Frank J. Furrer

Safety and Security of Cyber-Physical Systems
Engineering dependable Software using Principle-based Development

Frank J. Furrer
Computer Science Faculty
Technical University of Dresden
Dresden, Germany

ISBN 978-3-658-37181-4
ISBN 978-3-658-37182-1 (eBook)
https://doi.org/10.1007/978-3-658-37182-1

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2022

This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Responsible Editor: Leonardo Milla

This Springer Vieweg imprint is published by the registered company Springer Fachmedien Wiesbaden GmbH, part of Springer Nature. The registered company address is: Abraham-Lincoln-Str. 46, 65189 Wiesbaden, Germany

Foreword

This book is about cyber-physical systems. A Google search for this term results in 405’000’000 hits in 0.64 seconds (25.01.2022). Together with the strong linking of the term and the concept with other related popular terms such as Industry 4.0 and the Internet of Things (IoT), this fact clearly shows the importance of cyber-physical systems in the present and the upcoming world!

The NIST characterization: “Cyber-Physical Systems (CPS) comprise interacting digital, analog, physical, and human components engineered for function through integrated physics and logic. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas. Cyber-physical systems will bring advances in personalized health care, emergency response, traffic flow management, and many more” (https://www.nist.gov/el/cyber-physical-systems, [Last accessed: 16.06.2021]) suffices by itself to underline the importance of the field.

This characterization does not explicitly mention the correct operation and continuous availability of cyber-physical systems, which are apparently taken for granted. However, we need and somehow expect such fundamental properties to become a “commodity” for the functioning of our modern CPS-based society. Unfortunately, reaching this goal will require a lot of effort, research, and practice.
In fact, all existing cyber-physical systems are and will always be under the continuous influence of cyber-attacks, faults, and failures hitting their software or underlying hardware, possibly causing unavailability or improper behavior of their operating environment, human errors, or being impacted by malicious activities.

This book precisely addresses those challenges that are at the basis of the proper functioning of cyber-physical systems and the infrastructures they compose: It deals with the focused and fundamental issue of engineering principles for safety and security. The book is divided into two main parts, each providing significant contributions toward managing safety and security.

The first addresses all the relevant concepts and explains their relations and links to the reader. Here the book offers many definitions and provides the conceptual framework for cyber-physical systems. All the facets of CPSs and the possible safety and security implications are linked to the fundamental notion of risk. Finally, all the impairments to proper functioning at all possible locations are explored and exemplified so that the reader can have a comprehensive view of the complexity that needs to be managed appropriately.

While the first part provides and structures the essential knowledge on safety, security, and risk, the second part elaborates on proper responses regarding a few paramount questions that must be asked:

1) How are good safety and security defined?
2) How are good safety and security formalized?
3) How are good safety and security taught?
4) How are good safety and security enforced?

This book provides enlightening solutions by defining, formalizing, strictly applying, and enforcing safety and security principles. In fact, good safety and security principles provide reliable knowledge for the successful architecting of trustworthy cyber-physical systems.
The second part of the book introduces and then details the concept of principle-based engineering to explain and justify a number of safety and security principles. This approach to architecting safe and secure systems is complemented and enriched by many instructive examples and practical observations, which add value to the book and allow the message to arrive clearly and soundly.

I also want to remark on the high value of the book as an instrument for teaching and education. Given its style and the richness of the examples made, the book can be used both as a textbook for graduate students and as a guideline for the practitioner and the engineer, as a help for the correct application of the safety and security principles when architecting and implementing cyber-physical systems of any of the types and variations described in the book.

The reader will appreciate how the book grew out of the long-running activities of the author and shows the admirable maturity he has achieved, both in the vastness of the material included and the presentation style. All this makes the book a source of inspiration. I wish the readers to enjoy reading this rewarding book as I did!

June 2021
Prof. Dr. Andrea Bondavalli
Head of the Resilient Computing Lab
Department of Mathematics and Informatics
University of Florence, Italy
I-50134 Firenze, Italy

Preface

Today, Cyber-Physical Systems (CPS) are at the core of our industrial society. We rely heavily on cyber-physical systems in all areas of work and life. Cyber-physical systems combine a cyber-part, i.e., a software-controlled computer system, with a physical part, i.e., a real system. The software operates the physical system. Examples of cyber-physical systems are cars, airplanes, trains, communications and energy infrastructures, heart pacemakers, medical diagnosis equipment, water treatment plants, and many more.
Controlling a physical system by software has tremendous benefits: It allows nearly unlimited functionality, high flexibility for extensions and changes, and cost-effective implementations. Because of these benefits, a large, capable, and profitable software industry has evolved.

However, cyber-physical systems introduce a new danger: Because they directly affect the real, physical world, they have the potential to cause harm, injury, or loss to the users of the CPS. A cyber-physical system's failure, malfunction, or unavailability may have grave consequences, such as accidents, loss of life, damage to property or the environment, or severe legal repercussions. A CPS's trustworthiness is the most crucial factor for its safe use and acceptance by its users. It is, therefore, the critical responsibility of the CPS industry to build, maintain, and evolve trustworthy cyber-physical systems (TwCPS).

