the presentation slides of Prof. Setola

Workshop
VULNERABILITY AND RESILIENCE OF CRITICAL
INFRASTRUCTURES: ISSUES, METHODS AND
APPLICATIONS
Interdependent systems
Prof. Roberto Setola
University Campus Bio-Medico of Rome
r.setola@unicampus.it
Complex Systems and Security Laboratory
Università Campus Bio-Medico di Roma - Via Álvaro del Portillo, 21 – 00128 Roma-Italia
25 February 2015
www.unicampus.it – www.coseritylab.it
Objectives of this lesson
• What is the relevance of (inter-)dependencies?
• How to model these phenomena?
• What are the consequences if we neglect to capture them?
Dependency vs. interdependency
[Figure: infrastructures A and B linked by a dependency and by an interdependency]
Dependency: the capability of an infrastructure to influence the state of another infrastructure. It is a unidirectional relationship.
Interdependency: a bidirectional relationship between two infrastructures through which the state of each infrastructure is influenced by or correlated to the state of the other.
Notice that in the literature, with an abuse of notation, the term “Interdependency” is used with a broad meaning that partly absorbs the meaning of “dependency”.
First and higher order dependency
[Figure: dependency graphs among infrastructures A, B and C]
• First order dependency A -> B
• Second order dependency A -> C -> B
The concept can be easily generalized to the n-th order dependency.
When the sequence of influences creates a loop, A -> C -> B -> A, then ALL the involved infrastructures are inter-dependent. Any event is exacerbated.
In the presence of loops, there is no longer a tree structure (i.e. there is a root and the consequences go only downstream) but a graph structure (the consequences no longer have a preferential direction).
Dimensions for describing infrastructure
interdependencies.
S. Rinaldi, J. Peerenboom, and T. Kelly, “Identifying Understanding and Analyzing Critical
Infrastructure Interdependencies,” IEEE Control System Magazine, pp. 11–25, 2001.
Dimensions for describing infrastructure interdependencies.
Physical Interd.: if the operations of one infrastructure depend on the physical output(s) of the other.
Cyber Interd.: if its state depends on information transmitted via cyberspace.
Geographical Interd.: when elements are in close spatial proximity.
Logical Interd.: any other causes (e.g. regulatory)
Sociologic Interd.: when coupling effects are mediated by (irrational) human behaviors
De Porcellinis, S., Setola, R., Panzieri, S., & Ulivi, G. (2008). Simulation of heterogeneous and
interdependent critical infrastructures. International Journal of Critical Infrastructures, 110-128.
Interdependency
Metrics
How to measure dependency
A cornerstone question is how to measure the degree of (inter)dependency existing between any two infrastructures, in order to tell normal situations from pathological ones.
A general approach is to evaluate the degree of dependency on a relative basis, i.e. how much the negative consequences are amplified.
Dependency Measurement
The dependency index is the ratio between the relative increments of the inoperability in the dependent infrastructure and those experienced in the source infrastructure:
[Formula annotations: variation in the «inoperability» of A due to the event that occurred in B; effect on B]
Inter-Dependency Measurement
Interdependencies modelling
Modelling classification
• Topological based approaches
• Holistic approaches
• Simulation based approaches
[Figure: classification chart. Axis labels: Implementation effort, Information elicitation, Application Domain; scale from Low to High; other labels: Structural, Functional, Operational, Strategic, Holistic, Simulation-based]
Input-output Models
Infrastructures are modeled as black boxes
The emphasis is on interaction (input and output)
• Which inputs are needed?
• What is the effect of a lack of resources?
Input-Output Inoperability Model
• Based on the economic equilibrium theory of
W. Leontief
• Each infrastructure has an inoperability q (% of
malfunctioning)
• The model considers constant external
perturbations and analyzes the domino effects
W. Leontief, Input-Output Economics, Oxford University Press, 1966.
Y. Haimes et al., Inoperability input-output model for interdependent infrastructure sectors
I: Theory and methodology, Journal of Infrastructure Systems, vol. 11(2), pp. 67-79, 2005.
IIM - Example
[Figure: graph of the infrastructures A, B and C with link weights 0.4, 0.6, 0.2, 0.3 and an external perturbation of 0.12]
$$A^* = \begin{bmatrix} 0 & 0 & 0.3 \\ 0.4 & 0 & 0 \\ 0.2 & 0.6 & 0 \end{bmatrix}; \quad c^* = \begin{bmatrix} 0 \\ 0 \\ 0.12 \end{bmatrix}$$
A*: Leontief matrix. Its coefficients (Leontief coefficients) are the fraction of transmitted inoperability.
c*: external perturbation.
$$q(k+1) = A^* q(k) + c^*$$
IIM example (2)
Infrastructure #1 is affected by a failure of 12%
This induces degradation in #2 and #3
This exacerbates the consequences on # up to 14%
[Figure: inoperability of CI1, CI2 and CI3 over steps 0 to 20; vertical axis from 0 to 0.14]
$$A_d = \begin{bmatrix} 0 & 0 & 0.3 \\ 0.4 & 0 & 0 \\ 0.2 & 0.6 & 0 \end{bmatrix}; \quad c_d = \begin{bmatrix} 0 \\ 0 \\ 0.12 \end{bmatrix}; \quad q(0) = \begin{bmatrix} 0 \\ 0 \\ 0 \end{bmatrix}$$
Impact of 10% IP
network failure
Modern Hospital
Traditional Hospital
R. Setola, “Availability of Healthcare services in a network-based
scenario”, Int. J. Networking and Virtual Organization (IJNVO) 4, n. 2, pp.
130-144, 2007.
Dependency index & Influence gain
[Figure: matrix A* with zero diagonal entries]
Dependency index:
$$\delta_i = \sum_j a_{ij}$$
It is a measurement of the robustness with respect to the transmitted inoperability.
Influence gain:
$$\rho_j = \sum_i a_{ij}$$
It is a measurement of the influence that a specific infrastructure has on the global system.
Steady-state solution
If A is positive and stable, then
Overall dependency index and influence gain
Setola, R., De Porcellinis, S., & Sforna, M. (2009). Critical infrastructure dependency
assessment using the input–output inoperability model.International Journal of Critical
Infrastructure Protection, 170-178.
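The recursion of the IIM example slides and the row and column sums of the dependency index and influence gain slide, as an added example that is not part of the original slides. It uses the A* and c* printed above; the function names are illustrative, and the fixed point is obtained by iterating the recursion, a standard property of a stable linear recursion rather than a formula taken from the slide.

```python
# Added example, not from the slides: the IIM recursion q(k+1) = A q(k) + c.
A = [[0.0, 0.0, 0.3],
     [0.4, 0.0, 0.0],
     [0.2, 0.6, 0.0]]
C = [0.0, 0.0, 0.12]  # external perturbation (third entry, as printed)

def step(a, q, c):
    """One update q(k+1) = A q(k) + c."""
    return [sum(w * x for w, x in zip(row, q)) + ci for row, ci in zip(a, c)]

def simulate(a, c, q0, steps):
    """Trajectory [q(0), ..., q(steps)], i.e. the curves of the plot."""
    traj = [list(q0)]
    for _ in range(steps):
        traj.append(step(a, traj[-1], c))
    return traj

def steady_state(a, c, tol=1e-12, max_iter=10_000):
    """Fixed point q = A q + c, reached by iterating from q = 0."""
    # Sufficient (not necessary) stability test for a non-negative matrix.
    if max(sum(row) for row in a) >= 1.0:
        raise ValueError("a row sum is >= 1: convergence is not guaranteed")
    q = [0.0] * len(c)
    for _ in range(max_iter):
        nxt = step(a, q, c)
        if max(abs(x - y) for x, y in zip(nxt, q)) < tol:
            return nxt
        q = nxt
    raise RuntimeError("no convergence within max_iter")

def dependency_index(a):
    """delta_i = sum_j a_ij: row sums, inoperability received by i."""
    return [sum(row) for row in a]

def influence_gain(a):
    """rho_j = sum_i a_ij: column sums, inoperability spread by j."""
    return [sum(col) for col in zip(*a)]

if __name__ == "__main__":
    for k, q in enumerate(simulate(A, C, [0.0, 0.0, 0.0], 20)):
        print(k, [round(x, 4) for x in q])
    print("steady state:", [round(x, 4) for x in steady_state(A, C)])
    print("delta:", dependency_index(A), "rho:", influence_gain(A))
```

The perturbed component settles near 0.138, which is the amplification from 12% to about 14% reported on the slide.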
IIM with Technician point of view
Ask the experts the following question:
What is the impact on your infrastructure of the complete absence of the services provided by infrastructure yyy for a time period of zzz?
Identify the IIM parameters on the basis of the operative technicians’ expertise (operators’ perceptions)
In this way we try to acquire directly from their expertise an estimate of the dependency parameters, in order to set up a technically oriented IIM
R. Setola, S. De Porcellinis, and M. Sforna “Critical Infrastructure Dependency
Assessment Using Input-output Inoperability Model”, Int. J. Critical
Infrastructure Protection (IJCIP), pp. 170 - 178, 2009.
The scenario
In our case study we consider 11 critical sectors
Time dependencies
We asked the experts to provide their estimates considering an outage of
a) less than 1 h
b) from 1 to 6 h
c) from 6 to 12 h
d) from 12 to 24 h
e) from 24 to 48 h
Setola, R., Oliva, G., & Conte, F. (2012). Time-Varying Input-Output
Inoperability Model. Journal of Infrastructure Systems, 19(1), 47-57.
Time varying IIM
To manage the variation of the Leontief coefficient with the outage time, we introduce the «unavailability time» and, consequently, expand the model
Time-outage coefficients
Coefficient behavior
Linear + Constant
The coefficient grows up to a limit
Single Knee
Initially a buffer limits the impact. After the buffer has expired, the dependency reaches its maximum value.
Double Knee
The buffer is used at different moments; for instance, some basic functions are granted (e.g., cooling for a nuclear power plant)
Time varying index
[Figure: normalised dependency index (axis from 0 to 0.25) versus outage duration (<1h, 1h-6h, 6h-12h, 12h-24h, 24h-48h) for the sectors Air Transportation, Electricity, TLC Wired, TLC Wireless, Water Management, Rail Transportation, Finance, Naval Ports, Fuel & Petroleum Grid, Natural Gas, Satellite Communication & Navigation. Curves labelled on the plot: Fuel & Petroleum, Air transportation, Naval Ports, Finance]
The curves cross each other, i.e. their relevance/fragility varies with the outage time
How experts answer
The experts have to use linguistic values taken from a predefined scale
They also have to express a grade of confidence (accuracy) for each of their estimates
Triangular Fuzzy Number
To manage the collected information, we adopt fuzzy numbers with a triangular representation
[Figure: triangular fuzzy numbers. Criticality Scale labels: Nothing, Circumscribed, Significant, Limited, Quite Catastrophic. Confidence Scale labels: Certain, Relative Confidence, Excellent Confidence]
IIM Fuzzy System (difference inclusion system)
H is an n×n fuzzy-valued matrix, i.e.
To solve it, we have to translate the fuzzy equation into a family of discrete difference inclusions
Oliva, G., Panzieri, S., & Setola, R. (2011). Fuzzy dynamic input–output inoperability model. International Journal of Critical Infrastructure Protection, 4(3), 165-175.
Results IIM Fuzzy
Consequences of a «severe failure» in the electric grid (c2=[0.5, 0.6, 0.7]) in conjunction with a «moderate failure» in the wired TLC network (c3=[0.2, 0.3, 0.35])
Overall dependency index and influence gain
Criticality map
To identify the most critical infrastructures (e.g. those on which to prioritise resources)
[Figure: criticality map with axes dependency index and influence gain]
Oliva, G., Setola, R., & Barker, K. (2014). Fuzzy Importance Measures for Ranking Key Interdependent Sectors Under Uncertainty. Reliability, IEEE Transactions on, 42-57.
Topological approaches
Coupled network
Electric grid
Rij
TLC
Coupling of heterogeneous networks
Flow model peculiar for each type of network
Electric Grid - DC Power Flow
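$$F_{km} = \frac{\theta_k - \theta_m}{x_{km}}$$
$$P_k = \sum_m F_{km} = \theta_k \sum_m x_{km}^{-1} - \sum_m \frac{\theta_m}{x_{km}}$$
$$P = B\theta, \quad \text{with } B_{km} = -\frac{1}{x_{km}} \text{ and } B_{kk} = \sum_l \frac{1}{x_{kl}}$$
$$\sum_i P_i = 0$$
With constraints on the maximum power flow on each link and on the maximum angle shift
The network is perturbed by eliminating 1 or more links
The solution is calculated considering also a reallocation of the load
min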
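The DC power flow above, solved before and after the loss of one link, as an added example that is not part of the original slides. The 3-bus network, its per-unit values, the flow limit and the function names are constructed for illustration; the load reallocation step mentioned on the slide is not modelled.

```python
# Added example, not from the slides: DC power flow P = B*theta (per unit).
def solve(m, b):
    """Solve m x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    aug = [row[:] + [bi] for row, bi in zip(m, b)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(aug[r][i]))
        aug[i], aug[p] = aug[p], aug[i]
        for r in range(i + 1, n):
            f = aug[r][i] / aug[i][i]
            aug[r] = [v - f * w for v, w in zip(aug[r], aug[i])]
    x = [0.0] * n
    for i in reversed(range(n)):
        s = sum(aug[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (aug[i][n] - s) / aug[i][i]
    return x

def dc_flows(n, lines, p, slack=0):
    """Return {(k, m): F_km}; lines maps (k, m) to the reactance x_km."""
    assert abs(sum(p)) < 1e-9, "injections must balance: sum_i P_i = 0"
    b = [[0.0] * n for _ in range(n)]
    for (k, m), x in lines.items():
        b[k][m] -= 1 / x  # B_km = -1/x_km
        b[m][k] -= 1 / x
        b[k][k] += 1 / x  # B_kk = sum_l 1/x_kl
        b[m][m] += 1 / x
    keep = [i for i in range(n) if i != slack]  # theta of the slack bus is 0
    sol = solve([[b[i][j] for j in keep] for i in keep], [p[i] for i in keep])
    theta = dict(zip(keep, sol))
    theta[slack] = 0.0
    return {(k, m): (theta[k] - theta[m]) / x for (k, m), x in lines.items()}

def overloaded(flows, limit):
    """Links whose |F_km| exceeds the maximum power flow allowed."""
    return sorted(l for l, f in flows.items() if abs(f) > limit + 1e-9)

# Constructed data: bus 0 injects 1.5, bus 2 absorbs 1.5, every x_km = 1.
LINES = {(0, 1): 1.0, (1, 2): 1.0, (0, 2): 1.0}
P = [1.5, 0.0, -1.5]
LIMIT = 1.2

def link_loss(lost):
    """Flows after removing one link, with unchanged injections."""
    return dc_flows(3, {l: x for l, x in LINES.items() if l != lost}, P)

if __name__ == "__main__":
    base, after = dc_flows(3, LINES, P), link_loss((0, 2))
    print("nominal:", base, "overloaded:", overloaded(base, LIMIT))
    print("link (0,2) lost:", after, "overloaded:", overloaded(after, LIMIT))
```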
TLC model
• The network delivers packets
• At each time instant, each node generates a packet, with probability λ, addressed to a random destination node
• The packets flow via adjacent nodes following a static routing table via a random route
• Any node can manage just one packet at a time and all the nodes have the same throughput
Complex network analysis
High-Voltage grid
GARR
Cascade effect
S. De Porcellinis, L. Issacharoff, S. Meloni, V. Rosato, R. Setola, F.Tiriticco,
“Modelling interdependent infrastructures using interacting dynamical models”,
Int. J. Critical Infrastructure (IJCI), pp. 63-79, 2008
GARR - electric grid coupling
[Figure: TLC delivery time versus number of faulted links in the electric network, for ξ = 0, 1, 2, 3. Quantities shown on the plot: QoS_TLC, QoS_El, m, M, <T>, <T0>, ΔP_i, ΣP_i0]
Cyber-Physical Systems
Application level
Remote level
Field level
Malicious manipulations/faults may happen at all levels
Distributed detection
Is a single node, exploiting only local information and able to communicate only with its neighbors, able to detect (and restore) faults in the network?
Specifically we want to detect:
• Node(s) fault (how many all over the network)
• Link(s) fault (how many all over the network)
• Presence of cycles (and resolve them by link swapping)
• System controllability (and restore it by link swapping)
Distributed detection
We develop a distributed approach where each node performs a set of max-, min-, and average consensus to locally calculate the information and to perform the link swaps needed to restore the nominal condition
The consensus problem is to manipulate the inputs for the i-th node, provided only by its neighbors, in order to guarantee that ALL the nodes converge to a given function of the initial conditions stored independently by each single node
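Max- and average-consensus used to spread a local alarm and to count the surviving nodes, as an added example that is not part of the original slides and not the authors' algorithm. The 6-node ring, the Metropolis weights, the leader-based counting scheme and all function names are assumptions chosen for illustration.

```python
# Added example, not from the slides: consensus with neighbour-only exchange.
RING = {i: [(i - 1) % 6, (i + 1) % 6] for i in range(6)}  # constructed graph

def max_consensus(adj, x0, steps):
    """Each node keeps the maximum of its own and its neighbours' values."""
    x = dict(x0)
    for _ in range(steps):
        x = {i: max([x[i]] + [x[j] for j in adj[i]]) for i in adj}
    return x

def average_consensus(adj, x0, steps):
    """Metropolis weights 1/(1+max(d_i, d_j)): all nodes reach the mean."""
    deg = {i: len(adj[i]) for i in adj}
    x = dict(x0)
    for _ in range(steps):
        x = {i: x[i] + sum((x[j] - x[i]) / (1 + max(deg[i], deg[j]))
                           for j in adj[i]) for i in adj}
    return x

def estimate_size(adj, leader, steps=300):
    """Leader starts at 1, the others at 0; the mean is 1/n, so n = 1/mean."""
    x = average_consensus(adj, {i: float(i == leader) for i in adj}, steps)
    return {i: round(1 / x[i]) for i in adj}

def remove_node(adj, dead):
    """Topology after a node fault: survivors drop the dead neighbour."""
    return {i: [j for j in nb if j != dead]
            for i, nb in adj.items() if i != dead}

def detect(nominal, current, leader=0):
    """Per node: (alarm learnt via max-consensus, number of nodes lost)."""
    n = len(nominal)
    # Local information only: a node flags itself if a neighbour is missing.
    local = {i: int(len(current[i]) < len(nominal[i])) for i in current}
    alarm = max_consensus(current, local, steps=n)  # n steps >= diameter
    size = estimate_size(current, leader)
    return {i: (alarm[i], n - size[i]) for i in current}

if __name__ == "__main__":
    print(detect(RING, RING))                  # nominal network
    print(detect(RING, remove_node(RING, 3)))  # node 3 lost
```

Every surviving node ends with the same pair, although only the two neighbours of the lost node observed the fault directly.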
Algorithm
We develop a set of algorithms that in at least n steps is able to detect any fault, detecting also the presence of cycles (and restoring it) as well as whether the system is controllable (and eventually restore it)
Case study: IEEE118 Bus Case
Faulted Network (2 generators and 7 links faulted/swapped).
The system is no longer controllable and there are some cycles
G. Oliva, R. Setola, L. Glielmo and C. Hadjicostis, “Distributed Failure and Attack
Detection and Response in Cyber-Physical Systems”, Automatica, Submitted.
Distributed
detection
#2 nodes loss
#7 links loss
Acyclicity & Controllability Restored
The swaps occur all over the network
The FACIES European Project
http://facies.dia.uniroma3.it/
With the financial support of the “Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme”
European Commission
Directorate-General Home Affairs
How to identify failures/attacks having a partial and limited vision of the process, in the presence of interdependencies and taking into account also the possible cyber-data manipulation and cyber failure?
IC #1
IC #4
IC #2
IC #3
FACIES Architecture
[Figure: FACIES architecture. Components: Sensors, Pumps, Valves, PLC, Switch, SCADA (iFix), HMI, IDS, Fault Detection, Risk Predictor, Expert System]
Physical, Cyber, Logic and Geographic dependencies
[Figure: scenario diagram with the areas DAM, POWER PLANT and CITY. Elements: Dam, Dam Water Availability, I.A. Water Availability, NP Power Availability, Cooling Towers, Control Service 1 to 3, SCADA 1 to 3, PLC 1, Pump 1 to 3, Valve 1 to 4, Tank 1 to 3, Pipe 0 to 5, Residential 1 and 2, Industrial Plant]
The FACIES Architecture
[Figure: FACIES architecture across the Physical and Cyber layers. Blocks: Plant, SCADA (iFix), Control Room, IDS, Fault Diagnosis System, Expert System, Risk Predictor, Alarm Manager Sender, Alarm Manager Receiver, Operators Interfaces. Information exchanged: State of the System and Alarms, Possible Faults, Diagnosed Faults, Possible Inoperabilities, Global Situation Awareness and Countermeasures, Countermeasures]
Critical Infrastructure Preparedness and
Resilience Research (NoE)
Network of Excellence, co-funded by FP7
Term: 1.3.2013–28.2.2017
Partners
1. Coordinator: Fraunhofer IAIS, DE
2. ENEA, IT
3. TNO, NL
4. UIC, FR
5. CEA, FR
6. EC Joint Research Centre, EU
7. Deltares, NL
8. University of Cyprus, CY
9. University of Technology and Life Sciences, PL
10. Università UCBM, IT
11. University of British Columbia, CA
12. ACRIS GmbH, CH
(Real-time) hazmat analysis
Direct impact analysis
First order impact analysis
Higher order impact analysis
[Figure: CISIA simulation (terminated), minute 10. Elements: PS 1, PS 2, SS1 to SS8, Residential 1 to 6 (FU), Hospital 1 and 2 (FU), Water Pump 1 and 2 (SAU), Telco BTS 1 and 2 (PAU), Telco BTS Master (SAU). Link types: Electricity, Water, Communication. Levels: axis ticks from 0 to 1200]
Each geographical point is associated with a “dynamical” Threat Strength Matrix, containing the predicted occurrence and the expected strength of all the given perturbations.
Each CI element is characterised by a Vulnerability Matrix which indicates the maximum perturbation strength (originating from each considered hazard) that it could sustain before its physical failure.
FP7 NoE CIPRNet – GA N°312450 – Review 1
03/02/2015
Overlaying the Vulnerability and the Threat Strength matrices makes it possible to predict the level of damage that the predicted threat(s) will produce on each CI element present in the different areas under the DSS control.
Harm Scenario
Reported data are obtained through the collaboration with project RoMA
[Figure dated January 31, 2014; legend: working, In fault]
ACEA
Rome
WP7 Questions & Answers
HT/MT/LT Control
Room