instance, the potential for conflicting interactions between two IoT applications, namely a smart flood detection system and a fire detection system in a smart home, was illustrated in the literature [5]. Such a conflicting interaction could jeopardise safety even while the two IoT applications remain within their nominal behaviours. Therefore, beyond device failure and cyber attacks as sources of hazards to the environment, the conflicting relationships among IoT systems also bring an emerging challenge to the safety of the IoT ecosystem.
4. Safety and Security Analysis Frameworks and Related Work
This section reviews notable analysable models for safety and security analysis across various domains. Basically, these analysis models are grouped as classical safety and security analysis approaches, unified safety and security analysis approaches, and MBSE approaches. Based on these frameworks, some of the recent surveys conducted in both safety and security domains will also be highlighted.
4.1. Classical Safety Analysis Methods
There are numerous approaches used for the safety and security evaluation of systems. In the safety domain, some of the most common and widely used approaches are FTA, FMEA, the Reliability Block Diagram (RBD), Event Tree Analysis (ETA), and the Markov Chain (MC), among others. Some of the prominent safety analysis approaches in the various literature are described as follows.
4.1.1. Fault Tree Analysis
The FTA is one of the most widely used approaches for evaluating systems’ safety and reliability in different domains, including the IoT [71,72]. Bell Telephone Laboratories developed the approach in 1962 [73]. The FTA is a deductive approach that quantifies and evaluates the combinations of basic component failures that can lead to a top event (a critical event whose occurrence causes the overall system failure). The tree starts with the system’s undesired state, represented as the top event, and deductively identifies all the possible paths leading to this undesired state. A graphical illustration of an FT diagram is shown in Figure 4.
The top event of the FT structure is the main system failure under analysis. The branches and leaves below it are represented as the intermediate and basic events, respectively. The basic faults, which are represented as basic events in the tree, are linked together by Boolean logic gates, such as AND and OR gates, according to how the lower-level events combine to cause the events above them in the tree [29].
The relevance of the FT to the safety analysis of IoT systems lies in the expressiveness of the technique for both qualitative and quantitative analyses. These two analyses, which are possible via the FT framework, can help design engineers ascertain the safety of a proposed system and ensure that a minimum safety threshold is achieved to guarantee the safe use of the system and also meet the certification standards of various IoT design innovations. The qualitative analysis establishes the minimal cut sets, i.e., the smallest combinations of basic events whose joint occurrence causes the top event. On the other hand, the quantitative analysis provides probabilistic assessments of the system’s safety based on the failure probabilities of the basic events (components). These two analyses support iterative system design, where a configuration modification or a change in the proposed components can be suggested based on safety considerations.
In the existing literature, various extensions and modifications of the FTA have been developed over the years. These extensions involve the addition of other gates to depict different fault behaviours and operating states of the systems. Notable extensions include the Dynamic FT, Component FT, Pandora Temporal FT, and State/Event FT [28,74,75,76]. The FTA framework has been used extensively across various safety-critical domains for safety analysis. In the IoT domain, the FTA framework was used in the safety analysis of smart homes [71], smart grid systems [77], smart aquaculture [78], and CPS in general [46,79]. Although studies of IoT safety design evaluation using FTA are in progress, the manual process of the approach still needs to be improved. It has been characterised as time-consuming and as being performed on cumbersome informal system models that are subject to human error, thereby leading to inconsistency or incompleteness [28,75]. Another limitation of the FTA framework is that its combinatorial approach is mostly represented using the Boolean gates ‘AND’ and ‘OR’. Some of the modifications, such as the Dynamic Fault Tree [80] and Pandora Temporal FT [81,82], have added gates such as the functional dependency (‘FDEP’) gate, the priority AND (‘PAND’) gate, and a host of others to represent the various dynamic behaviours of modern systems [28,75,83]. Nevertheless, despite the relevance of the FT as one of the best-known safety analysis approaches, its manual nature has left much to be desired in the analysis of IoT systems [16]. Additionally, the basic events in the tree are assumed to be statistically independent, which, in some dynamic IoT system configurations, may not be the case [28]. These challenges suggest further research into IoT safety.
4.1.2. Failure Mode Effect Analysis
The Failure Mode Effect and Criticality Analysis (FMECA) approach is a classical inductive safety assessment framework developed by the US military in 1980 to systematically identify potential failures in a system in addition to their causes and effects [28]. Unlike FTA, in the FMECA framework, the process starts from the root causes of failure (basic component failures) and proceeds bottom-up to establish the undesired event or events (overall system failure). The FMEA framework is organised in a tabular form containing columns such as Function, Failure Mode, Cause, Effect, Severity, and Detection, among others. The technique systematically considers the effects of each single component failure mode [84,85]. By using FMEA, system safety engineers can determine the effects of various component failures and the criticality of the failure modes in a system. Similar to FTA, the FMEA approach is also a manual process that inherently has the disadvantages of reusability constraints, incorrectness, and an informal nature, among others.
4.1.3. Reliability Block Diagram
As with the FTA, the Reliability Block Diagram (RBD) is also a deductive and graphical safety analysis framework that is used to find the reliability of the overall system from the reliability of its constituent units. Using the RBD framework, safety, alongside other attributes such as reliability, availability, and maintainability, is modelled based on the failure relationships between the systems and components. The overall system is modelled as several blocks and connectors (lines), which denote the system components and their configurations, respectively. The components are represented either in series or in parallel configurations [86]. As the safety of a system can be deduced from the reliability of the components, the RBD gives the failure characteristics of a system based on the failure rates of the component parts that make up the system and the design configuration of the system [86]. The relevance of the RBD in safety analysis is similar to that of FTA. A system under development can be analysed to evaluate the impact of component failures on overall system safety. Furthermore, it enables safety design optimisation and trade-offs based on the components’ specifications and system configurations. However, the approach also suffers from the manual-based limitations of the safety analysis process.
4.1.4. Markov Chain Analysis
The Markov Chain Analysis (MCA) framework is also an inductive safety analysis technique, which is based on stochastic models [87]. The MCA is based on mathematical modelling, wherein the failure states of a system depend only on the current state and the time elapsed [88]. Despite MCA being stochastic in nature, the state of the system is assumed to be memoryless, because the probability of future states does not depend upon the steps that led to the present state. The initial state vector and the transition probabilities represent the starting state and the probability of moving from state to state, respectively. In MCA, a transition matrix is formed that relates the current state to the next state with constant failure and repair rates. Notably, in IoT-based systems, as with other electronic systems, the components fail at a constant rate, which is effectively modelled by MCA. The two categories of MCA in the literature are Discrete Time Markov Chain Analysis (DTMCA) and Continuous Time Markov Chain Analysis (CTMCA). In the literature, the life cycle of a CPS was characterised on the basis of CTMCA, and reliability metrics, including the mean time to failure (MTTF) of the system, were derived from it [87]. Unlike FTA or RBD, the MCA can be used in safety analysis to evaluate system failure or availability at any point in time. This is one of the advantages of MCA, which gives both the reliability and the availability of repairable components in a system.
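As an added example (not from the paper or from [87]), the following Python builds the CTMC generator matrix for a small repairable system, derives the MTTF by solving the linear system over the transient states, and derives steady-state availability from the balance equations. The three-state one-out-of-two model, its failure rate λ and repair rate μ, and the single-repair-crew assumption are constructed placeholders; the solver is plain Gaussian elimination so the block runs without third-party packages.

```python
from typing import Iterable, List

def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a·x = b by Gaussian elimination with partial pivoting (small dense systems)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]      # augmented matrix
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):                          # back substitution
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x

def one_out_of_two_generator(lam: float, mu: float) -> List[List[float]]:
    """CTMC generator Q for two identical parallel units with constant failure rate `lam`,
    repair rate `mu` and one repair crew (constructed model, not from the paper).
    State 0: both up; state 1: one unit failed; state 2: both failed (system down).
    Rows sum to zero: Q[i][j] is the rate of the i -> j transition, Q[i][i] the exit rate."""
    return [
        [-2 * lam, 2 * lam, 0.0],
        [mu, -(lam + mu), lam],
        [0.0, mu, -mu],
    ]

def mean_time_to_failure(q: List[List[float]], start: int, down_states: Iterable[int]) -> float:
    """MTTF = expected time until the chain first enters any down state, starting from `start`.
    With Q_T the generator restricted to the transient states, the expected sojourn vector t
    satisfies (-Q_T)·t = 1; the down states are treated as absorbing (no repair from them)."""
    down = set(down_states)
    transient = [s for s in range(len(q)) if s not in down]
    a = [[-q[i][j] for j in transient] for i in transient]
    t = solve_linear(a, [1.0] * len(transient))
    return t[transient.index(start)]

def steady_state(q: List[List[float]]) -> List[float]:
    """Long-run state probabilities pi from pi·Q = 0 with sum(pi) = 1.
    pi·Q = 0 is Q^T·pi^T = 0; one (redundant) balance equation is replaced by the normalisation."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]     # transpose of Q
    a[-1] = [1.0] * n
    b = [0.0] * (n - 1) + [1.0]
    return solve_linear(a, b)

def steady_state_availability(q: List[List[float]], down_states: Iterable[int]) -> float:
    """Fraction of time the system is up in the long run (repairs from the down states included)."""
    pi = steady_state(q)
    return 1.0 - sum(pi[s] for s in down_states)

if __name__ == "__main__":
    # Constructed rates in 1/hour: one failure per 1000 h, repair in 10 h on average.
    q = one_out_of_two_generator(lam=0.001, mu=0.1)
    print("MTTF from both-up state [h]:", mean_time_to_failure(q, start=0, down_states={2}))
    print("steady-state availability   :", steady_state_availability(q, down_states={2}))
```

For the one-out-of-two model the solver reproduces the closed form MTTF = (3λ + μ) / (2λ²), so a wrong generator matrix shows up immediately as a mismatch with the textbook value.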
4.2. Classical Security Analysis Frameworks
At the conceptual phase of IoT design, systematic security analysis, validation, and verification are conducted by the security team to develop a system that is robust and resilient against security attacks [44]. Accordingly, various threat modelling frameworks have been developed to identify, quantify, and address vulnerabilities and threats against the systems in order to handle the cyber-security challenges of IoT systems [52]. Based on the various threat models, some of these attributes, such as availability and reliability, are defined quantitatively, and their analyses are conducted accordingly [14,27,89]. The common security analysis frameworks in various studies include attack trees, attack–defence trees, and quantitative attack–defence trees.
4.2.1. Attack Trees
The attack tree (AT) was developed by Schneier in 1999 to model threats against a system using a deductive tree-like structure similar to FTA [90]. The AT framework depicts the various ways in which a system can be compromised by a malicious agent [90]. The approach decomposes the various possibilities for an attack on a system into multi-level steps. The different ways to compromise a system are represented as the root, children, and leaf nodes. These nodes intuitively indicate the various hierarchies of attacks against a system. The root node corresponds to an attacker’s overall goal. The lower nodes in the tree represent refinements of the root node’s goal, which involve basic actions to be executed by the attacker to achieve the main goal [31,91]. The dependencies between the different nodes on the same level of the tree are modelled using Boolean ‘AND’ and ‘OR’ gates. Under an ‘AND’ condition, all of a node’s sub-goals must be achieved to compromise its parent node, whereas under an ‘OR’ condition any one of the sub-goals suffices. Quantitatively, the overall security metrics of the system can be estimated from the values of the child nodes and their various Boolean logic conditions. Consider the example attack tree adapted from [92], which is illustrated in Figure 5. The tree deductively illustrates how cyber-security threats could be premeditated to compromise one of the properties of the system’s CIA triad and eventually undermine the IoT system’s dependability. Step by step, the framework establishes the steps that malicious agents would need to follow to exploit several vulnerabilities before compromising the confidentiality of the IoT data. Furthermore, subjective quantitative metrics can be added to each step based on various known techniques, such as fuzzy logic and vulnerability quantification. This approach can assist security engineers in evaluating and prioritising security design to develop safe and dependable systems.
Based on the AT, the steps a malicious agent must take to compromise the system can be enumerated. The framework therefore helps to determine where design modifications and improvements are needed to strengthen the system's security. In general, the AT indicates which attack vectors an adversary is likely to prefer, which helps to build stronger security mechanisms into the system from the design abstraction stage. In addition, the various extensions of the AT approach allow quantitative analysis of potential attack scenarios to evaluate the feasibility of a successful attack: insight into the likelihood of an attack, its cost to the attacker and its impact can be obtained. This information helps to distinguish low-probability from high-probability attacks and to direct appropriate resources towards countermeasures.
4.2.2. Attack–Defence Trees
Attack–defence trees (ADT) are node-labelled rooted trees that extend the AT framework with defensive measures [
90]. Basically, the framework models the security of a system using two types of nodes: the attack nodes and defence nodes. The attack nodes represent the measures an attacker might take to compromise the system, while the defence nodes are the actions defenders can employ to protect the system [
63]. The distinguishing features of ADT are therefore the representation of both refinement and countermeasures. The basic (non-refined) nodes are analogous to the basic events of the FTA framework. Graphically, attack nodes are drawn as circles and defence nodes as rounded rectangles; refinement relationships are drawn as solid edges and countermeasures as dotted edges. The same 'AND' and 'OR' refinements as in AT relate leaf, intermediate and root nodes: under an 'OR' refinement a parent attack succeeds if at least one of its children succeeds, whereas under an 'AND' refinement all children must succeed. An attack node with an attached countermeasure succeeds only if the attack itself succeeds and the countermeasure fails [
93].
4.2.3. Quantitative Attack–Defence Trees
Quantitative attack–defence trees (QADT) were proposed to extend the qualitative description of ADT with quantitative metrics. Quantitative attributes such as the likelihood and impact of a security breach, weighed against the cost, skills and benefits involved for an attacker in compromising the system, can then be computed, albeit with some degree of subjectivity. Metrics for quantifying system vulnerability can also be factored into a quantitative ADT to make the inherently subjective estimates of cyber-security attacks more defensible [
93]. For the IoT environment, attack risk attributes attached to attack–defence nodes have been developed to quantitatively evaluate the risk of smart systems being attacked [
94].
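To make the AT semantics of Section 4.2.1 and the ADT/QADT quantification of Sections 4.2.2 and 4.2.3 concrete, the following Python example, added here and not taken from any of the cited works, evaluates a small attack–defence tree. The tree, the leaf probabilities and costs, and the effectiveness assigned to each countermeasure are constructed values for illustration only; leaf events are assumed to be independent, and a countermeasure is assumed to reduce the success probability of the attack node it is attached to without changing the attacker's cost. The example propagates attacker success probability and minimum attacker cost through 'AND'/'OR' gates and enumerates the attack scenarios (the attack-tree analogue of FTA minimal cut sets), with and without the defences.

```python
# Added example (not from the surveyed paper or the cited works): a minimal
# attack tree / attack-defence tree evaluator. All figures below are constructed.
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                 # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)
    p: float = 0.0                     # LEAF: probability the attack step succeeds (assumed)
    cost: float = 0.0                  # LEAF: attacker cost in arbitrary units (assumed)
    defence: Optional["Node"] = None   # ADT countermeasure; defence.p = probability it holds


def success_probability(node: Node, apply_defences: bool = True) -> float:
    """Attacker success probability, assuming independent leaf events.
    AND: every child must succeed (product of probabilities).
    OR:  at least one child succeeds (1 - product of failure probabilities).
    An attack node with an attached countermeasure succeeds only if the attack
    succeeds AND the countermeasure fails."""
    if node.gate == "LEAF":
        p = node.p
    else:
        ps = [success_probability(c, apply_defences) for c in node.children]
        if node.gate == "AND":
            p = 1.0
            for x in ps:
                p *= x
        elif node.gate == "OR":
            q = 1.0
            for x in ps:
                q *= 1.0 - x
            p = 1.0 - q
        else:
            raise ValueError(f"unknown gate {node.gate!r}")
    if apply_defences and node.defence is not None:
        p *= 1.0 - node.defence.p
    return p


def min_attack_cost(node: Node) -> float:
    """Cheapest attack: AND adds the children's costs, OR takes the cheapest child.
    Simplification: defences lower success probability but not attacker cost."""
    if node.gate == "LEAF":
        return node.cost
    costs = [min_attack_cost(c) for c in node.children]
    return sum(costs) if node.gate == "AND" else min(costs)


def attack_scenarios(node: Node) -> List[Tuple[str, ...]]:
    """Enumerate attack scenarios: sets of leaf steps that together reach the goal
    (the attack-tree counterpart of FTA minimal cut sets)."""
    if node.gate == "LEAF":
        return [(node.name,)]
    per_child = [attack_scenarios(c) for c in node.children]
    if node.gate == "OR":
        return [s for scenarios in per_child for s in scenarios]
    # AND: one scenario from every child, concatenated
    return [tuple(step for part in combo for step in part) for combo in product(*per_child)]


def build_example_tree() -> Node:
    """Hypothetical tree: compromise the confidentiality of IoT sensor data."""
    eavesdrop = Node("Eavesdrop on wireless link", "AND", [
        Node("Capture traffic", p=0.9, cost=100),
        Node("Obtain link key", p=0.3, cost=2000,
             defence=Node("Mutually authenticated TLS 1.3", p=0.95)),
    ])
    cloud = Node("Compromise cloud API", "AND", [
        Node("Obtain valid credentials", "OR", [
            Node("Phish operator", p=0.4, cost=500),
            Node("Exploit default credentials", p=0.6, cost=50),
        ]),
        Node("Exfiltrate via API", p=0.95, cost=100),
    ])
    physical = Node("Extract data from device", "AND", [
        Node("Gain physical access", p=0.2, cost=1000),
        Node("Dump flash", p=0.8, cost=300,
             defence=Node("Flash encrypted with key in secure element", p=0.9)),
    ])
    return Node("Compromise confidentiality of IoT sensor data", "OR",
                [eavesdrop, cloud, physical])


if __name__ == "__main__":
    root = build_example_tree()
    print(f"P(success) without defences: {success_probability(root, False):.3f}")
    print(f"P(success) with defences:    {success_probability(root):.3f}")
    print(f"Cheapest attack cost:        {min_attack_cost(root):.0f}")
    for s in attack_scenarios(root):
        print("  scenario:", " -> ".join(s))
```

For the constructed values the script reports an overall success probability of about 0.83 without the two countermeasures and about 0.73 with them, a cheapest attack of 150 units via the default-credential path, and four attack scenarios. That the defences barely move the overall figure while leaving the cheapest path untouched is exactly the prioritisation signal the text describes: the cloud-API branch, not the wireless link or the device, is where a design modification is needed.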
The threat modelling frameworks discussed, including the AT, ADT and quantitative ADT approaches, contribute to the security analysis of dependable systems in general, including IoT systems. Some of the studies that have used the AT framework and its extensions to evaluate IoT security vulnerabilities are found in [
29,
95,
96]. In general, across the safety and security domains, the classic analysis frameworks share one or more limitations: they are manual, state-based and static, time-consuming, prone to error, and lack reusability, which makes them a less than viable option for the analysis of IoT-based systems [
16,
42,
44]. In security analysis, these approaches only provide static analysis based primarily on the Boolean 'AND' and 'OR' conditions. Dynamic conditions, such as dependencies between attacks, the ordering of attack steps, and the conditional characteristics of complex security environments, are not yet captured. Additionally, unlike FTA, in which the failure probability of a basic component event can be obtained from its design specification, security quantification depends on subjective expert opinion. Furthermore, the threat modelling frameworks discussed are manual and informal, and thus inherently deficient: the manual process is cumbersome and subject to human error. Accordingly, computerised model-based approaches are needed to describe the behaviour of the system and its attack patterns so that fully or semi-automatic frameworks can be developed. Efforts in this direction are ongoing in academia and in industry. However, an integrated approach that brings new constructs to the coanalysis of safety and security in the IoT environment is yet to be established.
4.3. Unified Safety and Security Analysis Frameworks
Several studies have been conducted and frameworks proposed for safety and security coanalysis. Notably, safety and security interactions were evaluated using the Boolean logic-driven Markov process (BDMP) formalism through case studies of a hypothetical pipeline control system and an emergency lock door [
17]. The study demonstrated conflicting interactions between safety and security properties. However, the approach over-simplified these complex dependability interactions: the emergency door case study, while a good illustration of a safety/security conflict, only considers physical security rather than the cyber-security properties of the system. For IoT systems, which have both physical components and cyber elements, thorough analysis of both is essential.
Furthermore, a unified framework called the attack fault tree (AFT) was proposed in [
17]. The approach unifies safety and security properties by combining the traditional reliability formalism of fault tree analysis with the security formalism of attack tree analysis. Its observed limitations are its manual nature and the fact that it gives only a qualitative analysis. Similarly, Kumar et al. [
19] developed qualitative and quantitative analysis of the AFT using stochastic model-checking techniques. Nonetheless, no new construct was created to handle complex interactions, and the quantitative analysis covered only a few aspects of the cyber-security properties; for instance, a critical analysis of the CIA properties alongside the reliability of the component parts was not achieved. Similarly, an attack–defence tree framework was developed for the risk quantification of IoT-based smart-grid systems [
94]. The framework modelled the system and computed the proposed risk attributes by propagating them through the tree nodes. While the study captured security strategies for risk minimisation, it could be extended to evaluate the safety attributes of the same IoT-based safety-critical system, which has yet to be done.
A noncoherent fault tree approach was proposed for safety and security coanalysis [
97]. The authors considered stochastic safety events, such as random component failures and human error, alongside intentional cyber-security events. As with coherent FTA, the approach models and quantifies top events, and the authors used binary decision diagrams (BDD) to validate it. Nevertheless, the interactions and interdependencies between the two properties still need to be analysed adequately to determine the system's dependability accurately. Similarly, attempts have been made to integrate cyber attacks within fault trees [
61,
91,
98]. These works qualitatively integrated attack trees into pre-existing FTA structures, thereby extending the framework to consider potential intentional attacks. In [
98], the authors introduced the concept of the macro-attack tree, allowing a multi-layered view of the attack process. The integration followed conventional FTA methods, and the probability of the top event was computed when one or more events were the outcomes of malicious attacks. However, the framework did not comprehensively address the quantitative analysis of the unification, and no new constructs were developed to evaluate the interactions between the properties. Similarly, the component fault tree approach was developed for security and safety coanalysis [
99]. The authors extended classical FTA, focusing on system components and reusability to analyse safety and security qualitatively; an extension of their work to quantify the system's dependability has yet to be achieved. Another related work was presented recently by Stoelinga et al. [
51], which discussed the significant challenges in unifying safety and security properties, including the complex interaction between the two, the lack of practical algorithms to compute system-level risk metrics, and the lack of proper risk quantification methods. A comparison of widely used manual approaches for safety and security analysis is summarised in
Table 1. In the table, QL and QT denote qualitative and quantitative, respectively. The approaches were compared in terms of their expressiveness of analysis, their capacity to evaluate qualitative and quantitative safety and security parameters, and their major weaknesses in adaptation to the IoT dependability analysis.
4.4. Model-Based Safety and Security Analysis Frameworks
As part of the development of model-based systems engineering (MBSE), several approaches have been developed for modelling systems' safety and security properties using domain-specific models or general models with domain-specific profiles. MBSE approaches are more formal, computer-based system design and verification approaches, used to model both the functional and non-functional properties of systems [
39]. Various studies have been conducted using MBSE to develop methodologies for the analysis of performance [
36,
37], safety [
39,
40,
41,
42], reliability [
40,
42], and security properties [
43,
44,
45]. In model-driven development, classical analysable models such as fault trees, attack trees and Petri nets are generated automatically or semi-automatically by software. These tools derive the artefacts from detailed models of the system's static structure and dynamic behaviour, built with the constructs of existing modelling languages, and then transform or map the modelled system into safety and security analysis models. MBSE approaches can thus be used to manage a system's complexity and to perform formalised, structured and rigorous design evaluations. Exploiting the richness of MBSE methodologies, various studies have automated the generation of analysable safety and security artefacts such as FT, component FT and Petri nets. Notably, studies [
101,
102,
103,
104,
105] used UML diagrams, namely activity, class, sequence and use-case diagrams (AD, CD, SD, UCD), to automate FMEA, FT and GSPN generation. The methodologies were evaluated using automotive, control system and generic case studies. Closely related to the UML-based methodologies, SysML has been used in both the safety and security domains. For instance, refs. [
33,
39,
40,
41,
42] used SysML block definition, internal block, activity and state-machine diagrams (BDD, IBD, AD, SMD) to develop FT and FMEA safety analysis frameworks, evaluated on embedded and generic system case studies. On the security side, an attack tree was generated from SysML BDD, IBD and SMD for industrial control case studies by [
35].
Furthermore, refs. [
34,
36,
45] developed FT and FMEA generation using AADL for the safety analysis of aircraft digital systems. In another study by [
43], AADL was used to automate attack tree generation for the evaluation of a patient-controlled analgesia pump. HiP-HOPS was used by [
41,
42,
45] to automate FT, Pandora FT and DFT frameworks and to evaluate the safety of automotive and embedded systems. Lastly, research by [
44] used Digital Dependability Identities [
106] for offline security analysis, generating an attack tree via HiP-HOPS; the approach was evaluated on a web-based medical application. Notably, the MBSE approaches address some of the limitations of informal system modelling, such as the lack of reusability, time consumption and human error. However, the existing semi-automated dependability assessment approaches for IoT environments are still in their infancy and focus mainly on the qualitative and independent analysis of safety and security properties. Furthermore, some MBDA approaches concentrate on the physical security properties of the system design, and several studies oversimplify the interactions between the safety and cyber-security properties of IoT systems. To the best of our knowledge, no existing MBSE approach has delivered a viable safety and security assessment methodology that adequately captures cyber-security, safety quantification and the coanalysis of the two on a robust IoT case study. We therefore consider the existing work to be of limited use for assessment in modern, dynamic and evolving system design processes such as those found in IoT environments. A comparison of notable MBSE approaches for safety and security analysis is summarised in
Table 2. The approaches were compared in terms of the analysable artefacts generated, the expressiveness to evaluate qualitative and quantitative safety and security parameters, the case studies applied, and their major weaknesses in the coanalysis of the two properties.
4.5. Related Work
Researchers have conducted notable surveys on safety and security analysis frameworks across many domains. Some surveys were based on individual safety or security analysis approaches; few considered their coanalysis. Regarding IoT safety, a recent and comprehensive survey was conducted by ** a more viable and trustworthy safety and security coanalysis in the IoT domain. Thus, it will provide remarkable opportunities for automation and integration with design models to simplify the analysis of IoT systems’ complex safety and security-critical requirements. The intended approach will further support reusability, reduce human error, increase robustness to perform complex dependability analysis unambiguously, and support the heterogeneity of IoT systems’ designs. Consequently, efforts to explore the features of these MBDA techniques to develop a safety and security coanalysis framework will be worthwhile.
6. Final Remarks
Given the widespread use of IoT systems in private and public domains, it is evident that the safety and security of IoT systems must be given appropriate consideration to avoid catastrophic consequences. Safety and security, as the NFPs of dependable IoT systems, are traditionally treated by different communities, each focusing on different problems, methodologies, causes and consequences. However, unlike in traditional mechatronic systems, this separation is less viable in the IoT domain because of the complex interactions and interdependencies between the safety and security properties. Although research on the unified treatment of the safety and security of IoT systems is in its infancy, some modest contributions investigating these complex interactions are under way in other domains.
The survey has shown that most existing safety and security analysis frameworks are centred on classical manual approaches that evaluate the two properties independently. These approaches carry the inherent limitations of informal system modelling, such as human error, time consumption and a lack of support for reusability. The existing model-based safety and security approaches, on the other hand, have been based on limited scenarios and likewise assess safety and security independently. Furthermore, the existing studies have yet to adequately address the safety/security interdependencies, the cyber-security properties, quantification, and the coanalysis of safety and security for IoT applications. These limitations make the existing approaches less viable for a useful assessment of the safety and security requirements of dynamic, iterative system design processes such as those found in IoT environments. These under-explored gaps present a viable research opportunity in the design of safety and security analysis frameworks.
In our future roadmap to address some of these identified gaps, we intend to explore modelling language methodologies to develop a software-based analysis framework for the robust safety and security requirements of IoT systems. We will rely on the studied functionalities of UML/SysML, such as internal block, activity and state-machine diagrams, to model the static and behavioural patterns of complex IoT case studies. Additionally, three domain-specific profiles, DAM, MARTE and DICE, will help to annotate failure and security parameters such as faults, errors, hazards and their probabilities of occurrence. These profiles provide rich stereotypes and tag values, which are the extension mechanisms used to model the desired system features. With further refinement, therefore, these profiles can support annotations leading to new constructs for modelling and quantifying the safety and security coanalysis of the IoT environment. This will contribute to developing a more viable and trustworthy safety and security coanalysis in the IoT domain.