The functional safety assessment of cyber-physical system operation process described by Markov chain.

The functional safety assessment is one of the primary tasks both at the design stage and at the stage of operation of critical infrastructure at all levels. The article's main contribution is the information technology of calculating the author's metrics of functional safety for estimating the instance of the model of the cyber-physical system operation. The calculation of metric criteria analytically summarizes the results of expert evaluation of the system in VPR-metrics and the results of statistical processing of information on the system's operation presented in the parametric space Markov model of this process. The advantages of the proposed approach are the following: the need to process orders of magnitude less empirical data to obtain objective estimates of the investigated system; taking into account the configuration scheme and architecture of the security subsystem of the investigated system when calculating the metric; completeness, compactness, and simplicity of interpretation of evaluation results; the ability to assess the achievability of the limit values of the metric criteria based on the model of operation of the investigated system. The paper demonstrates the application of the proposed technology to assess the functional safety of the model of a real cyber-physical system.

Introduction

Assessing the functional safety of cyber-physical systems is undoubtedly relevant because new vulnerabilities are constantly identified[1-5]. Numerous facts of successful cyber attacks indicate a lack of security of cyber-physical systems of all levels and classes. The reasons for this (if there is a relevant and rationally designed tiered protection subsystem) are the emergence of new vulnerabilities and the negligence of privileged users. In addition, the cause of malfunctions is the failure to consider the specifics of the functioning of sensor networks (Industrial) Internet of Things.

The only adequate response to new vulnerabilities is periodically or continuously updating protection mechanisms. The latter option involves accumulating large data sets and high costs for their storage and analysis. However, this is not a problem regarding the functional security of the critical infrastructure. The Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA) subsystems are responsible for storing and analyzing the results of the target cyber-physical system[6-11]. In the field of SIEM and UEBA already operates several commercial software products, including ArcSight ESM, QRadar SIEM, Splunk Enterprise Security, Micro Focus Security ArcSight UBA, Securonix UEBA, Splunk User Behavior Analysis. The practical experience of these solutions has revealed their imperfections in the analysis of causal relationships between the facts of failures and malfunctions and operative information about the operation of target systems.

Recognized information sources[12-14] such as the National Vulnerability Database (NVD), the Common Weakness Enumeration (CWE), the Common Attack Pattern Enumeration and Classification (CAPEC), MITER Att&ck, etc. are providers of benchmarks for known vulnerabilities. In addition to the essence of known vulnerabilities in these databases, there are metrics for ordering them by degree of danger. However, these metrics are reduced to a single indicator, the value of which can be objectively used only as an additional factor in expert analysis of the real cyber-physical system.

Ensuring the functional safety of cyber-physical systems is a complex problem. This thesis allows us to mention several methodologies related to our object of investigation. These are the following methodologies[15-19]:

the integration of information;

the security analysis;

the analysis of security policies;

the decisions support in the field of protection;

the automated control of the protection subsystem (including the based of Security Content Automation Protocol ones);

the correlation analysis of events;

the definition of security metrics.

Interestingly, apologists for expert methods of functional safety assessment[20,21] focus their efforts on developing methodologies to support decision-making and metrics in the field of investigation and summarize the results in the form of profile standards, such as ISO/IEC 61508, for example. Apologists of the methodology of automated control of the protection subsystem[15-17,19,22-24] define the core of such systems in the mathematical apparatus of probability theory and mathematical statistics, graph theory, and Petri nets, fuzzy logic, Markov chains, artificial intelligence and more. At the same time, the results obtained in this direction are of research interest because applying the obtained models and methods requires large amounts of empirical data and computing power.

The Markov process as a mathematical model for studying complex technical and information (cyber-physical) systems is well known[14,22-36]. Visibility, a high level of adequacy of the mathematical model and a deeply worked out mathematical apparatus of Markov processes make it possible to use it in such areas as control of operation processes, queuing systems, the operational reliability of these types of systems and their components. The main advantages of Markov processes are the ability to build predictively controlled models of the behaviour of a cyber-physical system or a group of its components in time based on statistical information or the results of operational observations. Most often, a Markov process is presented as a model with a probabilistic structure, which allows one to determine the probability of a cyber-physical system falling into one of the states of the process for a certain time or time interval.

