-
Application of Orthogonal Defect Classification for Software Reliability Analysis
Authors:
Edward Chen,
Han Bao,
Tate Shorthill,
Carl Elks,
Athira Varma Jayakumar,
Nam Dinh
Abstract:
The modernization of existing and new nuclear power plants with digital instrumentation and control systems (DI&C) is a recent and highly trending topic. However, there lacks strong consensus on best-estimate reliability methodologies by both the United States (U.S.) Nuclear Regulatory Commission (NRC) and the industry. In this work, we develop an approach called Orthogonal-defect Classification f…
▽ More
The modernization of existing and new nuclear power plants with digital instrumentation and control systems (DI&C) is a recent and highly trending topic. However, there lacks strong consensus on best-estimate reliability methodologies by both the United States (U.S.) Nuclear Regulatory Commission (NRC) and the industry. In this work, we develop an approach called Orthogonal-defect Classification for Assessing Software Reliability (ORCAS) to quantify probabilities of various software failure modes in a DI&C system. The method utilizes accepted industry methodologies for quality assurance that are verified by experimental evidence. In essence, the approach combines a semantic failure classification model with a reliability growth model to predict the probability of failure modes of a software system. A case study was conducted on a representative I&C platform (ChibiOS) running a smart sensor acquisition software developed by Virginia Commonwealth University (VCU). The testing and evidence collection guidance in ORCAS was applied, and defects were uncovered in the software. Qualitative evidence, such as modified condition decision coverage, was used to gauge the completeness and trustworthiness of the assessment while quantitative evidence was used to determine the software failure probabilities. The reliability of the software was then estimated and compared to existing operational data of the sensor device. It is demonstrated that by using ORCAS, a semantic reasoning framework can be developed to justify if the software is reliable (or unreliable) while still leveraging the strength of the existing methods.
△ Less
Submitted 24 May, 2022;
originally announced May 2022.
-
Failure Mechanism Traceability and Application in Human System Interface of Nuclear Power Plants using RESHA
Authors:
Edward Chen,
Han Bao,
Tate Shorthill,
Carl Elks,
Nam Dinh
Abstract:
In recent years, there has been considerable effort to modernize existing and new nuclear power plants with digital instrumentation and control systems. However, there has also been considerable concern both by industry and regulatory bodies for the risk and consequence analysis of these systems. Of concern are digital common cause failures specifically due to software defects. These failures by t…
▽ More
In recent years, there has been considerable effort to modernize existing and new nuclear power plants with digital instrumentation and control systems. However, there has also been considerable concern both by industry and regulatory bodies for the risk and consequence analysis of these systems. Of concern are digital common cause failures specifically due to software defects. These failures by the software can occur in both the control and monitoring of a system. While many methods have been proposed to identify software failure modes, such as Systems Theoretic Process Analysis, Hazard and Consequence Analysis for Digital Systems, etc., these methods are focused primarily on the control action pathway of a system. In contrast, the information feedback pathway lacks Unsafe Control Actions, which are typically related to software basic events; thus, assessment of software basic events in such systems is unclear. In this work, we present the idea of intermediate processors and Unsafe Information Flow (UIF) to help safety analysts trace failure mechanisms in the feedback pathway and how they can be integrated into a fault tree for improved assessment capability. The concepts presented are demonstrated in two comprehensive case studies, a smart sensor integrated platform for unmanned autonomous vehicles and another on a representative advanced human system interface for safety critical plant monitoring. The qualitative software basic events are identified, and a fault tree analysis is conducted based on a modified Redundancy guided Systems theoretic Hazard Analysis methodology. The case studies demonstrate the use of UIFs and intermediate processors in the fault tree to improve traceability of software failures in highly complex digital instrumentation feedback. The improved method clarifies fault tree construction when multiple component dependencies are present in the system.
△ Less
Submitted 24 May, 2022;
originally announced May 2022.
