Unifying Methods for DEPENDABILITY ANALYSIS of Networked Information Systems for Critical Infrastructures
Ester Ciancamerla, Michele Minichino, ENEA {ciancamerlae, minichino}@casaccia.enea.it
On behalf of SAFETUNNEL partners (CRF, Renault Trucks, TUV, TILAB, ENEA, Ben Gurion University) and Italian Universities (Piemonte Orientale, La Sapienza)
IP DeSIRE – November 25, 26, 27 - 2002 – Pisa - Italy
The starting view
• The SAFETUNNEL Project (IST - 2000 - 28099 - http://www.crfproject-eu.org/) is currently ongoing, with the main objective of reducing the number of accidents inside alpine single-tube road tunnels.
• A preventive safety strategy is essentially implemented by a SAFETUNNEL Demonstrator consisting of two Demonstrator Trucks, equipped with devices for diagnosis and tele-control, and a Tunnel Management Centre.
• The Demonstrator Trucks communicate with the Tunnel Management Centre over a public wireless telecommunication network (GSM/GPRS/UMTS).
• A technical analysis with the limited aim of validating the Demonstrator's main functionalities.
• Dependability analysis of digital embedded systems (e.g. for process control; the most recent: the ICARO gas turbine):
  • Stochastic analysis (Fault Trees / Bayesian Nets / Stochastic Petri Nets)
  • Functional analysis (model checking)
[Figure: SAFETUNNEL demonstrator. Instrumented trucks (Rx/Tx) <-> wireless public network <-> Tunnel Management Centre (Rx/Tx, LAN). Infrastructure: alpine road tunnel (to be extended to the Italian transport highway).]
Instrumented trucks
• Mobile nodes with embedded digital systems for prognostics, diagnostics and control
• Sensors: water temperature, brake status, speed, distance
• Actuators: engine, brakes
• CAN bus interfaces
[Figure: SAFETUNNEL demonstrator. Instrumented truck <-> wireless public network <-> Tunnel Management Centre (Rx/Tx).]
SAFETUNNEL demonstrator
• Wireless, and even public, telecommunication network
• Complex interactions of layered subsystems:
  • Tunnel Management Centre
  • Mobile nodes made of digital systems, sensors and actuators, interfaced over a CAN bus
  • Tunnel infrastructure
• Poses unsolved problems of dependability analysis.
• The mobility of nodes further complicates the analysis, because the network topology changes dynamically.
SAFETUNNEL DEMONSTRATOR: a Networked Information System for a Critical Infrastructure (the tunnel)
• Networked Information Systems (NIS) can include different layers of regulation, control and automation, and also the human operators (the drivers and the tunnel operators).
• It reflects the technological push to migrate telecommunication network architectures from proprietary protocols towards standardised and open protocols (from GSM to UMTS),
  • making NIS even more vulnerable to external attacks.
• Critical Infrastructure degradation can entail severe consequences for security, public health, safety or the economy (the fire tragedy inside the Monte Bianco tunnel).
Issues to be considered for NIS dependability analysis
• The novelty and complexity of Networked Information Systems make their development methodologies essentially heuristic and lacking a systematic approach.
• Regulation, control and automation relying on NIS, especially when based on a public wireless technology, is a boundless field, still basically unexplored.
Issues to be considered for NIS dependability analysis
• The possibility of accidental internal events (including transient faults, design errors and operator errors) cannot be excluded, because of the strong interdependence of NIS components/subsystems/systems:
  • adaptive reconfiguration of NIS components/subsystems/systems in response to events and surroundings;
  • systems belonging to a NIS are often spread across vast distances, heterogeneous and highly interactive; each system may have hierarchical layers and may be distributed at each layer;
  • NIS are not born at once, but usually grow over years.
• NIS are subject to attacks (security issues are recognised and on the research agenda),
  • but "Nature", causing unintentional physical and logical faults, may be more inventive than man.
• The additional cost of making a Networked Information System dependable could be similar to the cost of providing its basic functionalities.
Logical faults, and fault tolerance aimed at physical faults
The increasing logical complexity and interdependency of networks makes them more prone and vulnerable to logical faults:
• Logical faults are embedded in a NIS; they stay dormant until activated by a combination of input/use or internal state of the system, and then cause an error.
• Errors may persist in the system for a considerable period and could cause a burst of failures.
• One error located in one part of a system may propagate (spread) to other parts.
Fault tolerance, aimed at physical faults, is provided at:
• the transport layer
• the control layer
Fault tolerance (at transport layer)
• Redundant computing and/or storage capacity in the network nodes; the synchronization between replicas incurs little or no delay; dedicated systems. They are vulnerable to environmental failures such as fire.
• Service replicas in several network nodes; off-the-shelf components; dependability tailorable to the application requirement. Management of groups of objects, and of the communication between them, is required.
Fault tolerance (at control layer)
• Protection switching: fault tolerance of the transport service between two nodes by establishing a dedicated spare path;
• Reconfiguration: a centralized management of the network reconfigures the routing through the network when a network failure occurs;
• Self healing: distributed control with no dedicated pre-reserved transmission capacity;
• Multi-layer fault handling.
NIS dependability analysis
• a General Procedure to derive a Conceptual Model that captures in a single framework all dependability facets of a NIS, by using an appropriate case study (i.e. the SAFETUNNEL Demonstrator) (from one side);
• trying to unify the stochastic and functional analysis, so that the same model could feed
  • a stochastic analyser for performance evaluation
  • a functional analyser for model checking (from the opposite side);
• with the aim of reducing the gap between:
  • the required modelling power and the actual modelling power of current tools for dependability analysis
  • design and evaluation tools
Conceptual model
• refines existing design models in order to enable effective dependability analysis;
• helps in deriving the NIS scope and operational concept, and explains how NIS functions are allocated to systems/subsystems/components;
• who is at risk from the NIS, and how the environment might be affected by NIS internal events;
• which are the chains of cause and effect of failures/intrusions of the NIS, and its recovery behaviour.
Dependability modelling and analysis
• Dependability modelling and analysis, even at the layer of digital embedded systems, is currently dominated by two main lines:
  • functional analysis, based on the description of the system in terms of discrete/continuous state automata (whose goal is to ascertain conformity and reachability properties);
  • stochastic analysis (whose aim is to provide performance and dependability measures).
Modelling dilemmas
There are two main dilemmas:
• stochastic versus timed;
• discrete versus continuous (or hybrid).
Stochastic models
• In stochastic models the timing of events is represented by means of random variables.
• Typical fields of application:
  • Performance evaluation
  • Dependability analysis
• The obtainable measures are mean values and distributions.
Stochastic models
• explore the possibility of defining a chain of models of increasing semantic complexity:
  • from combinatorial models (e.g. Fault Trees)
  • to models with localized dependencies (e.g. dynamic FT or Bayesian Networks)
  • to models based on the state space (Markov models and Petri nets);
• provide automatic translation algorithms for converting one model into a model of higher semantic complexity.
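The first two steps of this chain, as an added worked example (illustrative code, not from the SAFETUNNEL project or these authors): a small fault tree for the demonstrator's tele-control path is evaluated combinatorially, then translated automatically into a Bayesian network, and finally a common-cause node ("fire", an environmental failure that hits both redundant modems at once, the kind of localized dependency a fault tree cannot express without duplicating basic events) is added. The basic events, their probabilities, the gate structure and all names are constructed for illustration.

```python
"""Added example (not SAFETUNNEL code): Fault Tree -> Bayesian Network translation chain.
All event names, probabilities and the gate structure are constructed for illustration."""
from fractions import Fraction
from itertools import product

# Constructed basic-event probabilities (per tunnel transit).
BASIC = {
    "radio_coverage_lost": Fraction(1, 100),
    "gprs_modem_fail": Fraction(1, 50),
    "backup_modem_fail": Fraction(1, 50),
    "tmc_server_down": Fraction(1, 200),
}

def no_command(ev):
    """Top event of the fault tree: the truck cannot receive a tele-control command.
    OR over coverage loss, server outage and the AND of the two (assumed redundant) modems."""
    return (ev["radio_coverage_lost"]
            or (ev["gprs_modem_fail"] and ev["backup_modem_fail"])
            or ev["tmc_server_down"])

def ft_probability(basic=BASIC, top=no_command):
    """Combinatorial evaluation: every basic event is independent of every other."""
    names = list(basic)
    total = Fraction(0)
    for values in product([False, True], repeat=len(names)):
        if top(dict(zip(names, values))):
            p = Fraction(1)
            for n, v in zip(names, values):
                p *= basic[n] if v else 1 - basic[n]
            total += p
    return total

def bn_probability(network, query):
    """network: [(name, parents, cpt)] in topological order, cpt(*parent_values) -> P(name=True).
    Returns P(query) by summing the joint distribution over all assignments (fine for small nets)."""
    names = [n for n, _, _ in network]
    total = Fraction(0)
    for values in product([False, True], repeat=len(names)):
        assign = dict(zip(names, values))
        p = Fraction(1)
        for name, parents, cpt in network:
            pt = cpt(*(assign[q] for q in parents))
            p *= pt if assign[name] else 1 - pt
            if p == 0:
                break
        if p and query(assign):
            total += p
    return total

def ft_to_bn(basic, top, gate_name="no_command"):
    """Automatic translation FT -> BN: each basic event becomes a root node whose prior is its
    probability; the gate becomes a deterministic child of all of them (CPT is 1 or 0)."""
    net = [(n, (), (lambda p=p: p)) for n, p in basic.items()]
    parents = tuple(basic)
    net.append((gate_name, parents,
                lambda *vals, parents=parents: Fraction(int(top(dict(zip(parents, vals)))))))
    return net

def bn_with_common_cause(basic=BASIC, p_fire=Fraction(1, 1000), p_fail_given_fire=Fraction(9, 10)):
    """Localized dependency the fault tree cannot express: a fire in the tunnel (constructed
    figures) raises the failure probability of both modems at the same time."""
    net = [("fire", (), lambda: p_fire)]
    for name, parents, cpt in ft_to_bn(basic, no_command):
        if name in ("gprs_modem_fail", "backup_modem_fail"):
            parents = ("fire",)
            cpt = (lambda fire, base=basic[name]: p_fail_given_fire if fire else base)
        net.append((name, parents, cpt))
    return net

def top_event(assign):
    return assign["no_command"]

if __name__ == "__main__":
    ft = ft_probability()
    bn = bn_probability(ft_to_bn(BASIC, no_command), top_event)
    cc = bn_probability(bn_with_common_cause(), top_event)
    print(f"fault tree            P(no command) = {float(ft):.6f}")
    print(f"translated BN         P(no command) = {float(bn):.6f}  (identical: translation is exact)")
    print(f"BN with common cause  P(no command) = {float(cc):.6f}  (dependency the FT could not capture)")
```

Run stand-alone it prints the three figures. The translated network reproduces the fault-tree value exactly, which is the check one wants on any automatic translation step; the common-cause variant comes out higher because the AND gate over the two modems no longer multiplies independent probabilities.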
Timed models
• In timed models the timing of events is represented by constant values or (non-deterministic) intervals.
• Typical fields of application:
  • Real-time and time-critical systems
  • Safety-critical systems
• The obtainable results are reachability properties, and computer-aided verification via model checking.
Discrete versus hybrid models
• In discrete models the state space is discrete.
• The dynamic evolution of the system in time is represented as a sequence of transitions among discrete states.
• Hybrid models contain discrete as well as continuous variables in the same model. Typical examples are discrete controllers that control continuous variables.
The unified heterogeneous model
A unified view of formal methods and stochastic methods, able to combine in the same framework:
• stochastic and deterministic timing;
• discrete and continuous (hybrid) variables;
and used to feed:
• a functional analyser for model checking;
• a stochastic analyser for performance evaluation.
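An added example of one model serving both analysers (illustrative code, not from the SAFETUNNEL project or these authors): a discrete-time model of a truck-side watchdog over the public wireless link, combining a deterministic timeout (TIMEOUT) with stochastic link loss and recovery (P_FAIL, P_REPAIR; constructed figures). A single transition function yields both the reachability graph for a safety invariant and the Markov chain for a steady-state measure. A second controller variant with an off-by-one timeout, a constructed dormant logical fault of the kind described in the "Logical faults" slide, shows what each analyser reports: the functional check finds the violating state, the stochastic one says how often it is visited. The watchdog logic, state encoding and all figures are assumptions.

```python
"""Added example (not SAFETUNNEL code): one transition model of a truck-side watchdog, fed to
(a) a reachability check of a safety invariant and (b) an exact steady-state solver.
TIMEOUT, P_FAIL, P_REPAIR and the controller logic are constructed for illustration."""
from collections import deque
from fractions import Fraction

TIMEOUT = 3                  # ticks without a heartbeat before safe mode is required (assumed)
P_FAIL = Fraction(1, 20)     # per-tick probability the wireless link drops (constructed)
P_REPAIR = Fraction(1, 4)    # per-tick probability a dropped link recovers (constructed)
INITIAL = (True, 0, False)   # state = (link_up, ticks_without_heartbeat, safe_mode)

def controller_ok(link_up, stale):
    """Watchdog as required: safe mode once TIMEOUT consecutive ticks pass without a heartbeat."""
    if link_up:
        return (True, 0, False)
    stale = min(stale + 1, TIMEOUT)
    return (False, stale, stale >= TIMEOUT)

def controller_off_by_one(link_up, stale):
    """Same logic with a dormant logical fault (constructed): '>' instead of '>='.
    Harmless until the link has been down for exactly TIMEOUT ticks."""
    if link_up:
        return (True, 0, False)
    stale = min(stale + 1, TIMEOUT + 1)
    return (False, stale, stale > TIMEOUT)

def step(state, controller):
    """Successors with probabilities: the link is stochastic, the controller deterministic."""
    link_up, stale, _ = state
    if link_up:
        outcomes = [(True, 1 - P_FAIL), (False, P_FAIL)]
    else:
        outcomes = [(True, P_REPAIR), (False, 1 - P_REPAIR)]
    return [(controller(up, stale), p) for up, p in outcomes]

def reachable(controller, initial=INITIAL):
    """Functional analysis: explicit-state exploration; probabilities ignored, only the support counts."""
    seen, queue = {initial}, deque([initial])
    while queue:
        s = queue.popleft()
        for nxt, _ in step(s, controller):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def violates(state):
    """Safety invariant: a controller blind for TIMEOUT ticks must not still be under remote control."""
    _, stale, safe = state
    return stale >= TIMEOUT and not safe

def check_safety(controller):
    """Model checking of the invariant: reachable violating states (empty list == property holds)."""
    return sorted(s for s in reachable(controller) if violates(s))

def steady_state(controller, initial=INITIAL):
    """Stochastic analysis of the same model: stationary distribution of the induced Markov chain,
    solved exactly (pi P = pi, sum pi = 1) by Gauss-Jordan elimination over rationals."""
    states = sorted(reachable(controller, initial))
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    rows = [[Fraction(0)] * (n + 1) for _ in range(n)]   # columns: pi_0..pi_{n-1} | rhs
    for s in states:
        for nxt, p in step(s, controller):
            rows[idx[nxt]][idx[s]] += p                   # inflow into nxt from s
    for j in range(n):
        rows[j][j] -= 1                                   # balance: inflow - pi_j = 0
    rows[-1] = [Fraction(1)] * (n + 1)                    # one equation replaced by normalisation
    for col in range(n):
        piv = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        pv = rows[col][col]
        rows[col] = [x / pv for x in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return {s: rows[i][n] for i, s in enumerate(states)}

def hazard_exposure(controller):
    """Fraction of time the system spends in a state violating the safety invariant."""
    return sum((p for s, p in steady_state(controller).items() if violates(s)), Fraction(0))

if __name__ == "__main__":
    for name, ctl in (("required watchdog", controller_ok), ("off-by-one watchdog", controller_off_by_one)):
        print(f"{name}: violations={check_safety(ctl)} exposure={hazard_exposure(ctl)}")
```

The two analyses answer different questions from the same transitions: model checking says whether the invariant can be broken at all (for the faulty controller it reports the state with three blind ticks and remote control still enabled), while the stationary distribution quantifies the exposure, a few percent of ticks with the constructed link figures. Neither result is available from the other analysis alone, which is the point of feeding both from one model.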
Final goal
• A complete modelling coverage, moving from the top abstraction layer of a NIS down to the lower ones, made of a Conceptual Model which feeds a set of Heterogeneous Models.
• The aim is
  • to partially overcome the inadequacy of the modelling power of current tools with respect to the modelling power required for NIS dependability analysis,
  • and to reduce the gap between current design and evaluation tools.
Moreover
• To try to include the cognitive approach, in order to minimise errors due to operator behaviour (i.e. the drivers and the tunnel operators).
• To implement a pilot version of computerised tools to partially support the proposed methodology for unified heterogeneous modelling.
• To set up appropriate experiments on the Case Study (i.e. the SAFETUNNEL Demonstrator), so that experimental data can be gathered and used as evidence for partially validating the models.