In recent years, safety-critical infrastructures (CI) become widely adopted as part of digital transformation. These involve using computing systems, networks, and robotics to form the backbone of a nation’s economy. Technologies such as industrial control systems, embedded systems, IoT systems, artificial intelligence (AI), and cyber-physical systems (CPS) etc., emerged to improve performance, eficiency and users satisfaction. Protecting CI’s ecosystem against potential attacks is crucial as most legacy systems and infrastructures integrate emerging technologies while maintaining their original design and characteristics. For example, traditional infrastructures/systems (i.e. vehicles, homes, doors) that integrates advanced technology to operate as CPS (i.e. autonomous vehicles, smart-homes, smart-doors/locks) are visible everywhere. However, the threat analysis approach used for the legacy systems is still adopted for the CI (i.e. CPS), even though the threat environments, as well as the attacker’s knowledge about the new technology’s operations, difers [ 1, 2 ] (i.e. legacy assets are designed as single entity, while CI consists of diferent (sub)systems that can sometimes run concurrency).

One such approach for threat analysis methods is the attack trees [ 3 ], a popular approach used for threats [ 4 ], and risk analysis for diferent kinds of assets [ 5, 6, 7 ]. Using this formalism, varying ways an asset may be compromised are modelled as a tree. The root of the tree is the attack target, it is further broken down (decomposed) into smaller units that are easier to solve, known as internal nodes (sometimes referred to as sub-goals). This process is repeated until the

(a) Steal a car while parked, 1 Figure 1: A simple example of how to steal a car at diferent threat environments 1 and 2 (b) Steal a car while moving, 2 sub-goal(s) can no longer be broken down, and a set of leaf nodes is reached. The leaf nodes represent an atomic action that an attacker can execute to initiate an attack. Over the past years, attempts has been made to extend attack trees to analyse diferent kinds of assets and attack scenarios. Some of these extensions includes attack-defence trees, attack countermeasures, sequential and parallel attack trees, attack protection trees [ 5, 6, 8, 9, 10 ] etc. However, modern asset’s operations (e.g. autonomous vehicles) heavily depend on interacting with physical surrounding. For example, an autonomous vehicle can interact with the surrounding objects (i.e. cars, infrastructures, trafic signs) to perform diferent activities ranging from avoiding collision, energy synchronisation, and identifying danger. Even though these objects are not an integral part of the vehicle, they can be used as an attack vector to launch dangerous attacks such as DoS, message falsification attack, message spoofing [ 11, 12 ] etc.

Problem statements. An attack tree is a tree-based formalism inspired by fault trees [ 13 ], and they are used to model (mostly static) threats. On the other hand, assets nowadays are hybrid [ 14 ], integrating the physical world to the digital world. This integration poses a great challenge when applying attack trees for the threat modelling. The threat environment is everchanging due to agents behaviour (e.g. interaction with (sub)systems that are public or/and less secure), and the vulnerability landscape is erratic due to infrastructure updates (e.g. interaction with other components to complete a task). If such assets are to be analysed using attack trees, the estimated annotations of the tree (e.g. nodes) needs to be updated regularly to reflect both behaviours. 2. Dynamic attack trees (, ℰ ) is a tree, where = {0} ∪ ∪ is the sets of nodes in the tree. 0 ∈ denotes its root, denotes set of internal nodes (sometimes refer to as sub-goals), and denotes set of leaf nodes. These sets of nodes are connected by a set of edges ℰ ⊆ × . Each node in the attack tree (except for leaf nodes) has a gate refinement. A gate indicates (the fashion) how a node can be achieved (compromised). The interpretation of this fashion is on a node at a level above the current node (parent node). Two of the widely used gates refinement are the and gates. The gate required that all the child nodes linked to a parent node must be compromised before the parent node is reached, while an gate can be reached if any of the child nodes can be compromised. Formally we associate gates to nodes by the mapping : {0} ∪ → { , }.

We assume a set = { 1, ..., } of external systems/objects from the physical environment (i.e. IoT devices, trafic signs etc.) can communicate with an asset (for example, when they are within proximity via sensors). Intuitively, the sets of nodes in an attack tree represents areas/components of an asset that a malicious user can compromise to attain a malicious goal, this set of objects can also serve as attack vector to any asset they can interact with. For example, fake trafic signs can be malicious to vehicles.

Example 1. Shown in Figure 1 (a) is a simple tree describing how to steal a car. This can be done by either obtain key or short-circuit. Now let us focus on obtain key sub-goal. It can be achieved through steal key or make copy. However, vehicles nowadays can be operated with external devices such as remote starter and mobile phones to unlock doors, and start the engine. 0, 1 are time points (explain later) that shows default tree and when an external device is added respectively.

