2019 | Book

Resilience of Cyber-Physical Systems

From Risk Modelling to Threat Counteraction


About this book

This book addresses the latest approaches to holistic Cyber-Physical System (CPS) resilience in real-world industrial applications. Ensuring the resilience of CPSs requires cross-discipline analysis and involves many challenges and open issues, including how to address evolving cyber-security threats.

The book describes emerging paradigms and techniques from two main viewpoints: CPSs’ exposure to new threats, and CPSs’ potential to counteract them. Further, the chapters address topics ranging from risk modeling to threat management and mitigation. The book offers a clearly structured, highly accessible resource for a diverse readership, including graduate students, researchers and industry practitioners who are interested in evaluating and ensuring the resilience of CPSs in both the development and assessment stages.

Foreword by Prof. Shiyan Hu, Chair of Cyber-Physical Systems at Linnaeus University, Sweden.

Table of Contents

Frontmatter

Challenges and Frameworks

Frontmatter
Complex, Resilient and Smart Systems
Abstract
“Cyber-Physical Systems or “smart” systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas.” (National Institute of Standards and Technology: Cyber-physical systems. [Online]. Available: https://www.nist.gov/el/cyber-physical-systems. Accessed 31 Dec 2017, 2017). The concept of Smartness has been increasingly used as a marketing catchphrase. This study seeks to explain that smartness can be a serious indicator which can help to describe the machine intelligence level of different devices, systems or networks, weighted by, among others, the usability index. The present study aims to summarize the implementation of complex, resilient and smart systems on the level of devices, systems and complex system networks. The research should consider a smart device as a single agent, the system as a multi-agent system, and the network of complex systems as an ad hoc multi-agent system (Farid AM: Designing multi-agent systems for resilient engineering systems. In: Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics), vol 9266, pp 3–8, 2015) organised in a network. The physical incarnations of the latter could be, for example, the subsystems of a smart city. In order to determine the smartness of a certain system, the Machine Intelligence Quotient (MIQ) (Iantovics LB, Gligor A, Georgieva V: Detecting outlier intelligence in the behavior of intelligent coalitions of agents. In: 2017 IEEE congress on evolutionary computation (CEC), pp 241–248, 2017; Park H-J, Kim BK, Lim KY: Measuring the machine intelligence quotient (MIQ) of human-machine cooperative systems. IEEE Trans Syst Man Cybern – Part A Syst Humans 31(2):89–96, 2001; Park HJ, Kim BK, Lim GY: Measuring machine intelligence for human-machine cooperative systems using intelligence task graph. In: Proceedings 1999 IEEE/RSJ international conference on intelligent robots and systems. Human and environment friendly robots with high intelligence and emotional quotients (Cat. No.99CH36289), vol 2, pp 689–694, 1999; Ozkul T: Cost-benefit analyses of man-machine cooperative systems by assesment of machine intelligence quotient (MIQ) gain. In: 2009 6th international symposium on mechatronics and its applications, pp 1–6, 2009), Usability Index (UI) (Li C, Ji Z, Pang Z, Chu S, Jin Y, Tong J, Xu H, Chen Y: On usability evaluation of human – machine interactive Interface based on eye movement. In: Long S, Dhillon BS (eds) Man-machine-environment system engineering: proceedings of the 16th international conference on MMESE. Springer, Singapore, pp 347–354, 2016; Szabó G: Usability of machinery. In: Arezes P (ed) Advances in safety management and human factors: proceedings of the AHFE 2017 international conference on safety management and human factors, July 17–21, 2017, The Westin Bonaventure Hotel, Los Angeles, California, USA. Springer International Publishing, Cham, pp 161–168, 2018; Aykin N (ed): Usability and internationalization of information technology. Lawrence Erlbaum Associates, Inc., Publishers, Mahwah, 2005) and Usability Index of Machine (UIoM), and Environmental Performance Index (Hsu A et al: Global metrics for the environment. In: The environmental performance index ranks countries’ performance on high-priority environmental issues. Yale University, New Haven, 2016) of Machine (EPIoM) indexes will be considered. The quality of human life is directly influenced by the intelligence and smart design of machines (Farid AM: Designing multi-agent systems for resilient engineering systems. In: Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics), vol 9266, pp 3–8, 2015; Liouane Z, Lemlouma T, Roose P, Weis F, Neu HMAG: A genetic neural network approach for unusual behavior prediction in smart home. In: Madureira AM, Abraham A, Gamboa D, Novais P (eds) Advances in intelligent systems and computing, vol 2016. Springer International Publishing AG, Porto, pp 738–748, 2017). Smartness of systems has an indispensable role to play in enabling the overall resilience of the combined cyber-physical system.
Dániel Tokody, József Papp, László Barna Iantovics, Francesco Flammini
Challenges and Opportunities for Model-Based Security Risk Assessment of Cyber-Physical Systems
Abstract
The design of Cyber-Physical Systems (CPS) poses a number of challenges, in particular for cyber-security. Eliciting Security Requirements is a key aspect in the early system design stages; however, it is important to assess which requirements are more stringent and grant protection to the higher-value assets. Cyber-security Risk Assessment (SecRA) has a key role in determining threat scenarios and evaluating the risks associated with them, but it is a practice that has been principally developed for IT systems, thus focusing on cyber threats. In this chapter, we discuss the state of the art in SecRA methodologies and the challenges to be addressed for developing new CPS-oriented SecRA methodologies. Based on the most relevant standards for the industrial control systems and automotive domains (such as ISA/IEC-62443 and J3061), we propose the adoption of an asset-driven viewpoint and a model-based approach to SecRA, and we identify current gaps. In particular, we discuss (i) CPS (security) modeling languages and methodologies, (ii) vulnerability cost models and the network of public vulnerability repositories, (iii) attacker models and profiles, and (iv) complex cyber-physical attack chains. Finally, we discuss our vision that focusing on assets and leveraging model-based design practices can provide a more rigorous approach to SecRA for CPS, allow their peculiarities to be taken into consideration, and support managing the large complexity involved in their operation. The desired outcome is to provide the system design team with methods and tools to identify complex attacks and perform a cost/benefit trade-off analysis to justify the adoption of specific Security Requirements and the necessary costs implied by the corresponding mitigations.
Marco Rocchetto, Alberto Ferrari, Valerio Senni
A Comprehensive Framework for the Security Risk Management of Cyber-Physical Systems
Abstract
Cyber-Physical Systems are facing a huge and diverse set of security risks, especially cyber-attacks that can cause disruption to physical services or create a national disaster. Information and communication technology (ICT) has made a remarkable impact on society. As a Cyber-Physical System (CPS) relies basically on information and communication technology, this puts the system’s assets under certain risks, especially cyber ones, and hence they must be kept under control by means of security countermeasures that generate confidence in the use of these assets. There is therefore a critical need to pay great attention to the cybersecurity of these systems, which consequently leads to the safety of the physical world. This goal is achieved by adopting a solution that applies processes, plans and actions to prevent or reduce the effects of threats. Traditional IT risk assessment methods can do the job; however, because of the characteristics of a CPS, it is more efficient to adopt a solution that is wider than a method and addresses the type, functionalities and complexity of a CPS. This chapter proposes a framework that breaks the restriction to a traditional risk assessment method and encompasses a wider set of procedures to achieve a high-level strategy that could be adopted in the risk management process, in particular for the cybersecurity of cyber-physical systems.
Hassan Mokalled, Concetta Pragliola, Daniele Debertol, Ermete Meda, Rodolfo Zunino

