Vulnerabilities in Cyber-Physical Systems Implications for Autonomous ships Dr Gerasimos Theotokatos, DNV GL Reader of Safety of Marine Systems Mr Victor Bolbot, PhD student ISSAV 2018, Delft, 21 March 2018

Vulnerabilities in Cyber-Physical Systems …...–automatic navigation system –shore control centre 22/03/2018 ISSAV –March 2018 6 Autonomous vessels • CPSs are complex systems


Page 1

Vulnerabilities in Cyber-Physical Systems – Implications for Autonomous ships

Dr Gerasimos Theotokatos, DNV GL Reader of Safety of Marine Systems

Mr Victor Bolbot, PhD student

ISSAV 2018, Delft, 21 March 2018

Page 2

Maritime Safety Research Centre

• Complex system safety & security

• Dynamic barrier management

• Intact & damage stability of cruise ships

• Safety culture

• Fire protection & prevention

• Blackout prevention

• LSA

• Evacuation

• Accidents

• Navigational practices

• Safety of Autonomous ships

• Life-Cycle Risk Management

• Cost-effective measures of risk reduction

• Sustainable cost-effective safety improvement for new and existing ships and offshore assets

• Development of a modern regulatory framework to support and nurture safety culture

Page 3

Contents

• Introduction

• The problem

• Implications for autonomous ships

• Methods for safety assurance

• The way forward

• Application example

22/03/2018 ISSAV – March 2018 3

Page 4

Introduction

• Cyber-Physical Systems (CPSs) consist of physical, hardware, communication and control (software) components

• CPSs classes

– Industrial automation and control systems

– Autonomous systems

– SCADA systems

• CPSs advance in a number of application areas including maritime/marine industry

Page 5

Examples of Marine CPSs

• Ship automation and control systems

• Power Management System (PMS)

• Integrated Propulsion System (IPS)

• Safety Monitoring and Control System

• Dynamic positioning system

• HVAC control systems

Page 6

Autonomous vessels

• CPSs combined with AI algorithms

– Collision avoidance system

– Autonomous ship controller

– Automatic navigation system

– Shore control centre

Page 7

The problem

• CPSs are complex systems and this creates additional vulnerabilities, which need to be cost-effectively addressed during design and operation.

• Complexity leads to an inability to identify and control the hazards

Figure 2 The different dimensions of complexity: heterogeneity, interoperability, connectivity, software-intensive character, evolution in time, dynamic reconfiguration and adaptability, autonomous decision-making, humans in the loop.

Page 8

Sources of complexity

• Heterogeneity is related to the integration of different component types (mechanical, electrical, control, communication).

– Need to understand the interactions between components

• Interoperability is related to the integration of various mechatronic subsystems or the integration of CPSs

– Increased number of complex interactions

• Connectivity and problems with cybersecurity

– Examples: Stuxnet malware, cyber attack on a steel mill in Germany.

Page 9

Sources of complexity

• Software-intensive character of CPSs

– Software bugs and inappropriate software requirements

– Examples: Therac-25, Airbus A400M airlifter.

• Evolution in time

– Changes in the system, development of new versions of system components

– Example: Ariane 5 crash.

• Dynamic reconfiguration with the help of prognostics and diagnostics

– Similar implementation in avionics and aerospace

– Verification and validation of prognostics and dynamic reconfiguration

Page 10

Sources of complexity

• Autonomous decision-making

– Learning abilities of CPSs - a specific challenge with verification of AI algorithms - Sophia robot.

– A context-aware system requires properly addressing the environmental hazards

• Humans-in-the-loop

– Deterioration of short-term and long-term situational awareness

– Overreliance on technology

Page 11

Implications for autonomous ships – Challenges due to unexpected hazards

• Collision avoidance system (CAS)

– Interactions with actuators and physical processes

– Failure to integrate CAS with other systems

– Cyber-attack on CAS (spoofing attack on GPS)

– Errors in software implementation

– Software updates and system variation with time

– Switch over to another redundant system - prognostics for electronic and control systems

– New behaviour due to AI capabilities - not addressing all the collision scenarios

Page 12

Implications for autonomous ships – Challenges due to unexpected hazards

• Propulsion and powering system

– Interactions in the system

– Integration with other systems

– Cyber-attacks

– Errors in software implementation in safety and control systems

– Software updates and system variation with time

– Switch over to another redundant system - prognostics for mechanical and electrical components

– AI uncertainty

Page 13

Implications for autonomous ships – Challenges due to unexpected hazards

• Shore control centre

– Integration and connectivity

– Remote access will lead to higher vulnerability to cyber-attacks

– Ability of on-shore personnel to intervene in critical situations

Page 14

Safety Assurance

Figure 4 Safety assurance activities and methods.

Figure 10 Methods and their applicability to system engineering processes.

Page 15

Methods for safety assurance

• Identify, analyse and control hazardous scenarios

• Identification and analysis methods

– Traditional methods for hazard identification and analysis (FMEA, HAZOP, PHA)

– Failure Logic Synthesis and Analysis (model-based approaches)

– Systemic methods (FRAM, STPA)

– Human reliability analysis

Page 16

Available methods

Figure 10 Methods and their applicability to system engineering processes.

Page 17

Available methods

Applicability of each method to each source of complexity (columns THIM to HRA are hazard identification methods; FI to RT are verification methods):

Source of complexity          Hazard Identification        Verification
                              THIM  STPA  FLSA  HRA        FI    MC    ATP   T     RT
Heterogeneity                 ++    +++   ++    NA         +++   ++    +++   +++   +++
Interoperability              -     ++    +++   NA         +++   ++    +     ++    +++
Connectivity                  ++    +++   ++    NA         ++    +++   +++   +++   +++
Software-intensive            ++    +++   ++    NA         ++    +++   +++   +++   +++
Evolution in time             -     -     ++    ++         ++    ++    ++    ++    +++
Dynamic reconfiguration       ++    ++    +++   NA         +++   ++    +     ++    +++
Autonomous decision-making    +     +     NA    +          ++    ++    ++    +++   +++
Humans in the loop            -     +     NA    +++        +     ++    ++    ++    +

THIM: Traditional Hazard Identification Methods

STPA: System-Theoretic Process Analysis

FLSA: Failure Logic Modelling

HRA: Human Reliability Analysis

RA: Risk Assessment

FI: Fault Injection

MC: Model Checking

ATP: Automated Theorem Proving

T: Testing

RT: Runtime Verification

Rating scale: +++ Advantageous, ++ Applicable, + Applicable with changes, - Not advantageous, NA Not applicable

Page 18

Methods for safety assurance

• Identify, analyse and control hazardous scenarios

• Control

– Fault injection

– Model checking

– Theorem proving

– Testing

– Runtime verification

– Quality assurance process

– High reliability organisation

Page 19

Way forward

• Better and new methods for hazard identification and analysis in autonomous vessels

• Usage of formal methods coming from computer science and other engineering fields

• Model-based and systemic approaches

• Combined models for safety and cybersecurity of ships

• Usage of advanced Human Reliability Analysis methods

• Quality assurance for diagnostics and prognostics

• AI algorithms verification and validation

• Stricter requirements for ship operations

Page 20

Application Example

• Hazard identification and analysis techniques

– Need to capture the functions, architecture, behaviour and context of a CPS

– A combination of methods can be used to address the need

– System-Theoretic Process Analysis (STPA) is capable of identifying inappropriate system behaviour

– STPA combined with Event Tree Analysis (ETA) and Fault Tree Analysis (FTA) (where necessary) results in a more detailed and complete analysis of the system behaviour

– Quantitative assessment in the context of a performance-based assurance framework is realisable

(Figure: STPA – ETA – FTA – FT; the diagram itself is not reproduced in this extract)
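The slide above says that STPA combined with FTA and ETA makes quantitative assessment realisable but does not show the arithmetic. The following is an added example written for this page, not code from the slides or their authors: it takes one hypothetical Unsafe Control Action from an STPA step (the Power Management System fails to start the standby generator on rising load), models its causal factors as a small fault tree, computes the top-event probability and its minimal cut sets, and then propagates that probability through a two-barrier event tree to a blackout outcome. Every event name, probability and barrier is constructed for illustration; the fault tree assumes independent basic events, and the event tree is the simplified sequential form in which each barrier either contains the event or passes it to the next.

```python
"""
Added example (not from the ISSAV 2018 slides or their authors): quantifying
a constructed STPA -> FTA -> ETA chain for a blackout scenario on a diesel
electric propulsion plant. All probabilities, event names and barriers below
are constructed for illustration and are not measured values.
"""
from dataclasses import dataclass
from itertools import product
from math import prod
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    p: float  # per-demand failure probability (constructed)


@dataclass(frozen=True)
class Gate:
    kind: str            # "AND" or "OR"
    inputs: tuple        # child BasicEvent or Gate nodes


Node = Union[BasicEvent, Gate]


def top_event_probability(node: Node) -> float:
    """Exact probability of the top event, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [top_event_probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that cause the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [cs for sets in child_sets for cs in sets]
    elif node.kind == "AND":
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    minimal: List[frozenset] = []
    for cs in sorted(set(candidates), key=len):
        # keep cs only if no already-kept (shorter or equal) set is contained in it
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


# Unsafe Control Action from the hypothetical STPA step: the Power Management
# System does not start the standby generator when load rises. Its causal
# factors form the fault tree below (all constructed).
UCA_NO_STANDBY_START = Gate("OR", (
    BasicEvent("load_sensor_reads_low", 1e-3),
    BasicEvent("pms_control_logic_error", 5e-4),
    Gate("AND", (                              # both redundant network links lost
        BasicEvent("network_a_down", 1e-2),
        BasicEvent("network_b_down", 1e-2),
    )),
))

# Event tree barriers, in the order they can act after the UCA occurs,
# with a constructed probability that each barrier succeeds.
BARRIERS: List[Tuple[str, float]] = [
    ("automatic load shedding", 0.9),
    ("shore control centre operator intervenes", 0.8),
]


def blackout_event_tree(p_initiating: float,
                        barriers: List[Tuple[str, float]] = BARRIERS) -> Dict[str, float]:
    """Propagate the initiating-event probability through sequential barriers.
    Each barrier either contains the event (branch ends) or fails, passing the
    remaining probability on; if every barrier fails the outcome is a blackout."""
    outcomes: Dict[str, float] = {}
    remaining = p_initiating
    for name, p_success in barriers:
        outcomes[f"contained by {name}"] = remaining * p_success
        remaining *= 1.0 - p_success
    outcomes["blackout"] = remaining
    return outcomes


if __name__ == "__main__":
    p_uca = top_event_probability(UCA_NO_STANDBY_START)
    print(f"P(UCA per demand) = {p_uca:.3e}")
    for cs in minimal_cut_sets(UCA_NO_STANDBY_START):
        print("minimal cut set:", sorted(cs))
    for outcome, p in blackout_event_tree(p_uca).items():
        print(f"{outcome}: {p:.3e}")
```

The cut sets are where the analysis connects back to the design: the two single-event cut sets show that the sensor and the control logic each defeat the UCA on their own, while the network pair only matters as a double failure. Replacing the constructed numbers with plant-specific failure data is what turns this into the quantitative assessment the slide refers to.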

Page 21

Application Example

Page 22

Application Example

Page 23

Application Example

• Application study focusing on blackout incidence for a Diesel Electric Propulsion system of a cruise ship

– 5 main hazardous states considered

– 80 Unsafe Control Actions identified

– More than 300 causal factors identified

– Quantitative assessment ongoing

Page 24

Application Example

Page 25

Conclusions and practical considerations

• Complexity

• Vulnerabilities

• Hazardous scenarios

• Safety assurance

• Practical considerations

– Superiority over traditional methods

– Effective development of system component requirements/specifications, leading to improved system design

– Dynamic risk estimation to support decision making throughout ship operation
