INVITED SPEAKER
Marc Bouissou, Professor at École Centrale Paris and a Senior Research Engineer at EDF R&D, France
Dynamic Graphical Models for Security and Safety Joint Modeling
In order to investigate interactions between security and safety in safety-critical CPS (cyber-physical systems), one has to build models able to represent both aspects. Thanks to cross-fertilization between these two research fields, some models have been adapted from safety to security and vice versa. Fault trees (for safety) and attack trees (for security) are so similar that various ways to combine them have been proposed in the literature. The main limitation of such graphical representations is that they are unable to take dependencies between basic events into account. Therefore their quantitative and even qualitative analysis yields very coarse results.
In order to overcome this limitation, one has to resort to dynamic models such as Petri nets and BDMP (Boolean logic Driven Markov Processes). Building such models for large and complex systems is a challenge. Petri nets can be used in a bottom-up approach, where elementary patterns are put together to build the model. On the other hand, BDMP are built (like fault trees) in a top-down manner, which allows the gates to be used at various abstraction levels, a very important mechanism for mastering complexity. Examples will be given to show the advantages and limitations of each formalism and how they can be combined: a BDMP can have part of its leaves described as Petri nets. Finally, examples of qualitative and quantitative analysis of such models will be given, in order to demonstrate how such models can help the decision maker choose the best solution, in particular in the difficult case where security and safety would require incompatible measures.
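The following is an added example, not part of the talk abstract or the speaker's own tooling, that makes the "coarse results" point concrete on a two-leaf AND gate. It evaluates the gate twice: once as a static tree with independent leaves, and once as a small continuous-time Markov chain (solved by uniformization) in which leaf B can only occur after leaf A has occurred, the kind of dependency a BDMP expresses and a plain fault/attack tree cannot. The rates, mission time and the meaning given to A and B are constructed assumptions.

```python
"""Static tree vs. dynamic (Markov) evaluation of a two-leaf AND gate.

Added example, not from the talk: shows why a fault/attack tree that assumes
independent basic events is coarse compared with a dynamic model in which one
event can only occur after another. All rates and the mission time are
constructed values.
"""
import math
from itertools import product

# Constructed parameters (per hour) for two basic events:
#   A: a precondition is met      (rate LAMBDA_A)
#   B: a safety barrier is lost   (rate LAMBDA_B); in the dependent model
#      B is dormant until A has occurred.
LAMBDA_A = 1e-3
LAMBDA_B = 5e-3
MISSION_TIME = 1000.0


def leaf_unavailability(rate, t):
    """Probability that a non-repairable exponential leaf has occurred by time t."""
    return 1.0 - math.exp(-rate * t)


def static_and(probs):
    """Fault-tree AND gate evaluated under the independence assumption."""
    p = 1.0
    for q in probs:
        p *= q
    return p


def ctmc_transient(states, transitions, initial, t, eps=1e-12, max_terms=100000):
    """Transient distribution of a CTMC at time t, computed by uniformization.

    states: list of hashable states
    transitions(state) -> list of (next_state, rate)
    Returns {state: probability}.
    """
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    rows = [transitions(s) for s in states]
    exit_rates = [sum(r for _, r in row) for row in rows]
    lam = max(exit_rates) * 1.0001 + 1e-12  # uniformization rate >= every exit rate

    def dtmc_step(v):
        # One step of the uniformized discrete chain P = I + Q/lam
        w = [0.0] * n
        for i in range(n):
            w[i] += v[i] * (1.0 - exit_rates[i] / lam)
            for nxt, r in rows[i]:
                w[idx[nxt]] += v[i] * r / lam
        return w

    v = [0.0] * n
    v[idx[initial]] = 1.0
    result = [0.0] * n
    poisson = math.exp(-lam * t)  # Poisson(lam*t) mass at k = 0
    covered = 0.0
    for k in range(1, max_terms + 1):
        for i in range(n):
            result[i] += poisson * v[i]
        covered += poisson
        if covered >= 1.0 - eps:  # enough Poisson mass accumulated
            return {s: result[i] for i, s in enumerate(states)}
        poisson *= lam * t / k
        v = dtmc_step(v)
    raise RuntimeError("uniformization did not converge; reduce t or raise max_terms")


STATES = list(product((0, 1), repeat=2))  # (a, b): 1 means the event has occurred


def independent_transitions(state):
    """Both leaves run their own clock from t = 0 (what the static tree assumes)."""
    a, b = state
    out = []
    if a == 0:
        out.append(((1, b), LAMBDA_A))
    if b == 0:
        out.append(((a, 1), LAMBDA_B))
    return out


def dependent_transitions(state):
    """B is dormant until A has occurred: its clock starts only after A."""
    a, b = state
    out = []
    if a == 0:
        out.append(((1, b), LAMBDA_A))
    if b == 0 and a == 1:
        out.append(((a, 1), LAMBDA_B))
    return out


def top_event_probability(transitions, t=MISSION_TIME):
    """P(A AND B by time t) from the dynamic model."""
    dist = ctmc_transient(STATES, transitions, (0, 0), t)
    return sum(p for s, p in dist.items() if s == (1, 1))


def static_top_event_probability(t=MISSION_TIME):
    """P(A AND B by time t) from the static tree with independent leaves."""
    return static_and([leaf_unavailability(LAMBDA_A, t),
                       leaf_unavailability(LAMBDA_B, t)])


if __name__ == "__main__":
    print(f"static tree (independent):  {static_top_event_probability():.4f}")
    print(f"CTMC, independent leaves:   {top_event_probability(independent_transitions):.4f}")
    print(f"CTMC, B dormant until A:    {top_event_probability(dependent_transitions):.4f}")
```

When the leaves really are independent, the Markov model reproduces the static result exactly, so the dynamic formalism costs nothing in that case; once B depends on A, the static tree over-estimates the top event (about 0.63 against about 0.54 for the constructed rates), and with other dependency patterns (shared repair, common cause, conditional rate changes) the bias can go the other way. That is the gap the talk's dynamic models are meant to close.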