-
STPA-driven Multilevel Runtime Monitoring for In-time Hazard Detection
Authors:
Smitha Gautham,
Georgios Bakirtzis,
Alexander Will,
Athira V. Jayakumar,
Carl R. Elks
Abstract:
Runtime verification or runtime monitoring equips safety-critical cyber-physical systems to augment design assurance measures and ensure operational safety and security. Cyber-physical systems have interaction failures, attack surfaces, and attack vectors resulting in unanticipated hazards and loss scenarios. These interaction failures pose challenges to runtime verification regarding monitoring s…
▽ More
Runtime verification or runtime monitoring equips safety-critical cyber-physical systems to augment design assurance measures and ensure operational safety and security. Cyber-physical systems have interaction failures, attack surfaces, and attack vectors resulting in unanticipated hazards and loss scenarios. These interaction failures pose challenges to runtime verification regarding monitoring specifications and monitoring placements for in-time detection of hazards. We develop a well-formed workflow model that connects system theoretic process analysis, commonly referred to as STPA, hazard causation information to lower-level runtime monitoring to detect hazards at the operational phase. Specifically, our model follows the DepDevOps paradigm to provide evidence and insights to runtime monitoring on what to monitor, where to monitor, and the monitoring context. We demonstrate and evaluate the value of multilevel monitors by injecting hazards on an autonomous emergency braking system model.
△ Less
Submitted 22 June, 2022; v1 submitted 19 April, 2022;
originally announced April 2022.
-
Understanding and Fixing Complex Faults in Embedded Cyberphysical Systems
Authors:
Alexander Weiss,
Smitha Gautham,
Athira Varma Jayakumar,
Carl Elks,
D. Richard Kuhn,
Raghu N. Kacker,
Thomas B. Preusser
Abstract:
Understanding fault types can lead to novel approaches to debugging and runtime verification. Dealing with complex faults, particularly in the challenging area of embedded systems, craves for more powerful tools, which are now becoming available to engineers.
Understanding fault types can lead to novel approaches to debugging and runtime verification. Dealing with complex faults, particularly in the challenging area of embedded systems, craves for more powerful tools, which are now becoming available to engineers.
△ Less
Submitted 5 February, 2021;
originally announced February 2021.
-
Cyberphysical Security Through Resiliency: A Systems-centric Approach
Authors:
Cody Fleming,
Carl Elks,
Georgios Bakirtzis,
Stephen C. Adams,
Bryan Carter,
Peter A. Beling,
Barry Horowitz
Abstract:
Cyber-physical systems (CPS) are often defended in the same manner as information technology (IT) systems -- by using perimeter security. Multiple factors make such defenses insufficient for CPS. Resiliency shows potential in overcoming these shortfalls. Techniques for achieving resilience exist; however, methods and theory for evaluating resilience in CPS are lacking. We argue that such methods a…
▽ More
Cyber-physical systems (CPS) are often defended in the same manner as information technology (IT) systems -- by using perimeter security. Multiple factors make such defenses insufficient for CPS. Resiliency shows potential in overcoming these shortfalls. Techniques for achieving resilience exist; however, methods and theory for evaluating resilience in CPS are lacking. We argue that such methods and theory should assist stakeholders in deciding where and how to apply design patterns for resilience. Such a problem potentially involves tradeoffs between different objectives and criteria, and such decisions need to be driven by traceable, defensible, repeatable engineering evidence. Multi-criteria resiliency problems require a system-oriented approach that evaluates systems in the presence of threats as well as potential design solutions once vulnerabilities have been identified. We present a systems-oriented view of cyber-physical security, termed Mission Aware, that is based on a holistic understanding of mission goals, system dynamics, and risk.
△ Less
Submitted 9 October, 2021; v1 submitted 29 November, 2020;
originally announced November 2020.
-
Heterogeneous Runtime Verification of Safety Critical Cyber Physical Systems
Authors:
Smitha Gautham,
Abhilash Rajagopala,
Athira Varma Jayakumar,
Christopher Deloglos,
Erwin Karincic,
Carl Elks
Abstract:
Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. Cyber-Physical Systems are comprised of multiple coordinating and cooperating components, which are often software intensive and interacting with each other to achieve unprecedented tasks. Such complex CPSs have multiple attack surfaces and attack vectors that w…
▽ More
Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. Cyber-Physical Systems are comprised of multiple coordinating and cooperating components, which are often software intensive and interacting with each other to achieve unprecedented tasks. Such complex CPSs have multiple attack surfaces and attack vectors that we have to secure against. Towards this goal, we demonstrate a multilevel runtime safety and security monitor framework where there are monitors across the CPS for detection and isolation of attacks. We implement the runtime monitors on FPGA using a stream-based runtime verification tool called TeSSLa. We demonstrate our monitoring scheme for an Autonomous Emergency Braking (AEB) CPS system.
