1 Cyber-Physical Systems
Oxford University – 20 Mar 2017
Dr. E. R. Griffor, Associate Director, US National Institute of Standards and Technology
2 National Institute of Standards and Technology (NIST)
About NIST
- Part of the U.S. Department of Commerce
- NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
- 3,000 employees; 2,700 guest researchers; 1,300 field staff in partner organizations
- Two main locations: Gaithersburg, MD and Boulder, CO
Priority Research Areas
- Cyber-Physical Systems
- IT and Cybersecurity
- Disaster Resilience
- Advanced Manufacturing
- Healthcare
- Forensic Science
- Advanced Communications
(Speaker note: Donna provides NIST overview and NIST cyber overview)
3 NIST Labs and Research Activities
- CPS Framework
- CPS Testbed
- UCEF
- Trustworthiness
4 Cyber-Physical Systems
- Examples include a smart grid, a self-driving car, a smart manufacturing plant, an intelligent transportation system, a smart city, and Internet of Things (IoT) instances connecting new devices for new data streams and new applications.
- Common notions of IoT have emphasized networked sensors providing data streams to applications. CPS concepts complete these IoT notions, providing the means for conceptualizing, realizing and assuring all aspects of the composed systems of which sensors and data streams are components.
- Cyber-Physical Systems (CPS) comprise interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.
- The Framework for Cyber-Physical Systems was released by the NIST CPS PWG on May 26, 2016.
5 CPS and IoT
- Cyber-Physical Systems (CPS) comprise interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.
- Examples of a CPS that are not instances of IoT:
  - Segway scooter
  - Smart spoon enabling Parkinson's patients to feed themselves (see https://www.liftware.com/)
  - Autonomous vehicle operating without wired or wireless connections outside the vehicle, e.g. a Mars rover operating between messages from Earth, or the original vehicles in the first DARPA Challenge
  - Cruise missile/smart bomb in flight to target
  - Generally, any CPS that is fully contained with no outside network connections
6 CPS vs. IoT: Motion Activated Light
[Diagram] Elements: Sensors, INs, OUTs, Communication Channel (Network), Aggregator (Fusion), Computation (e-utility), Decision (Software), Actuators; labelled regions: CPS, IoT, Scope of Research, Model of Motion; edges labelled Physical Interaction and Logical Interaction.
- Framework schema: Phys-Log-Log-Log-Log-Phys
- Testbed: Experiment, Measurement and Assurance
- Challenges: Interoperability, Composition and Composition Types, Trustworthiness, etc.
7 Type Theoretic Assurance of CPS
- Property tree of a CPS
- Semantics of CPS Framework … defines composition of concerns
- Formal methods for assurance of a CPS
8 Apply Aspects/Concerns: Applying CPS Framework to Decomposition
[Diagram] Functional Decomposition/Allocation: Business Case → Use Case → 'feature' → CPS (Therm, HVAC, Sensor); CPS/Function Types: Physical and Logical (labels: Msg, Info, Influence, Energy); steps: Generate System Properties → Apply Aspects/Concerns.
Safety "Properties" of a Function: AEB
- AEB – vehicle provides automated collision safety function
- AEB – vehicle provides/maintains safe stopping
- AEB – braking function reacts as required
- AEB – friction function provides appropriate friction
- AEB – stopping algorithm provided safe stopping
- AEB – distance and speed info is understood by braking function
- AEB – messaging function receives distance to obstacles and speed from propulsion function
9 Apply Aspects/Concerns: Applying Concerns to Functions
[Diagram] Function/Feature → CPS Function → Apply Aspects/Concerns → Generate 'Properties'. Concern tree (SME taxonomies): Trustworthiness → Safety, Reliability, Security, Resilience, Privacy; Security → Cyber Security, Physical Security; Cyber Security → Confidentiality, Integrity, Availability; Privacy → Predictability, Manageability, Dissociability; further labels: Controls, Transparency, Innovation, Authorization, Encryption, AES, OAuth. Functional Safety taxonomy: Severity, Frequency, Controllability, Hazard (Concern 1, Concern 2).
- A secure, privacy-protected CAN bus message may consist of these properties: {Trustworthiness.Security.Cybersecurity.Confidentiality.Encryption.AES, Trustworthiness.Privacy.Predictability.Controls.Authorization.OAuth}
- Redundant Torque Request for ASIL > QM
10 (NIST-SAE) Applying CPS Framework to Autonomous Vehicles
[Flow chart] Two tracks: Automotive Trustworthiness Framework and Automotive Trustworthiness Testbed Pilot. Steps, with responsible parties as labelled:
- Enumerate, define, document Automotive System Trustworthiness Concerns (NIST/SAE/OEM)
- Define Mapping of System Properties to Assurance Processes (standards, etc.) (SAE/OEM)
- Enumerate, define, document Automotive System Properties
- Specify Automotive UCEF Testbed with SIM-Wrappers and Configuration
- Select targeted Use Cases (Automotive Systems) and Test Cases
- DRAFT System Trustworthiness Report and integrate into J3061 (SAE/OEM)
- Update Automotive System Development Process
- Models and Simulations; Experiment Design; Run and Publish
- Annotate System Trustworthiness Report
- Go/No-Go: Evaluate potential for Pilot
- (Optional) Evaluate potential for additional CPS Aspects beyond Trustworthiness; repeat above for selected Aspects
- Extend Automotive CPS Framework Model
- Go/No-Go (NIST/SAE/OEM)
11 CPS Framework: Concern-Property Interactions
[Diagram] Concern tree with properties/requirements: Privacy.Predictability(Ctrls, …, Ct) → Controls → Authentication → OAuth; Security.Cybersecurity(C, I, A) → Confidentiality → Encryption → AES, Integrity, Availability. Interactions i1, i2, …, ik between properties carry signs [+/-]f, [+/-]g. Legend: 'meets', 'addresses'.
Example: impact of one concern on another
- Calculated using pathways through the up- or down-regulation relationships between the Properties of the CPS
- These correspond to derivatives (an incremental change in one results in a negative or positive impact on the other)
- Impact is the 'integral' over all interaction pathways; T0 topological definition of integral/differential calculus
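An added example, not from the slides or from NIST's framework tooling, of the two ideas above in Python: the dotted property paths of slide 9 are checked against a small concern tree, and the slide 11 notion of impact is computed as the sum over interaction pathways of the product of the +/- regulation signs along each pathway. The tree follows the concern names on the slides; the interaction graph and its signs are constructed for the example and are assumptions, not NIST data.

```python
"""Concern tree and property-interaction pathways (slides 9 and 11).

Illustrative model added for this page, not NIST code.  The tree shape follows
the concern names on the slides; the interaction signs are constructed.
"""

# Concern tree: a dict of children per concern, None marks a leaf property.
# Constructed from the concern names on the slides, not NIST's full taxonomy.
CONCERN_TREE = {
    "Trustworthiness": {
        "Safety": None,
        "Reliability": None,
        "Security": {
            "Cybersecurity": {
                "Confidentiality": {"Encryption": {"AES": None}},
                "Integrity": None,
                "Availability": None,
            },
            "Physical Security": None,
        },
        "Resilience": None,
        "Privacy": {
            "Predictability": {
                "Controls": {"Authorization": {"OAuth": None}},
                "Transparency": None,
            },
            "Manageability": None,
            "Dissociability": None,
        },
    }
}


def validate_property_path(path, tree=CONCERN_TREE):
    """True if each segment of a dotted path is a child of the previous one."""
    node = tree
    for segment in path.split("."):
        if node is None or segment not in node:
            return False
        node = node[segment]
    return True


def message_properties(paths):
    """Leaf property names of a property set; rejects paths not in the tree."""
    bad = [p for p in paths if not validate_property_path(p)]
    if bad:
        raise ValueError(f"not in concern tree: {bad}")
    return {p.rsplit(".", 1)[-1] for p in paths}


# The CAN bus message property set quoted on slide 9.
CAN_MESSAGE = {
    "Trustworthiness.Security.Cybersecurity.Confidentiality.Encryption.AES",
    "Trustworthiness.Privacy.Predictability.Controls.Authorization.OAuth",
}

# Directed up-/down-regulation between properties, (source, target, sign).
# Constructed assumption: the encryption and authorization mechanisms each
# 'meet' their parent property but add processing cost that down-regulates
# Availability; Availability in turn up-regulates Safety.  Real-valued
# partial derivatives could replace the +/-1 signs without other changes.
INTERACTIONS = [
    ("AES", "Confidentiality", +1),
    ("AES", "Availability", -1),
    ("OAuth", "Controls", +1),
    ("OAuth", "Availability", -1),
    ("Availability", "Safety", +1),
    ("Confidentiality", "Privacy", +1),
]


def pathways(src, dst, edges=INTERACTIONS, _seen=()):
    """Yield every simple pathway from src to dst as the list of signs along it."""
    if src == dst:
        yield []
        return
    for s, d, sign in edges:
        if s == src and d not in _seen:
            for rest in pathways(d, dst, edges, _seen + (src,)):
                yield [sign] + rest


def impact(src, dst, edges=INTERACTIONS):
    """Net impact of src on dst: sum over pathways of the product of signs.

    The product along one pathway is the chain-rule 'derivative'; the sum over
    all pathways is the slide's 'integral' over interaction pathways.
    """
    total = 0
    for signs in pathways(src, dst, edges):
        product = 1
        for sign in signs:
            product *= sign
        total += product
    return total
```

With the constructed signs, `impact("AES", "Safety")` is -1 (encryption reaches Safety only through its cost to Availability), `impact("AES", "Privacy")` is +1, and a property with no pathway to the target scores 0; the same machinery works for any tree and interaction set the analyst supplies.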
12 IT- vs CPS-Based Risk Mitigation
| System    | Primary Impact of Failure | Mitigation Mechanisms      |
| IT System | Digital                   | Digital                    |
| IoT/CPS   | Physical                  | Digital, Analog, Physical  |
"Better cybersecurity through physics!"
13 NIST Activities: CPS Framework
- Dimensional Analysis of the Model of a CPS, e.g. Safety and HARA
- Concern-specific abstractions and methodology
- Concern Tree: Decomposition and Composition of Concerns
- CPS Framework Open Source Project
  - UML/XML Composite Model: Framework + Use Case
  - XSLT Presentation of XML Model to make … (should be 'two-way'; compare LaTeX vs. typeset text)
14 Tools
- Enterprise Architect: UML Editor
- XMLSpy: XML/XML Schema Editor
- TortoiseGit: Windows Git Tool
- Notepad++: Programmer's Editor
15 Derivation of a Union of Technologies
[Diagram] IEC Methodology + NIST CPS Framework Methodology → Standardized XML Schema
- Conceptualization: Business Case, Use Case, Requirements
- Realization: Design, Traceability to Requirements
- Assurance: Algorithmically Prove Design Meets Requirements
16 Word Use Case Template
17 CPS Framework: Facets, Aspects, Activities, Artifacts, Domains
| Facet             | Activities                        | Artifacts      |
| Conceptualization | Use Case, Requirements, …         | Model of a CPS |
| Realization       | Design / Produce / Test / Operate | CPS            |
| Assurance         | Argumentation, Claims, Evidence   | CPS Assurance  |
Aspects: Functional, Business, Human, Trustworthiness, Timing, Data, Boundaries, Composition, Lifecycle
Domains: Manufacturing, Transportation, Energy, Healthcare, …
18 Framework Open Source Project
- Common XML format – Model of CPS
- CPS Assurance of CPS
- Requirements modeling tool
- CPS Framework Use Case/Aspects/Concerns Analysis
- Design Exploration / Model Driven Development / Continuous Integration Tools
- Design Verification and Validation and Assurance Tools
19 UML Model of Framework
20 Aspects and Concerns
21 Facets
22 IEC Model of a Use Case
23 XML Editor of a Use Case
24 NIST Activities: CPS Testbed
- CPS Testbed (Architecture and instance of HW and SW Tools)
  - UCEF Control Room + Visualization
  - Open Source Project: 16 May 2017 at NIST
- CPS Testbed Science
  - Testbed composition and its semantics (wrappers)
  - Testing the concerns of the CPS Framework in the testbed
  - Setup and Testing as in the case of requirements driven by the Timing concerns
25 NIST Activities: Trustworthiness
- Trustworthiness Concerns (Architecture and instance of HW and SW Tools)
  - Decomposition
  - Specific science and methodology
- Logical and Physical 'Security'
  - Using physics to enhance cybersecurity (and other cyber concerns)
- Dependencies between concerns (holistic approach to the specifics of individual concerns)
  - Merging the physical concept of dependency with a logical concept of dependency
26 The Category CyPhy
The cyber-physical category CyPhy has as objects: Action/Actuation (Act), Sense, Phys_State, Decision.
The morphisms of CyPhy are given by:
- Mor(Act, Phys_State) = {phy_act-phys}
- Mor(Decision, Act) = {log_dec-act}
- Mor(Sense, Decision) = {log_sen-dec}
- Mor(Sense, Act) = {phys_sen-act}
- Mor(Phys_State, Sense) = {phy_Phys_State-Sense}
27 Symmetric Monoidal Categories
- For purposes here, systems will be viewed as processes and the interactions between them (process algebra in the sense of Milner, for example)
- We distinguish two sorts of interactions between processes:
  - Logical interactions (exchanges of information)
  - Physical interactions (exchanges of energy)
- The mathematical model of physical interactions is algebraic systems of ODEs
- The mathematical model of logical interactions is formalizations of agent-based models such as complex adaptive systems (J. Holland)
- We choose symmetric monoidal categories (SMC) as an example of a model of systems in category theory
28 CPS as Functors
- A cyber-physical system, in the sense of process algebra, can be represented as a functor from a symmetric monoidal category to the category CyPhy.
- Such a functor represents:
  - Processes as instances of Sensing, Decision, Action or Physical
  - Interactions as exchanges of information or exchanges of energy
- Benefit of this representation can be derived from:
  - Structural representation of one CPS 'in another' (isomorphic with a sub-CPS)
29 The category CPS
- Given two representations of CPS as functors F and G, let SM(F) and SM(G) denote the symmetric monoidal categories that F and G map into CyPhy.
- Mor(F, G) is the set of functors T from SM(F) to SM(G) such that the following diagram commutes:
[Diagram] Triangle with T: SM(F) → SM(G), F: SM(F) → CyPhy and G: SM(G) → CyPhy; commuting means G ∘ T = F.
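As an added example, not part of the talk or of any NIST code, the constructions of slides 26 to 29 in Python: the category CyPhy with its four objects and five morphisms, a constructed thermostat system represented as a functor F into CyPhy, a constructed larger HVAC system with its functor G, and an embedding T of the first system in the second, checked for the commuting condition G ∘ T = F that slide 29 requires of a morphism in the category CPS. The systems are modelled as plain categories of processes (objects) and interactions (arrows) standing in for the symmetric monoidal categories of the slides; the monoidal structure is not modelled, and all system names are constructed.

```python
"""CyPhy category, a CPS as a functor into it, and morphisms between CPS.

Illustrative model added for this page, not NIST code.  CyPhy's objects and
morphisms are the slide's; the thermostat, the HVAC system, the functors F, G
and the embedding T are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Arrow:
    name: str
    src: str
    dst: str


@dataclass
class Category:
    """Objects plus named arrows: enough structure to check sources and targets."""
    objects: frozenset
    arrows: dict = field(default_factory=dict)  # arrow name -> Arrow

    def add(self, name, src, dst):
        if src not in self.objects or dst not in self.objects:
            raise ValueError(f"{name}: {src} or {dst} is not an object")
        self.arrows[name] = Arrow(name, src, dst)

    def composable(self, f, g):
        """g after f is defined exactly when f's target is g's source."""
        return self.arrows[f].dst == self.arrows[g].src


# The cyber-physical category CyPhy as given on slide 26.
CYPHY = Category(frozenset({"Act", "Sense", "Phys_State", "Decision"}))
CYPHY.add("phy_act-phys", "Act", "Phys_State")
CYPHY.add("log_dec-act", "Decision", "Act")
CYPHY.add("log_sen-dec", "Sense", "Decision")
CYPHY.add("phys_sen-act", "Sense", "Act")
CYPHY.add("phy_Phys_State-Sense", "Phys_State", "Sense")


@dataclass
class Functor:
    """Maps processes to objects and interactions to arrows of a target category."""
    source: Category
    target: Category
    obj_map: dict  # source object -> target object
    arr_map: dict  # source arrow name -> target arrow name

    def is_well_typed(self):
        """F(a: X -> Y) must be an arrow F(X) -> F(Y) of the target category."""
        if any(o not in self.target.objects for o in self.obj_map.values()):
            return False
        for a in self.source.arrows.values():
            img = self.target.arrows.get(self.arr_map.get(a.name))
            if img is None or (img.src, img.dst) != (self.obj_map[a.src], self.obj_map[a.dst]):
                return False
        return True


def commutes(f, g, t):
    """Slide 29: T is a morphism F -> G when G(T(x)) == F(x) for every object and arrow."""
    objs_ok = all(g.obj_map[t.obj_map[x]] == f.obj_map[x] for x in f.obj_map)
    arrs_ok = all(g.arr_map[t.arr_map[a]] == f.arr_map[a] for a in f.arr_map)
    return t.is_well_typed() and objs_ok and arrs_ok


# Constructed thermostat loop: processes are objects, interactions are arrows.
THERMOSTAT = Category(frozenset({"room", "thermometer", "controller", "heater"}))
THERMOSTAT.add("room_temp", "room", "thermometer")           # physical: energy
THERMOSTAT.add("temp_reading", "thermometer", "controller")  # logical: information
THERMOSTAT.add("heat_cmd", "controller", "heater")           # logical: information
THERMOSTAT.add("heat_flow", "heater", "room")                # physical: energy
F = Functor(THERMOSTAT, CYPHY,
            {"room": "Phys_State", "thermometer": "Sense", "controller": "Decision", "heater": "Act"},
            {"room_temp": "phy_Phys_State-Sense", "temp_reading": "log_sen-dec",
             "heat_cmd": "log_dec-act", "heat_flow": "phy_act-phys"})

# Constructed larger HVAC system with a second (humidity) sensing path.
HVAC = Category(frozenset({"room", "temp_sensor", "humidity_sensor", "hvac_ctrl", "heater"}))
HVAC.add("room_temp", "room", "temp_sensor")
HVAC.add("room_humidity", "room", "humidity_sensor")
HVAC.add("temp_reading", "temp_sensor", "hvac_ctrl")
HVAC.add("humidity_reading", "humidity_sensor", "hvac_ctrl")
HVAC.add("heat_cmd", "hvac_ctrl", "heater")
HVAC.add("heat_flow", "heater", "room")
G = Functor(HVAC, CYPHY,
            {"room": "Phys_State", "temp_sensor": "Sense", "humidity_sensor": "Sense",
             "hvac_ctrl": "Decision", "heater": "Act"},
            {"room_temp": "phy_Phys_State-Sense", "room_humidity": "phy_Phys_State-Sense",
             "temp_reading": "log_sen-dec", "humidity_reading": "log_sen-dec",
             "heat_cmd": "log_dec-act", "heat_flow": "phy_act-phys"})

# T embeds the thermostat in the HVAC system (slide 28: one CPS 'in another').
T = Functor(THERMOSTAT, HVAC,
            {"room": "room", "thermometer": "temp_sensor", "controller": "hvac_ctrl", "heater": "heater"},
            {a: a for a in THERMOSTAT.arrows})  # both systems use the same interaction names

# Mis-typed candidate: sends the controller to the heater, so temp_reading would
# need an arrow temp_sensor -> heater, which HVAC does not have.
T_BAD = Functor(THERMOSTAT, HVAC, {**T.obj_map, "controller": "heater"}, T.arr_map)
```

`commutes(F, G, T)` is True: the thermostat sits inside the HVAC system as a sub-CPS and both representations agree on which processes sense, decide and act. `T_BAD` fails `is_well_typed()` before the commuting check is even reached, which is the kind of structural error the functorial view makes mechanical to detect.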