Now, before we formulate how this new nodes can be added to the tree, we first assume that the threat environment of an asset can change due to agent(s) behaviour. Informally, a threat environment is a state of operation which exposed an asset to a (new) set of vulnerabilities and, these vulnerabilities can only be exploited while the asset remains in that state. For example, Figure 1 (a) shows how to steal a car while it is parked. A change in the threat environment e.g the car starts moving, an attacker can steal the car via other means i.e shown in Figure 1 (b).

Let ∆ = { 0, 1, ..., ℎ} be a set of (analysis) time points. We will use this set of time points to mark when a new vulnerability emerged in the asset (i.e. external device connect, disconnect). Definition 1. Let {0} ∪ be a root node and a set of internal nodes in an attack tree, be a set of external objects from the physical environment, and ∆ be a set of analysis time points. A connection between the nodes in the tree and external objects is given as a function mapping : ({0} ∪ ) × × R+ → {0, 1} and (, , ) = (, , ) for ≤ < +1, for 0 ≤ < ℎ, i.e. value of changes with time points from ∆ .

If (, , ) = 1, for simplicity we write ( ), interpreting as connection via an intermediate node ∈ of the tree with an external system ∈ and is the time point at which the connection occur. And if (, , ) = 0, we simply write to denote that the node (sub-goal) does not connect with any external system/object. In a case of ( ), the internal node is said to include as a child (leaf) node (an edge linking the sub-goal of the asset with external system/object). The attack tree in Figure 1 (a) shows some external devices which can connect to the sub-goal and be used as attack vectors.

Example 2. Let’s refer back to Figure 1 (a), the analysis time points 0 and 1 indicate when the external device(s) shown in dotted lines connects to the car. As such, become possible ways (when exploited) to reach the root node. At 0, there is no connected objects to the car. Definition 2. A dynamic attack tree is a tuple = (, 0, ℰ , , ∆ , Λ , ) where, is a set of potential nodes that always create a tree, 0 is a fixed root node that represents the attacker’s target, ℰ ⊆ × is a set of potential edges that linked the nodes, : {0} ∪ → { , } is a mapping that associate the root node and set of sub-goals with the gates refinement, ∆ is a set of analysis time points for the connections, Λ is a set of objects from the physical environment, and is a function such that for each time point ∈ ∆ and each device ∈ Λ , the sub-tree of (, ℰ ) consisting of 1. ) all the nodes ∈ such that (, , ) = 1 and, 2. ) all the leaves to which these are connected (together with the corresponding restriction of ℰ ) still forms a tree, 3. ) attack tree at time point will be denoted as a threat environment .

Example 3. Given a set of threat environment {1, 2..., }, notice that the attack paths in each threat environment difers. For instance, Obtain key or short-circuit are set of leaf nodes that represents atomic actions to steal a car while it is parked, these same vulnerabilities cannot be exploited in another threat environment (e.g moving).

Now, let be a set of attack actions, an attack actions are set of eforts that a malicious user can perform in order to compromise vulnerabilities. Let be a set of leaf nodes that represent vulnerabilities/attack paths. We define an attack as a function : ( × ∆) → ∪ { }, associating leaf nodes in the tree at a given (analysis) time point with a set of actions or Nil (when no action). An attack will not succeed if an attacker cannot complete executing the attack actions and the threat environment changed. Suppose an attacker fails to complete an attack process while the asset is at a particular threat environment (i.e. car parked), any change in the threat environment to +1 (i.e. car moving) means that, the attack process started at previous threat environment will be terminated since the vulnerabilities are no longer in existence at threat environment +1.

The Work in [ 15 ] introduced how attack trees can be translated into a network of parallel timed automata (TA), with each automaton representing a linear path from a leaf node to the root node. The sets of nodes in the tree represents a set of states in the timed automata, the root node represents a final state, the set of edges represents a set of transition relations, and the set of attack actions represents a set of events. There exists an integrated formal verification tool UPPAAL [ 16 ], that accepts a version of TA as its formal language. Using UPPAAL, we can check whether an attacker ℬ can reach the root node (in other words, whether the asset can be compromised) by the means of reachability checking in the TA. We can also perform other queries to see if the tree/attacker satisfies some properties such as; if an attacker ℬ will always/eventually reach the root node when the asset is at a particular threat environment or when some external device is connected. This attacker ℬ can also be modelled as a (separate) timed automaton. In our previous work [ 10 ], we demonstrated how attack trees can be translated into a network of parallel timed automata. Given a dynamic attack tree , a set of threat environment {1, ..., }, and an attacker ℬ. The root node of the tree is reachable by ℬ if corresponding TA plus timed automaton running with the attacker can reach the final location.

Conclusion and future work. The work described here is still in-progress, additional work is being conducted. An attack tree for a big and complex asset is usually very big; adding set of external objects that can be incorporated to the tree over time adds more complexity and number of states. In our next work, we will formally define, and extend dynamic attack trees translate that will include multiple threat environments. We will model (using UPPAAL) and analyse some working projects.