△ Less
Submitted 20 September, 2020;
originally announced September 2020.
-
An Attacker Modeling Framework for the Assessment of Cyber-Physical Systems Security
Authors:
Christopher Deloglos,
Carl Elks,
Ashraf Tantawy
Abstract:
Characterizing attacker behavior with respect to Cyber-Physical Systems is important to assuring the security posture and resilience of these systems. Classical cyber vulnerability assessment approaches rely on the knowledge and experience of cyber-security experts to conduct security analyses and can be inconsistent where the experts' knowledge and experience are lacking. This paper proposes a fl…
▽ More
Characterizing attacker behavior with respect to Cyber-Physical Systems is important to assuring the security posture and resilience of these systems. Classical cyber vulnerability assessment approaches rely on the knowledge and experience of cyber-security experts to conduct security analyses and can be inconsistent where the experts' knowledge and experience are lacking. This paper proposes a flexible attacker modeling framework that aids in the security analysis process by simulating a diverse set of attacker behaviors to predict attack progression and provide consistent system vulnerability analysis. The model proposes an expanded architecture of vulnerability databases to maximize its effectiveness and consistency in detecting CPS vulnerabilities while being compatible with existing vulnerability databases. The model has the power to be implemented and simulated against an actual or virtual CPS. Execution of the attacker model is demonstrated against a simulated industrial control system architecture, resulting in a probabilistic prediction of attacker behavior.
△ Less
Submitted 16 March, 2021; v1 submitted 6 June, 2020;
originally announced June 2020.
-
Fundamental Challenges of Cyber-Physical Systems Security Modeling
Authors:
Georgios Bakirtzis,
Garrett L. Ward,
Christopher J. Deloglos,
Carl R. Elks,
Barry M. Horowitz,
Cody H. Fleming
Abstract:
Systems modeling practice lacks security analysis tools that can interface with modeling languages to facilitate security by design. Security by design is a necessity in the age of safety critical cyber-physical systems, where security violations can cause hazards. Currently, the overlap between security and safety is narrow. But deploying cyber-physical systems means that today's adversaries can…
▽ More
Systems modeling practice lacks security analysis tools that can interface with modeling languages to facilitate security by design. Security by design is a necessity in the age of safety critical cyber-physical systems, where security violations can cause hazards. Currently, the overlap between security and safety is narrow. But deploying cyber-physical systems means that today's adversaries can intentionally trigger accidents. By implementing security assessment tools for modeling languages we are better able to address threats earlier in the system's lifecycle and, therefore, assure their safe and secure behavior in their eventual deployment. We posit that cyber-physical systems security modeling is practiced insufficiently because it is still addressed similarly to information technology systems.
△ Less
Submitted 30 April, 2020;
originally announced May 2020.
-
Self-Repairing Hardware Architecture for Safety-Critical Cyber-Physical-Systems
Authors:
Shawkat Khairullah,
Carl Elks
Abstract:
Digital embedded systems in safety-critical cyber-physical-systems (CPSs) require high levels of resilience and robustness against different fault classes. In recent years, self-healing concepts based on biological physiology have received attention for the design and implementation of reliable systems. However, many of these approaches have not been architected from the outset with safety in mind…
▽ More
Digital embedded systems in safety-critical cyber-physical-systems (CPSs) require high levels of resilience and robustness against different fault classes. In recent years, self-healing concepts based on biological physiology have received attention for the design and implementation of reliable systems. However, many of these approaches have not been architected from the outset with safety in mind, nor have they been targeted for the safety-related automation industry where the significant need exists. This study presents a new self-healing hardware architecture inspired by integrating biological concepts, fault tolerance techniques, and IEC 61131-3 operational schematics to facilitate adaption in automation and critical infrastructure. The proposed architecture is organised in two levels: the critical functions layer used for providing the intended service of the application and the healing layer that continuously monitors the correct execution of that application and generates health syndromes to heal any failure occurrence inside the functions layer. Finally, two industrial applications have been mapped on this architecture to date, and the authors believe the nexus of its concepts can positively impact the next generation of critical CPSs in industrial automation.
