We introduce the Model-Based Safety & Security Analysis (MBSSA),
a method to derive and validate security requirements for
safety-critical systems. To this end, a set of architectural annotations
has been developed that allows the designer to abstractly specify
the security architecture of a system. On the one hand, this
specification can be used to guide a top-down development process by
providing design constraints for the implementation of the system.
On the other hand, it can be validated by an automatic fault and
attack injection analysis to assess the robustness of the design in the
sense that the safety impact of attacks and faults is sufficiently
mitigated by the safety and security concept.