Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems

Wood, Richard Thomas; Belles, Randy; Cetiner, Mustafa Sacit; Holcomb, David Eugene; Korsah, K.; Loebl, Andy; Mays, G.T.; Muhlheim, Michael David; Mullens, J.A.; Poore, Willis; Qualls, A. L.; Wilson, Thomas L.; Waterman, Michael E.

doi:10.2172/1000417

Cited by 21 publications

(23 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For a nuclear power plant, one situation in which software diversity might be considered is that of a diverse digital system for reactor shutdown. A recent NRC-sponsored study on diversity strategies for digital instrumentation and control systems [Wood 2010] considers software diversity as a part of the overall digital system's diversity, that is, software diversity is considered jointly in hardware-related diversity strategies. It identifies a number of software diversities, such as usage of different algorithms, logic, program architectures, operating systems, and computer languages.…”

Section: Quantification Methods For Software Diversitiesmentioning

confidence: 99%

Review of Quantitative Software Reliability Methods

Chu¹,

Yue²,

Martinez-Guridi³

et al. 2010

View full text Add to dashboard Cite

Section: Quantification Methods For Software Diversitiesmentioning

confidence: 99%

Review of Quantitative Software Reliability Methods

Chu¹,

Yue²,

Martinez-Guridi³

et al. 2010

View full text Add to dashboard Cite

“…the size of the keyspace subset to search), and we consider the probability of an attacker achieving a goal (discovery of one, or two, or three channel keys) as a function of the number of attempts t. Assuming that the keys are allocated to channels by choosing randomly and independently from the whole keyspace (as is reasonable) 2 , the event "the r-th key tried by the attacker is the right key for channel i" is independent of any event of the same form affecting other channels. This set of independence properties underlies the following results.…”

Section: Ivcryptanalysis Attacks Via Random Search and Defence By Kmentioning

confidence: 99%

“…If we believe our adversary to consider worthwhile an attack that gives a probability of success of -say -10%, then, using the fact that = = and the approximation Q2 ≈ (τ) 2 , we can observe that a probability of success that with one key is given by effort τ requires, with diverse keys, effort √2 : larger than for any search short of a complete search of both key spaces. To consider which conditions favour the defender over the attacker, we can rewrite this expression without the normalization: the level of Q1 achieved in t attempts with a onekey system requires, with two keys, 2 T .…”

Section: Ivcryptanalysis Attacks Via Random Search and Defence By Kmentioning

confidence: 99%

Diversity, Safety and Security in Embedded Systems: Modelling Adversary Effort and Supply Chain Risks

Gashi

Povyakalo

Strigini

2016

2016 12th European Dependable Computing Conference (EDCC)

View full text Add to dashboard Cite

Abstract-We present quantitative considerations for the design of redundancy and diversity in embedded systems with security requirements. The potential for malicious activity against these systems have complicated requirements and design choices. New design trade-offs have arisen besides those already familiar in this area: for instance, adding redundancy may increase the attack surface of a system and thus increase overall risk. Our case study concerns protecting redundant communications between a control system and its controlled physical system. We study the effects of using: (i) different encryption keys on replicated channels, and (ii) diverse encryption schemes and implementations. We consider two attack scenarios, with adversaries having access to (i) ways of reducing the search space in attacks using random searches for keys; or (ii) hidden major flaws in some crypto algorithm or implementation. Trade-offs between the requirements of integrity and confidentiality are found, but not in all cases. Simple models give useful design insights. In this system, we find that key diversity improves integrity without impairing confidentiality -no trade-offs arise between the two -and it can substantially increase adversary effort, but it will not remedy substantial weaknesses of the crypto system. Implementation diversity does involve design trade-offs between integrity and confidentiality, which we analyse, but turns out to be generally desirable for highly critical applications of the control system considered.

show abstract

“…For example, given the values of pfd A , pfd B , d AB (0), we could see how many test cases need to be executed (and show no failures) to obtain a particular value of pfd AB (N): in many cases, such as reactor protection systems, the cost of generating test cases may be high so that a large N may be infeasible. Alternatively, given the values of pfd A , pfd B , N (where here N is regarded as the size of the largest practically feasible test set), we could calculate the required d AB (0) and ask whether such a belief could be trusted (for example, supported by evidence about the diversity-seeking decisions (Littlewood and Strigini 2000;Wood, Belles et al 2010) taken during system design and build). We believe that using our approach to challenge parts of safety cases in this way may be its most useful contribution.…”

Section: Practical Implications Of the Model: Examplesmentioning

confidence: 99%

“…Such design-diverse fault tolerant systems have been used successfully in some safety critical applications: see (Littlewood, Popov et al 2002;Wood, Belles et al 2010). …”

Section: Introductionmentioning

confidence: 99%

Conservative Bounds for the pfd of a 1-out-of-2 Software-Based System Based on an Assessor's Subjective Probability of "Not Worse Than Independence"

Littlewood

Povyakalo

2013

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Citation: Littlewood, B. & Povyakalo, A. A. (2013). Conservative bounds for the pfd of a 1-out-of-2 software-based system based on an assessor's subjective probability of "not worse than independence". IEEE Transactions on Software Engineering, 39(12), pp. 1641 -1653 . doi: 10.1109 /TSE.2013 This is the accepted version of the paper.This version of the publication may differ from the final published version. Copyright and reuse: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. City Research Online: http://openaccess.city.ac.uk/ publications@city.ac.uk Permanent repository link: City Research OnlineConservative bounds for the pfd of a 1-out-of-2 softwarebased system based on an assessor's subjective probability of "not worse than independence"Bev Littlewood, Andrey PovyakaloCentre for Software Reliability, City University, London EC1V 0HB AbstractWe consider the problem of assessing the reliability of a 1-out-of-2 software-based system, in which failures of the two channels cannot be assumed to be independent with certainty. An informal approach to this problem assesses the channel pfds (probabilities of failure on demand) conservatively and then multiplies these together in the hope that the conservatism will be sufficient to overcome any possible dependence between the channel failures. Our intention here is to place this kind of reasoning on a formal footing. We introduce a notion of "not worse than independence" and assume that an assessor has a prior belief about this, expressed as a probability. We obtain a conservative prior system pfd, and show how a conservative posterior system pfd can be obtained following the observation of a number of demands without system failure. We present some illustrative numerical examples, discuss some of the difficulties involved in this way of reasoning, and suggest some avenues of future research.KEY WORDS: System reliability; Software fault tolerance; 1-out-of-2 system; Dependent failures; Subjective probability. BackgroundWe consider the problem of assessing the reliability of a 1-out-of-2 system in which the two software-based channels are "diverse" as a result of having been developed independently of one another (indeed, their designs may have been forced to be diverse by imposing diverse development procedures upon their designers). Such design-diverse fault tolerant systems have been used successfully in some safety critical applications: see (Littlewood, Popov et al. 2002;Wood, Belles et al. 2010).Whilst there is some general evidence that this kind of design-diverse fault tolerance is a good way of achieving high reliability -for example from experiments -there are serious difficulties in assessing the reliability of a particular system. An important problem arises from the fact that we can never be certain that the channels in such a system will fail...

show abstract

Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems

Cited by 21 publications

References 35 publications

Review of Quantitative Software Reliability Methods

Review of Quantitative Software Reliability Methods

Diversity, Safety and Security in Embedded Systems: Modelling Adversary Effort and Supply Chain Risks

Conservative Bounds for the pfd of a 1-out-of-2 Software-Based System Based on an Assessor's Subjective Probability of "Not Worse Than Independence"

Contact Info

Product

Resources

About