Quantitative evaluation of Pandora Temporal Fault Trees via Petri Nets

© 2015, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Using classical combinatorial fault trees, analysts are able to assess the effects of combinations of failures on system behaviour but are unable to capture sequence dependent dynamic behaviour. Pandora introduces temporal gates and temporal laws to fault trees to allow sequence-dependent dynamic analysis of events. Pandora can be easily integrated in model-based design and analysis techniques; however, the combinatorial quantification techniques used to solve classical fault trees cannot be applied to temporal fault trees. Temporal fault trees capture state and therefore require a state space solution for quantification of probability. In this paper, we identify Petri Nets as a possible framework for quantifying temporal trees. We describe how Pandora fault trees can be mapped to Petri Nets for dynamic dependability analysis and demonstrate the process on a fault tolerant fuel distribution system model

Rich Interfaces for Dependability: Compositional Methods for Dynamic Fault Trees and Arcade models

This paper discusses two behavioural interfaces for reliability analysis: dynamic fault trees, which model the system reliability in terms of the reliability of its components and Arcade, which models the system reliability at an architectural level. For both formalisms, the reliability is analyzed by transforming the DFT or Arcade model to a set of input-output Markov Chains. By using compositional aggregation techniques based on weak bisimilarity, significant reductions in the state space can be obtained

On cost-effective reuse of components in the design of complex reconfigurable systems

Design strategies that benefit from the reuse of system components can reduce costs while maintaining or increasing dependability—we use the term dependability to tie together reliability and availability. D3H2 (aDaptive Dependable Design for systems with Homogeneous and Heterogeneous redundancies) is a methodology that supports the design of complex systems with a focus on reconfiguration and component reuse. D3H2 systematizes the identification of heterogeneous redundancies and optimizes the design of fault detection and reconfiguration mechanisms, by enabling the analysis of design alternatives with respect to dependability and cost. In this paper, we extend D3H2 for application to repairable systems. The method is extended with analysis capabilities allowing dependability assessment of complex reconfigurable systems. Analysed scenarios include time-dependencies between failure events and the corresponding reconfiguration actions. We demonstrate how D3H2 can support decisions about fault detection and reconfiguration that seek to improve dependability while reducing costs via application to a realistic railway case study

DBNet, a tool to convert Dynamic Fault Trees into Dynamic Bayesian Networks

The unreliability evaluation of a system including dependencies involving the state of components or the failure events, can be performed by modelling the system as a Dynamic Fault Tree (DFT). The combinatorial technique used to solve standard Fault Trees is not suitable for the analysis of a DFT. The conversion into a Dynamic Bayesian Network (DBN) is a way to analyze a DFT. This paper presents a software tool allowing the automatic analysis of a DFTexploiting its conversion to a DBN. First, the architecture of the tool is described, together with the rules implemented in the tool, to convert dynamic gates in DBNs. Then, the tool is tested on a case of system: its DFT model and the corresponding DBN are provided and analyzed by means of the tool. The obtained unreliability results are compared with those returned by other tools, in order to verify their correctness. Moreover, the use of DBNs allows to compute further results on the model, such as diagnostic and sensitivity indices

Model-based Safety and Security Co-analysis: a Survey

We survey the state-of-the-art on model-based formalisms for safety and security analysis, where safety refers to the absence of unintended failures, and security absence of malicious attacks. We consider ten model-based formalisms, comparing their modeling principles, the interaction between safety and security, and analysis methods. In each formalism, we model the classical Locked Door Example where possible. Our key finding is that the exact nature of safety-security interaction is still ill-understood. Existing formalisms merge previous safety and security formalisms, without introducing specific constructs to model safety-security interactions, or metrics to analyze trade offs

A pragmatic method for integrated modeling of security attacks and countermeasures

In recent years, research efforts in cyber security have steadily increased as a result of growing concerns for cyber attacks and also increasing trend in cyber attack incidents. One of the important areas of research that is gaining importance is modeling of attacks and countermeasures to quantify survivability and other security measures of interest. In this context, on one extreme, attack trees model has received attention due to its simplicity and ease of analysis, and on the other extreme, stochastic models have been advocated. While attack trees model does not capture complex dependencies among events and also is not amenable for modeling dynamic nature of the attacks and countermeasures, the fitness of stochastic models is yet to be established as there is not sufficient evidence to show that attack and defense behaviors follow some known distributions. With this motivation, a new attack modeling approach based on Petri nets, called PENET, is developed in this thesis whose goal is to significantly enhance the modeling power of attack trees. PENET introduces relevant concepts such as dynamic nature of attack, repairability of a system, and the existence of recurring attacks. Moreover, it attempts to find a balance between ease of use and representation power by providing set of constructs, parameters, performance metrics, and time domain analysis of attack progress. Time domain analysis produces valuable output such as time to reach the main goal and the path taken by the attacker. This output helps to evaluate system survivability and defense strategies. This approach is implemented as a software tool, called PENET Tool, which lets users draw model diagrams of a given system through intuitive user interface, perform time domain simulations and carry out security evaluations, and enable interactive ways to improve the survivability of the system

Methodologies synthesis

This deliverable deals with the modelling and analysis of interdependencies between critical infrastructures, focussing attention on two interdependent infrastructures studied in the context of CRUTIAL: the electric power infrastructure and the information infrastructures supporting management, control and maintenance functionality. The main objectives are: 1) investigate the main challenges to be addressed for the analysis and modelling of interdependencies, 2) review the modelling methodologies and tools that can be used to address these challenges and support the evaluation of the impact of interdependencies on the dependability and resilience of the service delivered to the users, and 3) present the preliminary directions investigated so far by the CRUTIAL consortium for describing and modelling interdependencies

Model-based Joint Analysis of Safety and Security:Survey and Identification of Gaps

We survey the state-of-the-art on model-based formalisms for safety and security joint analysis, where safety refers to the absence of unintended failures, and security to absence of malicious attacks. We conduct a thorough literature review and - as a result - we consider fourteen model-based formalisms and compare them with respect to several criteria: (1) Modelling capabilities and Expressiveness: which phenomena can be expressed in these formalisms? To which extent can they capture safety-security interactions? (2) Analytical capabilities: which analysis types are supported? (3) Practical applicability: to what extent have the formalisms been used to analyze small or larger case studies? Furthermore, (1) we present more precise definitions for safety-security dependencies in tree-like formalisms; (2) we showcase the potential of each formalism by modelling the same toy example from the literature and (3) we present our findings and reflect on possible ways to narrow highlighted gaps. In summary, our key findings are the following: (1) the majority of approaches combine tree-like formal models; (2) the exact nature of safety-security interaction is still ill-understood and (3) diverse formalisms can capture different interactions; (4) analyzed formalisms merge modelling constructs from existing safety- and security-specific formalisms, without introducing ad hoc constructs to model safety-security interactions, or (5) metrics to analyze trade offs. Moreover, (6) large case studies representing safety-security interactions are still missing