INTRODUCTION

Cyber-physical systems (CPS) is a technological concept, which provides a close coordination between computing and physical resources. In general, CPS support the maintenance of real world processes using regular monitoring and a feedback loop [ 1-4 ]. As a result, physical processes influence on information processes and vice versa.

Vivid examples of CPS are industrial systems associated with critical areas of human activity [ 5, 6 ]. Unauthorized interference with such systems can lead to disastrous consequences; therefore, the question about CPS security is extremely important nowadays.

The close integration of physical and information processes leads to the fact that CPS security do not provide by classical concepts of confidentially, integrity and availability of information circulated in system [ 7 ]. The CPS protection from destructive impact is also important, since the physical processes implemented by system are irreversible. In this regard, the problem of maintaining the functional sustainability

The study was carried out as part of the scholarship of the President of the Russian Federation to young scientists and graduate students SP-1689.2019.5. of CPS in the context of destructive interventions comes to the fore.

II.

There are many approaches to maintain sustainability of CPS [ 8-19, 22 ]. One of promising approach uses a biology concept of homeostasis – mechanism that provide constancy of internal organism processes. This approach provides adaptation and self-regulation mechanisms of complex dynamic systems. Such features of the approach allow autonomous control and maintenance of the state of the system. Homeostatic approach for CPS was proposed in [ 11, 12 ] as an ability of selfadaptation. However, authors of these papers were focused on the operation correctness, but not on security aspects. Moreover, proposed model is not applicable because of high monitoring algorithm complexity in case of large dynamic systems. One more paper [ 13 ] focused from self-adaptive architectures to self-learning architectures to learn and improve QoS parameters over a time. However, such approach do not take into account structural parameters of CPS, but only time series and data stream.

Thus, due to dynamic behavior of CPS, homeostatic strategy can be separate on three stages: system monitoring, sustainability estimating and making decision to system recovery. To implement this strategy, a method is needed to evaluate the sustainability of the CPS at the current time, as well as to predict the maximum destructive load, which will lead to a complete loss of system functionality. Thus, second stage can be realized by different methods using mathematical statistics, game theory and so on. Paper [ 14 ] proposed novel algorithm for estimation of system state that resilient to different types of attacks. Proposed method uses principles of robust optimization and give a “frequentist” robust estimator. However, such method do not take into account structure of the CPS which can be represented as a network of devices. Paper [ 15 ] proposed game-theoretic concept to estimating system sustainability. This approach defined sustainability as powerform product of the survival probabilities of cyber and physical spaces, each with a corresponding correlation coefficient. Such method do not take into account a structure of the system and might not be as flexible as it needed for providing cybersecurity. Paper [ 16 ] proposes methodology to estimate environmental sustainability of CPS. This approach is scalable, economic perspective, however due to simplifications some failures can be missed. In addition, this method do not consider structural features of heterogeneous systems. In [ 17, 19 ] authors proposed to estimate CPS as rate of system recovery, however this method is posteriori, so this model allow only restoring system after destructive influences.

III.

APPROACH TO CPS SECURITY

Homeostasis strategy was applied to security of CPS in [ 20 ]. The method of estimating CPS sustainability is determined by the way the system is presented and simulated. In case of CPS, one of the most common is a model based on graph theory. Graph theory allows us to consider not only the network of devices within an integrated CPS, but also the interaction of CPS components with each other. Since the processes in the CPS are carried out by exchanging data between devices, each process can be represented as a route on a graph. The presence of a large number of such routes, as well as their quality, determine the system's ability to function, thereby giving an assessment of its stability.

Paper [ 18 ] proposed graph model, according to which CPS is a graph G=<V, E>, where V={v1,v2,…,vn} − is set of graph vertices representing the devices, and E={e1,e2,…,en} − set of edges representing connections between system components.

Each vertex is characterized by a tuple, which contains the characteristics, depending on its type. The important parameter of vertex is capacity of device performance(vi), where i is the node identifier. In addition to typical parameters, each vertex corresponds to a set of functions that it can perform F(vi)=(f1,f2,…,fk). The set of functions that can be performed by components of the CPS is not homogeneous: it can include both trivial and more complex in terms of function implementation. Therefore, it is advisable to enter a measure for each of the functions that determines its complexity fi→ complexity(fi). Knowing the node performance and the complexity of the functions it performs, you can find the execution time of the function fj on the device vi through the equation (1).

time(vi, fj)= complexity(fj)/ performance(vi) (1)

Each edge also has a parameter characterizing the data rate between vertices vi and vj: time(vi, vj).

A process running in a CPS is characterized by a sequence of functions that are performed by the vertices of the graph Rprocess={f1,f2,…,fm}. It should be noted that complex functions can be decomposed as a sequence of simpler ones, which allows to effectively reconfigure the route in terms of destructive effects. This fact, as well as the fact that each function can correspond to several vertices of the graph with different performance, leads to the fact that each processi in the CPS corresponds to a set of working routes pathj from Rprocess differing in their characteristics.

As parameters of the routes, it is proposed to consider:  route length.  total route complexity.  total route performance.  time of route execution.     energy characteristics of the vertex, determined by device type.

Thus, when calculating the characteristics of the route, all connections between the components of the system are taken into account, as well as the characteristics of the vertices that perform the functions included in the process. Intermediate nodes are not counted in the summation.

The presence of high-quality routes, for example, with a short execution time, determines the stability of the CPS in terms of destructive influences, since the reduction of such routes will lead to system downtime, which can lead to failures and of the target function - that is, to lose sustainability.

IV.