Evaluation Methodologies and Tools

Frontmatter
Supporting Cybersecurity Compliance Assessment of Industrial Automation and Control System Components
Abstract
The chapter presents a case study demonstrating how the security requirements of an Industrial Automation and Control System (IACS) component can be represented in the form of a Protection Profile based on the IEC 62443 standards, and how compliance assessment of such a component can be supported by explicitly representing a conformity argument in a form based on the OMG SACM metamodel. It is also demonstrated how an advanced argument assessment mechanism based on Dempster-Shafer belief function theory can be used to support assessors while analyzing and assessing the conformity argument related to an IACS component. These demonstrations use the NOR-STA tool for representing, managing and assessing evidence-based arguments, which has been developed in our research group.
Janusz Górski, Andrzej Wardziński
Quantitative Evaluation of the Efficacy of Defence-in-Depth in Critical Infrastructures
Abstract
This chapter reports on a model-based approach to assessing cyber-risks in a cyber-physical system (CPS), such as power-transmission systems. We demonstrate that quantitative cyber-risk assessment, despite its inherent difficulties, is feasible. In this regard: (i) we give experimental evidence (using Monte-Carlo simulation) showing that the losses from a specific cyber-attack type can be established accurately using an abstract model of cyber-attacks – a model constructed without taking into account the details of the specific attack used in the study; (ii) we establish the benefits from deploying defence-in-depth (DiD) against failures and cyber-attacks for two types of attackers: (a) an attacker unaware of the nature of DiD, and (b) an attacker who knows in detail the DiD they face in a particular deployment, and launches attacks sufficient to defeat DiD. This study provides some insight into the benefits of combining design-diversity – to harden some of the protection devices in a CPS – with periodic “proactive recovery” of protection devices. The results are discussed in the context of making evidence-based decisions about maximising the benefits from DiD in a particular CPS.
Oleksandr Netkachov, Peter Popov, Kizito Salako
A Model-Driven and Generative Approach to Holistic Security
Abstract
Functional and technical cyber-resilience are gaining increasing relevance for the health and integrity of connected and interoperating systems. In this chapter we demonstrate the power and flexibility of extreme model-driven design to provide holistic security to security-agnostic applications. Using C-IME, our integrated modelling environment for C/C++, we show how easily a modelled application can be enhanced with hardware security features fully automatically during code generation. We illustrate how to use this approach and design environment to make any modelled application ready to securely store its data in potentially insecure environments. The same approach can be used to secure communication over potentially insecure channels. In fact, our approach does not require any changes to the application model. Rather, our integrated modelling environment provides a dedicated modelling language for code generators which resorts to a Domain Specific Language for security. It is realized as a palette of security primitives whose implementation is based on underlying hardware security technology. The code generator injects security appropriately into the models of the applications under development. We illustrate the use of this security-injecting code generator on the case study of a to-do list management application. The code generator is generic and can be used to secure the file handling of any application modelled in the C-IME.
Frederik Gossen, Tiziana Margaria, Johannes Neubauer, Bernhard Steffen

