9 research outputs found

    Multi-level dependability modeling of interdependencies between the Electricity and Information Infrastructures

    No full text
    The interdependencies between infrastructures may be the cause of serious problems in mission/safety critical systems. In the CRUTIAL project the interdependencies between the electricity infrastructure (EI) and the information infrastructure (II) responsible for its control, maintenance and management have been thoroughly studied; moreover, countermeasures that substantially reduce the risk of service interruption have been developed in the project. The possible interdependencies have been investigated by means of models at different abstraction levels. In this paper, we present high-level models describing the various interdependencies between the EI and the II, then we illustrate on a simple scenario how these models can be refined to allow the evaluation of some dependability measures.

    Strategic and Stochastic Approaches to Modeling the Structure of Multi-Layer and Interdependent Networks

    Get PDF
    Examples of complex networks abound in both the natural world (e.g., ecological, social and economic systems), and in engineered applications (e.g., the Internet, the power grid, etc.). The topological structure of such networks plays a fundamental role in their functioning, dictating properties such as the speed of information diffusion, the influence of powerful or vulnerable nodes, and the ability of the nodes to take collective actions. There are two main schools of thought for investigating the structure of complex networks. Early research on this topic primarily adopted a stochastic perspective, postulating that the links between nodes are formed randomly. In an alternative perspective, it has been argued that optimization (rather than pure randomness) plays a key role in network formation. In such settings, edges are formed strategically (either by a designer or by the nodes themselves) in order to maximize certain utility functions. The classical literature on the structure of networks has predominantly focused on single-layer networks where there is a single set of edges between nodes. However, there is an increasing realization that many real-world networks have either multi-layer or interdependent structure. While the former considers multiple layers of relationships between the same set of nodes, the latter deals with networks-of-networks consisting of interdependencies between different subnetworks. This thesis focuses on the analysis of the structure of multi-layer and interdependent networks via strategic and stochastic approaches.

    In the strategic multi-layer network formation setting, each layer represents a different type of relationship between the nodes and is designed to maximize some utility that depends on its own topology and those of the other layers. By viewing the designer of each layer as a player in a multi-layer network formation game, we show that hub-and-spoke networks that are commonly observed in transportation systems arise as a Nash equilibrium.

    Extending this analysis to interdependent networks where there are different sets of nodes, we introduce a network design game where the objective of the players is to design the interconnections between the nodes of two different networks, G1 and G2. In this game, each player is associated with a node in G1 and has functional dependencies on certain nodes in G2. Besides showing that finding a best response of a player is NP-hard and characterizing some useful properties of the best response actions of the players, we prove existence of pure Nash equilibria in this game under certain conditions.

    In order to obtain further insights into the structure of interdependent networks with an arbitrary number of subnetworks, we consider a model for random interdependent networks where each edge between two different subnetworks is formed with probability p. We investigate certain spectral and structural properties of such networks, with corresponding implications for certain variants of consensus dynamics on those networks. In particular, we study a property known as r-robustness, which is a strong indicator of the ability of a network, including interdependent networks, to tolerate structural perturbations and dynamical attacks.
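The r-robustness property the abstract closes on, as an added example that is not code from the thesis above: a brute-force robustness check over small interdependent networks built the way the abstract describes (each edge between the two subnetworks present independently with probability p). The definition used is the standard one from the resilient-consensus literature (LeBlanc, Zhang, Koutsoukos and Sundaram, 2013): a graph is r-robust if, for every pair of nonempty disjoint node subsets, at least one subset contains a node with at least r neighbours outside that subset. Making each subnetwork a complete graph, the node counts and the values of p are constructed choices for illustration, not parameters taken from the thesis.

```python
"""Added example (not from the thesis): brute-force r-robustness of a small
random interdependent network.

Definition assumed (LeBlanc, Zhang, Koutsoukos and Sundaram, 2013): a graph is
r-robust if for every pair of nonempty, disjoint node subsets S1, S2, at least
one of them contains a node with at least r neighbours outside its own subset.
Subnetwork sizes, their internal topology (complete graphs) and the
interconnection probability p are constructed choices for illustration.
"""
import itertools
import random
from typing import Dict, Hashable, Set

Graph = Dict[Hashable, Set[Hashable]]   # undirected adjacency sets


def complete_graph(nodes) -> Graph:
    adj: Graph = {v: set() for v in nodes}
    for u, v in itertools.combinations(nodes, 2):
        adj[u].add(v)
        adj[v].add(u)
    return adj


def random_interdependent_network(n1: int, n2: int, p: float, seed: int = 0) -> Graph:
    """Two complete subnetworks G1, G2; each possible G1-G2 edge exists with probability p."""
    rng = random.Random(seed)
    g1 = [f"g1_{i}" for i in range(n1)]
    g2 = [f"g2_{i}" for i in range(n2)]
    adj = complete_graph(g1)
    adj.update(complete_graph(g2))
    for u in g1:
        for v in g2:
            if rng.random() < p:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def _has_r_reachable_node(adj: Graph, subset: Set[Hashable], r: int) -> bool:
    """True if some node of `subset` has at least r neighbours outside `subset`."""
    return any(len(adj[v] - subset) >= r for v in subset)


def is_r_robust(adj: Graph, r: int) -> bool:
    """Exhaustive check over all nonempty disjoint subset pairs (3^n colourings:
    0 = in neither subset, 1 = in S1, 2 = in S2). Fine for a dozen nodes or so."""
    nodes = list(adj)
    for colouring in itertools.product((0, 1, 2), repeat=len(nodes)):
        s1 = {v for v, c in zip(nodes, colouring) if c == 1}
        s2 = {v for v, c in zip(nodes, colouring) if c == 2}
        if not s1 or not s2:
            continue
        if not (_has_r_reachable_node(adj, s1, r) or _has_r_reachable_node(adj, s2, r)):
            return False   # witness pair: neither side has a node seeing r nodes outside itself
    return True


def robustness(adj: Graph) -> int:
    """Largest r for which the graph is r-robust; 0 means the graph is disconnected,
    and the complete graph on n nodes gives the upper bound ceil(n/2)."""
    r = 0
    while is_r_robust(adj, r + 1):
        r += 1
    return r


if __name__ == "__main__":
    for p in (0.0, 0.3, 0.6, 1.0):
        net = random_interdependent_network(3, 3, p, seed=7)
        cross = sum(1 for u in net if u.startswith("g1_")
                    for v in net[u] if v.startswith("g2_"))
        print(f"p={p:.1f}: {cross} cross edges, robustness r={robustness(net)}")
```

With p = 0 the two subnetworks are disconnected and the result is 0 (taking S1 = G1 and S2 = G2 is the witness); with p = 1 the network is the complete graph on six nodes and the result is 3; intermediate p values show how few cross edges a resilient-consensus protocol can tolerate losing before the interdependent network stops being, say, 2-robust.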

    Joint safety and security modeling for risk assessment in cyber-physical systems

    Get PDF
    Cyber-physical systems (CPS) denote systems that embed programmable components in order to control a physical process or infrastructure. CPS are now widely used in industries such as energy, aeronautics, automotive, medical and chemical industry. Among the variety of existing CPS stand SCADA (Supervisory Control And Data Acquisition) systems, which offer the means to control and supervise critical infrastructures. Their failure or malfunction can have adverse consequences on the system and its environment.

    SCADA systems used to be isolated and based on simple components and proprietary standards. They now increasingly integrate information and communication technologies (ICT) in order to facilitate supervision and control of the industrial process and to reduce operating costs. This trend makes SCADA systems more complex and exposes them to cyber-attacks that exploit vulnerabilities already present in the ICT components. Such attacks can reach critical components within the system and alter its functioning, causing safety harm.

    Throughout this dissertation we associate safety with accidental risks originating from the system and security with malicious risks, with a focus on cyber-attacks. In this context of industrial systems supervised by new SCADA systems, safety and security requirements and risks converge and can interact. A joint risk analysis covering both safety and security aspects is necessary to identify these interactions and optimize risk management.

    In this thesis, we first give a comprehensive survey of existing approaches that consider both safety and security issues for industrial systems, and highlight their shortcomings against the four criteria we consider essential for a good model-based approach: formal; automatic; qualitative and quantitative; and robust (i.e. it easily integrates changes in the system, or in the hypotheses about it, into the model).

    Next, we propose a new model-based approach for joint safety and security risk analysis, S-cube (SCADA Safety and Security modeling), that satisfies all the above criteria. S-cube formally models CPS and yields the associated qualitative and quantitative risk analysis. Thanks to graphical modeling, it takes the system architecture as input and makes it easy to consider different hypotheses about it. It then automatically generates the safety and security risk scenarios that can occur on this architecture and lead to a given undesirable event, with an estimate of their probabilities.

    The S-cube approach is based on a knowledge base that describes the typical components of industrial architectures, encompassing the information, process control and instrumentation levels. This knowledge base has been built upon a taxonomy of attacks and failure modes and a hierarchical top-down reasoning mechanism, and implemented using the Figaro modeling language and its associated tools. To build the model of a system, the user only has to describe graphically its physical and functional (software and data flow) architectures. Combining the knowledge base with the system architecture produces a dynamic state-based model: a continuous-time Markov chain (CTMC). Because of the combinatorial explosion of the number of states, this CTMC cannot be built exhaustively, but it can be explored in two ways: by searching for sequences leading to an undesirable event, or by Monte Carlo simulation. This yields both qualitative and quantitative results.

    We finally illustrate the S-cube approach on a realistic case study, a pumped-storage hydroelectric plant, to show its ability to yield a holistic analysis encompassing the safety and security risks of such a system. We analyse the results obtained in order to identify potential safety and security interactions and give recommendations.
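How a generated state-based model is explored in the two ways the abstract describes, sequence search and Monte Carlo simulation, as an added Python example that is not S-cube or Figaro code. The three-component architecture (SCADA server, pump controller, safety valve), the attack and failure rates and the undesirable event are all constructed for illustration. The chain is never built up front: states are produced on demand by a transition function, which is what makes the two exploration modes usable when the full state space would be too large. A closed form that holds for this particular toy model is included to check the simulator against, the kind of sanity check a practitioner wants before trusting a simulated probability.

```python
"""Added example (not S-cube/Figaro code): a toy SCADA risk model whose state
space is a continuous-time Markov chain, explored by (1) enumerating event
sequences that lead to an undesirable event and (2) Monte Carlo simulation.

Constructed architecture and rates (events per year, illustrative only):
  S: SCADA server, ok -> compromised at LAM_ATTACK (from the IT network)
  P: pump controller, ok -> compromised at LAM_LATERAL once S is compromised
     (security path), or ok -> failed at LAM_FAIL (safety path)
  V: safety valve, ok -> stuck at LAM_VALVE
Undesirable event: the pump is out of control (P failed or compromised)
while the safety valve is stuck.
"""
import math
import random
from typing import List, Tuple

State = Tuple[str, str, str]            # (server, controller, valve)
INITIAL: State = ("ok", "ok", "ok")
LAM_ATTACK, LAM_LATERAL, LAM_FAIL, LAM_VALVE = 1.0, 2.0, 0.5, 1.0


def transitions(state: State) -> List[Tuple[str, float, State]]:
    """Transitions enabled in `state`: (event name, rate, next state)."""
    s, p, v = state
    out = []
    if s == "ok":
        out.append(("server_compromised", LAM_ATTACK, ("compromised", p, v)))
    if p == "ok":
        out.append(("controller_failed", LAM_FAIL, (s, "failed", v)))
        if s == "compromised":   # lateral movement needs a compromised server first
            out.append(("controller_compromised", LAM_LATERAL, (s, "compromised", v)))
    if v == "ok":
        out.append(("valve_stuck", LAM_VALVE, (s, p, "stuck")))
    return out


def is_undesirable(state: State) -> bool:
    _, p, v = state
    return p != "ok" and v == "stuck"


def find_sequences(start: State = INITIAL, max_len: int = 6) -> List[Tuple[str, ...]]:
    """Qualitative exploration: depth-first search for every event sequence that
    first reaches an undesirable state, generating states on the fly."""
    found: List[Tuple[str, ...]] = []

    def dfs(state: State, path: List[str]) -> None:
        if is_undesirable(state):
            found.append(tuple(path))
            return
        if len(path) >= max_len:
            return
        for name, _, nxt in transitions(state):
            dfs(nxt, path + [name])

    dfs(start, [])
    return found


def _pick(enabled, u: float) -> State:
    """Select the transition whose rate interval contains u, u uniform on [0, total)."""
    for _, rate, nxt in enabled:
        u -= rate
        if u < 0.0:
            return nxt
    return enabled[-1][2]   # guards against rounding at the upper end


def monte_carlo(horizon: float, n_runs: int, seed: int = 1, start: State = INITIAL) -> float:
    """Quantitative exploration: Gillespie-style simulation of the CTMC; returns the
    estimated probability that the undesirable event occurs within `horizon`."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_runs):
        t, state = 0.0, start
        while not is_undesirable(state):
            enabled = transitions(state)
            total = sum(rate for _, rate, _ in enabled)
            if total == 0.0:              # absorbing state, nothing more can happen
                break
            t += rng.expovariate(total)   # holding time in the current state
            if t > horizon:
                break
            state = _pick(enabled, rng.random() * total)
        else:                             # loop ended because the state became undesirable
            hits += 1
    return hits / n_runs


def analytic_probability(horizon: float) -> float:
    """Closed form for this toy model only (valve independent of the rest; controller
    lost at the earlier of failure and server-then-controller compromise); assumes
    LAM_ATTACK != LAM_LATERAL. Used to check the simulator."""
    a, b, T = LAM_ATTACK, LAM_LATERAL, horizon
    p_valve_stuck = 1.0 - math.exp(-LAM_VALVE * T)
    p_compromise_path_not_done = (b * math.exp(-a * T) - a * math.exp(-b * T)) / (b - a)
    p_controller_lost = 1.0 - math.exp(-LAM_FAIL * T) * p_compromise_path_not_done
    return p_valve_stuck * p_controller_lost


if __name__ == "__main__":
    for seq in find_sequences():
        print(" -> ".join(seq))
    est = monte_carlo(horizon=1.0, n_runs=20000)
    print(f"P(undesirable within 1 year): simulated {est:.3f}, closed form {analytic_probability(1.0):.3f}")
```

The sequence search returns nine scenarios; three of them go through the attack path (server compromise followed by controller compromise), the rest are accidental or mix an irrelevant server compromise with a controller failure, which is exactly the kind of safety/security interaction the abstract says a joint analysis should surface. Real models have no closed form, which is why the simulation is the only quantitative route there; here it only serves to show the estimator agrees with the exact value.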