Requirements and Life Cycle Model-Based Assessment of NPP I&C Systems Cyber Security and Safety

Introduction

Nowadays safety-critical systems are widely used by the world industry in various areas in forms of I&C systems, including those for NPPs, on-board computer-based systems, electronic medical systems, etc. Moreover, FPGA technology is now being trend in safety-critical systems implementation that inevitably leads to new challenges in various aspects of such systems design, operation and maintenance requiring new approaches, techniques and appropriate requirements. First goal of this chapter is to customize the elements of gap analysis (GA), Intrusion Modes and Effects Criticality Analysis (IMECA) technique and analysis of development processes related to the developer (human), technique, and tool (HTT) to develop an approach, which can be used in analysis and assessment of safety-critical systems (Kharchenko, V. et al. (2012,c), NUREG/CR-7006).

Design and development processes for any safety-critical I&C systems, including complex ones, require predetermined and formalized processes for all types of activities, including design, verification and validation (V&V). There are some set of proposed life cycle representations in a form of appropriate models, including waterfall, incremental, spiral, agile, prototyping, star, hybrid, Y, etc. (Isaias, P. et. al. (2015), Bhuvaneswari1, T. et. al. (2013)).

One of the most convenient forms of design life cycle representation for a safety-critical I&C system is so-called “V-model”, which involves the phased development of certain artifacts (components of the future system), and each artifact is subject to formal verification intended to prevent unauthorized changes in design or functionality. (Kharchenko, V. et. al. (2017)).

V-model is a conveniently organized formalized sequence of development phases of the final product, typically complex. It implies stating the requirements in the beginning, and allows correlating the design stages with the appropriate tests. The basic principle of a V-model is that the detailing of the project increases when it moves from left to right, as the time passes. Iterations in the project are executed horizontally, between the left (descending) and the right (ascending) branches. This allows for support during the planning and implementation of the project.

In addition, a V-model can be generalized in several directions to meet the requirements and reflect the complexity layers of the product.

The main disadvantages of existing V-models include the following:

• •

  Lack of support for parallel events.

• •

  Lack of support for the introduction of dynamic changes at different stages of the product's life cycle.

• •

  Too late testing of requirements in the life cycle, which makes it impossible to make changes without affecting the schedule of project implementation.

• •

  Some results can only be obtained after the complete performance of the activities described by the left branch.

In order to consider and take into account all the features of modern complex safety-critical I&C systems and their underlying technologies, it is necessary to analyze the attributes of a system. For this purpose, a development life cycle (DLC) of a system can be represented in the form a V-submodels set that are partially superimposed and corresponding to each of the DLCs associated with the specific components of the system, thus covering the development stages of the components along with the appropriate return points (Shamraev, A. et. al. (2017)).

Given the fact that, in a general case, both the starting point and the length of the DLC are specific for the components, so all V-submodels can be separated to perform a comprehensive evaluation. The complete set of all component-related V-submodels for safety-critical I&C forms a component-oriented (two-coordinate) V-model of the DLC.

In order to link the DLC of a specific attribute to each of the components of a safety-critical I&C system into a component-oriented V-model, consider additional attribute-related plane (formed by a set of attributes of the component). Thus, it can be stated that there are already three coordinates due to the addition of the attribute to a component-oriented (two-coordinate) V-model of DLC. In addition, in conjunction with the DLC, it is already possible to analyze a certain aspect in the three-dimensional space determined by the three coordinates associated with certain system’s component, its attribute and the stage of the DLC.