To estimate the CPS sustainability, the information system was modeled as a graph. The graph was constructed using Erdos-Renyi model [ 21 ] with the number of nodes equal to 30, and the probability, and the probability of edge appearance equal to 0.35. Each vertex of the graph was mapped: set functions that the vertex can perform and its complexity.

performance of the device.

time of function execution of the device.

Each edge is associated with a time rate between vi and vj time: time(vi, vj).

While ensuring the CPS security, important parameters are times of attacks detection and CPS rebuilding to neutralize destructive impacts. Therefore, as the characteristics of the quality of the route were chosen the time of the route execution and its total performance.

As a part of study, a working route was defined, represented as a sequence of functions. To estimate CPS sustainability an algorithm was developed that performs a search for various routes on a graph, including a sequence of vertices that perform functions from the working route. The characteristics of the intermediate vertices were not taken into account. For each route found, time and performance were calculated. The bar plot for the values obtained are shown in Fig. 1.

To estimate the number of routes depending on the time of their execution, a cumulative function was built (Figure 2). The argument of this function is an ordered set of time values, and the function values are the number of routes that have a time execution less than the value of the argument. Thus, judging from Fig. 2, the number of routes that have an execution time less than 19 is approximately 100,000.

In a case of performance estimation, the best quality route will have a large total performance value. Therefore, the cumulative function for the performance of routes is constructed as follows: the number of routes whose performance is greater than the value of the performance taken as the value of function (Fig. 3).

For further analysis, the normalization of the values of performance and execution time of the route was carried out. The graphs for both characteristics were combined, and then the intersection point was found (Fig.4).

The left area of the graph corresponds to routes with lowest performance; the right area corresponds to routes with longest execution time. Thus, routes in the middle part of plot on Fig. 4 can be interpreted as area of system sustainability. It is proposed to limit the sustainability area by symmetric intervals of length 0.25 from the intersection point. The right boundary refers to the execution time of the routes — that is, routes from the sustainability area should not run for longer than a certain time. The left border, respectively, refers to route performance.

For fix values of execution time and performance of working route on x axis the number of routes suites to such characteristics was calculated. The largest value observed at the intersection point of two curves (Fig. 5). Since the number of routes is also a quality criterion, to limit the area of sustainability, it is proposed to cut off a part with characteristics for which the number of routes is less than 20,000.

Thus, the paper proposed the criterion for CPS sustainability, which is number of working routes in system with optimal values of execution time and performance. In order to check the applicability of the criterion, it is necessary to simulate destructive influences and to check reaction of criterion to changes in system structure.

As part of the study, an attack was modeled, consisting in sequential removal of half of the vertices. For the resulting graph, number of routes was calculated, characteristics of time and performance that was in area of the system sustainability (Fig. 6).

The second model of the attack influence is to delete the vertex, which has a certain degree of criticality. As an indicator of the vertex criticality, is it proposes to use the ratio of working routes number passing through the vertex to the total number of working routes. Number of routes depending on criticality of deleted vertex was evaluated for fixed values of execution time and performance of routes (Fig. 7).

As experiments show, at a certain criticality of vertex, number of routes in the sustainability area reaches zero, which indicates the complete inability of system to function along a given sequence of functions.

During the simulation of attacking influences, proposed criterion of sustainability showed high sensitivity to structural changes in CPS.

VI.

APPROACH TO SYSTEM RECOVERY

Taking into account the proposed criterion, recovery of system functionality is reduced to problem of changing the graph in such a way that number of routes satisfying the given characteristics increases. An increase in the number of routes is possible through implementation of various scenarios:   

Rebuilding and reconfiguration of CPs to improve the graph connectivity, which will lead to emergence of new routes or change their length.

Definition of new sequence of performing target function due to possibility of representing the functions as a decomposition of other functions.

Improving device characteristics, in particular, increasing the performance of certain type devices.

The tasks of reconfiguring the network structure and setting new routes can be associated with high computational costs for implementing mathematical algorithms, as well as time costs for rebuilding the system, which can lead to system downtime and, consequently, affect the speed of the target function. Therefore, these methods are recommended in most serious cases. The approach of changing the characteristics of devices implies the allocation of additional resources to increase devices performance.

Obviously, due to varying complexity of functions performed by devices, an increase in performance of different types of vertices affect the number of suitable routes in different ways. As part of the work, an experiment consists in increasing performance of certain type vertex twice, was conducted. Results are presented in Figure 8.

Abscissa axis indicates type of functions that can be performed by system components, arranged in order of increasing complexity. The first point on the plot corresponds to the initial value of number of routes in graph without changing the performance of devices of a particular type.

It should be noted that in Figure 8, the observed linear relationship is determined by the fact that the sequence of functions includes all the functions performed by system. If, however, we increase length of working route and duplicate occurrence of f3 function, then a small jump will be observed precisely with an increase in performance of devices implementing this function, as shown in Fig. 9.

Thus, for effective CPS recovery and increasing number of suitable routes that satisfy the specified characteristics, it is necessary to give preference to types of devices that perform more complex functions if the ratio of functions of different types in a given sequence is approximately the same.

CPS security reduces to maintaining system sustainability. For solving this problem criterion on sustainability is needed. This criterion should take into account not only information and physical parameters of system devices, but also structural characteristics of CPS network.

Using graph representation of CPS, the processes in the system can be represented as a set of routes that include a given sequence of vertices, each of which performs set of specific functions. Mapping set of qualitative characteristics to vertices and connections, leads to simple evaluating the optimality of the route as total value of vertices and links characteristics containing in the route.

Thus, number of routes with optimal value of quality characteristics determines sustainability of CPS. Applicability of this criterion was verified by modeling destructive effects, as a result of which proposed sustainability assessment demonstrated high sensitivity to changes in the graph describing CPS.