One of the most effective ways to significantly reduce the cost of maintenance and repair of cyber-physical systems is the choice of the optimal strategy for their operation. When describing the model of the behaviour of a cyber-physical system using the analytical apparatus of the Markov process, it seems possible to link the probabilistic structure of the change in the state of the system with income or expenses that arise when the system passes from one state of the process to another (for example, the transition of a system from an unfunctional state to a functional one is accompanied by the cost of its repair). With this approach, labour costs for its maintenance are used as the main indicator for analyzing a system, and a model based on Markov processes allows us to estimate the total labour costs for maintaining a system for a certain period of operation, as well as to choose a control strategy in which the costs of operating the system under study will be optimal.

In addition, assessing the functional safety of the cyber-physical systems involves machine learning methods[25-27]. This trend is due to the need to automate the process of detecting in the logs with the results of the operation of the target system of features characteristic of known types of vulnerabilities. This task is semantically related to intelligent data analysis. However, the use of smart technologies in the field investigated in this article is risky because the first ones demonstrate high efficiency in processing the content of balanced and statistically representative data sets. Still, the content of real logs is far from these ideals. Also relevant is the question of the difference between qualitative metrics in intelligent data analysis (classification task in the field of pattern recognition theory) and the field of dependability theory.

Let's accumulate the mentioned information by defining the obligatory attributes of scientific investigation. Thus, the object of investigation is the operation process of the cyber-physical system. The subject of research is the mathematical apparatus of probability theory mathematical statistics, and the theory of Markov chains. This study aims to create information technology for assessing functional safety based on the Markov model of cyber-physical system operation. The main contribution of this paper are the following:

we have described the life cycle of the cyber-physical system in the context of determining its functional safety in the form of compact and informative metrics;

we have created the model of cyber-physical system operation using Markov chain, and have considered:

the situation of lack of the necessary mechanism in the protection subsystem (new vulnerability);

the situation when the protection subsystem neutralizes the failure caused by a known vulnerability in one cycle (normal operation of the protection subsystem);

the situation when the protection subsystem neutralizes the failure caused by a known vulnerability in more than one cycle (system in idle);

we have formalized the method of calculating the criteria of the created metric for an instance of the cyber-physical system operation model, taking into account information from etalon databases on known vulnerabilities and empirical information on the results of operation of the investigated system.

Models and methods

Research statement

Assume that the set of stable states of the investigated cyber-physical system in discrete time is defined as , where is the operational state and is the set of intermediate inoperational states of the system response to i-th failure . From the -th state, the cyber-physical system can either (if the protection mechanisms neutralize the failure) return to the operational state , or (otherwise) move to the corresponding final inoperational state (states of the set differ in consequences from the implementation of the corresponding failures).

Suppose that at the initial moment of the interval of censored observation, the investigated cyber-physical system is in the state . Then:

A cyber-physical system in state at a time can at the time : (a) with probability move to state if the i-th failure is realized; (b) with probability will remain in state .

A cyber-physical system in state at a time can at the time : (a) with probability move to state (protection mechanisms have neutralized the failure); (b) with the probability will remain in the state (counteraction of protection mechanisms of failure proceeds); (c) with probability move to state (failure is not neutralized, so the system becomes inoperational).

The cyber-physical system in state at the time will remain in this state throughout the censored observation interval.

These initial provisions indicate that the state of the investigated cyber-physical system at an arbitrary discrete moment of time is recognized only as the state in which it was at the previous moment of time. Thus, the semantic relationship between the states of the set is determined by the provisions of the theory of Markov chains and can be clearly represented in the form of UML state diagram, visualized in Fig. 1.

Figure 1

UML state diagrams of the model of the investigated cyber-physical system operation.

The stochastic input parameters of the model of the investigated cyber-physical system operation are organized into such sets with power as:

set , which characterizes the probabilities of the corresponding failures;

set , which characterizes the probabilities of neutralization of the respective failures by protection mechanisms for one cycle ;

the set indicates the probabilities that protection mechanisms' counteraction to the respective failures will last more than one cycle ∆t.