Unfortunately, no cyber-physical system today can operate undisturbed: They are all under the continuous influence of negative factors, such as cyber-attacks, faults, and failures in their software or underlying hardware, unavailability or dysfunction of their operating environment, human errors, or malicious activities. Therefore, the task of creating a trustworthy CPS is a considerable one!

Because of a CPS’s potential to generate harm, the concepts of risk and risk management become central. All sources of negative impact on and within the CPS must be methodically, ultimately, and competently identified, assessed, mitigated, and reduced to an acceptable residual risk. Therefore, the science of “dealing with risks” is the foundation of a trustworthy CPS.

Trustworthiness is a CPS property: It is an umbrella term that heads a taxonomy of constituent properties. The most important are safety and security, embedded in a legal framework. This monograph focuses exclusively on safety and security.
Safety and security are properties of the complete CPS, i.e., including the hardware, networks, systems and communications software, application software, the operating environment, and the users. This monograph's focus is additionally narrowed to the application software, i.e., the software providing the control functionality of the CPS.

This monograph is not a “cookbook” for creating and evolving safe and secure CPSs. The objective is to provide fundamental engineering principles which are proven and powerful for building trustworthy cyber-physical systems.

Quote: “I would advise students to pay more attention to the fundamental ideas rather than the latest technology. The technology will be out-of-date before they graduate. Fundamental ideas never get out-of-date.” David L. Parnas, 2001 (in [Hoffman01])

The literature contains thousands of principles and patterns applicable to safe and secure application software for CPSs—here, the most general and influential are chosen. Wherever necessary, the monograph points specifically to valuable literature that delves deeper into a specific subject matter—this is the reason for the extensive list of references.

A note on terminology: Unfortunately, the formidable knowledge available in the references uses a lot of imprecise and even conflicting terminology. This monograph, therefore, precisely defines all terms used—as part of the conceptual integrity.

This “guidebook” addresses safety and security teams in the CPS industry, as well as software engineers, both in practice and during university education. It is also well suited to a one-semester, graduate-level lecture at technical universities.

This monograph relies on and has some overlap with the author’s previous book: “Future-Proof Software-Systems—A Sustainable Evolution Strategy”, Springer Vieweg-Verlag, 2019, ISBN 978-3-658-19937-1 ([Furrer19]). Some parts are reused here.
A final observation: This book contains hundreds of principles on more than 600 pages. Which do we apply to a specific project or product? The answer is: risk analysis! The risk analysis identifies the threats and the possible failure modes, uncovers the vulnerabilities, specifies the mitigation measures, and estimates the acceptable residual risks. The required risk mitigation measures to reach an acceptable residual risk dictate the applicable principles. No more, no less!

Stein am Rhein (Switzerland), June 2022
Frank J. Furrer

Acknowledgments

A book is never the achievement of one person. This book grew out of my lectures as Honorary Professor at the Faculty of Computer Science at the Technical University of Dresden (Germany), which started in the winter term of 2013/2014. Special thanks go to the chair of software technology, Prof. Dr. Uwe Aßmann, for his continued support. In addition, my numerous students contributed to the quality of the content and the didactic flow by their active participation during the lectures and their valuable engagement in my seminars. I repeat my sincere thanks to Stephan Murer and Bruno Bonati, who started me on this journey ([Murer11], [Furrer19]).

A book is never the achievement of one author: He stands on the shoulders of giants—of which the extensive reference section for each chapter of the book is proof.

Authoring an English-language book as a German native speaker is not a simple task. I would like to acknowledge the invaluable help from the language checker “Grammarly” (https://www.grammarly.com).

Finally, I wish to express my gratitude to Springer-Verlag for the extensive support during the creation of this monograph and especially to my editors Sybille Thelen, David Imgrund, Leonardo Milla, Heike Jung, and the copy-editor Roopashree Polepalli for their highly valuable assistance. They all made the publication process a successful pleasure.
Finally, thanks go to you—my reader—for investing your valuable time reading this book.

Frank J. Furrer

Contents

Part I Foundation

1 Introduction 3
1.1 Cyber-Physical Systems 3
1.2 Risk in Cyber-Physical Systems 5
References 7
2 Cyber-Physical Systems 9
2.1 Cyber-Physical Systems 9
2.2 Cyber-Physical Systems-of-Systems 12
2.3 Emergence 14
2.4 Infrastructure 17
2.4.1 Introduction 17
2.4.2 ICS Architecture 18
2.5 Autonomous Cyber-Physical Systems 21
2.6 Internet of Things 22
2.7 Cloud-Based Cyber-Physical Systems 23
2.7.1 Conceptual Architecture 23
2.7.2 Cloud Safety, Security, and Real Time 27
2.8 Token Economy 29
2.9 Cyber-crime and Cyber-war 31
2.9.1 Cyber-crime 32
2.9.2 Cyber-war 35
2.10 Diffuse Computer Crime 39
2.10.1 Supply Chain Dangers 39
2.10.2 Insider Crime 41
2.11 Cyber-Physical Systems Engineering 42
2.11.1 Safety- and Security-Aware Development Process 42
2.11.2 Governance 45
2.11.3 Competence Center 46