Page 1:

Unifying Methods for DEPENDABILITY ANALYSIS of Networked Information Systems for Critical Infrastructures

Ester Ciancamerla, Michele Minichino
ENEA {ciancamerlae, minichino}@casaccia.enea.it

On behalf of SAFETUNNEL partners (CRF, Renault Trucks, TUV, TILAB, ENEA, Ben Gurion University) and Italian Universities (Piemonte Orientale, La Sapienza)

IP DeSIRE – November 25, 26, 27 - 2002 – Pisa - Italy

Page 2:

The starting view

• The SAFETUNNEL Project (IST-2000-28099, http://www.crfproject-eu.org/) is currently ongoing, with the main objective of reducing the number of accidents inside alpine single-tube road tunnels

– A preventive safety strategy is implemented by a SAFETUNNEL Demonstrator consisting of two Demonstrator Trucks, equipped with devices for diagnosis and tele-control, and a Tunnel Management Centre.

– The Demonstrator Trucks communicate with the Tunnel Management Centre over a public wireless telecommunication network (GSM/GPRS/UMTS).

– A technical analysis, with the limited aim of validating the Demonstrator's main functionalities

• Dependability analysis of digital embedded systems (e.g. for process control; the most recent: the ICARO gas turbine)

– Stochastic analysis (Fault Trees / Bayesian Nets / Stochastic Petri Nets)

– Functional analysis (model checking)

Page 3:

SAFE TUNNEL demonstrator

[Figure: the SAFETUNNEL demonstrator. Instrumented trucks (Rx/Tx) communicate over a wireless public network with the Tunnel Management Centre (Rx/Tx, LAN). Infrastructure: an alpine road tunnel, to be extended to the Italian transport highway.]

Page 4:

SAFE TUNNEL demonstrator

[Figure: an instrumented truck (Rx/Tx) linked over the wireless public network to the Tunnel Management Centre.]

Instrumented trucks: mobile nodes with embedded digital systems for prognostics, diagnostics and control

sensors:
• water temperature
• brake status
• speed
• distance

actuators:
• engine
• brakes

CAN bus interfaces

Page 5:

Safetunnel demonstrator

• A wireless, and moreover public, TLC network

• Complex interactions of layered subsystems
– Tunnel management centre
– Mobile nodes consisting of digital systems, sensors and actuators, interfaced through the CAN bus
– Tunnel infrastructure

• Poses unsolved problems of dependability analysis.
– The mobility of the nodes further complicates the analysis, because the network topology changes dynamically

Page 6:

SAFETUNNEL DEMONSTRATOR: a Networked Information System for a Critical Infrastructure (the tunnel)

• Networked Information Systems may include different layers of regulation, control and automation, and also the human operators (the drivers and the tunnel operators).

– This reflects the technological push to migrate telecommunication network architectures from proprietary protocols towards standardised and open protocols (from GSM to UMTS),

• making NIS even more vulnerable to external attacks

• Critical Infrastructure degradation can entail severe consequences for security, public health, safety or the economy (the fire tragedy inside the Monte Bianco tunnel).

Page 7:

Issues to be considered for NIS dependability analysis

• The novelty and complexity of Networked Information Systems make their development methodologies essentially heuristic, suffering from the lack of a systematic approach

• Regulation, control and automation relying on NIS, especially when based on a public wireless technology, is a boundless field, still basically unexplored.

Page 8:

Issues to be considered for NIS dependability analysis

• The possibility of accidental internal events (including transient faults, design errors and operator errors) cannot be excluded, because of the strong interdependence of NIS components/subsystems/systems

• adaptive reconfiguration of NIS components/subsystems/systems in response to events and surroundings;

• systems belonging to a NIS are often spread across vast distances, heterogeneous, and highly interactive; each system may have hierarchical layers and may be distributed at each layer.

• NIS are not born all at once; they usually grow over the years.

• subject to attacks (security issues are recognised and on the research agenda),

• but "Nature", causing unintentional physical and logical faults, may be more inventive than man

• The additional cost of making a Networked Information System dependable could be comparable to the cost of providing its basic functionalities

Page 9:

Logical faults and fault tolerance aimed at physical faults

– Logical faults are embedded in a NIS; they stay dormant until activated by a combination of inputs/usage or by an internal state of the system, causing an error

– Errors may persist in the system for a considerable period and could cause a burst of failures

– An error located in one part of a system may propagate (spread) to other parts

The increasing logical complexity and interdependency of networks makes them more prone and vulnerable to logical faults

Fault tolerance, aimed at physical faults:
− Transport layer
− Control layer

Page 10:

Fault tolerance (at transport layer)

• Redundant computing and/or storage capacity in the network nodes; the synchronisation between replicas incurs little or no delay; dedicated systems. They are vulnerable to environmental failures such as fire

• Service replicas in several network nodes; off-the-shelf components; dependability tailorable to the application requirements. Management of groups of objects and of the communication between them is required.

Page 11:

Fault tolerance (at control layer)

• Protection switching: fault tolerance of the transport service between two nodes, by establishing a dedicated spare path;

• Reconfiguration: a centralised management of the network reconfigures the routing through the network when a network failure occurs.

• Self-healing: distributed control, with no dedicated pre-reserved transmission capacity

• Multi-layer fault handling

Page 12:

NIS dependability analysis – a General Procedure

– to derive a Conceptual Model that captures in a single framework all the dependability facets of a NIS, by using an appropriate case study (i.e. the SAFETUNNEL Demonstrator) (from one side)

– trying to unify stochastic and functional analysis so that the same model could feed
• a stochastic analyser for performance evaluation
• a functional analyser for model checking
(from the opposite side)

– with the aim of reducing the gap between:
• the required modelling power and the actual modelling power of current tools for dependability analysis
• design tools and evaluation tools

Page 13:

Conceptual model

– refine existing design models in order to enable effective dependability analysis.

– help in deriving the NIS scope and operational concept, and explain how NIS functions are allocated to systems/subsystems/components,

– who is at risk from the NIS, and how the environment might be affected by NIS internal events,

– which are the chains of cause and effect of failures/intrusions of the NIS, and its recovery behaviour.

Page 14:

Dependability modelling and analysis

Dependability modelling and analysis, even at the layer of digital embedded systems, is currently dominated by two main lines:

– functional analysis, based on the description of the system in terms of discrete/continuous state automata (whose goal is to ascertain conformity and reachability properties);

– stochastic analysis (whose aim is to provide performance and dependability measures).

Page 15:

Modelling dilemmas

There are two main dilemmas:

– stochastic versus timed;

– discrete versus continuous (or hybrid).

Page 16:

Stochastic models

In stochastic models the timing of events is represented by means of random variables.

Typical fields of application:
– Performance evaluation
– Dependability analysis

The obtainable measures are mean values and distributions.

Page 17:

Stochastic models

• explore the possibility of defining a chain of models of increasing semantic complexity:

– from combinatorial models (e.g. Fault Trees)
– to models with localised dependencies (e.g. dynamic FTs or Bayesian Networks)
– to models based on the state space (Markov models and Petri nets).

• provide automatic translation algorithms for converting a model into a model of higher semantic complexity

Page 18:

Timed models

In timed models the timing of events is represented by constant values or by (non-deterministic) intervals.

Typical fields of application:
– Real-time and time-critical systems
– Safety-critical systems

The obtainable results are reachability properties, established by computer-aided verification via model checking.

Page 19:

Discrete versus Hybrid models

In discrete models the state space is discrete.

The dynamic evolution of the system in time is represented as a sequence of transitions among discrete states.

Hybrid models contain discrete as well as continuous variables in the same model.

Typical examples are discrete controllers that control continuous variables.
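As an added example (not the presentation's or the project's own code) of such a controller: a constructed two-mode engine controller acting on the truck's coolant temperature (a sensor and an actuator of the demonstrator), analysed by bounded interval reachability over a whole range of ambient temperatures at once. The dynamics, thresholds and values are assumptions.

```python
"""Hybrid model: a discrete two-mode engine controller over the continuous coolant
temperature of a truck, analysed by bounded interval reachability for every ambient
temperature in a range. Added, constructed example: dynamics, thresholds and
values are assumptions, not SAFETUNNEL data."""

HEAT = {"full": 2.0, "derated": 0.5}   # heating (deg C/s) produced in each engine mode
COOL = 0.02                             # cooling coefficient (1/s) towards ambient
T_LO, T_HI = 85.0, 95.0                 # controller hysteresis thresholds (deg C)
T_MAX = 105.0                           # limit that must never be reached
H = 1.0                                 # discretisation step (s)


def controller(mode, T, derate=True):
    """Discrete part: switch engine mode on the sampled temperature."""
    if not derate:
        return "full"
    if mode == "full" and T >= T_HI:
        return "derated"
    if mode == "derated" and T <= T_LO:
        return "full"
    return mode


def flow(mode, lo, hi, amb):
    """Continuous part on an interval [lo, hi] of temperatures and [a_lo, a_hi] of
    ambient: one Euler step of dT/dt = HEAT[mode] - COOL*(T - T_amb). The update is
    monotone in T (COOL*H < 1) and in T_amb, so endpoints map to endpoints."""
    a_lo, a_hi = amb
    f = lambda T, A: T + H * (HEAT[mode] - COOL * (T - A))
    return f(lo, a_lo), f(hi, a_hi)


def split(lo, hi):
    """Cut an interval at the thresholds: inside a piece the controller decision can
    differ only at an endpoint, and both endpoint decisions are kept by reach()."""
    pts = [lo] + [c for c in (T_LO, T_HI) if lo < c < hi] + [hi]
    return [(pts[i], pts[i + 1]) for i in range(len(pts) - 1)]


def reach(T0, amb, steps, derate=True):
    """Bounded reachability: over-approximating set of (mode, lo, hi) boxes after each
    step, one hull per mode. Returns the highest temperature reached and the boxes."""
    boxes = {("full", T0, T0)}
    worst = T0
    for _ in range(steps):
        hull = {}
        for mode, lo, hi in boxes:
            lo, hi = flow(mode, lo, hi, amb)
            worst = max(worst, hi)
            for plo, phi in split(lo, hi):
                for m in {controller(mode, plo, derate), controller(mode, phi, derate)}:
                    cur = hull.get(m, (plo, phi))
                    hull[m] = (min(cur[0], plo), max(cur[1], phi))
        boxes = {(m, lo, hi) for m, (lo, hi) in hull.items()}
    return worst, boxes


def never_overheats(T0=80.0, amb=(20.0, 40.0), steps=600, derate=True):
    """Safety property checked by reachability: T < T_MAX for every ambient in `amb`
    and every trajectory of the hybrid model within `steps` seconds."""
    worst, _ = reach(T0, amb, steps, derate)
    return worst < T_MAX, worst


if __name__ == "__main__":
    print("with derating   :", never_overheats())
    print("without derating:", never_overheats(derate=False))
```

The interval boxes make one run cover all ambient temperatures in the range, which is what separates a reachability analysis from a simulation; with derating disabled the same analysis finds the overheating, so the property is checked against the controller, not assumed.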

Page 20:

The unified heterogeneous model

A unified view of formal methods and stochastic methods, able to combine in the same framework:
- stochastic and deterministic timing;
- discrete and continuous (hybrid) variables;

and used to feed:
- a functional analyser for model checking;
- a stochastic analyser for performance evaluation.
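As an added example (not the presentation's or the project's own code) of one model feeding both analysers: a constructed truck-side link watchdog is described once, by a `step` function that takes the environment's choice of link status as an input. The functional analyser enumerates both choices (the non-deterministic interval of the timed view) and checks reachability properties; the stochastic analyser weights the same choices with per-tick probabilities and computes transient and steady-state measures. The watchdog limit W, the counter range and the probabilities are assumptions.

```python
"""One discrete model of a truck-side link watchdog, fed to both a functional
analyser (exhaustive reachability over non-deterministic link behaviour) and a
stochastic analyser (the same transitions weighted as a discrete-time Markov chain).

Added, constructed example; the watchdog, W and the per-tick probabilities are
assumptions, not SAFETUNNEL design data."""
from collections import deque

W = 3                          # missed heartbeats (ticks) before the truck enters safe mode
INITIAL = ("normal", 0, 1)     # (mode, consecutive missed heartbeats, link up?)


def step(state, link_next, threshold=W):
    """The model: one tick, given the environment's choice of link status (1 = up).
    `threshold` is the watchdog limit; the missed counter saturates at W."""
    mode, missed, _ = state
    missed = 0 if link_next else min(W, missed + 1)
    if mode == "normal" and missed >= threshold:
        mode = "safe"          # stop obeying remote commands, drive in limp mode
    elif mode == "safe" and missed == 0:
        mode = "normal"        # heartbeat back: resume tele-control
    return (mode, missed, link_next)


# ---- functional analyser: link timing is a non-deterministic interval -------
def reachable(threshold=W):
    seen, queue = {INITIAL}, deque([INITIAL])
    while queue:
        s = queue.popleft()
        for link_next in (0, 1):                # both choices are always possible
            t = step(s, link_next, threshold)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def check_invariant(threshold=W):
    """AG(missed >= W -> mode == safe): returns (holds, counterexample states)."""
    bad = sorted(s for s in reachable(threshold) if s[1] >= W and s[0] != "safe")
    return not bad, bad


def check_bounded_response(threshold=W, bound=W):
    """AG(link down for `bound` consecutive ticks -> mode == safe), checked by
    following the all-down path of length `bound` from every reachable state."""
    for s in sorted(reachable(threshold)):
        t = s
        for _ in range(bound):
            t = step(t, 0, threshold)
        if t[0] != "safe":
            return False, s                     # counterexample: where the path starts
    return True, None


# ---- stochastic analyser: the same transitions as a DTMC ---------------------
def transition_matrix(p_fail, p_repair):
    """Weight the environment's two choices with per-tick fail/repair probabilities."""
    states = sorted(reachable())
    idx = {s: i for i, s in enumerate(states)}
    P = [[0.0] * len(states) for _ in states]
    for s in states:
        p_up = 1.0 - p_fail if s[2] else p_repair
        for link_next, p in ((1, p_up), (0, 1.0 - p_up)):
            P[idx[s]][idx[step(s, link_next)]] += p
    return states, P


def _mul(v, P):
    return [sum(v[i] * P[i][j] for i in range(len(P))) for j in range(len(P))]


def prob_safe_at(p_fail, p_repair, k):
    """Transient measure: probability that the truck is in safe mode at tick k."""
    states, P = transition_matrix(p_fail, p_repair)
    v = [1.0 if s == INITIAL else 0.0 for s in states]
    for _ in range(k):
        v = _mul(v, P)
    return sum(v[i] for i, s in enumerate(states) if s[0] == "safe")


def exposure(p_fail, p_repair, tol=1e-13):
    """Steady-state measure: long-run fraction of ticks with the link down while the
    truck still accepts remote commands (the window the watchdog cannot close)."""
    states, P = transition_matrix(p_fail, p_repair)
    v = [1.0 / len(states)] * len(states)
    for _ in range(100000):                     # power iteration; chain is aperiodic
        w = _mul(v, P)
        if max(abs(a - b) for a, b in zip(v, w)) < tol:
            break
        v = w
    return sum(v[i] for i, s in enumerate(states) if s[2] == 0 and s[0] == "normal")
```

Calling `check_bounded_response(threshold=W + 1)` shows what the functional side is for: with the counter saturating at W, a threshold one above it can never be reached, and the exhaustive search returns the state the failing path starts from. The stochastic side answers a different question about the same transitions, namely how often the unclosed window occurs for given link statistics.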

Page 21:

Final goal

A complete modelling coverage, moving from the top down through the abstraction layers of a NIS, made of a Conceptual Model which feeds a set of Heterogeneous Models

The aim is

to partially overcome the inadequacy of the modelling power of current tools with respect to the modelling power required for NIS dependability analysis,

and to reduce the gap between current design and evaluation tools

Page 22:

Moreover

• To try to include the cognitive approach, so as to minimise errors due to operator behaviour (i.e. the drivers and the tunnel operators)

• To implement a pilot version of computerised tools to partially support the proposed methodology for unified heterogeneous modelling

• To set up appropriate experiments on the Case Study (i.e. the SAFETUNNEL Demonstrator), so that experimental data can be gathered and used as evidence for partially validating the models.