Unifying Methods for Dependability Analysis of Networked Information Systems for Critical Infrastructures
Ester Ciancamerla, Michele Minichino
ENEA
{ciancamerlae, minichino}@casaccia.enea.it
On behalf of SAFETUNNEL partners (CRF, Renault Trucks, TUV, TILAB, ENEA, Ben Gurion University) and Italian Universities (Piemonte Orientale, La Sapienza)
IP DeSIRE – November 25, 26, 27 - 2002 – Pisa - Italy
The starting view
• The SAFETUNNEL Project (IST - 2000 - 28099 - http://www.crfprojecteu.org/) is currently ongoing, with the main objective of reducing the number of accidents inside alpine single-tube road tunnels.
– A preventive safety strategy is implemented by a SAFETUNNEL Demonstrator consisting of two Demonstrator Trucks, equipped with devices for diagnosis and telecontrol, and a Tunnel Management Centre.
– The Demonstrator Trucks communicate with the Tunnel Management Centre over a public wireless telecommunication network (GSM/GPRS/UMTS).
– A technical analysis with the limited aim of validating the Demonstrator's main functionalities.
• Dependability analysis of digital embedded systems (i.e. for process control; the latest: the ICARO gas turbine)
– Stochastic analysis (Fault Trees/Bayesian Nets/Stochastic Petri Nets)
– Functional analysis (Model checking)
SAFE TUNNEL demonstrator
[Architecture diagram: Tunnel Management Centre (LAN, Rx/Tx) – Wireless Public Network – Instrumented Trucks (Rx/Tx). Infrastructure: alpine road tunnel (to be extended to the Italian transport highway).]
SAFE TUNNEL demonstrator
[Diagram: Tunnel Management Centre – Wireless Public Network – Rx/Tx – Instrumented Truck]
Instrumented trucks: mobile nodes with embedded digital systems for prognostics, diagnostics and control
– sensors: water temperature, brake status, speed, distance
– actuators: engine, brakes
– CAN bus interfaces
Safetunnel demonstrator
• Wireless, and even public, telecommunication network
• Complex interactions of layered subsystems
– Tunnel management centre
– Mobile nodes constituted by digital systems, sensors and actuators, interfaced via CAN bus
– Tunnel infrastructure
• Poses unsolved problems of dependability analysis.
– The mobility of nodes further complicates the analysis, because the network topology is dynamically changing
SAFETUNNEL DEMONSTRATOR: a Networked Information System for a Critical Infrastructure (the tunnel)
• Networked Information Systems (NIS) could include different layers of regulation, control and automation, and also the human operators (the drivers and the tunnel operators).
– It reflects the technological push to migrate telecommunication network architectures from proprietary protocols towards standardised and open protocols (from GSM to UMTS),
• making NIS even more vulnerable to external attacks.
• Critical Infrastructure degradation can entail severe consequences for security, public health, safety or the economy (the fire tragedy inside the Monte Bianco tunnel).
Issues to be considered for NIS dependability analysis
• The novelty and the complexity of Networked Information Systems make their development methodologies essentially heuristic, suffering from the lack of a systematic approach.
• Regulation, control and automation relying on NIS, especially when based on a public wireless technology, is a boundless field, still basically unexplored.
Issues to be considered for NIS Dependability analysis
• The possibility of accidental internal events (including transient faults, design and operator errors) cannot be excluded, because of the strong interdependence of NIS components/subsystems/systems;
• adaptive reconfiguration of NIS components/subsystems/systems to events and surroundings;
• systems belonging to a NIS are often spread across vast distances, heterogeneous, and highly interactive; each system may have hierarchical layers and may be distributed at each layer;
• NIS are not born at once, but usually grow up over the years;
• subject to attacks (security issues are recognised and put on the research agenda),
• but "Nature", causing unintentional physical and logical faults, may be more inventive than man;
• The additional cost of making a Networked Information System dependable could be similar to the cost of providing its basic functionalities.
Logical faults and fault tolerance aimed at physical faults
The increasing logical complexity and interdependency of networks makes them more prone and vulnerable to logical faults.
– Logical faults are embedded into a NIS; they stay dormant until they are activated by a combination of input/use or internal state of the system to cause an error.
– Errors may persist in the system for a considerable period and could cause a burst of failures.
– One error located in one part of a system may propagate (spread) to other parts.
Fault tolerance, aimed at physical faults:
– Transport layer
– Control layer
Fault tolerance (at transport layer)
• Redundant computing and/or storage capacity in the network nodes; the synchronisation between replicas incurs little or no delay; dedicated systems. They are vulnerable to environmental failures such as fire.
• Service replicas in several network nodes; off-the-shelf components; dependability tailorable to the application requirement. Management of groups of objects and of the communication between them is required.
Fault tolerance (at control layer)
• Protection switching: fault tolerance of the transport service between two nodes by establishing a dedicated spare path;
• Reconfiguration by a centralised management of the network, which reconfigures the routing through the network when a network failure occurs;
• Self healing: distributed control with no dedicated pre-reserved transmission capability;
• Multi-layer fault handling.
NIS dependability analysis
– a General Procedure to derive a Conceptual Model to capture into a single framework all dependability facets of NIS, by using an appropriate case study (i.e. the SAFETUNNEL Demonstrator) (from one side);
– trying to unify the stochastic and functional analysis so that the same model could feed
• a stochastic analyser for performance evaluation
• a functional analyser for model checking
(from the opposite side);
– with the aim of reducing the gap between:
• the required modelling power and the actual modelling power of current tools for dependability analysis
• design and evaluation tools
Conceptual model
• refine existing design models in order to enable effective dependability analysis;
• help in deriving the NIS scope and operational concept, and explain how NIS functions are allocated to systems/subsystems/components;
• who is at risk from the NIS, and how the environment might be affected by NIS internal events;
• which are the chains of cause and effect of failures/intrusions of the NIS, and its recovery behaviour.
Dependability modelling and analysis
Dependability modelling and analysis, even at the layer of digital embedded systems, is currently dominated by two main lines:
• functional analysis, based on the description of the system in terms of discrete/continuous state automata (whose goal is to ascertain conformity and reachability properties);
• stochastic analysis (whose aim is to provide performance and dependability measures).
Modelling dilemmas
There are two main dilemmas:
• stochastic versus timed;
• discrete versus continuous (or hybrid).
Stochastic models
In stochastic models the timing of events is represented by means of random variables.
Typical fields of application:
• Performance evaluation
• Dependability analysis
The obtainable measures are mean values and distributions.
Stochastic models
• explore the possibility of defining a chain of models of increasing semantic complexity:
– from combinatorial models (e.g. Fault Trees)
– to models with localised dependencies (e.g. dynamic FT or Bayesian Networks)
– to models based on the state space (Markov models and Petri nets).
• provide automatic translation algorithms for converting one model into a model of higher semantic complexity
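The first step of that chain, the translation of a fault tree into a Bayesian network, as an added example (not code from the SAFETUNNEL project or from the authors): a small constructed fault tree for the truck-to-centre telecontrol link is mapped onto a Bayesian network whose gate nodes carry deterministic CPTs, and the same network then answers both the forward question the fault tree already answers (top-event probability) and a diagnostic one it cannot (which component most likely failed, given that the link is lost). The event names and unreliabilities are constructed for illustration.

```python
from itertools import product

# Constructed basic events (unreliability at mission time) for a SAFETUNNEL-like
# truck-to-centre telecontrol link; the values are illustrative, not project data.
BASIC = {
    "gsm_link": 0.05,       # public wireless network outage
    "truck_radio_a": 0.01,  # on-board radio unit A
    "truck_radio_b": 0.01,  # redundant on-board radio unit B
    "tmc_lan": 0.002,       # tunnel management centre LAN
}
# Fault tree as {gate: (type, inputs)}, parents before children; top event "link_lost".
TREE = {
    "truck_radio": ("AND", ["truck_radio_a", "truck_radio_b"]),
    "link_lost": ("OR", ["gsm_link", "truck_radio", "tmc_lan"]),
}

def fault_tree_to_bn(basic, tree):
    """Map a fault tree onto a Bayesian network: each basic event becomes a
    root node with a prior, each gate a node with a deterministic CPT."""
    bn = {e: {"parents": [], "p": lambda vals, q=q: q} for e, q in basic.items()}
    for gate, (kind, inputs) in tree.items():
        op = any if kind == "OR" else all
        bn[gate] = {"parents": inputs, "p": lambda vals, op=op: float(op(vals))}
    return bn

def joint_worlds(bn):
    """Enumerate every assignment of the root nodes, propagate gate values
    and yield (assignment, probability of that world)."""
    roots = [n for n, d in bn.items() if not d["parents"]]
    gates = [n for n, d in bn.items() if d["parents"]]
    for bits in product([False, True], repeat=len(roots)):
        world = dict(zip(roots, bits))
        prob = 1.0
        for r in roots:
            q = bn[r]["p"]([])
            prob *= q if world[r] else 1.0 - q
        for g in gates:  # parents precede children, so inputs are already set
            world[g] = bn[g]["p"]([world[x] for x in bn[g]["parents"]]) == 1.0
        yield world, prob

def query(bn, target, evidence=None):
    """P(target | evidence) by enumeration: the forward top-event probability
    and the diagnostic posterior of a component use the same call."""
    evidence = evidence or {}
    num = den = 0.0
    for world, prob in joint_worlds(bn):
        if all(world[k] == v for k, v in evidence.items()):
            den += prob
            num += prob if world[target] else 0.0
    return num / den

BN = fault_tree_to_bn(BASIC, TREE)
```

Calling `query(BN, "link_lost")` reproduces the combinatorial fault-tree result, while `query(BN, "gsm_link", {"link_lost": True})` ranks the public network as the most likely cause of a lost link, which is the kind of diagnostic inference the richer model buys.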
Timed Models
In timed models the timing of events is represented by constant values or (non-deterministic) intervals.
Typical fields of application:
• Real time and time critical systems
• Safety critical systems
The obtainable measures are reachability properties and computer aided verification via model checking.
Discrete versus Hybrid Models
In discrete models the state space is discrete. The dynamic evolution of the system in time is represented as a sequence of transitions among discrete states.
Hybrid models contain discrete as well as continuous variables in the same model. Typical examples are discrete controllers that control continuous variables.
The unified heterogeneous model
A unified view between formal methods and stochastic methods, able to combine, in the same framework:
- stochastic and deterministic timing;
- discrete and continuous (hybrid) variables
and used to feed:
- a functional analyser for model checking
- a stochastic analyser for performance evaluation.
Final goal
• A complete modelling coverage, moving from top to bottom across the abstraction layers of NIS, made of a Conceptual Model which feeds a set of Heterogeneous Models
• The aim is to partially overcome the inadequacy of the modelling power of current tools with respect to the modelling power required for NIS dependability analysis, and to reduce the gap between current design and evaluation tools
Moreover
• To try to include the cognitive approach, to try to minimise errors due to the operators' behaviour (i.e. the drivers and the tunnel operators)
• To implement a pilot version of computerised tools to partially support the proposed methodology for the unified heterogeneous modelling
• To set up appropriate experiments on the Case Study (i.e. the SAFETUNNEL Demonstrator), so that experimental data could be gathered and used as evidence for partially validating the models.