
Page 1

Vulnerabilities in Cyber-Physical Systems – Implications for Autonomous ships

Dr Gerasimos Theotokatos, DNV GL Reader of Safety of Marine Systems
Mr Victor Bolbot, PhD student

ISSAV 2018, Delft, 21 March 2018

Page 2: Maritime Safety Research Centre

• Complex system safety & security
• Dynamic barrier management
• Intact & damage stability of cruise ships
• Safety culture
• Fire protection & prevention
• Blackout prevention
• LSA (life-saving appliances)
• Evacuation
• Accidents
• Navigational practices
• Safety of Autonomous ships

• Life-Cycle Risk Management
• Cost-effective measures of risk reduction
• Sustainable, cost-effective safety improvement for new and existing ships and offshore assets
• Development of a modern regulatory framework to support and nurture safety culture

Page 3: Contents

• Introduction
• The problem
• Implications for autonomous ships
• Methods for safety assurance
• The way forward
• Application example

22/03/2018 ISSAV – March 2018 3

Page 4: Introduction

• Cyber-Physical Systems (CPSs) consist of physical, hardware, communication and control (software) components
• CPS classes
  – Industrial automation and control systems
  – Autonomous systems
  – SCADA systems
• CPSs advance in a number of application areas, including the maritime/marine industry

Page 5: Examples of Marine CPSs

• Ship automation and control systems
• Power Management System (PMS)
• Integrated Propulsion System (IPS)
• Safety Monitoring and Control System
• Dynamic positioning system
• HVAC control systems

Page 6: Autonomous vessels

• CPSs combined with AI algorithms
  – collision avoidance system
  – autonomous ship controller
  – automatic navigation system
  – shore control centre

Page 7: The problem

• CPSs are complex systems, and this complexity creates additional vulnerabilities, which need to be cost-effectively addressed during design and operation.
• Complexity leads to an inability to identify and control the hazards.

Figure 2 The different dimensions of complexity: heterogeneity; interoperability; connectivity; software-intensive character; evolution in time; dynamic reconfiguration and adaptability; autonomous decision-making; humans in the loop.

Page 8: Sources of complexity

• Heterogeneity is related to the integration of different component types (mechanical, electrical, control, communication).
  – Need to understand the interactions between components
• Interoperability is related to the integration of various mechatronic subsystems or the integration of CPSs
  – Increased number of complex interactions
• Connectivity and problems with cybersecurity
  – Examples: Stuxnet malware, cyber attack on a steel mill in Germany.

Page 9: Sources of complexity

• Software-intensive character of CPSs
  – Software bugs and inappropriate software requirements: Therac-25, Airbus A400M airlifter.
• Evolution in time
  – Changes in the system, development of new versions of system components: Ariane 5 crash.
• Dynamic reconfiguration with the help of prognostics and diagnostics
  – Similar implementations in avionics and aerospace
  – Verification and validation of prognostics and dynamic reconfiguration

Page 10: Sources of complexity

• Autonomous decision-making
  – Learning abilities of CPSs: a specific challenge for the verification of AI algorithms (Sophia robot).
  – A context-aware system requires the environmental hazards to be addressed properly
• Humans in the loop
  – Deterioration of short-term and long-term situational awareness
  – Overreliance on technology

Page 11: Implications for autonomous ships – Challenges due to unexpected hazards

• Collision avoidance system (CAS)
  – Interactions with actuators and physical processes
  – Failure to integrate the CAS with other systems
  – Cyber-attack on the CAS (e.g. spoofing attack on GPS)
  – Errors in software implementation
  – Software updates and system variation with time
  – Switch-over to another redundant system; prognostics for electronic and control systems
  – New behaviour due to AI capabilities; not addressing all the collision scenarios
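The GPS spoofing item above is the one the deck leaves least concrete, so here is an added example (written for this page; it is not the presentation's code nor any vendor's CAS implementation) of the kind of runtime plausibility check a CAS input stage can run on position fixes before they reach the collision-avoidance logic. Each new fix is compared with the last trusted fix for the speed over ground it would imply and for its distance from a dead-reckoned position; a fix that fails is rejected and does not become the new reference. The `Fix` record, the 25 kn hull maximum, the 150 m dead-reckoning tolerance and the sample track with one spoofed fix are all constructed assumptions for the example.

```python
"""Plausibility monitor for GPS fixes feeding a collision avoidance system.
Constructed example: a spoofed fix is detected because the position jump it
implies is physically impossible for the vessel and disagrees with dead
reckoning from the last trusted fix."""
import math
from dataclasses import dataclass
from typing import List, Tuple

KN_TO_MS = 0.514444
EARTH_R_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    t: float        # seconds since start of the track
    lat: float      # degrees
    lon: float      # degrees
    sog_kn: float   # speed over ground reported by the receiver, knots
    cog_deg: float  # course over ground reported by the receiver, degrees true


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_R_M * math.asin(math.sqrt(a))


def dead_reckon(fix: Fix, dt: float) -> Tuple[float, float]:
    """Project a fix forward dt seconds along its own COG at its own SOG."""
    ang = fix.sog_kn * KN_TO_MS * dt / EARTH_R_M   # angular distance travelled
    brg = math.radians(fix.cog_deg)
    lat1, lon1 = math.radians(fix.lat), math.radians(fix.lon)
    lat2 = math.asin(math.sin(lat1) * math.cos(ang)
                     + math.cos(lat1) * math.sin(ang) * math.cos(brg))
    lon2 = lon1 + math.atan2(math.sin(brg) * math.sin(ang) * math.cos(lat1),
                             math.cos(ang) - math.sin(lat1) * math.sin(lat2))
    return math.degrees(lat2), math.degrees(lon2)


def check_fix(trusted: Fix, cur: Fix, max_speed_kn: float = 25.0,
              dr_tolerance_m: float = 150.0) -> List[str]:
    """Return the reasons a new fix is implausible relative to the last trusted one
    (an empty list means the fix is accepted). Thresholds are assumed values."""
    reasons: List[str] = []
    dt = cur.t - trusted.t
    if dt <= 0:
        return ["timestamp not increasing (stale or replayed fix)"]
    jump_m = haversine_m(trusted.lat, trusted.lon, cur.lat, cur.lon)
    implied_kn = jump_m / dt / KN_TO_MS
    if implied_kn > max_speed_kn:
        reasons.append(f"implied speed {implied_kn:.0f} kn exceeds hull maximum "
                       f"{max_speed_kn:.0f} kn")
    dr_lat, dr_lon = dead_reckon(trusted, dt)
    dr_err_m = haversine_m(dr_lat, dr_lon, cur.lat, cur.lon)
    if dr_err_m > dr_tolerance_m:
        reasons.append(f"{dr_err_m:.0f} m from dead-reckoned position "
                       f"(tolerance {dr_tolerance_m:.0f} m)")
    return reasons


def monitor(fixes: List[Fix], **limits) -> List[Tuple[int, List[str]]]:
    """Run the plausibility check over a track. A rejected fix never becomes the
    reference, so one large jump cannot drag the trusted position with it."""
    rejected: List[Tuple[int, List[str]]] = []
    trusted = fixes[0]
    for i, fix in enumerate(fixes[1:], start=1):
        reasons = check_fix(trusted, fix, **limits)
        if reasons:
            rejected.append((i, reasons))
        else:
            trusted = fix
    return rejected


def constructed_track() -> List[Fix]:
    """Constructed sample: 12 kn on course 090 off the Dutch coast, one fix every
    10 s with ~2 m alternating receiver noise, and fix 5 spoofed 0.01 degrees
    (about 1.1 km) north of the true track."""
    fixes = [Fix(0.0, 52.0, 4.0, 12.0, 90.0)]
    for i in range(1, 9):
        prev = fixes[-1]
        lat, lon = dead_reckon(prev, 10.0)
        noise = 2e-5 if i % 2 else -2e-5
        fixes.append(Fix(prev.t + 10.0, lat + noise, lon, 12.0, 90.0))
    s = fixes[5]
    fixes[5] = Fix(s.t, s.lat + 0.01, s.lon, s.sog_kn, s.cog_deg)  # spoofed fix
    return fixes


if __name__ == "__main__":
    for idx, why in monitor(constructed_track()):
        print(f"fix {idx} rejected: {'; '.join(why)}")
```

A single large jump is caught because the rejected fix never becomes the reference. A spoofer who walks the position away slowly, within the speed and tolerance thresholds, is not caught by this check alone, so it is a first filter rather than a substitute for cross-checking against an independent source such as radar, an inertial unit or a second GNSS constellation.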

Page 12: Implications for autonomous ships – Challenges due to unexpected hazards

• Propulsion and powering system
  – Interactions in the system
  – Integration with other systems
  – Cyber-attacks
  – Errors in software implementation in safety and control systems
  – Software updates and system variation with time
  – Switch-over to another redundant system; prognostics for mechanical and electrical components
  – AI uncertainty

Page 13: Implications for autonomous ships – Challenges due to unexpected hazards

• Shore control centre
  – Integration and connectivity
  – Remote access will lead to higher vulnerability to cyber-attacks
  – Ability of on-shore personnel to intervene in critical situations

Page 14: Safety Assurance

Figure 4 Safety assurance activities and methods.
Figure 10 Methods and their applicability to system engineering processes.

Page 15: Methods for safety assurance

• Identify, analyse and control hazardous scenarios
• Identification and analysis methods
  – Traditional methods for hazard identification and analysis (FMEA, HAZOP, PHA)
  – Failure Logic Synthesis and Analysis (model-based approaches)
  – Systemic methods (FRAM, STPA)
  – Human reliability analysis

Page 16: Available methods

Figure 10 Methods and their applicability to system engineering processes.

Page 17: Available methods

                             Hazard identification          Verification
Source of complexity         THIM   STPA   FLSA   HRA       FI     MC     ATP    T      RT
Heterogeneity                ++     +++    ++     NA        +++    ++     +++    +++    +++
Interoperability             -      ++     +++    NA        +++    ++     +      ++     +++
Connectivity                 ++     +++    ++     NA        ++     +++    +++    +++    +++
Software-intensive           ++     +++    ++     NA        ++     +++    +++    +++    +++
Evolution in time            -      -      ++     ++        ++     ++     ++     ++     +++
Dynamic reconfiguration      ++     ++     +++    NA        +++    ++     +      ++     +++
Autonomous decision-making   +      +      NA     +         ++     ++     ++     +++    +++
Humans in the loop           -      +      NA     +++       +      ++     ++     ++     +

THIM: Traditional Hazard Identification Methods
STPA: System-Theoretic Process Analysis
FLSA: Failure Logic Synthesis and Analysis (model-based failure logic modelling)
HRA: Human Reliability Analysis
RA: Risk Assessment
FI: Fault Injection
MC: Model Checking
ATP: Automated Theorem Proving
T: Testing
RT: Runtime Verification

Rating: +++ advantageous; ++ applicable; + applicable with changes; - not advantageous; NA not applicable

Page 18: Methods for safety assurance

• Identify, analyse and control hazardous scenarios
• Control
  – Fault injection
  – Model checking
  – Theorem proving
  – Testing
  – Runtime verification
  – Quality assurance process
  – High reliability organisation
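As an added illustration of the fault injection and model checking entries above, applied to the "switch-over to another redundant system" hazard listed for the propulsion and powering system, the following is example code written for this page (not the authors' models): an explicit-state search that exhaustively injects faults into a small constructed model of a two-generator plant and reports the shortest fault sequence that leaves the bus dead with the Power Management System unable to act. The plant model, the two PMS detection variants (`detect_freq_only`, `detect_freq_or_breaker`) and the fault budget are assumptions made for the example.

```python
"""Explicit-state model checking of a PMS switch-over, as a constructed example:
inject every combination of up to N faults into a small plant model and search
for a reachable blackout from which the PMS has no enabled recovery action."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Plant:
    dg1_running: bool   # the running generator set
    dg2_running: bool   # the standby set, started and connected by the PMS
    freq_fb_ok: bool    # bus-frequency feedback to the PMS is healthy
    bkr_fb_ok: bool     # DG1 breaker-status feedback to the PMS is healthy
    faults: int         # faults injected so far

    @property
    def bus_live(self) -> bool:
        return self.dg1_running or self.dg2_running


Detector = Callable[[Plant], bool]


def detect_freq_only(s: Plant) -> bool:
    """PMS variant A: sees the trip only through the frequency signal."""
    return s.freq_fb_ok and not s.dg1_running


def detect_freq_or_breaker(s: Plant) -> bool:
    """PMS variant B: either the frequency signal or the breaker status suffices."""
    return (not s.dg1_running) and (s.freq_fb_ok or s.bkr_fb_ok)


def pms_can_act(s: Plant, detect: Detector) -> bool:
    return detect(s) and not s.dg2_running


def successors(s: Plant, detect: Detector, budget: int) -> List[Tuple[str, Plant]]:
    """All enabled transitions: fault injections (while the budget lasts) and the
    PMS start-and-connect action. Fault models are assumptions for the example."""
    nxt: List[Tuple[str, Plant]] = []
    if s.faults < budget:
        if s.dg1_running:
            nxt.append(("fault: DG1 trips",
                        replace(s, dg1_running=False, faults=s.faults + 1)))
        if s.freq_fb_ok:
            nxt.append(("fault: frequency feedback lost",
                        replace(s, freq_fb_ok=False, faults=s.faults + 1)))
        if s.bkr_fb_ok:
            nxt.append(("fault: breaker-status feedback lost",
                        replace(s, bkr_fb_ok=False, faults=s.faults + 1)))
    if pms_can_act(s, detect):
        nxt.append(("PMS: start and connect DG2", replace(s, dg2_running=True)))
    return nxt


def find_unrecoverable_blackout(detect: Detector, budget: int) -> Optional[List[str]]:
    """Breadth-first search over the reachable state space. Returns the shortest
    transition sequence reaching a state where the bus is dead and no PMS action
    is enabled, or None if no such state is reachable within the fault budget."""
    init = Plant(dg1_running=True, dg2_running=False, freq_fb_ok=True,
                 bkr_fb_ok=True, faults=0)
    queue = deque([(init, [])])
    seen = {init}
    while queue:
        s, path = queue.popleft()
        if not s.bus_live and not pms_can_act(s, detect):
            return path   # counterexample trace
        for label, t in successors(s, detect, budget):
            if t not in seen:
                seen.add(t)
                queue.append((t, path + [label]))
    return None


if __name__ == "__main__":
    for name, det in (("freq only", detect_freq_only),
                      ("freq or breaker", detect_freq_or_breaker)):
        for budget in (1, 2, 3):
            print(name, budget, find_unrecoverable_blackout(det, budget))
```

Variant A survives any single fault but a budget of two returns the trace of DG1 tripping with the frequency feedback lost; variant B, which adds an independent breaker-status signal, needs three faults before the search finds a blackout the PMS cannot recover from. The exhaustiveness is what distinguishes this from testing a handful of scenarios, but the verdict is only as strong as the model: a standby set that itself fails to start is not modelled here and would have to be added to `successors()` before the result says anything about that case.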

Page 19: Way forward

• Better and new methods for hazard identification and analysis in autonomous vessels
• Use of formal methods from computer science and other engineering fields
• Model-based and systemic approaches
• Combined models for safety and cybersecurity of ships
• Use of advanced Human Reliability Analysis methods
• Quality assurance for diagnostics and prognostics
• AI algorithms verification and validation
• Stricter requirements for ship operations

Page 20: Application Example

• Hazard identification and analysis techniques
  – Need to capture the functions, architecture, behaviour and context of a CPS
  – A combination of methods can be used to address this need
  – System-Theoretic Process Analysis (STPA) is capable of identifying inappropriate system behaviour
  – STPA combined with Event Tree Analysis (ETA) and Fault Tree Analysis (FTA) (where necessary) results in a more detailed and complete analysis of the system behaviour
  – Quantitative assessment in the context of a performance-based assurance framework is realisable

(Diagram labels: STPA, ETA, FTA, FT)

Page 21: Application Example

Page 22: Application Example

Page 23: Application Example

• Application study focusing on blackout incidence for a Diesel Electric Propulsion system of a cruise ship
  – 5 main hazardous states considered
  – 80 Unsafe Control Actions identified
  – More than 300 causal factors identified
  – Quantitative assessment ongoing
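The STPA with ETA/FTA chain on page 20 and the blackout study above are described only at summary level, so here is an added example (code written for this page, not the study's own model or data) of the quantitative step: a small constructed fault tree for a blackout in which one STPA Unsafe Control Action is expanded into its causal factors as basic events, then evaluated for minimal cut sets, exact top-event probability by inclusion-exclusion, the rare-event approximation, and Fussell-Vesely importance. The gate structure, the event names and the per-voyage probabilities are all assumptions for illustration.

```python
"""Quantitative evaluation of a small fault tree for a blackout, as a constructed
example of the STPA -> FTA step: the Unsafe Control Action 'PMS does not issue the
standby start command after the running set trips' is carried into the tree with
its causal factors as basic events."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Gate tree: intermediate event -> (gate type, children). Names absent from the
# dict are basic events. Structure and names are constructed for this example.
BLACKOUT_TREE: Dict[str, Tuple[str, List[str]]] = {
    "BLACKOUT": ("AND", ["LOSS_OF_RUNNING_SET", "STANDBY_NOT_CONNECTED"]),
    "LOSS_OF_RUNNING_SET": ("OR", ["DG1_MECHANICAL", "FUEL_SUPPLY"]),
    "STANDBY_NOT_CONNECTED": ("OR", ["DG2_FAILS_TO_START", "BREAKER_FAILS_TO_CLOSE",
                                     "UCA_NO_START_COMMAND"]),
    # the STPA Unsafe Control Action, expanded into its causal factors
    "UCA_NO_START_COMMAND": ("OR", ["PMS_SOFTWARE_DEFECT", "FREQUENCY_FEEDBACK_LOST"]),
}

# Per-voyage basic-event probabilities: illustrative values, not field data.
BASIC_EVENT_PROB: Dict[str, float] = {
    "DG1_MECHANICAL": 0.02,
    "FUEL_SUPPLY": 0.01,
    "DG2_FAILS_TO_START": 0.05,
    "BREAKER_FAILS_TO_CLOSE": 0.01,
    "PMS_SOFTWARE_DEFECT": 0.005,
    "FREQUENCY_FEEDBACK_LOST": 0.02,
}

CutSet = FrozenSet[str]


def absorb(sets: Set[CutSet]) -> Set[CutSet]:
    """Drop any cut set that is a superset of another, keeping only minimal ones."""
    minimal: Set[CutSet] = set()
    for s in sorted(sets, key=len):
        if not any(m <= s for m in minimal):
            minimal.add(s)
    return minimal


def minimal_cut_sets(node: str, tree: Dict[str, Tuple[str, List[str]]] = BLACKOUT_TREE) -> Set[CutSet]:
    """Boolean expansion of the tree below `node`: an OR gate unions its children's
    cut sets, an AND gate combines one cut set from each child."""
    if node not in tree:
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [minimal_cut_sets(c, tree) for c in children]
    if gate == "OR":
        result = set().union(*child_sets)
    elif gate == "AND":
        result = child_sets[0]
        for cs in child_sets[1:]:
            result = {a | b for a in result for b in cs}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return absorb(result)


def top_probability(cut_sets: Set[CutSet], p: Dict[str, float]) -> float:
    """Exact P(top event) for independent basic events by inclusion-exclusion over
    the minimal cut sets; correct even when an event appears in several cut sets."""
    cs = list(cut_sets)
    total = 0.0
    for k in range(1, len(cs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(cs, k):
            events = frozenset().union(*combo)
            term = 1.0
            for e in events:
                term *= p[e]
            total += sign * term
    return total


def rare_event_approximation(cut_sets: Set[CutSet], p: Dict[str, float]) -> float:
    """Sum of cut-set probabilities: the usual upper bound, adequate when all p are small."""
    total = 0.0
    for cs in cut_sets:
        term = 1.0
        for e in cs:
            term *= p[e]
        total += term
    return total


def fussell_vesely(cut_sets: Set[CutSet], p: Dict[str, float]) -> Dict[str, float]:
    """Fussell-Vesely importance: the share of top-event probability that flows
    through cut sets containing each basic event; ranks where a change pays off."""
    top = top_probability(cut_sets, p)
    events = set().union(*cut_sets)
    return {e: top_probability({cs for cs in cut_sets if e in cs}, p) / top for e in events}


if __name__ == "__main__":
    mcs = minimal_cut_sets("BLACKOUT")
    print(len(mcs), "minimal cut sets, e.g.", sorted(sorted(c) for c in mcs)[0])
    print("exact:", top_probability(mcs, BASIC_EVENT_PROB))
    print("rare-event:", rare_event_approximation(mcs, BASIC_EVENT_PROB))
    for e, v in sorted(fussell_vesely(mcs, BASIC_EVENT_PROB).items(), key=lambda kv: -kv[1]):
        print(f"{e:26s} FV = {v:.3f}")
```

With these assumed numbers the tree has eight second-order cut sets, and the exact result is the product of the two OR-gate probabilities because the subtrees share no basic event; the rare-event sum overestimates it slightly. The ranking by Fussell-Vesely importance is what the quantitative step adds to the STPA output: it says which causal factors, once the UCA is in the tree, dominate the blackout probability and therefore which barriers to strengthen first.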

Page 24: Application Example

Page 25: Conclusions and practical considerations

• Complexity
• Vulnerabilities
• Hazardous scenarios
• Safety assurance
• Practical considerations
  – Superiority over traditional methods
  – Effective development of system component requirements/specifications, leading to improved system design
  – Dynamic risk estimation to support decision-making throughout ship operation
