Model Checking for Survivability Evaluation Critical Infrastructures

Model Checking for Survivability Evaluation Critical Infrastructures

Boudewijn R. HaverkortUniversity of Twente

Dutch Model Checking DayMay 9, 2014

Survivability evaluation of critical infrastructures

3

Contents• Critical infrastructures• Survivability• A sewage cleaning facility example• Discussion

(C) BRH


4

What are critical infrastructures?• No formal “final” definition, however, every

country maintains a list of what are considered the country’s CI’s

• In NL: 11 CI’s have been identified, among them, the water, gas, and electricity networks

(C) BRH


5

Critical infrastructures are becoming more critical!

• Cascading failures in/between infrastructures• Heavy reliance on integrated ICT (SCADA), which is

never fault-free and susceptible to attacks

(C) BRH

Metro, May 7, 2014


10

Questions & Challenges• How to predict the effects of attacks or

failures?• On the critical infrastructures themselves, for

its users? Economically?• What are the changes upon occurrence?• Is there suitable measurement data available?• Are there models available? • How could such models help?

(C) BRH


11

What is survivability?• Widely studied in the literature, in many different

application fields• “the ability of a system to recover predefined

service levels in a timely manner after the occurrence of a disaster”– System ability: system boundaries to be defined– Predefined levels of service: to be defined by user– Timely manner: user requirement (politics)– Disaster: any severe disturbance (from component

failure to heavy rain or a hurricane)

(C) BRH


12

GOOD vs. ROOD models• GOOD: Given Occurrence Of Disaster• ROOD: Random Occurrence Of Disaster• GOOD models start with a disaster, hence,

there is no need to model the “failure process” or the “disaster probability”

• GOOD models avoid: – estimating rare-event disaster probabilities– estimating attack success probabilities– stiffness in model evaluations

(C) BRH


13

Modelling challenges• What should be put into the models?– Physical processes (continuous)– ICT processes (discrete)– Randomness and/or non-determinism– Policy decisions– …

• How do you want to evaluate your models?– Analytically (fast but limited) model checking– Simulation (slower, but more general, hidden complications)

(C) BRH

Stochastic hybrid models


14

Three recent approaches• Electricity: combines behavioral decomposition, a Markovian

recovery process with measurement data to evaluate “expected energy not supplied, per hour”

• Gas: combines behavioral decomposition, a non-Markovian recovery process with fluid dynamic models to evaluate “time to recovery distribution”

• Water: integrated model, combining limited stochastic events with fluid-flow models to evaluate time-dependent survivability probabilities

• All models are GOOD

(C) BRH


26

Water infrastructure

(C) BRH

• Water provisioning is a legal task of water companies fines for non-delivery!

• Sewage cleaning is important for society• Very large-scale plants (large volumes/space)• Heavy use of SCADA networks and “limited”

cyber-security culture• Highly vulnerable for “events”


27

Sewage cleaning facility in Enschede

(C) BRH

FC Twente

Twente kanaal

University of Twente.


28

Severe flooding at heavy rain

(C) BRH

What are the changes of this not happening?


29

Obtained the plant information…

(C) BRH


30

Made the models as HPnG

(C) BRH

Deterministic failure time (a) of pump Tz

Random repair time

“street”

HPnG: Hybrid Petri Net with General One-Shot Transitions


31

What do we want to know?• Street should remain clean after occurrence of pump failure,

and pump should be repaired quickly• Prob{ “street clean” until “pump repaired”

within “30 hours after failure” }• In Stochastic Time Logic:• Prob{ (P0 = 0) Until[a, a+30] (Pr = 1) }

(C) BRH

safety condition within 30 hours after failure recovery condition

• Fully automated analytical approach for model checking STL on HPnG


32

and computed results…

(C) BRH


33

Remarks• HPnG analysis done independently from

distribution of random event• Distribution of random events is brought in

afterwards, via deconditioning very fast• Initially limited to one random event only • Extension developed ( Formats 2014), but

exponential in #random events• Simple tool support available:

(https://code.google.com/p/fluid-survival-tool/)

(C) BRH


34

To wrap-up• Introduced: – critical infrastructures– notion of survivability and GOOD models

• Survivability is exactly what policy makers or utility companies want to know about

• Advocated the use of model checking for survivability evaluations (time-bounded until)

• Illustrated it for a sewage cleaning facility

(C) BRH


35

Literature• B.R. Haverkort et al., “Survivability Evaluation of Gas, Water and Electricity Infrastructures”, Proceedings

Practical Applications of Stochastic Modeling, May 13, 2014, Newcastle (forthcoming in Electronic Notes in Theoretical Computer Science), features over 60 references!

• H. Ghasemieh, A.K.I. Remke, B.R. Haverkort.Survivability evaluation of fluid critical infrastructures using hybrid Petri nets. In: Proceedings of the 19th IEEE Pacific Rim International Symposium on Dependable Computing 2013, Vancouver, Canada. IEEE Computer Society.

• H. Ghasemieh, A.K.I.Remke, B.R. Haverkort.Analysis of a sewage treatment facility using hybrid Petri nets. In: Proceedings of the 7th International Conference on Performance Evaluation Methodologies and Tools, ACM VALUETOOLS 2013, Torino, Italy.

• H. Ghasemieh, A.K.I. Remke, B.R. Haverkort, M. GribaudoRegion-Based Analysis of Hybrid Petri Nets with a Single General One-Shot Transition. In: 10th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS 2012), London, UK. pp. 139-154. Lecture Notes in Computer Science 7595.

• L. Cloth, B.R. Haverkort.Model Checking for Survivability. Proc. QEST 2005: 145-154. IEEE Computer Society, 2005.

(C) BRH

http://eprints.eemcs.utwente.nl/24178/








Model Checking for Survivability Evaluation Critical Infrastructures

Documents

Transcript of Model Checking for Survivability Evaluation Critical Infrastructures