Industrial Applications

Frontmatter
Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware
Abstract
Industrial control system malware campaigns, such as BlackEnergy and Dragonfly, targeted electrical substations at various ranges relative to the computers that pushed the attacks into substation relays after being infected. Worm-like propagation of industrial control system malware in the Internet traverses paths along computers that may be far from their target, and that often are completely unrelated to power grid functions. Industrial control system malware hops from computer to computer until landing on one that has access to a target industrial environment. Industrial control system malware enabled by spear-phishing or website redirection attacks exploits web browser vulnerabilities coupled with human factors of energy company personnel. Watering hole attacks cause the installation of industrial control system malware on the computers of power grid operators, and sometimes even on the protective relays of an electrical substation. In this chapter we present a line of work that creates and operates industrial mirages, i.e., phantom substation targets for industrial control system malware to pursue, in order to intercept such malware bound for the power grid. The discussion focuses on decoy I/O. We also describe, in general terms, the other key elements of industrial mirage at large, and explain how decoy I/O and those elements work together as integral components of the industrial mirage capability. Industrial mirage is able to actively redirect industrial control system malware to decoys, and can sustain prolonged interaction with such malware. We validated this line of work against numerous malware samples involved in recent industrial control system malware campaigns.
Julian L. Rrushi
Flood Resilience of a Water Distribution System
Abstract
Extreme weather events such as heavy rains and floods are becoming more frequent and severe due to global warming, leading to an increasing interest in methods to evaluate environmental consequences and mitigation strategies. Water supply systems (WSS) represent a class of safety-critical infrastructure prone to damage, with direct impact on public health. They can be cast in the class of cyber-physical systems, since their operation is governed by their physical behaviour (related to topology, fluid dynamics and technology), which in turn is steered by operation policies and user behaviour (pump and valve management, demand–response mechanisms, etc.). In this context, we propose an approach to estimate resilience in terms of the indirect damage caused by a flood on a Water Supply System (WSS). To this end, we combine analysis of an inundation model, which computes the floodwater depth over time on the studied territory, with evaluation of a hydraulic network model by a Pressure-Driven Demand (PDD) approach, which also allows for demand–response mechanisms. Flood damage is assessed in terms of both the lack of service experienced by inhabitants and the length of pipework contaminated by floodwater. The approach is applied to the WSS of Florence, Italy, which serves about 380,000 users and lies in a flood-prone territory. A sensitivity analysis is carried out with respect to demand–response efficiency, speed, and start time.
Fabio Tarani, Chiara Arrighi, Laura Carnevali, Fabio Castelli, Enrico Vicario
A Non-parametric Cumulative Sum Approach for Online Diagnostics of Cyber Attacks to Nuclear Power Plants
Abstract
Both stochastic failures and cyber attacks can compromise the correct functionality of Cyber-Physical Systems (CPSs). Cyber attacks manifest themselves in the physical system and can be misclassified as component failures, leading to wrong control actions and maintenance strategies. In this chapter, we illustrate the use of a nonparametric cumulative sum (NP-CUSUM) approach for online diagnostics of cyber attacks on CPSs. This allows for (i) promptly recognizing cyber attacks by distinguishing them from component failures, and (ii) guiding decisions for the recovery of CPSs from anomalous conditions. We apply the approach to the Advanced Lead-cooled Fast Reactor European Demonstrator (ALFRED) and its digital Instrumentation and Control (I&C) system. For this, a previously developed object-oriented model is embedded within a Monte Carlo (MC) engine that allows injecting into the I&C system both (stochastic) component failures (such as sensor bias, drift, wider noise and freezing) and cyber attacks (such as Denial of Service (DoS) attacks mimicking component failures).
Wei Wang, Francesco Di Maio, Enrico Zio
Backmatter
Metadata
Title
Resilience of Cyber-Physical Systems
Editor
Dr. Francesco Flammini
Copyright Year
2019
Electronic ISBN
978-3-319-95597-1
Print ISBN
978-3-319-95596-4
DOI
https://doi.org/10.1007/978-3-319-95597-1