△ Less
Submitted 25 March, 2020; v1 submitted 30 October, 2019;
originally announced October 2019.
-
Data Driven Vulnerability Exploration for Design Phase System Analysis
Authors:
Georgios Bakirtzis,
Brandon J. Simon,
Aidan G. Collins,
Cody H. Fleming,
Carl R. Elks
Abstract:
Applying security as a lifecycle practice is becoming increasingly important to combat targeted attacks in safety-critical systems. Among others there are two significant challenges in this area: (1) the need for models that can characterize a realistic system in the absence of an implementation and (2) an automated way to associate attack vector information; that is, historical data, to such syst…
▽ More
Applying security as a lifecycle practice is becoming increasingly important to combat targeted attacks in safety-critical systems. Among others there are two significant challenges in this area: (1) the need for models that can characterize a realistic system in the absence of an implementation and (2) an automated way to associate attack vector information; that is, historical data, to such system models. We propose the cybersecurity body of knowledge (CYBOK), which takes in sufficiently characteristic models of systems and acts as a search engine for potential attack vectors. CYBOK is fundamentally an algorithmic approach to vulnerability exploration, which is a significant extension to the body of knowledge it builds upon. By using CYBOK, security analysts and system designers can work together to assess the overall security posture of systems early in their lifecycle, during major design decisions and before final product designs. Consequently, assisting in applying security earlier and throughout the systems lifecycle.
△ Less
Submitted 6 September, 2019;
originally announced September 2019.
-
A Multilevel Cybersecurity and Safety Monitor for Embedded Cyber-Physical Systems
Authors:
Smitha Gautham,
Georgios Bakirtzis,
Matthew T. Leccadito,
Robert H. Klenke,
Carl R. Elks
Abstract:
Cyber-physical systems (CPS) are composed of various embedded subsystems and require specialized software, firmware, and hardware to coordinate with the rest of the system. These multiple levels of integration expose attack surfaces which can be susceptible to attack vectors that require novel architectural methods to effectively secure against. We present a multilevel hierarchical monitor archite…
▽ More
Cyber-physical systems (CPS) are composed of various embedded subsystems and require specialized software, firmware, and hardware to coordinate with the rest of the system. These multiple levels of integration expose attack surfaces which can be susceptible to attack vectors that require novel architectural methods to effectively secure against. We present a multilevel hierarchical monitor architecture cybersecurity approach applied to a flight control system. However, the principles present in this paper apply to any CPS. Additionally, the real-time nature of these monitors allow for adaptable security, meaning that they mitigate against possible classes of attacks online. This results in an appealing bolt-on solution that is independent of different system designs. Consequently, employing such monitors leads to strengthened system resiliency and dependability of safety-critical CPS.
△ Less
Submitted 8 December, 2018;
originally announced December 2018.
-
Looking for a Black Cat in a Dark Room: Security Visualization for Cyber-Physical System Design and Analysis
Authors:
Georgios Bakirtzis,
Brandon J. Simon,
Cody H. Fleming,
Carl R. Elks
Abstract:
Today, there is a plethora of software security tools employing visualizations that enable the creation of useful and effective interactive security analyst dashboards. Such dashboards can assist the analyst to understand the data at hand and, consequently, to conceive more targeted preemption and mitigation security strategies. Despite the recent advances, model-based security analysis is lacking…
▽ More
Today, there is a plethora of software security tools employing visualizations that enable the creation of useful and effective interactive security analyst dashboards. Such dashboards can assist the analyst to understand the data at hand and, consequently, to conceive more targeted preemption and mitigation security strategies. Despite the recent advances, model-based security analysis is lacking tools that employ effective dashboards---to manage potential attack vectors, system components, and requirements. This problem is further exacerbated because model-based security analysis produces significantly larger result spaces than security analysis applied to realized systems---where platform specific information, software versions, and system element dependencies are known. Therefore, there is a need to manage the analysis complexity in model-based security through better visualization techniques. Towards that goal, we propose an interactive security analysis dashboard that provides different views largely centered around the system, its requirements, and its associated attack vector space. This tool makes it possible to start analysis earlier in the system lifecycle. We apply this tool in a significant area of engineering design---the design of cyber-physical systems---where security violations can lead to safety hazards.
△ Less
Submitted 23 October, 2018; v1 submitted 24 August, 2018;
originally announced August 2018.
