The grid that keeps the lights on is not a single machine but a living choreography of devices, software, power lines, sensors, and people. It is resilient when it hums along through routine shifts and proactive protections, and it falters when a cascade of misconfigurations, failures, and clever intrusions sends it off balance. A new line of thinking from researchers at the University of Twente offers a way to reason about safety, security, and defense as one grand system rather than as separate silos. The team, led by Reza Soltani with colleagues Stefano M. Nicoletti, Milan Lopuhaä-Zwakenberg, and Mariëlle Stoelinga, proposes a logic-based framework called Attack-Fault-Defense Logic, or AFDL, along with a domain-specific language, LangAFDL, that allows domain experts to pose and answer complex questions about how attacks, failures, and defenses interact in cyber-physical systems.
Think of it as a more honest map for risk. Traditional fault trees chart how a system might fail due to component malfunctions, while attack trees chart how an adversary might break in. But real-world systems live where those two worlds collide: the moment a fault is exploited by a cyberattack, or a defensive shield dampens both a fault and an intrusion. Attack-Fault-Defense Trees, or AFDTs, aim to capture that intersection. The new paper expands this idea into AFDL, a logic that can handle not just what could happen, but under what combinations of attacks, faults, and defenses those happenings actually occur or are prevented. The result is a language that translates domain knowledge into precise questions a computer can answer, and a way to explore all the edges of risk without getting lost in the details.
The work is rooted in a broader push to bring formal reasoning into mission-critical design workflows. The grid, the space sector, and other cyber-physical systems require guarantees, not just best-effort protections. The authors emphasize that the same abstract logic can be extended to quantitative analyses—probabilities, costs, and other metrics—while staying anchored in the concrete realities of safety and security. The study grounds its ideas in two real-world case studies, Gridshield for smart grid resilience and Ground Segment as a Service (GSaaS) for satellite ground stations, to show how a single framework can illuminate weak links across very different systems.
In short, this is not a single new gadget but a new way of thinking about risk. The framework is rigorous enough to formalize complex questions, yet its companion language is designed to be approachable for engineers and analysts who live in the weeds of field deployments. The research bridges mathematics and boots-on-the-ground engineering, and it starts from a simple, stubborn conviction: in an age of increasingly interconnected systems, your risk story must include attackers, accidental faults, and the defenses that stand between them—and between a healthy grid and a dark outage.
Section 1
A central idea behind AFDTs is to stop pretending risk lives in neat, separate compartments. A fault tree isolates failures as the root cause of a top-level disruption, and an attack tree isolates how an adversary might reach the same disruption. But many events in modern systems are powered by both forces: a cyber intrusion can cause a hardware fault to cascade, or a defensive action might block multiple threats at once. AFDTs are designed to capture this triad—attacks, faults, and defenses—in a single, coherent diagram. The new framework takes that diagram and gives it a mathematical logic that reasoners can manipulate. This means you can ask questions like whether a particular cyberattack alone is enough to topple a system, or whether a defense that blocks one trick could also keep other, more mundane faults in check.
AFDL, the Attack-Fault-Defense Logic, is the formal backbone. It introduces a risk state vector that explicitly separates attacks, faults, and defenses. An attacker might select a subset of attack steps; a system fault might involve a subset of component failures; and a defense includes a set of protective measures. By keeping these as distinct pieces, AFDL can explore every corner case where a confluence of actions could or could not produce a system failure. This separation is not pedantic window-dressing. It reflects the real engineering separation of concerns: attackers decide to take a step; a component might fail; a defense activates. The logic then asks: under which combinations do we reach a top-level system disruption, and under which do defenses reliably block that path?
Crucially, the paper does not stop at qualitative conclusions. It defines three families of queries to probe AFDTs: Boolean Queries, which simply answer yes or no as to whether a condition holds in a given risk scenario; Quantification Queries, which explore whether a property holds across all, or at least one, risk configuration; and Satisfaction Set Queries, which hunt for minimal risk scenarios—the smallest sets of attacks, faults, and defenses that still lead to a given outcome. In other words, the framework is designed to surface the failure modes that matter most while avoiding the distraction of less relevant corner cases. The authors call these Minimal Risk Scenarios, and they are the high-leverage targets for risk mitigation: the points where a small adjustment in defense or a small improvement in fault tolerance can have outsized effects on resilience.
Section 2
To make this logic useful to practitioners, the team pairs AFDL with LangAFDL, a domain-specific language that translates real-world questions into precise, checkable templates. LangAFDL borrows the flavor of earlier fault-tree and attack-tree languages but is extended to handle the added complexity of defenses. The idea is to let a domain expert—an electrical engineer, a systems architect, or a cybersecurity analyst—express analytic goals in familiar terms, while the computer formalizes and traverses the space of possible risk configurations. No longer do analysts need to craft bespoke logical encodings from scratch; they can compose templates that capture what they care about and let the system do the heavy lifting of exploring all relevant scenarios.
LangAFDL is designed to be approachable without sacrificing rigor. It offers templates that support a spectrum of reasoning tasks: set evidence that a particular defense is active or not; specify an assumption about the status of several attack steps, component failures, or defenses; and request results such as all minimal risk scenarios that lead to a specified undesired state. There is even a mechanism, decorators, to apply a cluster of assumptions to a whole analysis without cluttering the main query. The result is a human-friendly way to specify what-if questions—such as what happens if a critical defense fails to activate and an insider attack occurs—while preserving the exactness needed for automated checks.
In practice, the LangAFDL language allows for both qualitative and, potentially, quantitative explorations. The authors point out that their framework could be extended to probability calculations or cost metrics, enabling a hybrid view where safety and security concerns are analyzed alongside risk, reliability, and resource tradeoffs. The qualitative core is already a powerful tool: it reframes the design problem as a structured negotiation among attackers, faults, and defenses, letting practitioners identify the precise combinations that cause trouble and those that reliably avert it.
Section 3
The paper grounds its ideas in two real-world case studies that help readers feel the stakes beyond abstraction. The first is Gridshield, a defense mechanism designed to keep the power grid stable while it accommodates charging electric vehicles. Gridshield sits in the critical path between a dynamic load-management system and the charging infrastructure that actually pulls power from the grid. It is a classic cyber-physical tension: commands travel from control centers to sensors and chargers, and a misstep anywhere along the chain can ripple outward. AFDTs are used to map out where the network could falter—either through a fault in sensors or through malicious manipulation of control messages—and, importantly, how defenses such as redundant messaging and secure channels interact with these paths. The Gridshield AFDT is used to show that large-scale attacks become unlikely without insider involvement, a nuanced reminder that resilience rests as much on human and organizational factors as on technical safeguards.
Beyond qualitative insights, Gridshield queries translated into LangAFDL demonstrate the practical power of the framework. Analysts can pose natural questions such as whether activating Gridshield alone is always enough to prevent a physical overload, or whether a certain type of attacker can drive the system to an undesired state unless a defense is actively engaged. The work shows that these questions can be answered in a way that reveals the exact minimal risk configurations. In short, the toolset helps engineers see not just what could go wrong, but what specific combinations of events would push the system over the edge and how robust their defenses are against those particular combinations.
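To make the three ideas above concrete (the risk state vector that separates attacks, faults and defenses; the Boolean, Quantification and Satisfaction Set query families; and LangAFDL-style evidence, assumption and decorator templates applied to Gridshield-like questions), here is an added, self-contained Python example. It is not the paper's code and not the authors' AFDL semantics: the Boolean wiring of the toy model, the node names, the decorator analogue and the ordering used to define "minimal" are all constructed here for illustration. Node names echo the article (sensor fault, manipulated control messages, secure channel, redundant messaging, Gridshield, insider), but how they connect is assumed.

```python
# Added example (not from the paper): a toy evaluator for an attack-fault-defense
# model with the three query families the article describes. The Boolean structure,
# node names, "minimal" ordering and decorator analogue are constructed here.
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, List, NamedTuple


class RiskState(NamedTuple):
    """Risk state vector: active attack steps, component failures, active defenses."""
    attacks: FrozenSet[str]
    faults: FrozenSet[str]
    defenses: FrozenSet[str]


# Constructed Gridshield-like model. Names follow the article; the wiring is assumed.
ATTACKS = ("manipulate_msgs", "insider")
FAULTS = ("sensor_fault",)
DEFENSES = ("secure_channel", "redundant_msgs", "gridshield")


def overload(s: RiskState) -> bool:
    """Top-level undesired event: physical overload of the charging infrastructure."""
    a, f, d = s
    insider = "insider" in a
    # A forged control message gets through if the channel is unprotected or an insider can sign it.
    forged_cmd = "manipulate_msgs" in a and ("secure_channel" not in d or insider)
    # Redundant messaging catches a lone forged copy, but an insider can forge every copy (assumed).
    forged_reaches_chargers = forged_cmd and ("redundant_msgs" not in d or insider)
    # A faulty sensor yields a wrong setpoint regardless of message protection.
    bad_setpoint = "sensor_fault" in f or forged_reaches_chargers
    # Gridshield is the last line of defense unless an insider disables it (assumed).
    return bad_setpoint and ("gridshield" not in d or insider)


def powerset(items: Iterable[str]) -> List[FrozenSet[str]]:
    elems = list(items)
    return [frozenset(c) for r in range(len(elems) + 1) for c in combinations(elems, r)]


# Every risk configuration: 4 attack subsets x 2 fault subsets x 8 defense subsets = 64 states.
ALL_STATES: List[RiskState] = [
    RiskState(a, f, d) for a in powerset(ATTACKS) for f in powerset(FAULTS) for d in powerset(DEFENSES)
]

Query = Callable[[RiskState], bool]


def boolean_query(prop: Query, state: RiskState) -> bool:
    """Boolean query: does prop hold in this one risk scenario?"""
    return prop(state)


def for_all(prop: Query, assumption: Query = lambda s: True) -> bool:
    """Quantification query: prop holds in every state satisfying the assumption."""
    return all(prop(s) for s in ALL_STATES if assumption(s))


def exists(prop: Query, assumption: Query = lambda s: True) -> bool:
    """Quantification query: prop holds in at least one state satisfying the assumption."""
    return any(prop(s) for s in ALL_STATES if assumption(s))


def less_risky(x: RiskState, y: RiskState) -> bool:
    """x is strictly less risky than y: no more attacks/faults, no fewer defenses (assumed order)."""
    return x.attacks <= y.attacks and x.faults <= y.faults and x.defenses >= y.defenses and x != y


def minimal_risk_scenarios(prop: Query) -> List[RiskState]:
    """Satisfaction-set query: states where prop holds and no strictly less risky state does."""
    sat = [s for s in ALL_STATES if prop(s)]
    return [s for s in sat if not any(less_risky(t, s) for t in sat)]


def with_assumption(assumption: Query):
    """Decorator-style template: fix a cluster of assumptions for a whole query
    (loose analogue of LangAFDL decorators, constructed here)."""
    def wrap(query):
        return lambda prop: query(prop, assumption)
    return wrap


def all_defenses_on(s: RiskState) -> bool:      # evidence: every defense is active
    return s.defenses == frozenset(DEFENSES)


def no_insider(s: RiskState) -> bool:           # assumption about an attack step
    return "insider" not in s.attacks


# Fix "all defenses are active" once, then ask several questions under it.
exists_with_full_defenses = with_assumption(all_defenses_on)(exists)


def gridshield_alone_suffices() -> bool:
    """Is activating Gridshield always enough to prevent overload?"""
    return for_all(lambda s: not overload(s), assumption=lambda s: "gridshield" in s.defenses)


def outsider_can_overload_fully_defended_grid() -> bool:
    """Can an attacker without insider access cause overload when every defense is active?"""
    return exists_with_full_defenses(lambda s: overload(s) and no_insider(s))


if __name__ == "__main__":
    print("Gridshield alone always prevents overload:", gridshield_alone_suffices())
    print("Outsider can overload fully defended grid:", outsider_can_overload_fully_defended_grid())
    for s in minimal_risk_scenarios(overload):
        print(" minimal:", sorted(s.attacks), sorted(s.faults), sorted(s.defenses))
```

In this constructed model the minimal risk scenarios for overload fall into four: a sensor fault while Gridshield is off, an insider plus a sensor fault with every defense active, an insider plus message manipulation with every defense active, and message manipulation alone only when all three defenses are absent. That last one is the toy counterpart of the article's observation that a large-scale attack on a defended grid needs insider involvement; the value of the query machinery is that such conclusions fall out of enumeration rather than intuition, and change automatically when the tree is edited.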
The second case study examines Ground Segment as a Service (GSaaS), a cloud-based model for satellite ground stations. In GSaaS, operators access ground-segment infrastructure on demand via cloud interfaces, trading traditional fixed hardware footprints for flexibility and cost savings. But cloud-first architectures introduce new fault and attack vectors: software supply chains, dependency scanning tools, insider threats, and human errors can all converge to compromise mission-critical operations. The AFDT lens lets analysts trace how a scheduling failure might emerge from tiny misalignments between a software update, a human decision, and a defense that could have disrupted the chain earlier but did not. The authors show that under certain conditions, even if several defenses are in place, certain human errors paired with particular attack steps might still cascade to trigger a faulty payload reception or a flight operation disruption. The GSaaS analysis underscores a sobering point: resilience is not just about locking doors but about ensuring that people and processes remain in sync with the system’s safeguards.
Section 4
What makes the AFDT and LangAFDL approach feel especially timely is not just the ability to talk about attacks and faults in the same breath, but the explicit incorporation of defenses into the risk calculus. The paper argues for a shift in how engineers design and validate critical systems: move from post hoc risk assessments to an integrated, model-based process that weaves safety, security, and defenses into the earliest design decisions. The language is deliberately approachable, but its promise is formidable: if you can describe the system, you can query it for resilience under a wide range of plausible worlds, including the ones you haven’t anticipated yet. And because the framework supports the idea of minimal risk configurations, it helps teams prioritize countermeasures where they matter most, rather than chasing every imaginable threat in an endless quest for perfect protection.
The work also carries a practical invitation to industry. The authors envision tool integration that could plug LangAFDL-driven analyses into design workflows, testing regimes, and certification processes for critical infrastructure. In a world where outages can cascade across power networks, aviation, and space operations, building such automated safety-security groundwork could become a standard part of how systems are engineered, evaluated, and trusted. The two case studies show that the framework scales from the grid to the cloud-based ground segment, suggesting a path toward broader adoption in any cyber-physical domain where defense in depth, human factors, and complex interdependencies collide.
Ultimately the paper is both a technical theorem about what is knowable and a practical manifesto about what engineers should demand from their tools. It asks not just whether a particular malicious action can compromise a system, but whether there exists a chain of events—an attack, a fault, and a defense configuration—that makes that outcome inevitable or avoidable. The answer, in short, is that there is a way to reason through the tangled web in a single, coherent framework, one that honors the complexity of real systems while giving practitioners a compass for hard design choices. The authors remind us that resilience is not a single feature but a conversation among those who build, defend, and operate the systems that keep our world running.
In the end, the study is a call for a more disciplined, more expressive way to think about risk. It places the university and its collaborators at the frontier of how we design safer, smarter infrastructures for the next era of cyber-physical power. The University of Twente and its partners are not merely cataloging vulnerabilities; they are offering a language and a method for making the decisions that ultimately determine whether lights stay on when the grid is stretched, or when a satellite mission depends on a complex chain of cloud services, software, and human judgment. It is a quiet revolution in how to talk about risk, and a tangible invitation to embed resilience at the core of engineering work rather than treating it as an afterthought.
As the authors note, the framework is ready to grow. The next steps involve weaving quantitative analyses into the already rich qualitative tapestry, and building tools that can bring LangAFDL from academic papers into everyday design rooms. If their vision takes shape, teams may soon be able to run structured, multi-domain risk analyses as a routine part of system development—an insurance policy with a brain, guiding engineers toward safer, more reliable futures for the grids, satellites, and networks that power modern life.
Universities, industries, and policy makers alike would do well to watch this space. The work from the University of Twente and Radboud University is not just a theoretical exercise; it offers a practical playground where theory meets real-world stakes. It asks a bold question: can we model safety, security, and defense in a single, navigable tree, and ask the right questions in a language that engineers actually use? The early answers suggest yes, and they could redefine how we design, test, and safeguard the technologies that modern civilization depends on.
Lead researchers and institution
The study comes from the University of Twente in the Netherlands, with lead authors Reza Soltani and Stefano M. Nicoletti, alongside Milan Lopuhaä-Zwakenberg and Mariëlle Stoelinga, representing a collaboration that also spans Radboud University. The work stands as a joint effort to merge safety, security, and defense into a single, actionable framework for cyber-physical systems.