Abstract
Many safety and security co-analysis methods have been proposed to assure the safety of critical systems, including autonomous systems. One example of safety and security co-analysis approach is Systems-Theoretic Process Analysis (STPA) plus STPA-Sec. When using STPA combined with STPA-Sec, the security analysis is performed as part of the causal factor analysis, which is after the safety risk analysis. Few studies have questioned whether such an approach can be improved and how to improve it. In our study, we tried to answer two research questions (RQs): RQ1) Could we improve STPA-Sec by complementing it with threat modeling approaches? RQ2) Could we find more safety risks if we perform security analysis before safety analysis? We performed safety and security co-analysis of an autonomous boat to answer these research questions. Results of the study show that performing security analysis before safety analysis identifies more safety risks than the other way around. To be combined with STPA-Sec, threat modeling based on the data flow diagram outperforms other threat modeling approaches we evaluated.