SafeSecRETS: A Safety and Security Requirements Tool for Critical IoT Systems

  • Ernesto Fonseca Veiga UFG
  • Taciana Novo Kudo UFG
  • Renato de Freitas Bulcão-Neto UFG

Abstract

[Context] Assuring safety and security from the earliest stages of development is essential, particularly for critical systems. Addressing these requirements in complex and heterogeneous systems such as those based on the Internet of Things (IoT) is challenging, however: such systems often operate in dynamic and diverse environments, where unmitigated vulnerabilities can lead to severe consequences. [Objective] This paper presents SafeSecRETS, a tool supporting safety and security Requirements Engineering (RE) for critical IoT systems. [Method] The tool features a collaborative pipeline combining strategic, canvas-based IoT project planning with an extended Systems-Theoretic Process Analysis (STPA) method covering both safety and security. [Results] SafeSecRETS assists requirements engineers, domain experts, and other stakeholders in collaboratively defining project scope and in eliciting, analyzing, and specifying system requirements. Its interconnected visual components guide users through this process, keeping project information, the people involved, and the resulting decisions linked to one another. A case study on an automated insulin delivery system illustrates the tool's applicability and presents its structured and integrated approach to the requirements engineering of safer and more secure critical IoT systems. SafeSecRETS demo video: https://zenodo.org/records/17000378

Keywords: Planning, Analysis, Safety, Security, IoT, Requirements, Traceability

Published
22/09/2025
VEIGA, Ernesto Fonseca; KUDO, Taciana Novo; BULCÃO-NETO, Renato de Freitas. SafeSecRETS: A Safety and Security Requirements Tool for Critical IoT Systems. In: SIMPÓSIO BRASILEIRO DE ENGENHARIA DE SOFTWARE (SBES), 39., 2025, Recife/PE. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 865-871. ISSN 2833-0633. DOI: https://doi.org/10.5753/sbes.2025.10843.