The values of the elements of these sets must correspond to the conditions:

In order to determine the Markov chain presented in Fig. 1, it is necessary to calculate the probabilities of all of its states from the set at time :. The classical formula can describe the process of this calculation in matrix form:

For presented in Fig. 1 of the Markov chain, the matrix of transition probabilities mentioned in expression (2) is defined as

For real cyber-physical systems characterized by large values of and , the need to raise the matrix (3) to the power of makes calculating the required values of the set according to expression (2) computationally inefficient. But there are two exceptions:

If the protection mechanisms of the cyber-physical system do not function, i.e. . In this case, the elements of the set can be defined as

If the protection mechanisms of the cyber-physical system have managed to neutralize the failure in one cycle : . In this case, the elements of the set can be defined as:where: is a controlled parameter that characterizes the generalized efficiency of the reaction of protection mechanisms and .

For and , expressions (4), (5), (6) and (7), (8), (9) coincide in pairs. For both described exceptions, the marginal relationshipholds, i.e., with a sufficiently large value of , the values of the probabilities of the investigated system in the states of the combined set are extremely small.

The corresponding boundary relations for the states defined by expressions (6) and (9) from the set are formalized as follows:

It is seen that the limit values of the probabilities of realization of states from the set are determined by the values of the initial parameters of the investigated system operation model, i.e., laid at the stage of its design.

Functional safety assessment technology based on the model of cyber-physical system operation

To determine the claimed technology, it is necessary to formalize the qualitative metrics and the concept of its calculation for an arbitrary instance of the model of cyber-physical system operation in the parametric space of the corresponding attribute of dependability, i.e. functional safety.

According to the material presented in “Research statement”, it can be stated that the set of states of the model of the investigated cyber-physical systems operation is a conglomerate of sets of states , , : , the probabilities of realization of which elements are formalized in the transition matrix (3). If we analyze the conglomerate of sets from the standpoint of the structure shown in Fig. 1 of the graph, it can be stated that the states , , are transient and the states , are finite.

We define in the matrix of transient probabilities (3) fragments, which, respectively, characterize the transient and final states of the model of the investigated system operation:

Considering the content of matrices (11) and (12), we present a matrix of transition probabilities in block form:where is a unit matrix of dimension .

Considering the limit relations (10), for we write: , where it is obvious that the absolute values of the eigenvalues of the matrix are strictly less than one. This, in turn, means that the inverse form of the nondegenerate matrix can be represented as follows:

The element's value shows how many times the studied Markov process from the state will reach the state . We interpret this definition in the context of the task of finding the metrics of functional safety assessment based on the model of the cyber-physical system operation.

Let the process of the investigated cyber-physical system operation start from the state . Then we estimate the time of the inoperation of this process to consider the stochastic value of the parameter , which is equal to the number of transitions between states from the combined set until the process enters one of the states from the set . The mathematical expectation of the stochastic parameter is determined by interpreting the contents of the matrix (13): .

In the transition from the block representation of the matrix to the form (11), the newly obtained expression can be redefined as follows:where is the corresponding Kronecker delta.

If the set of potential failures is a priori defined in the form , then the parameter can be expressed as some function in the form , continuous in the domain of its arguments. The range of valid values of the parameter is defined as , where or .

As noted earlier, the probability of inoperation of the investigated cyber-physical system due to the implementation of the i-th failure despite the opposition of protective mechanisms is equal to . Let us estimate the losses from realizing such an event by a positive discrete value . Let us summarize these values as the corresponding risk factor . The mathematical expectation of such a stochastic quantity as a risk factor is defined as .

We formalize the expression for calculating the parameter in terms of the Markov chain visualized in Fig. 1. Let's raise the matrix of transition probabilities presented in block form to the power :

The absolute values of the eigenvalues of the matrix are strictly smaller than unity, so for the following boundary relations are satisfied: , , where we have already mentioned the matrix in expression (13). We define the form of the matrix (15) for :

Let the Markov model of the investigated system at time be in the state , then, at , we write:

Based on expression (16) for the parameter we write:

Expressions (14) and (17) allow calculating the value of the required metric ( is the mathematical expectation of the time till the cyber-physical system inoperation, is the mathematical expectation of risk factor) for an instance of the Markov model of the operation of investigated cyber-physical system characterized by the content of the sets conglomerate . Also, an important parameter is the positive integer value of the duration of the cycle , which means the minimum time interval after which the investigated system can change its state.

