Model Checking for Survivability Evaluation Critical Infrastructures Boudewijn R. Haverkort University of Twente Dutch Model Checking Day May 9, 2014.


1 Model Checking for Survivability Evaluation Critical Infrastructures Boudewijn R. Haverkort University of Twente Dutch Model Checking Day May 9, 2014

2 Recent joint work! Alberto Avritzer Laura Carnevali Hamed Ghasemieh Lucia Happe Boudewijn Haverkort Anne Koziolek Daniel Menasche Anne Remke Sahra Sedigh Sarvestani Enrico Vicario (C) BRH Survivability evaluation of critical infrastructures 2

3 Contents: Critical infrastructures; Survivability; A sewage cleaning facility example; Discussion

4 What are critical infrastructures? No formal final definition; however, every country maintains a list of what are considered the country's CIs. In NL: 11 CIs have been identified, among them the water, gas, and electricity networks.

5 Critical infrastructures are becoming more critical! Cascading failures in/between infrastructures. Heavy reliance on integrated ICT (SCADA), which is never fault-free and susceptible to attacks. (Newspaper clipping: Metro, May 7, 2014)

6 (Figure from Jeremy Bradley, Imperial College, 2014)

7 (Figure from Jeremy Bradley, Imperial College, 2014)

8 (figure only, no caption)

9 (Figure from Jeremy Bradley, Imperial College, 2014)

10 Questions & Challenges: How to predict the effects of attacks or failures? On the critical infrastructures themselves, for their users? Economically? What are the changes upon occurrence? Is there suitable measurement data available? Are there models available? How could such models help?

11 What is survivability? Widely studied in the literature, in many different application fields: the ability of a system to recover predefined service levels in a timely manner after the occurrence of a disaster. – System ability: system boundaries to be defined – Predefined levels of service: to be defined by the user – Timely manner: user requirement (politics) – Disaster: any severe disturbance (from component failure to heavy rain or a hurricane)

12 GOOD vs. ROOD models. GOOD: Given Occurrence Of Disaster. ROOD: Random Occurrence Of Disaster. GOOD models start with a disaster; hence there is no need to model the failure process or the disaster probability. GOOD models avoid: – estimating rare-event disaster probabilities – estimating attack success probabilities – stiffness in model evaluations

13 Modelling challenges. What should be put into the models? – Physical processes (continuous) – ICT processes (discrete) – Randomness and/or non-determinism – Policy decisions – … → stochastic hybrid models. How do you want to evaluate your models? – Analytically (fast but limited) → model checking – Simulation (slower, but more general, with hidden complications)

14 Three recent approaches. Electricity: combines behavioral decomposition and a Markovian recovery process with measurement data to evaluate expected energy not supplied, per hour. Gas: combines behavioral decomposition and a non-Markovian recovery process with fluid dynamic models to evaluate the time-to-recovery distribution. Water: integrated model, combining limited stochastic events with fluid-flow models to evaluate time-dependent survivability probabilities. All models are GOOD.

15 Electricity: Approach. Recovery process known as FDIR: failure detection, isolation and recovery. Interest in transient analysis of time to recovery, after an injected disaster (GOOD). Assumptions: – All times exponentially distributed – Known discrete state distribution at the disaster occurrence instant – Aggregation of states → simple models

16 Electricity: System sketch

17 Phased FDIR model

18 Energy not supplied/hour. Use ENS/h as the reward rate in a Markov-reward analysis: compute the expected cumulative reward until time t (using uniformization). Information from measurements on a feeder line failure in Virginia, USA.
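As an added illustration of the Markov-reward computation named on this slide (this is not code from the slides or from the authors' tooling), the following Python script builds a small three-phase FDIR chain, uses ENS/h as the reward rate of each state and computes the expected cumulative ENS up to time t by uniformization. The state structure, the transition rates and the reward values are constructed assumptions, not the Virginia measurement data; the GOOD viewpoint shows up as the initial distribution, which puts all probability on the "disaster just happened" state.

```python
import math

# Added example, not from the slides. A three-phase FDIR recovery process as a CTMC,
# with ENS/h as the reward rate of each state; the expected cumulative ENS up to
# time t is computed by uniformization. All numbers are constructed, not measured.

# States: 0 = fault present, not yet isolated
#         1 = fault isolated, partial supply restored
#         2 = service fully recovered (absorbing)
REWARD_ENS_PER_H = [10.0, 3.0, 0.0]   # MWh not supplied per hour, per state (assumed)

# Generator matrix Q in 1/h: isolation completes at rate 2.0, repair at rate 0.5 (assumed).
Q = [
    [-2.0,  2.0, 0.0],
    [ 0.0, -0.5, 0.5],
    [ 0.0,  0.0, 0.0],
]

# GOOD model: the disaster has just occurred, so all probability mass sits in state 0.
PI_AT_DISASTER = [1.0, 0.0, 0.0]


def uniformize(q):
    """Uniformization: Lambda = max exit rate, P = I + Q / Lambda is a DTMC."""
    n = len(q)
    lam = max(-q[i][i] for i in range(n))
    p = [[(1.0 if i == j else 0.0) + q[i][j] / lam for j in range(n)] for i in range(n)]
    return lam, p


def vec_times_mat(v, m):
    """Row vector times square matrix."""
    n = len(m)
    return [sum(v[i] * m[i][j] for i in range(n)) for j in range(n)]


def expected_cumulative_reward(q, pi0, reward, t, tol=1e-12):
    """E[ int_0^t r(X(s)) ds ] via uniformization.

    With N(s) ~ Poisson(Lambda*s): pi(s) = sum_k P{N(s)=k} * pi0 P^k, and
    int_0^t P{N(s)=k} ds = (1 - P{N(t)<=k}) / Lambda, so
    E[Y(t)] = sum_k (1 - P{N(t)<=k}) / Lambda * (pi0 P^k . r).
    """
    lam, p = uniformize(q)
    if lam == 0.0:  # no transitions at all: reward accumulates linearly
        return t * sum(pi0[i] * reward[i] for i in range(len(pi0)))
    lt = lam * t
    pois_k = math.exp(-lt)   # P{N(t) = k} for k = 0 (moderate Lambda*t assumed)
    cdf_k = pois_k           # P{N(t) <= k}
    vec = list(pi0)          # pi0 P^k
    total = 0.0
    k = 0
    # Beyond the Poisson mode the remaining mass 1 - cdf_k shrinks quickly; the hard
    # cap guards against an endless loop if rounding keeps cdf_k just below 1.
    hard_cap = lt + 40.0 * math.sqrt(lt) + 40.0
    while True:
        weight = (1.0 - cdf_k) / lam
        total += weight * sum(vec[i] * reward[i] for i in range(len(vec)))
        if k > lt and ((1.0 - cdf_k) < tol or k > hard_cap):
            return total
        k += 1
        pois_k *= lt / k
        cdf_k += pois_k
        vec = vec_times_mat(vec, p)


def expected_ens(t_hours):
    """Expected energy not supplied (MWh) accumulated in the first t hours after the disaster."""
    return expected_cumulative_reward(Q, PI_AT_DISASTER, REWARD_ENS_PER_H, t_hours)


if __name__ == "__main__":
    for t in (1.0, 4.0, 12.0, 24.0):
        print(f"t = {t:5.1f} h   E[cumulative ENS] = {expected_ens(t):8.3f} MWh")
```

For this chain the limit as t grows is 10/2 + 3/0.5 = 11 MWh (mean sojourn time in each phase times its ENS rate), which is a quick sanity check on any uniformization implementation; the same routine works for any finite CTMC with a per-state reward rate, including a phased FDIR model with a known state distribution at the disaster instant in place of PI_AT_DISASTER.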

19 E[ENS/h] at time t

20 Gas. From vertical to horizontal companies: gas network operators, no sales, etc. (as for electricity), just transport & storage of gas. A gas network deals with flow rates, volumes and pressure. In steady state (fixed load and no failures): well-known fluid dynamic equations. Randomness comes in after the occurrence of disasters (GOOD), in the failure management and recovery process. FMRP described in UML and as a stochastic/timed Petri net.

21 Failure management and recovery process

22 Approach. Study one particular failure (disaster) occurrence: failure of one pipe. Follow the steps of the FMRP (in which the state residence times might be non-exponential). In each state of the FMRP: solve the fluid dynamic equations → gives rewards and settlement times. Analyze the stochastic process with rewards and settlement times. Compute: Prob{node not served, t time units after disaster}.

23 Gas: Example Network (figure labels: valve opens; FMRP steps)

24 Per-station results

25 Global results on FMRP

26 Water infrastructure. Water provisioning is a legal task of water companies → fines for non-delivery! Sewage cleaning is important for society. Very large-scale plants (large volumes/space). Heavy use of SCADA networks and limited cyber-security culture. Highly vulnerable to events.

27 Sewage cleaning facility in Enschede (map labels: FC Twente; Twente kanaal; University of Twente)

28 Severe flooding at heavy rain. What are the chances of this not happening?

29 Obtained the plant information…

30 Made the models as HPnG (figure labels: deterministic failure time (a) of pump; Tz; random repair time; street). HPnG: Hybrid Petri Net with General One-Shot Transitions.

31 What do we want to know? The street should remain clean after the occurrence of a pump failure, and the pump should be repaired quickly: Prob{ street clean until pump repaired within 30 hours after failure }. In Stochastic Time Logic: Prob{ (P_0 = 0) Until^[a, a+30] (P_r = 1) }, where (P_0 = 0) is the safety condition, [a, a+30] is the window within 30 hours after the failure, and (P_r = 1) is the recovery condition. Fully automated analytical approach for model checking STL on HPnG.

32 …and computed results…

33 Remarks. HPnG analysis is done independently from the distribution of the random event. The distribution of the random event is brought in afterwards, via deconditioning → very fast. Initially limited to one random event only. Extension developed (FORMATS 2014), but exponential in #random events. Simple tool support available: https://code.google.com/p/fluid-survival-tool/
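As an added example for slides 31 and 33 (it is not the HPnG model from the slides nor code from the fluid-survival-tool), the Python script below reproduces the two-step method on a one-tank abstraction of the plant: first the deterministic fluid dynamics are analysed with the random repair time R kept symbolic, which yields the largest r for which (P_0 = 0) Until^[a, a+30] (P_r = 1) holds; then the result is deconditioned by evaluating the CDF of R at that r, so the same HPnG-style analysis serves any repair-time distribution. Inflow, pump rate, buffer capacity, initial level and the failure time a are all constructed assumptions.

```python
import math

# Added example, not the authors' HPnG model. One buffer tank fed by sewage at a
# constant rate and emptied by one pump; when the buffer is full, sewage spills onto
# the street (the "street" fluid place becomes non-empty). All values constructed.
INFLOW = 100.0      # m^3/h of sewage arriving (assumed constant)
PUMP_RATE = 120.0   # m^3/h removed while the pump works
CAPACITY = 3000.0   # m^3 buffer before the street floods
LEVEL_AT_0 = 500.0  # m^3 in the buffer at time 0
A = 10.0            # deterministic pump failure time in h (the 'a' of the STL formula)
BOUND = 30.0        # recovery must happen within 30 h after the failure


def level_at_failure(level0, inflow, pump_rate, a, capacity):
    """Buffer content at time a: linear drift (pump_rate - inflow), clipped to [0, capacity]."""
    level = level0 - (pump_rate - inflow) * a
    return min(capacity, max(0.0, level))


def max_satisfying_repair_time(level0=LEVEL_AT_0, inflow=INFLOW, pump_rate=PUMP_RATE,
                               capacity=CAPACITY, a=A, bound=BOUND):
    """Step 1 (distribution-free HPnG analysis): the largest r such that the property
    (P_0 = 0) Until^[a, a+bound] (P_r = 1) holds when the pump is repaired r hours
    after failing.  Because the street stays dry exactly until the buffer overflows,
    the satisfying set is the interval [0, min(bound, time_to_overflow)].  Returns 0.0
    when the street is already flooded at the failure instant (no r can satisfy it).
    """
    level_a = level_at_failure(level0, inflow, pump_rate, a, capacity)
    if level_a >= capacity:
        return 0.0                      # overflow happened before/at the failure
    if inflow <= 0.0:
        return bound                    # buffer never fills; only the time bound matters
    time_to_overflow = (capacity - level_a) / inflow   # hours after the failure
    return min(bound, time_to_overflow)


def decondition(cdf, r_max):
    """Step 2: Prob{property} = Prob{R <= r_max} = F_R(r_max)."""
    if r_max <= 0.0:
        return 0.0
    return cdf(r_max)


def exponential_cdf(mean_hours):
    """CDF of an exponentially distributed repair time."""
    return lambda x: 1.0 - math.exp(-x / mean_hours)


def uniform_cdf(lo, hi):
    """CDF of a repair time uniformly distributed on [lo, hi] hours."""
    return lambda x: min(1.0, max(0.0, (x - lo) / (hi - lo)))


def probability_street_clean_until_repaired(cdf):
    """Prob{ (P_0 = 0) Until^[a, a+30] (P_r = 1) } for the constructed plant parameters."""
    return decondition(cdf, max_satisfying_repair_time())


if __name__ == "__main__":
    r_max = max_satisfying_repair_time()
    print(f"property holds iff repair time <= {r_max:.1f} h after the failure")
    print(f"P(exp. repair, mean 12 h) = {probability_street_clean_until_repaired(exponential_cdf(12.0)):.4f}")
    print(f"P(uniform repair 5..40 h)  = {probability_street_clean_until_repaired(uniform_cdf(5.0, 40.0)):.4f}")
```

Swapping the repair-time distribution only changes the last step, which is why the slide calls deconditioning "very fast"; with more than one random event the satisfying set becomes a region in several dimensions and the integration grows accordingly, matching the exponential cost noted above.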

34 To wrap up. Introduced: – critical infrastructures – notion of survivability and GOOD models. Survivability is exactly what policy makers or utility companies want to know about. Advocated the use of model checking for survivability evaluations (time-bounded until). Illustrated it for a sewage cleaning facility.

35 Literature
B.R. Haverkort et al. Survivability Evaluation of Gas, Water and Electricity Infrastructures. Proceedings Practical Applications of Stochastic Modeling, May 13, 2014, Newcastle (forthcoming in Electronic Notes in Theoretical Computer Science); features over 60 references!
H. Ghasemieh, A.K.I. Remke, B.R. Haverkort. Survivability evaluation of fluid critical infrastructures using hybrid Petri nets. In: Proceedings of the 19th IEEE Pacific Rim International Symposium on Dependable Computing 2013, Vancouver, Canada. IEEE Computer Society.
H. Ghasemieh, A.K.I. Remke, B.R. Haverkort. Analysis of a sewage treatment facility using hybrid Petri nets. In: Proceedings of the 7th International Conference on Performance Evaluation Methodologies and Tools, ACM VALUETOOLS 2013, Torino, Italy.
H. Ghasemieh, A.K.I. Remke, B.R. Haverkort, M. Gribaudo. Region-Based Analysis of Hybrid Petri Nets with a Single General One-Shot Transition. In: 10th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS 2012), London, UK, pp. 139-154. Lecture Notes in Computer Science 7595.
L. Cloth, B.R. Haverkort. Model Checking for Survivability. Proc. QEST 2005: 145-154. IEEE Computer Society, 2005.
