by Ron Kelson, Pierluigi Paganini, David Pace
In last week’s article, we explored the issue of today’s high-speed computers and why their inability to consistently meet software deadlines causes serious problems to automotive applications, industrial control systems, (nuclear) power generators and other computer systems that interact with the real world.
In particular, we explored the observe-orient-decide-act (OODA) loop, a model developed by military strategist and former USAF Colonel John Boyd, which describes how humans and organisations interact with the physical world. To quote Boyd:
“In order to win [at war], we should operate at a faster tempo or rhythm than our adversaries … Such activity will make us appear ambiguous (unpredictable) thereby generate confusion and disorder among our adversaries − since our adversaries will be unable to generate mental images or pictures that agree with the menacing as well as faster transient rhythm or patterns they are competing against.”
A similar type of confusion and disorder occurs when a cyber-physical system cannot complete its observation and orientation tasks regularly on time. In this case the system will no longer be able to generate an accurate picture of the world around it, and consequently it can no longer keep track of the effect of its actions on the real-world. Not surprisingly, cyber attacks against critical infrastructure are designed to disable or interfere the OODA loops of computers for the purpose of disabling or destroying the physical systems they control.
What is particularly disconcerting is that this confusion and disorder can also occur in benign environments when inadequate engineering practices and technologies are used. Today’s fastest time predictable computers are now far too slow to meet the needs of modern cyber-physical applications.
According to the EU PROARTIS Project:
“Industry demands new functionality and higher levels of performance, together with reduced cost, weight and power dissipation, which can only be delivered by advanced hardware features. However, the timing behaviour of systems using these advanced hardware features is very hard [ed: and often impossible] to deal with by current timing analysis techniques.”
The FP7 PROARTIS Project is creating new technologies to try and address this problem. Unfortunately, market forces are “compelling” industries to use modern processors that are currently extremely difficult to use safely and correctly in cyber-physical systems.
Right now, the expert consensus is that civilian cyber-physical systems deployed today by many industries are frequently engineered using KNOWN UNSAFE practices. In this week’s article we look at the complex trends, dispositions, and behaviours, of organisations in the cyber-physical systems community today that limit the adoption of safety and security best practices. We will also explore the ICT Gozo Malta Project’s activities to overcome these barriers.
In the safety industry (IEC 61508 standard), hazards are naturally categorised by consequences, ranging from “Negligible” through to “Catastrophic” involving “Multiple loss of life”. The greater the consequence of failure, the higher the level of engineering rigour and controls which should be put in place to manage that hazard.
In industries like aviation and nuclear power, where a single catastrophic failure captures massive media attention, and could also damage those industries’ economic future, safety controls are taken extremely seriously. However, in industries where a catastrophic failures (multiple loss of lives) occur on a regular daily basis (e.g. car crashes), and those failures do not threaten those industries’ economic viability, safety controls may not be applied so diligently.
Safety controls that can be sold as optional extras, such as anti-skid brake systems and airbags, are popular as they can provide a market differentiator to the manufacturer. Crumple zones in cars are highly visible to customers and can also be used effectively as a market differentiator. However, safety features that are less visible to the customer, which do not provide a clear ROI at the point of sale and could expose the manufacturer, are typically shunned due to perverse market incentives. We are advised that most computer control systems in cars have no third party independent assessment of their safety or correctness. Furthermore, most cars do not have a “black box recorder”, making it hard to identify if there was a software or hardware fault that contributed to a car crash. To make the situation worse, some car manufacturers ask chip vendors to eliminate traditional safety features to reduce component costs (for techies: they remove the memory management unit [MMU] used for safety and security operations). This magnifies the difficulty in identifying, and safely controlling, the effect of software faults.
The authors have been advised that today many organisations developing real-time applications apply inadequate (“hand waving”) engineering practices to manage well-known timing problems in modern computer processors. A common approach is to use naive time measurement techniques (i.e. not using commercial testing and validation tools) and then add an arbitrary 20 per cent margin for measurement errors and hope that it’s enough. As we reported in our article last week, IBM has found that 50 per cent of the warranty costs in cars are related to electronics and their embedded software, and that 30 per cent of those costs are related to timing flaws.