In general, the number of fixed parameters for calculating the metric is equal to , where is the number of potential categorized failures, which in modern cyberspace exceeds . However, this impressive number is an absolute one. More specifically, current failures for cyber-physical systems are justified and ranked according to the degree of danger in such open vulnerability assessment systems[14,28,29] as Damage, Reproducibility, Exploitability, Affected users, Discoverability (DREAD); Common Vulnerability Scoring System (CVSS); Vulnerability Priority Rating (VPR).

In the future, the authors will focus on the VPR system. Here is analytical information in favour of this choice. Not only publicly available technical data but also cyber intelligence is used to address vulnerabilities in the VPR system. Empirical studies[28,29] have shown that the upgrade of the information and communication system to address 400 critical vulnerabilities detected by VPR has shown the same effect on increasing functional safety as the upgrade of the base version of the same system to address 9000 critical vulnerabilities, detected using the CVSSv3 system. This result convincingly proves that the catalogue of vulnerabilities in the VPR system is organized more rationally than analogues.

Let the vulnerabilities be identified in the investigated cyber-physical system at the pre-release testing stage[30-32]. Let be the value of the base VPR metric for vulnerability , which can lead to failure (this cause-and-effect relationship we identify as ), where , , (each vulnerability can lead to only one failure i). It is possible to predict the existence of a certain functional relationship between the probability of i-th failure and the value of the VPR-metric . Naturally, the more vulnerabilities that can cause the i-th failure, the greater the probability against the background of analogues will be (remember that ). In the first approximation, we formalize this functional dependence as follows:where is the positive weighting coefficient, and the parameter is calculated by the expression

Analysis of expression (19) allows us to state that the parameter and available in the presented in Fig. 1 Markov chain[33,34], the probability of neutralization of the i-th failure are also functionally related, which in the first approximation is described by the expression: where is a positive weighting coefficient.

We connect the author's metric with the VPR metric by summarizing expressions (14) and (18) and (17) and (20). In accordance:

Expressions (21), (22) are formulated taking into account the rationing . Note that in the expression (22) for the calculation of the mathematical expectation of the risk factor , the parameters and are absent.

The values of weighting coefficients , and parameters are proposed to be determined by expert evaluation (at the design stage of the investigated cyber-physical system), or as a result of statistical analysis of the results of the censored period of its operation (for already accepted into operation cyber-physical system). Let's explore the latter option in more detail.

Let the content of the logs of the investigated cyber-physical system be sufficiently statically representative to calculate:

the mathematical expectation of the number of cycles between failures ;

the mathematical expectation of the number of cycles required by the protective mechanisms to neutralize the i-th failure ;

share of successfully neutralized failures .

In terms of presented in Fig. 1 the Markov chain, the estimation of these parameters can be indirectly calculated by the relevant expressions:

Substituting expressions (23) into expressions (18), (20), we determine the estimates for the weighting coefficients , β and parameters :based on which we analytically express the estimates for the metric :

If inequality (26) holds, then expressions (25), (27) can be used to calculate the metric . Constraintis formulated due to the extension to the parameters calculated by expression (23) the condition (1).

Finally, the values of the parameters , which characterize the losses associated with the inability of the protective mechanisms of the investigated instance (class) of cyber-physical systems to neutralize the i-th failure, should be assessed purely by an expert method[35-37].

Results

As an example, we use the technology presented in “Models and methods” to assess the functional safety of the model of a real cyber-physical system at the Situation Center of the Department of Information Technology (DIT) of Vinnytsia City Council (VCC) (Vinnytsia, Ukraine). This information and communication system was taken into operation in 2018 and is constantly evolving to improve the implemented services and add new ones. Currently, this information and communication system manages traffic lights on the roads of Vinnytsia. It supports the uninterrupted operation of the data center, which stores video streams from more than 1 k video cameras located in the city.

Collected of confidential information in the system is open only to authorized employees of the Vinnytsia City Council, the National Police of Ukraine, the Security Service of Ukraine, etc. In order for these privileged persons to have prompt access to the relevant information, a local network was created consisting of data center servers, communication equipment, workstations, and software. In normal operation, this LAN is not isolated from the WWW. However, the processing, storage, and audit of confidential information are carried out by a specialized relational database management system, access to which is organized through a specialized web interface. Data, databases and management system, web interface—all these components are located on dedicated servers.