-
MISSION AWARE: Evidence-Based, Mission-Centric Cybersecurity Analysis
Authors:
Georgios Bakirtzis,
Bryan T. Carter,
Cody H. Fleming,
Carl R. Elks
Abstract:
Currently, perimeter-based approaches are the mainstay of cybersecurity. While this paradigm is necessary, there is mounting evidence of its insufficiency with respect to sophisticated and coordinated attacks. In contrast to perimeter-based security, mission-centric cybersecurity provides awareness of how attacks can influence mission success and therefore focuses resources for mitigating vulnerab…
▽ More
Currently, perimeter-based approaches are the mainstay of cybersecurity. While this paradigm is necessary, there is mounting evidence of its insufficiency with respect to sophisticated and coordinated attacks. In contrast to perimeter-based security, mission-centric cybersecurity provides awareness of how attacks can influence mission success and therefore focuses resources for mitigating vulnerabilities and protecting critical assets. This is strategic as opposed to tactical perimeter-based cybersecurity. We propose MISSION AWARE, which assists in the identification of parts of a system that destabilize the overall mission of the system if compromised. MSSION AWARE starts with a structured elicitation process that leads to hazards analysis. It employs hierarchical modeling methods to capture mission requirements, admissible functional behaviors, and system architectures. It then generates evidence---attacks applicable to elements that directly correlate with mission success. Finally, MISSION AWARE traces evidence back to mission requirements to determine the evidence with the highest impact relative to mission objectives.
△ Less
Submitted 4 December, 2017;
originally announced December 2017.
-
A Systems Approach for Eliciting Mission-Centric Security Requirements
Authors:
Bryan Carter,
Georgios Bakirtzis,
Carl Elks,
Cody Fleming
Abstract:
The security of cyber-physical systems is first and foremost a safety problem, yet it is typically handled as a traditional security problem, which means that solutions are based on defending against threats and are often implemented too late. This approach neglects to take into consideration the context in which the system is intended to operate, thus system safety may be compromised. This paper…
▽ More
The security of cyber-physical systems is first and foremost a safety problem, yet it is typically handled as a traditional security problem, which means that solutions are based on defending against threats and are often implemented too late. This approach neglects to take into consideration the context in which the system is intended to operate, thus system safety may be compromised. This paper presents a systems-theoretic analysis approach that combines stakeholder perspectives with a modified version of Systems-Theoretic Accident Model and Process (STAMP) that allows decision-makers to strategically enhance the safety, resilience, and security of a cyber-physical system against potential threats. This methodology allows the capture of vital mission-specific information in a model, which then allows analysts to identify and mitigate vulnerabilities in the locations most critical to mission success. We present an overview of the general approach followed by a real example using an unmanned aerial vehicle conducting a reconnaissance mission.
△ Less
Submitted 2 November, 2017;
originally announced November 2017.
-
A Model-Based Approach to Security Analysis for Cyber-Physical Systems
Authors:
Georgios Bakirtzis,
Bryan T. Carter,
Carl R. Elks,
Cody H. Fleming
Abstract:
Evaluating the security of cyber-physical systems throughout their life cycle is necessary to assure that they can be deployed and operated in safety-critical applications, such as infrastructure, military, and transportation. Most safety and security decisions that can have major effects on mitigation strategy options after deployment are made early in the system's life cycle. To allow for a vuln…
▽ More
Evaluating the security of cyber-physical systems throughout their life cycle is necessary to assure that they can be deployed and operated in safety-critical applications, such as infrastructure, military, and transportation. Most safety and security decisions that can have major effects on mitigation strategy options after deployment are made early in the system's life cycle. To allow for a vulnerability analysis before deployment, a sufficient well-formed model has to be constructed. To construct such a model we produce a taxonomy of attributes; that is, a generalized schema for system attributes. This schema captures the necessary specificity that characterizes a possible real system and can also map to the attack vector space associated with the model's attributes. In this way, we can match possible attack vectors and provide architectural mitigation at the design phase. We present a model of a flight control system encoded in the Systems Modeling Language, commonly known as SysML, but also show agnosticism with respect to the modeling language or tool used.
△ Less
Submitted 10 June, 2018; v1 submitted 31 October, 2017;
originally announced October 2017.