According to the article “This car runs on code” published in IEEE Spectrum online (2009), these instances of incorrect operation cost industry billions of euros annually. This issue affects many industries!
The problem with regard to software deadlines is particularly hard because:
To quote Dr Benoit Triquet of Airbus France: “One challenge for European safety-critical industries is to … gather sufficient momentum to influence the microprocessor market.” In fact, this is a worldwide problem in the safety-critical and information security-critical domains. We need to overcome the current inertia.
So how do we achieve improved safety and security in cyber-physical systems with a win-win approach that is economically viable? We believe existing and emerging technical solutions must be synergistically combined in a way that creates a compelling computing platform that simultaneously addresses many pain points for different industries in the one convergent solution, whilst also being backward compatible as much as possible with existing software.
This requires global canvassing and technical exploration with leading vendors and academic experts.
The ICT Gozo Malta Project, part funded in 2011 by the Ministry for Gozo, is doing just that. This is very notable achievement when one considers that many vendors are fierce commercial competitors.
One of the authors of this article, Benjamin Gittins, as CTO of Synaptic Laboratories and representing the ICT Gozo Malta project, was recently invited to attend the “closed-door” Industrial Advisory Board meeting of the EU FP7 PROARTIS project held in Barcelona. PROARTIS partners include organisations such as the Barcelona Supercomputing Centre, Rapita Systems Ltd UK, University of Padua Italy, Institut National de Recherche en Informatique et Automatique (INRIA) France, and Airbus France. The Industrial Advisory Board includes the following world-class organisations: AdaCore, BMW Group, European Space Agency, IBM Haifa Research Lab, Infineon, NXP, and SYSGO. In private meetings with the representatives of all those organisations, convergence was a recurring theme: in particular the convergence of real-time, safety, security and other performance requirements on computer chips. If done correctly, these chips could service both the aerospace and automotive industries.
Through ongoing international collaboration on its new universal computer architecture proposal, Synaptic Labs and the ICT GM Project seek to address the inertia and momentum issue raised by Dr Triquet. Through collaboration with many different organisations with different “pain points”, we seek to ensure each pain point is addressed comprehensively and at the lowest overall cost. By addressing multiple pain points in one solution, we make it easier for organisations to increase their return on investment.
The ICT Gozo Malta Project continues to put Malta-sourced cutting edge design and leadership on the world stage. It is the centre of collaboration with more than eight world-class real-time operating system vendors that have products deployed in several billions of devices, all the top vendors in the worst case execution timing tools market, several universities across Europe, the USA and other countries, and some of the most advanced semiconductor organisations in the world. Experts from several organisations currently involved with PROARTIS have expressed interest to participate as Industry Advisory Board members and are exploring further collaboration. This progress is all centred around Synaptic Labs’ designs.
While progress is being made at this deeper level, with regard to your safety you can help today by placing pressure on manufacturers of cyber-physical systems at point of sale, by asking them: “Are you cutting corners in computer safety?” and “Has an expert third party safety organisation independently checked your computer system design and implementation for correctness and safety?” Be sure to let them know you are not interested in short cuts that put your personal safety and security at risk ANYWHERE in their shiny new product.
Be sure to read our next article and join us in taking the next steps together to secure (y)our world!
Co-author Pierluigi Paganini has 20+ years of security experience and many years of in-depth investigative cyber security journalism on important cyber events.
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu has links to free cyber awareness resources for all age groups.
All our past articles in this cyber awareness series can be accessed on malta-independent.com.mt, ictgozomalta.eu, and securityaffairs.co ,which is rated one of the 10 best security blogs in the world, with an international viewing audience exceeding 40,000. To continue promoting Maltese ICT to the world, we encourage all ICT professionals to register on the ICT GM Skills Register to keep abreast of developments, both in Cyber Security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at [email protected] .
by Ron Kelson, Pierluigi Paganini, David Pace
Mr Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited.
Mr Gittins is CTO of the ICT Gozo Malta Project and Synaptic Laboratories Limited.
Sig. Paganini, Security Specialist CISO Bit4ID Srl, is a CEH − Certified Ethical Hacker, EC Council and founder of Security Affairs
Mr Pace is Project Manager of the ICT Gozo Malta Project and an IT consultant
References