We imitate a situation where attackers exert a deliberate influence on the information and communication system of the Situation Center, which threatens the functional safety of the latter. Attackers seek information about network architecture, workstations, servers, operating systems, user accounts and more. Analysis of this information can identify hardware and software vulnerabilities, some of which may not fall within the scope of the protection subsystem.

In the realities of modern cyberspace, exploits are often created based on data collected as a result of:

(Apache): analysis of internal and outgoing network traffic, the mechanism for supporting remote access;

: buffer overflow;

: SQL injection.

The analysis of the logs of the information and communication system of the Situation Center revealed the following categorized vulnerabilities[38-40]:

: (a) CVE-2019-9511, (b) CVE-2015-5206, (c) CVE-2019-9512, (d) CVE-2020-9481, (e) CVE-2020-17509;

: (a) CVE-2008-0127, (b) CVE-2007-6593, (c) CVE-2021-36301, (d) CVE-2019-18805, (e) CVE-2017–6745;

: (a) CVE-2021-45253, (b) CVE-2022-22055, (c) CVE-2021-45814, (e) CVE-2021-44599, (e) CVE-2020-0060.

A full description of these vulnerabilities can be found at https://www.cvedetails.com/. Note that at the request of VCC administration, the sets – do not contain a complete list of vulnerabilities identified in the investigated system. However, these data are sufficient to demonstrate the functionality of the technology presented in “Models and methods”. The values of the VPR metric for the vulnerabilities listed in the sets – are clearly presented in Fig. 2.

Figure 2

Values of VPR metrics for vulnerabilities mentioned in sets –.

Using the presented in Fig. 2 data , , , by expression (19) we calculate the values of the coefficients : . For further calculations, it is necessary to determine the duration of the cycle . Analysis of the logs of the investigated system allows us to establish it as equal to the day: 24 [h]. Based on the known description of the identified vulnerabilities, the involved experts estimated the average duration of the impact of each i-th type of vulnerabilities, , on the investigated system as follows: [h], and the estimated loss from their implementation as follows: [c.u.] We substitute the obtained values into expressions (24), (25) and get object-oriented expressions for estimating the criteria of the author's metric :

Now we define the object-oriented condition (26) for the application of estimates (27): .

By changing the parameter's value at a fixed value of the parameter , we calculate the dependence of for the investigated system using expression (27) and present the results in Fig. 3.

Figure 3

Calculated dependences .

The dependence is chosen not by chance because it has an application, which is to determine the minimum threshold value , at which the value of the criterion will not be less than the specified value . For the investigated information and communication system, this definition is embodied in the expression

By changing the parameter's value , we calculate the dependence of for the investigated system using expressions (28) and present the results in Fig. 4.

Figure 4

The calculated dependence in the confidence interval .

As we noted in the formalization of expression (17), the change in the parameter does not affect the value of the criterion . The dependence also has an application, which is to determine the minimum threshold value , at which the value of the criterion will not be less than the specified value of . For the investigated information and communication system, this definition is embodied in the expression

Thus, as an experiment, we investigated the model of operation of the cyber-physical system of the Situation Center of DIT of VCC in the metrics of functional safety, formalized in “Models and methods”.

Discussion

Let's start the discussion of the results presented in “Results” with a brief excursion into their theoretical background. Thus, we calculated the estimates of the metric ( is the mathematical expectation of the time till the cyber-physical system inoperation, φ is the mathematical expectation of risk factor that describes the losses from the probable fact of implementation of the failure despite the operation of protection mechanisms that cause inoperation) for the cyber-physical system of the Situation Center of DIT of VCC. It is characterized by the content of the conglomerate of sets and the value of the duration of the cycle (the minimum time interval after which the investigated system can change its state).

The availability of a statistically representative amount of information on the operation of the investigated system allowed experts to classify potential failures in the VPR metric. These circumstances allowed us to move from the direct calculation of the criteria of the metric by expressions (21), (22) to the calculation of estimates of these criteria by expressions (24), (25). To calculate the estimates for the investigated system by expressions (23), the elements of the sets:— (mathematical expectations of the number of cycles between the respective failures), (mathematical expectations of the number of cycles required by protection mechanisms to neutralize the corresponding failures), (share of successfully neutralized failures); were previously calculated for the investigated system by expressions (23).

