
[IEEE Test Symposium (EWDTS) - Sevastopol, Ukraine (2011.09.9-2011.09.12)] 2011 9th East-West Design & Test Symposium (EWDTS) - About dependability in cyber-physical systems

About Dependability in Cyber-Physical Systems

Liviu Miclea, Teodora Sanislav
Technical University of Cluj-Napoca

[email protected], [email protected]

Abstract

This paper presents definitions characterizing the concepts of cyber-physical systems and dependability. Cyber-physical systems incorporate computing, communication and storage capabilities with monitoring and/or control of entities in the physical world in a dependable, secure, efficient and real-time way. The challenges of cyber-physical system research concern: real-time system abstractions; robustness, safety and security; QoS composition; and, not least, dependability. Dependability is first introduced as a global concept that subsumes the usual attributes of reliability, availability, safety, integrity and maintainability.

The paper aims to define the research challenges that must be addressed to achieve dependability in cyber-physical hydropower systems. The most significant dependability challenge in cyber-physical hydropower systems is the evaluation of the system behavior in terms of the interdependencies between the cyber and physical components of the system.

1. Introduction

The complexity of current information and communication systems, the inadequate formalisms and tools in use, and the limited ability to deal with uncertain situations demand the development of new scientific and engineering principles and methodologies, which will be required to create the future systems - cyber-physical systems - upon which our lives will depend. Cyber-physical systems will transform how we interact with the physical world, just as the Internet transformed how we interact with one another.

In the following sections, we (1) present the basic concepts of cyber-physical systems and dependability, (2) present a case study of a cyber-physical hydropower system, and (3) propose a set of research challenges that need to be addressed to improve the dependability of cyber-physical hydropower systems.

2. Basic Concepts

This section gives the main definitions related to two concepts - cyber-physical systems and dependability - including some of their main characteristics and properties.

2.1. Cyber-Physical Systems

Cyber-Physical Systems (CPSs) represent a new technological revolution: going beyond networking and information technology, information and knowledge will be integrated into physical objects. By integrating perception, communication, learning, behavior and reasoning generation in CPSs, a new generation of intelligent and autonomous systems will be developed.

The worldwide scientific community shows a keen interest in CPSs. Thus, the United States placed CPSs at the top of the list of priorities for investment in research, as evidenced by the report of the President's Council of Advisors on Science and Technology (PCAST) from August 2007, developed by Dan Reed and George Scalise. In Europe, the EU's Agenda 2020 is the legislative document with beneficial effects on society that supports R&D and innovation in the member countries. Ongoing European research programmes (e.g., FP7) support CPS research through objectives stated in the work programmes in the field of information and communication technologies (e.g., Objective ICT-2011.3.3 - New paradigms for embedded systems, monitoring and control towards complex systems engineering).

Several definitions of CPSs are found in the literature:

- "A cyber-physical system (CPS) integrates computing, communication and storage capabilities with monitoring and/or control of entities in the physical world, and must do so dependably, safely, securely, efficiently and in real-time", Shankar Sastry, University of California, Berkeley [1].

978-1-4577-1958-5/11/$26.00 ©2011 IEEE

- "Cyber-physical systems will transform how we interact with the physical world just like the Internet transformed how we interact with one another", NSF CPS Workshop, Austin, 16-17 October 2006 [1].
- "Cyber-physical systems are 'smart' technologies that are beginning to transform our lives", NSF Briefing and Research Expo on Cyber-Physical Systems on Capitol Hill, July 1, 2009 [2].
- "Cyber-physical systems integrate social, information, and physical components in highly interconnected and complex ways, and produce data in amounts difficult to understand and exploit", Department of Computer Science - CPS, University of Illinois [3].
- "Cyber-Physical Systems (CPS) are integrations of computation and physical processes. Embedded computers and networks monitor and control the physical processes, with feedback loops where physical processes affect computations and vice versa", CHESS: Center for Hybrid and Embedded Software Systems, UC Berkeley [4].
- "Cyber Physical Systems (CPSs) are physical, biological and engineered systems whose operations are monitored, coordinated, controlled and integrated by computing and communication core" [5].

It should be noted that CPSs are not just desktop applications, nor traditional embedded systems or real-time systems, nor today's sensor networks. These systems have several characteristics that define them [1]:
- cyber capability is present in every physical component;
- networked at multiple and extreme scales;
- dynamically reorganizing and reconfiguring;
- high degrees of automation; control loops must close;
- operation must be dependable, and certified in some cases;
- cyber and physical components are integrated for learning and adaptation, higher performance, self-organization and self-assembly.

CPS applications will have a potential impact in the following areas: control of critical infrastructures (electric energy, water resources), efficient transport control, alternative energies, environmental control, telepresence, medical devices and systems, telemedicine, assisted living, social networking and games, and manufacturing [1], [6]. These systems will respond more quickly, will be more precise, will work in dangerous or inaccessible environments, will provide large-scale distributed coordination, will be highly efficient, will augment human capabilities, and will enhance societal wellbeing [2].

Cyber-physical systems, like all information and communication systems, are characterized by the following fundamental properties: functionality, performance, dependability, security and cost. Other properties that affect system dependability and security are: usability, administration, and adaptability.

2.2. Dependability

The concept of dependability, which appears in the definition of CPSs as one of their properties, is increasingly found throughout the life cycle of a system. In the scientific literature, dependability has several definitions:
- Dependability is "the collective term used to describe the availability performance and its influencing factors: reliability performance, maintainability performance and maintenance support performance", ISO/TC 176/SC 1 N 93 [7].
- Dependability is "the extent to which the system can be relied upon to perform exclusively and correctly the system task(s) under defined operational and environmental conditions over a defined period of time, or at a given instant of time", IEC 1069-5 Publication [8].
- "Dependability is the ability to deliver service that can justifiably be trusted" [9].
- "The dependability of a system is the ability to avoid service failures that are more frequent and more severe than is acceptable" [9].

An exposition of the concept of dependability consists of three parts: the attributes, the threats, and the means by which dependability is attained [10].

In [9], [10], [11] the authors state that dependability includes the following attributes (ways to assess the dependability of a system):
- Availability - readiness for correct service;
- Reliability - continuity of correct service;
- Safety - absence of catastrophic consequences for users and the environment;
- Integrity - absence of improper system alterations;
- Maintainability - ability to undergo modifications and repairs.

Threats can affect a system during its life cycle and cause a drop in dependability. There are three main threats highlighted in the dependability tree [9], [10], [11]:
- Fault - a defect in a system. The presence of a fault in a system may or may not lead to a failure. A fault is the adjudged or hypothesized cause of an error. There are development faults (e.g., software faults, hardware errata), physical faults (e.g., production defects) and interaction faults (e.g., external attacks).
- Error - a disagreement between the intended behavior of a system and its actual behavior inside the system boundary. An error is the part of the system state that may cause a subsequent failure: a failure occurs when an error reaches the service interface and alters the delivered service.
- Failure - an instant in time when a system displays behavior that is contrary to its specification.

The means to achieve the dependability property of a system (ways to increase its dependability) have been defined as:
- Fault Prevention (FP) - means of preventing the occurrence or introduction of faults. FP can be accomplished through development methodologies and good implementation techniques.
- Fault Tolerance (FT) - means to avoid service failures in the presence of faults.
- Fault Removal (FR) - means to reduce the number and severity of faults. FR can be subdivided into two sub-categories: removal during development and removal during use. Removal during development requires verification, so that faults can be detected and removed before the system's release into production.
- Fault Forecasting (FF) - means to estimate the present number of faults, their future incidence and their consequences.

FP and FT aim to provide the ability to deliver a trusted service, while FR and FF aim to reach confidence in that ability by justifying that the functional, security and dependability specifications are adequate and that the system is able to fulfill them [9].

3. Cyber-Physical Hydropower System - Case Study

CPSs integrate computing, communication and control capabilities with the monitoring and control of entities in the physical world. CPSs must provide this integration dependably, safely, securely, efficiently and in real-time. These systems are usually composed of a set of sensors, actuators (RTUs - Remote Terminal Units), control processing units (PLCs - Programmable Logic Controllers) and communication devices (routers, GSM modems). CPSs extend the role of some existing systems such as Supervisory Control and Data Acquisition (SCADA) systems [12]. A possible CPS architecture is presented in Figure 1.

CPSs (and SCADA systems in particular) perform vital functions in national critical infrastructures, such as electric power production and distribution, water and waste-water distribution systems, transportation systems, etc. Even a temporary malfunction of these control systems could have a significant impact on public health, population safety and the economic sector, which requires a qualitative and quantitative representation of the dependability of these systems.

Figure 1. CPSs architecture

This section of the paper presents a CPS from the hydropower production field (CPHS) that incorporates a number of monitoring and control devices acting as a distributed, fault-tolerant, real-time constrained control system that cooperatively adjusts power flows [13], [14].

The control of hydropower plants includes many tasks distributed among hydraulic engines, electric generators, specific power and voltage controller units, connecting devices, control loops and utilities. The CPHS that implements these tasks has to meet several important requirements:

• Upward and downward openness. The CPHS is open and includes different computer-based hardware equipment, managed by software applications developed in programming environments from different suppliers.

• Adaptability. The CPHS is able to configure its components according to precise requirements, even if these are modified during its lifetime.

• Real-time operation. The CPHS provides the measured data values and event samples to the remote operator within a very short time, so that the corresponding processing actions can be taken in time.

The CPHS for hydropower plant dispatching connects 8 hydropower plants (each with its own local systems), and all the measured data and commands are controlled by a dispatcher located in a large city. At the local control and connection level, the hydroelectric power plant unit includes transducers, actuators, RTUs (power meters and level measurement blocks) and a PLC used for parameter measurement, supervision and control of the process. The local control level equipment processes the electrical measurements acquired from the hydroelectric power plants' electric equipment. The digital input signals represent the operating status of the switching equipment and the real-time status of the protection loops. The analogue signals include electric parameters such as voltage, currents, power factor and frequency, and energy parameters: active, reactive and apparent power and energies. The data communication structure is implemented by a computing system attached to the local control structure through an RS485 serial data communication network (Modbus and Standard); this level provides the HMI (human-machine interface), data logging, event recording and process parameter plotting. The system located at the dispatcher is connected to the hydroelectric power plant equipment using leased/dial-up telephone lines or GSM/radio communication.

The central level consists of an Ethernet network of computing systems using the TCP/IP protocol under the Windows operating system. Each computer in the network is dedicated to a specific department. There is a Main Dispatcher computer, which is the communication processor, connected to the local level through multiple-port interfaces that manage the seven communication channels.

The Dual Dispatcher computer is the host of the acquisition database. With respect to the remote operating process, the two dispatcher stations are equivalent. The other network computers provide visibility of the measured parameters relevant to each department, but cannot issue commands or remote control to the hydroelectric plants.

The CPHS can be described by the following functions [15]:
- trends viewer: historical or online trends of various measured parameters can be displayed individually or in groups in configuration modules;
- events and alarms: signaled immediately in a specially reserved area of the screen, and the operator's acknowledgement is also controlled; status information and history (date, time and event) can be accessed according to various freely definable categories;
- reports: reports with information about process quality or plant alarms can be generated and displayed or printed; these reports include high-speed events and can be either requested by the operator, generated automatically, or triggered by the program.

4. Dependability in Cyber-Physical Hydropower System

A cyber-physical system for the control of hydropower plants is a large-scale complex system that is expected to be highly dependable. In order to achieve the property of dependability, the CPHS has to satisfy the following:

• Availability and correctness (accuracy) - the CPHS has to rapidly detect network faults: the availability of the plants and the status of the communication channels for all devices.

• Self-test capability - the self-test indicates or isolates a defective device or subdivision. In order to check its correct functionality, a special test is performed on each separate element. In case of error the component is declared non-functional and the system operates without it.

• Data security and reliability - the CPHS prevents intruders' access to the remote computer network.

The most significant problem in the study of dependability in CPSs, and in CPHSs in particular, is quantifying the interdependencies between the cyber and physical components of the system. Doing so faces the following challenges: system complexity, the low probability of occurrence of critical events, and the difficulty of gathering the data needed for accurate modeling [16]. Some modeling and simulation techniques for critical infrastructure are enumerated in [17]; they rely upon semantics to represent the relations between the cyber and physical layers of CPSs.

5. Research Challenges

The method proposed to achieve the dependability property of the CPHS consists of a system behavior evaluation with two aspects:
- Qualitative evaluation - with the goal of identifying, classifying and ranking the failure modes, or the event combinations, that would lead to system failures;
- Quantitative evaluation - with the goal of evaluating, in terms of probabilities, the degree to which some of the attributes are satisfied.

5.1. Qualitative evaluation

The failure modes, or combinations of events leading to failure, will be identified and classified in order to build an ontology that provides a qualitative representation of the CPHS's interdependencies. The measurable attributes necessary to evaluate the system behavior will also be identified.

5.2. Quantitative evaluation

The identified measurable attributes will be used to model the probabilistic estimates of the CPHS behavior. The modeling can address physical faults, development faults or a combination of both, and will be composed of two phases: the construction of a model of the CPHS from the elementary stochastic processes that model the behavior of the system's components and their interactions, and the processing of the model to obtain the expressions and the values of the dependability measures of the CPHS. The modeling can follow several approaches: multi-agent-based techniques, Markov models or Petri nets.
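As an added example (not code from the paper), the following Python script carries the two modeling phases through for the case study's control path: each layer (local PLC/RTU level, communication channel, and the equivalent Main/Dual dispatcher pair) is an elementary continuous-time Markov chain, and the steady-state availability of the composed path is obtained by solving the balance equations. All failure and repair rates are constructed placeholders, and independence between layers is an assumption of this example.

```python
"""Steady-state availability of a CPHS control path from continuous-time Markov chains.

Added example, not code from the paper. The layer structure follows the case study
(local PLC/RTU level -> communication channel -> dispatcher); all failure and repair
rates are constructed placeholders expressed per hour.
"""
from typing import Dict, List, Sequence

Matrix = List[List[float]]


def steady_state(q: Matrix) -> List[float]:
    """Solve pi * Q = 0 with sum(pi) = 1 for an irreducible generator matrix Q.

    Q has rank n-1, so one balance equation is replaced by the normalisation
    constraint and the resulting square system is solved by Gauss-Jordan elimination.
    """
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]  # rows of Q^T (pi*Q = 0)
    b = [0.0] * n
    a[n - 1] = [1.0] * n  # replace the last balance equation by sum(pi) = 1
    b[n - 1] = 1.0
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))  # partial pivoting
        a[col], a[piv] = a[piv], a[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
                b[r] -= f * b[col]
    return [b[i] / a[i][i] for i in range(n)]


def single_unit(fail_rate: float, repair_rate: float) -> Matrix:
    """Generator for one repairable unit: state 0 = up, state 1 = down."""
    return [[-fail_rate, fail_rate], [repair_rate, -repair_rate]]


def one_of_two(fail_rate: float, repair_rate: float) -> Matrix:
    """Two equivalent units (the Main/Dual dispatcher pair), service needs one of
    them, one repair crew. State = number of failed units (0, 1, 2)."""
    lam, mu = fail_rate, repair_rate
    return [[-2 * lam, 2 * lam, 0.0],
            [mu, -(lam + mu), lam],
            [0.0, mu, -mu]]


def availability(q: Matrix, up_states: Sequence[int]) -> float:
    """Steady-state probability that the modelled subsystem delivers its service."""
    pi = steady_state(q)
    return sum(pi[s] for s in up_states)


def annual_downtime_hours(avail: float) -> float:
    """Expected hours per year during which the service is not delivered."""
    return 8760.0 * (1.0 - avail)


def evaluate_plant_path(local: Matrix, channel: Matrix, dispatcher: Matrix,
                        dispatcher_up: Sequence[int]) -> Dict[str, float]:
    """Series composition of the three layers a plant's data must cross.

    Independence between layers is assumed; capturing cyber/physical
    interdependencies (the paper's stated challenge) would need a joint chain.
    """
    a_local = availability(local, [0])
    a_channel = availability(channel, [0])
    a_disp = availability(dispatcher, dispatcher_up)
    a_path = a_local * a_channel * a_disp
    return {"local": a_local, "channel": a_channel, "dispatcher": a_disp,
            "plant_path": a_path, "downtime_h_per_year": annual_downtime_hours(a_path)}


if __name__ == "__main__":
    # Constructed rates: MTTF 1000 h / MTTR 10 h for the local level, a less reliable
    # GSM channel, and dispatcher stations with MTTF 100 h / MTTR about 11 h.
    single_disp = availability(single_unit(0.01, 0.09), [0])
    dual_disp = availability(one_of_two(0.01, 0.09), [0, 1])
    print(f"dispatcher availability: single={single_disp:.4f} dual={dual_disp:.4f}")
    result = evaluate_plant_path(single_unit(0.001, 0.1), single_unit(0.005, 0.5),
                                 one_of_two(0.01, 0.09), [0, 1])
    for name, value in result.items():
        print(f"{name}: {value:.4f}")
```

Comparing the single-dispatcher and dual-dispatcher figures shows the quantitative gain of the equivalent dispatcher stations described in the case study; the same machinery accepts a Markov chain of any size, so a joint cyber/physical chain can be substituted for the independent layers.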

The resulting model will be implemented, optimized and validated using simulation and real data; the evaluation of the solution could be done by fault injection.

6. Conclusions

The research proposed in this paper aims to provide a qualitative and quantitative understanding of dependability in a CPHS by building a model able to combine the physical and cyber components and to facilitate the correct study of their interdependencies.

A CPHS was chosen as a case study because this system is part of the critical infrastructure, with a significant impact on population safety and the economic sector.

The main contributions will be:
- the definition of an ontology that describes the qualitative representation of interdependencies in CPSs for critical infrastructure control (hydropower production);
- the building of a system model that describes the quantitative representation of interdependencies in CPSs for critical infrastructure control (hydropower production);
- the processing of the model to obtain expressions and values of the measurable attributes (which ensure the dependability) of the system.

7. References

[1] B. Huang, "Cyber Physical Systems: A Survey", www.ux.uis.no/atc08/smarthome/CPS_A_Survey.pdf, 2008.
[2] NSF Program Solicitations NSF 08-611 (2009), NSF 10-515 (2010), www.nsf.gov/funding/pgm_summ.jsp?pims_id=503286, 2011.
[3] Department of Computer Science, University of Illinois, http://cs.illinois.edu/research/themes/cyberphysical, 2011.
[4] CHESS: Center for Hybrid and Embedded Software Systems, UC Berkeley, http://chess.eecs.berkeley.edu/, 2011.
[5] I. Dumitrache, "The next generation of Cyber-Physical Systems", Journal of Control Engineering and Applied Informatics, ISSN: 1454-865, vol. 12, no. 2, pp. 3-4, 2010.
[6] E. A. Lee, "Cyber Physical Systems: Design Challenges", Technical Report No. UCB/EECS-2008-8, http://www.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-8.html, 2008.
[7] "Quality Concepts and Terminology, part 1: Generic Terms and Definitions", Document ISO/TC 176/SC 1 N 93, 1992.
[8] "Industrial-Process Measurement and Control - Evaluation of System Properties for the Purpose of System Assessment, Part 5: Assessment of System Dependability", Draft, Publication 1069-5, International Electrotechnical Commission (IEC) Secretariat, 1992.
[9] A. Avizienis, J.-C. Laprie, B. Randell, C. Landwehr, "Basic Concepts and Taxonomy of Dependable and Secure Computing", IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, 2004.
[10] A. Avizienis, J.-C. Laprie, B. Randell, "Fundamental Concepts of Dependability", Proceedings of the Third Information Survivability Workshop (ISW 2000), October 24-26, Boston, USA, 2000, www.cert.org/research/isw/isw2000/papers/56.pdf.
[11] J.-C. Laprie, Dependability: Basic Concepts and Terminology, Springer-Verlag, 1992.
[12] A. Cardenas, S. Amin, S. Sastry, "Secure Control: Towards Survivable Cyber-Physical Systems", Proceedings of the 28th International Conference on Distributed Computing Systems Workshops, pp. 495-500, 2008.
[13] NERC-CIP, Critical Infrastructure Protection, North American Electric Reliability Corporation, http://www.nerc.com/page.php?cid=2|20, 2009.
[14] A. K. Srivastava, A. J. Flueck, Contingency Screening Techniques and Electric Grid Vulnerabilities: Mathematical Modeling, Algorithm Development and Applications, VDM Verlag, ISBN-10: 3836487012, June 2008.
[15] D. Căpăţână, I. Stoian, T. Sanislav, O. Ghiran, E. Stâncel, I. Filip, "Integration Techniques of the Embedded Distributed Systems Using Programming Environments and Industrial Standard Communication Protocols", Proceedings of the International Conference on Automation, Quality and Testing, Robotics, Tome 1, pp. 430-435, 2006.
[16] S. M. Rinaldi, "Modeling and simulating critical infrastructures and their interdependencies", Proceedings of the 37th Hawaii International Conference on System Sciences, 2004.
[17] P. Pederson, Critical Infrastructure Interdependency Modeling: A Survey of U.S. and International Research, August 2006.