Post on 31-Mar-2015
Model Checking for Survivability Evaluation of Critical Infrastructures
Boudewijn R. Haverkort, University of Twente
Dutch Model Checking Day, May 9, 2014
Survivability evaluation of critical infrastructures
Contents
• Critical infrastructures
• Survivability
• A sewage cleaning facility example
• Discussion
(C) BRH
What are critical infrastructures?
• No formal “final” definition; however, every country maintains a list of what it considers its critical infrastructures (CIs)
• In NL: 11 CIs have been identified, among them the water, gas and electricity networks
Critical infrastructures are becoming more critical!
• Cascading failures in/between infrastructures
• Heavy reliance on integrated ICT (SCADA), which is never fault-free and susceptible to attacks
(newspaper clipping: Metro, May 7, 2014)
Questions & Challenges
• How to predict the effects of attacks or failures?
• On the critical infrastructures themselves? On their users? Economically?
• What are the changes upon occurrence?
• Is there suitable measurement data available?
• Are there models available?
• How could such models help?
What is survivability?
• Widely studied in the literature, in many different application fields
• “The ability of a system to recover predefined service levels in a timely manner after the occurrence of a disaster”
– System ability: system boundaries to be defined
– Predefined levels of service: to be defined by the user
– Timely manner: user requirement (politics)
– Disaster: any severe disturbance (from component failure to heavy rain or a hurricane)
GOOD vs. ROOD models
• GOOD: Given Occurrence Of Disaster
• ROOD: Random Occurrence Of Disaster
• GOOD models start with a disaster, hence there is no need to model the “failure process” or the “disaster probability”
• GOOD models avoid:
– estimating rare-event disaster probabilities
– estimating attack success probabilities
– stiffness in model evaluations
Modelling challenges
• What should be put into the models?
– Physical processes (continuous)
– ICT processes (discrete)
– Randomness and/or non-determinism
– Policy decisions
– …
• How do you want to evaluate your models?
– Analytically (fast but limited), e.g. via model checking
– Simulation (slower, but more general; hidden complications)
Stochastic hybrid models
Three recent approaches
• Electricity: combines behavioral decomposition and a Markovian recovery process with measurement data to evaluate “expected energy not supplied, per hour”
• Gas: combines behavioral decomposition and a non-Markovian recovery process with fluid dynamic models to evaluate the “time to recovery distribution”
• Water: integrated model, combining limited stochastic events with fluid-flow models to evaluate time-dependent survivability probabilities
• All models are GOOD
Water infrastructure
• Water provisioning is a legal task of water companies: fines for non-delivery!
• Sewage cleaning is important for society
• Very large-scale plants (large volumes/space)
• Heavy use of SCADA networks and a “limited” cyber-security culture
• Highly vulnerable to “events”
Sewage cleaning facility in Enschede
(map of Enschede locating the plant; landmarks shown: FC Twente, Twente kanaal, University of Twente)
Severe flooding during heavy rain
(slide image)
What are the chances of this not happening?
Obtained the plant information…
Made the models as HPnG (Hybrid Petri Net with General One-Shot Transitions)
(HPnG model of the plant; annotated elements: deterministic failure time a of pump Tz, random repair time, the place “street”)
What do we want to know?
• The street should remain clean after the occurrence of a pump failure, and the pump should be repaired quickly
• Prob{ “street clean” until “pump repaired”, within “30 hours after the failure” }
• In Stochastic Time Logic (STL): Prob{ (P0 = 0) Until[a, a+30] (Pr = 1) }, where (P0 = 0) is the safety condition (street clean), (Pr = 1) the recovery condition (pump repaired), and [a, a+30] the window of 30 hours after the failure at time a
• Fully automated analytical approach for model checking STL on HPnG
and computed results…
Remarks
• HPnG analysis is done independently of the distribution of the random event
• The distribution of the random event is brought in afterwards, via deconditioning: very fast
• Initially limited to one random event only
• Extension developed (FORMATS 2014), but exponential in the number of random events
• Simple tool support available: https://code.google.com/p/fluid-survival-tool/
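The deconditioning step on this slide, and the time-bounded until property Prob{ (P0 = 0) Until[a, a+30] (Pr = 1) } from the "What do we want to know?" slide, as an added worked example. This is not code from the talk, the Enschede case study or the fluid-survival-tool: it is a deliberately small stand-in for the HPnG, with one buffer whose overflow reaches the "street", a pump that fails at a given (deterministic) time a, and one random repair duration s with a general distribution. All parameter values, the `Plant` type and the function names are constructed for illustration.

```python
"""GOOD-style survivability of a pump station, computed by deconditioning.

Added example; not code from the talk, the Enschede case study or the
fluid-survival-tool. With the repair duration s fixed, the model is purely
deterministic, so the set of s for which the STL property holds can be found
without any distribution; the repair-time distribution is integrated over
that set afterwards (deconditioning). All figures are constructed.
"""
import random
from dataclasses import dataclass
from math import exp
from typing import Callable, Tuple


@dataclass(frozen=True)
class Plant:
    capacity: float          # buffer volume before water reaches the street (m^3)
    level_at_failure: float  # buffer content when the pump fails (m^3)
    inflow: float            # net inflow while the pump is down (m^3/h)
    failure_time: float      # deterministic failure time a (h): the given disaster
    horizon: float           # time bound of the until-formula (h), 30 in the talk


# Constructed parameters: the buffer overflows 20 h after the failure.
PLANT = Plant(capacity=600.0, level_at_failure=100.0, inflow=25.0,
              failure_time=2.0, horizon=30.0)


def time_to_overflow(p: Plant) -> float:
    """Hours after the failure until the buffer overflows onto the street."""
    return (p.capacity - p.level_at_failure) / p.inflow


def holds_for_repair_time(p: Plant, s: float) -> bool:
    """Truth of (P0 = 0) Until[a, a+H] (Pr = 1) once the repair duration s is fixed.

    The buffer level rises linearly from the failure at a; the street
    (place P0) stays at 0 until the buffer overflows; the pump is repaired
    (Pr = 1) at time a + s.
    """
    if s < 0:
        raise ValueError("repair duration must be non-negative")
    repaired_at = p.failure_time + s
    overflow_at = p.failure_time + time_to_overflow(p)
    in_window = p.failure_time <= repaired_at <= p.failure_time + p.horizon
    street_clean_until_repair = repaired_at <= overflow_at
    return in_window and street_clean_until_repair


def satisfying_region(p: Plant) -> Tuple[float, float]:
    """Set of repair durations s for which the formula holds, derived without
    any distribution: the interval [0, min(H, time to overflow)]. This plays
    the role of the HPnG region analysis in the slides."""
    return (0.0, min(p.horizon, time_to_overflow(p)))


def decondition(region: Tuple[float, float],
                cdf: Callable[[float], float]) -> float:
    """Bring the repair-time distribution in afterwards: integrate the
    indicator of the region against the density, i.e. F(hi) - F(lo)."""
    lo, hi = region
    return cdf(hi) - cdf(lo)


def survivability(p: Plant, cdf: Callable[[float], float]) -> float:
    """Prob{ (P0 = 0) Until[a, a+H] (Pr = 1) } for a repair time with CDF cdf."""
    return decondition(satisfying_region(p), cdf)


def exponential_cdf(rate: float) -> Callable[[float], float]:
    return lambda s: 1.0 - exp(-rate * s) if s > 0 else 0.0


def uniform_cdf(lo: float, hi: float) -> Callable[[float], float]:
    return lambda s: min(1.0, max(0.0, (s - lo) / (hi - lo)))


def monte_carlo(p: Plant, sample_repair: Callable[[random.Random], float],
                n: int = 20000, seed: int = 1) -> float:
    """Cross-check of the deconditioning step by simulation: sample s,
    evaluate the deterministic predicate, and average the hits."""
    rng = random.Random(seed)
    hits = sum(holds_for_repair_time(p, sample_repair(rng)) for _ in range(n))
    return hits / n


if __name__ == "__main__":
    print("satisfying region (h):", satisfying_region(PLANT))
    print("repair ~ Exp(mean 10 h):", survivability(PLANT, exponential_cdf(0.1)),
          "MC:", monte_carlo(PLANT, lambda r: r.expovariate(0.1)))
    print("repair ~ U(0, 40 h):", survivability(PLANT, uniform_cdf(0.0, 40.0)),
          "MC:", monte_carlo(PLANT, lambda r: r.uniform(0.0, 40.0)))
```

The region [0, 20] is computed once; swapping the exponential repair time for a uniform one only changes the final CDF evaluation, which is why the slide calls the deconditioning step very fast. The failure time a never enters the probability, as expected of a GOOD model: the disaster is given, so no failure process is modelled.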
To wrap-up
• Introduced:
– critical infrastructures
– the notion of survivability and GOOD models
• Survivability is exactly what policy makers or utility companies want to know about
• Advocated the use of model checking for survivability evaluations (time-bounded until)
• Illustrated it for a sewage cleaning facility
Literature
• B.R. Haverkort et al., “Survivability Evaluation of Gas, Water and Electricity Infrastructures”, Proceedings of Practical Applications of Stochastic Modeling, May 13, 2014, Newcastle (forthcoming in Electronic Notes in Theoretical Computer Science); features over 60 references!
• H. Ghasemieh, A.K.I. Remke, B.R. Haverkort, “Survivability evaluation of fluid critical infrastructures using hybrid Petri nets”, Proceedings of the 19th IEEE Pacific Rim International Symposium on Dependable Computing 2013, Vancouver, Canada. IEEE Computer Society.
• H. Ghasemieh, A.K.I. Remke, B.R. Haverkort, “Analysis of a sewage treatment facility using hybrid Petri nets”, Proceedings of the 7th International Conference on Performance Evaluation Methodologies and Tools (ACM VALUETOOLS 2013), Torino, Italy.
• H. Ghasemieh, A.K.I. Remke, B.R. Haverkort, M. Gribaudo, “Region-Based Analysis of Hybrid Petri Nets with a Single General One-Shot Transition”, 10th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS 2012), London, UK, pp. 139-154. Lecture Notes in Computer Science 7595.
• L. Cloth, B.R. Haverkort, “Model Checking for Survivability”, Proc. QEST 2005, pp. 145-154. IEEE Computer Society, 2005.