The presented in Fig. 2 information shows that defined in the VPR-metrics of the risk assessment of the identified threats to the investigated system differ significantly in terms of the values of this general characteristic and the mechanisms for implementing the relevant failures. Direct analysis of this information without the mathematical apparatus presented in “Models and methods” does not allow to establish a functional relationship between the information in Fig. 2 and the values of the indicators of the functional safety attribute. Thus, the relevance of our research was reaffirmed.

The presented in Fig. 3 information shows that the increase in the values of both parameter and parameter positively affect the value of the criterion , which characterizes the assessment of the mathematical expectation of the time till the investigated cyber-physical system inoperation. Obviously, the greater the parameter value , the greater the interval between failures, i.e., the intensity of the negative impact on the investigated system decreases. At the same time, the growth of the parameter indicates an increase in the share of successfully neutralized failures, i.e., positively characterizes the configuration scheme and architecture of the protection subsystem of the investigated system.

The condition (29) defined for the investigated system also positively affects the practical orientation of the criterion . With its help, for example, it is easy to see that for the value of the criterion τ for the investigated system to be greater than [h], it is necessary that the inequality be satisfied, i.e., at [h] we has and at [h] we have . But unfortunately, the parameter is a general qualitative characteristic of the protection subsystem. In this research, we do not give recommendations on how to organize this subsystem and do not assess whether the calculated value is achievable in principle.

The presented in Fig. 4 information shows that the risk factor acquires its maximum value at , i.e. if the protection subsystem functions perfectly or negative effects on the investigated system are completely absent (relatively close to reality example of such a situation is the operation of the investigated system isolated from the global network) then the risk factor acquires the minimum value of for the investigated system at .

The result proves the obvious fact that even an ideal protection subsystem is not a basis for claiming that the target system is guaranteed against inoperation. Thus, the antagonism of the “second law of thermodynamics vs. perpetuum mobile” also works for cyber-physical systems. Another advantage of Fig. 4 is clear—the more convex the curve , the more efficient the protection subsystem.

So, we have described two functional security metrics based on the Markov model for the operation of a cyber-physical system. We have also shown that using the general VPR vulnerability system, the parameters of this model can be effectively estimated based on a small amount of empirical data, which is an undeniable advantage compared to, for example, the expert assessment method. Of course, the model we have considered has several assumptions related, in particular, to the impossibility of the simultaneous occurrence of several failures, as well as their independence from each other. Our further work will be aimed at weakening these assumptions and obtaining a more complex and generalized model, the dynamics of which will be as close as possible to the behaviour of real systems.

Finally, it should be noted that the technology of functional safety assessment based on the Markov model of cyber-physical system operation proposed in the article is based on generally accepted, valid, updated VPR-metrics and proved to be an adequate mathematical apparatus of Markov chains. These facts, and the rigor and reversibility of the analytical transformations made in the formalization of the metric substantiate the adequacy of the mathematical apparatus presented in the article.

Conclusions

The assessment of functional safety is one of the primary tasks both at the design stage and at the stage of operation of critical infrastructure at all levels. The article's main contribution is the information technology of calculating the author's metrics of functional safety for estimating the instance of the model of the cyber-physical system operation. The calculation of metric criteria (mathematical expectation of cyber-physical system operation to failure and risk factor) analytically summarizes the results of expert evaluation of the system in VPR-metrics and the results of statistical processing of information on the system's operation presented in the parametric space Markov model of this process. The advantage of the author's approach over analogues is:

the need to process orders of magnitude less empirical data to obtain objective estimates of the investigated system;

taking into account the configuration scheme and architecture of the security subsystem of the investigated system when calculating the metric;

completeness, compactness, and simplicity of interpretation of evaluation results;

the ability to assess the achievability of the limit values of the metric criteria based on the model of operation of the investigated system.

As an example, the article demonstrates the author's technology to assess the functional safety of the model of a real cyber-physical system of the Situation Center of the Department of Information Technology of Vinnytsia City Council (Vinnytsia, Ukraine).

However, in formalizing the Markov model of cyber-physical system operation, attackers believed that vulnerabilities used to lead to failures or inoperation were independent. The probable situation of simultaneous exploitation of one vulnerability by more than one attacker was also not considered. Considering these circumstances in the mathematical apparatus presented in the article is the direction of further research.