The Availability Models of Two-Zone Physical Security System Considering Cyber Attacks

Relevance of the paper is confirmed by the need to protect the security systems themselves, not only from physical damage, but also from cyber attacks by intruders. The paper explores the Markov model of the two-zone cyber-physical security system. Evaluation of the functioning of the multi-zone system was carried out taking into account two degrees of degradation (operative condition - the failure state of all zones). The state space of the model (or one fragment) has a dimension of 9 states.
The availability models of two-zone physical security system considering cyber attacks

Vyacheslav Kharchenko1,2[0000-0001-5352-077X], Yuriy Ponochovnyi3[0000-0002-6856-2013], Al-Khafaji Ahmed Waleed1[0000-0002-5077-1036], Artem Boyarchuk1[0000-0001-7349-1371]

1 National Aerospace University KhAI, Kharkiv, Ukraine
2 Research and Production Company Radiy, Kropyvnytskyi, Ukraine
3 Poltava State Agrarian Academy, Poltava, Ukraine

Abstract. Relevance of the paper is confirmed by the need to protect the security systems themselves, not only from physical damage, but also from cyber attacks by intruders. The paper explores the Markov model of the two-zone cyber-physical security system. Evaluation of the functioning of the multi-zone system was carried out taking into account two degrees of degradation (operative condition - the failure state of all zones). The state space of the model (or one fragment) has a dimension of 9 states. In the proposed model, hardware failures caused by vandal attacks on objects of the first zone and software failures due to cyber attacks on the functions of the second zone are considered. The simulation results illustrate different transition intervals of availability indicators of various levels of degradation to a stationary state. For different degrees of degradation, the minimum value of the availability function, the time interval of the transition of the availability function to the stationary mode, and the value of the availability function in the stationary mode are determined. When eliminating software defects and vulnerabilities, the increase in the availability function is 0.23% for a zero level of system degradation.

Keywords: Cyberphysical Security System; Availability Indicators; Markov Model; Degradation Levels; Multi-Zone Architecture.

1 Introduction

Modern physical protection systems have powerful cybernetic components that require full or temporary connection to the open Internet for full functioning. Previously, physical security systems themselves had to be protected only against physical damage; now such systems are also a target of cyber attacks by cybercriminals.
The security system is represented by a set of subsystems, each of which is considered as a separate "zone". Each subsystem contains constituent elements. This hierarchy is presented in Fig. 1 [1]. Each subsystem is represented by the failure state spaces of hardware components (HW, hardware) and software/functions (SW, software), which arise due to the manifestation of physical defects (pf), design defects (df), operator errors (hf), and interaction defects (if).

Physical security system
  C1: Subsystem of motion detection/intrusion
    C11: Control unit of motion detection sensor
    C12: Control unit of intrusion sensor
  C2: Subsystem of access control
    C21: Control unit of authorisation
    C22: Control unit of physical access

Fig. 1. Two-zone architecture of physical security system

The zonal architecture of physical security systems (PSS), their multifunctionality and their functioning in an aggressive external environment require adequate representation when models are constructed and analyzed. On the one hand, the mathematical apparatus of Markov modeling [2,3] provides a direct assessment of the resulting availability indicator and meets the requirements of standards and normative documents [4,5]. On the other hand, Markov models are limited by assumptions on the simplest flows of events [6], and are also prone to the problem of increasing dimensionality when a large number of external factors is taken into account. The multi-fragment modeling apparatus [7] allows systems with variable parameters to be studied, but does not solve the dimensionality problem. In [8,9], Markov and multi-fragment models of hardware and software systems for various purposes and specific architectures are considered. However, the well-known papers did not consider the influence of zonal architecture on the availability of the system from the standpoint of both reliability and security.
The aim of this study is to develop and analyze the classic Markov model of two-zone PSS availability. The development of the model is based on determining the set of states and the mechanisms of interaction, taking into account the degree of degradation. The availability functions of various degrees of degradation were assessed for various sets of input data.
The paper is structured as follows. Section 2 describes two PSS availability Markov models, their assumptions, states and the transitions between them (subsections 2.1 and 2.2). The results of the PSS modeling and availability assessment are analyzed in Section 3. Section 4 concludes and describes future steps.

2 Development and research of the availability model of physical security systems

2.1 Development of the initial model


The availability model of a two-zone cyberphysical security system allows us to study the simultaneous effect of failures of the hardware component of the zones and of their functions implemented through software. The paper considers a two-zone PSS model (Fig. 1), in which the first zone has an external perimeter and is susceptible to vandal attacks, and the second zone implements access control functions via a remote connection (and is therefore susceptible to cyber attacks).
The main assumptions of the MPSS0 model are:
– the flow of events that transfers the system from one functional state to another has the properties of stationarity, ordinariness and the absence of aftereffect; the input parameters of the model are assumed to be constant;
– the probability of failure of the cloud service is negligible;
– acts of vandalism (γHW) are committed on the objects of the first zone, which are located outside the protected perimeter;
– vulnerability attacks (γSW) are carried out on the functions of the second zone, which are accessible through a public network.

[Figure 2: states 1 to 9 over the components 1h, 2h, 1s, 2s; degradation level 0 is state 1, level I is states 2 to 5, level II is states 6 to 9]

Fig. 2. Combinations of zone failures that determine the states of the MPSS0 model and degradation levels

The state space of the model has a dimension of 9 states (Fig. 2), according to the combinations of hardware and functional component failures in each of the zones. Fig. 2 also highlights three levels of degradation of the system (0, I and II).
Figure 3 shows the marked graph of the model, which has end-to-end numbering of states and was developed using the modified grPlot_marker function [10].

[Figure 3: graph over states 1 to 9. Failure transitions are labelled ah1*lah, ah2*lah, as1*las, as2*las, alfa*gamh and beta*gams; recovery transitions are labelled bh1*muh, bh2*muh, bs1*mus and bs2*mus.]

Fig. 3. Marked oriented graph of the two-zone MPSS0 model

When constructing the model graph (Fig. 3), a vertical hierarchy of states was used to display the levels of degradation. The upper level is the S1 state. It indicates an operative system without failures. The second level consists of the S2, S3, S4, S5 states. They indicate the first level of system degradation, in which either a hardware or a functional (software) failure has occurred in one of the zones. At the lower level (states S5, S6, S7, S8), the states of complete failure of all zones of the system are indicated. When marking the graph and compiling the system of differential equations, we used the weight coefficients ah1, ah2, as1, as2 to distinguish the failure rates of different zones, and the coefficients bh1, bh2, bs1, bs2 to distinguish the recovery rates.
Hardware failures caused by vandal attacks on objects of the first zone are modeled by transitions (arrows) weighted by α*γHW. Software failures caused by cyberattacks on the functions of the second zone are modeled by transitions (arrows) weighted by β*γSW.
Availability functions for different levels of degradation are defined as:
$$A^{(0)}(t) = P_1(t); \qquad A^{(I)}(t) = \sum_{i=1}^{5} P_i(t) \qquad (1)$$

Baseline conditions: t = 0, P0 (t) = 1.

2.2 Development of a multi-fragment model for updating software functions


In the previous MPSS0 model, the assumption was made that the parameters of the functional components of individual zones of the cyberphysical security system are constant. However, modern systems can receive updates and patches of the software component as part of the development and modification cycles. After the update or patch is installed, the program code and/or configuration files change, which directly affects the values of the input parameters of the failure flows and cyberattacks. In [7,9], such changes are modeled using the multi-fragment approach, which is the basis of the MPSSм model.
The assumptions of this MPSSм model are expanded (in comparison with the assumptions of MPSS0):
– the flow of events that transfers the system from one functional state to another within the same fragment has the properties of stationarity, ordinariness and the absence of aftereffect; the model parameters within one fragment are assumed to be constant;
– during the upgrade process, software defects and vulnerabilities are eliminated, and new defects and vulnerabilities are not introduced.
The state space of the MPSSм model within one fragment, like MPSS0, has a dimension of 9 states (Fig. 2) and three levels of system degradation.
Figure 4 shows a marked graph of three fragments of the MPSSм model. Each fragment of the model is a mapping of the MPSS0 graph (Fig. 3), but for compactness the states are arranged vertically.
When constructing the graph of the model (Fig. 4), color marking of the states (“Red”, “Green”, “White”) was used to indicate that the states belong to different levels of degradation. Additionally, a “blue” marker was used to highlight the SW update states (S10, S20); the system is inoperative in these states.
Availability functions for different levels of degradation are defined as:
$$A^{(0)}(t) = \sum_{i=1}^{N_f} P_{10i-9}(t); \qquad A^{(I)}(t) = \sum_{i=1}^{N_f} \sum_{j=1}^{5} P_{(10i-10)+j}(t) \qquad (2)$$

[Figure 4: three fragments with states 1 to 9, 11 to 19 and 21 to 29, joined by the SW update states 10 and 20]

Fig. 4. Marked graph of the three-fragment MPSSм model



3 Simulation and comparative analysis

The primary input parameters of the Markov models were determined on the basis of certification data [1,8] for samples of the previous CPSS versions. Their values are presented in Table 1. To build the matrix of the Kolmogorov-Chapman system of differential equations (SDE) in Matlab, the matrix A function was used [11]. The SDE solution is obtained using the ode15s function [12]. The simulation results are shown in Fig. 5. The graphs of the MPSS0 model (Fig. 5, a) illustrate the typical nature of the change in the availability function, with a decrease to a stationary coefficient during the first 10 hours of operation. Thus, in further analysis of the results, it is necessary to take into account the values of two levels of availability degradation:
- A(0) MPSS0 = 0.9638;
- A(I) MPSS0 = 0.9997.
The graphs of the MPSSм model (Fig. 5, b) illustrate the typical nature of the change in the availability function for multi-fragment models [7,9,11]. In the initial period of operation, the availability of the system is reduced to a minimum, and then, as SW defects and vulnerabilities are eliminated, it tends to a stationary value.

Table 1. Values of simulation processing input parameters

# | Sym | Parameter | Base value
1 | λhw | HW failure rate due to unintentional physical and design defects (pf and df) | 1e-3 (1/hour)
2 | λsw | SW failure rate due to design defects of an unintentional nature (df) | 5e-3 (1/hour)
3 | γhw | HW failure rate due to intentional actions (if, vandalism) | 1e-3 (1/hour)
4 | α | The coefficient of "aggression" of physical attackers, depends on external factors | 1..100
5 | γsw | SW failure rate due to intentional actions (if, viruses, cyberattacks) | 5e-3 (1/hour)
6 | β | The coefficient of "aggression" of cyber attackers, depends on external factors | 1..10
7 | μhw | HW recovery rate after failure, averaging is performed in the research and recovery is considered for all causes of failures (pf, df, hf, if) | 1 (1/hour)
8 | μsw | SW recovery rate after failure, averaging is performed in the research and recovery is considered for all causes of failures (pf, df, hf, if), the recovery does not provide for the elimination of the causes of failure | 2 (1/hour)
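
The Kolmogorov system for a chain of this size can be set up and solved directly. The following is an added example in Python, not the authors' Matlab code: it uses the base rates of Table 1 and computes the stationary and transient availability of a 9-state two-zone chain. The state encoding (each zone is working, HW-failed or SW-failed), the transitions between those states, the unit weight coefficients and α = β = 1 are assumptions, because the graph of Fig. 3 is not reproduced in the text, so the output is not expected to equal the values reported in the paper.

```python
from itertools import product

# Base rates from Table 1 (1/hour); alpha, beta and unit weights are assumptions.
LAM_HW, LAM_SW, GAM_HW, GAM_SW, MU_HW, MU_SW = 1e-3, 5e-3, 1e-3, 5e-3, 1.0, 2.0

# Assumed encoding: (zone 1, zone 2), each zone is ok, HW-failed (h) or SW-failed (s).
# Sorting by number of failed zones puts level 0 first, then level I, then level II.
STATES = sorted(product(("ok", "h", "s"), repeat=2),
                key=lambda s: sum(z != "ok" for z in s))

def generator(alpha=1.0, beta=1.0):
    """Build the 9x9 generator matrix Q of the assumed two-zone chain."""
    fail = [{"h": LAM_HW + alpha * GAM_HW, "s": LAM_SW},   # zone 1: vandalism on HW
            {"h": LAM_HW, "s": LAM_SW + beta * GAM_SW}]    # zone 2: cyber attacks on SW
    repair = {"h": MU_HW, "s": MU_SW}
    idx = {s: i for i, s in enumerate(STATES)}
    q = [[0.0] * len(STATES) for _ in STATES]
    for s in STATES:
        for zone in (0, 1):
            # A working zone can fail either way; a failed zone can only recover.
            moves = fail[zone] if s[zone] == "ok" else {"ok": repair[s[zone]]}
            for new, rate in moves.items():
                t = s[:zone] + (new,) + s[zone + 1:]
                q[idx[s]][idx[t]] += rate
                q[idx[s]][idx[s]] -= rate
    return q

def stationary(q):
    """Solve pi*Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]  # rows of Q^T | 0
    a[-1] = [1.0] * n + [1.0]                                    # normalisation row
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))         # partial pivoting
        a[c], a[p] = a[p], a[c]
        for r in range(n):
            if r != c:
                f = a[r][c] / a[c][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return [a[i][n] / a[i][i] for i in range(n)]

def transient(q, t_end, dt=0.01):
    """Integrate dP/dt = P*Q with explicit Euler steps from the failure-free state."""
    n = len(q)
    p = [1.0] + [0.0] * (n - 1)
    for _ in range(round(t_end / dt)):
        dp = [sum(p[i] * q[i][j] for i in range(n)) for j in range(n)]
        p = [x + dt * d for x, d in zip(p, dp)]
    return p

def availability(p):
    """Return (A0, AI): probability of no failure, and of at most one failed zone."""
    return p[0], sum(x for s, x in zip(STATES, p) if "ok" in s)

if __name__ == "__main__":
    q = generator(alpha=1.0, beta=1.0)
    print("stationary A0, AI:", availability(stationary(q)))
    print("after 50 hours   :", availability(transient(q, 50.0)))
```

Raising `alpha` or `beta` in `generator` shows how the attacker "aggression" coefficients of Table 1 pull both availability levels down under these assumptions.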

In further analysis of the results, it is necessary to take into account the following groups of values of the resulting indicators for two levels of availability degradation:
a) for zero degradation level A(0)Mpssm
- availability function minimum value A(0)Mpssmmin = 0.9544;
- availability function value in stationary mode A(0)Mpssmconst = 0.9661;
- time interval for the transition of the availability function to the stationary mode T(0)Mpssm = 3383.4 hours.
b) for the first degradation level A(I)Mpssm
- availability function minimum value A(I)Mpssmmin = 0.9898;
- availability function value in stationary mode A(I)Mpssmconst = 0.9997;
- time interval for the transition of the availability function to the stationary mode T(I)Mpssmconst = 3328.3 hours.

[Figure 5 plots, availability against t, hours: a) A(0)(t) and A(I)(t) over 0 to 50 hours; b) A(0)(t) and A(I)(t) over 0 to 2500 hours]

Fig. 5. Results of availability simulations of two-zone CPSS for different levels of degradation:
a) model MPSS0, b) model MPSSм

4 Conclusion
The article describes two models for assessing the availability of a two-zone physical security system, taking into account vandal and cyber attacks on objects of different zones.
In the MPSS0 model, the availability functions of different levels of degradation decrease to the stationary values A(0) = 0.9638 and A(I) = 0.9997 during the first 10 hours of operation.
In the MPSSм model, the availability function decreases to the stationary values A(0)const = 0.9661 and A(I)const = 0.9997 after 3300 hours of operation. Thus, the increase in the availability function while eliminating software defects and vulnerabilities is 0.23% for a zero level of system degradation.
Further research should be directed to studying the impact of reducing the failure rate (and recovery) of HW and SW on the resulting indicators, as well as to the development and research of both Markov and multi-fragment CPSS availability models in which the assumption of high reliability of the cloud service is removed.

References
1. Waleed, A., Kharchenko, V., Uzun, D., Solovyov, O.: IoT-based physical security systems: Structures and PSMECA analysis. 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). pp. 870-873. (2017). doi: 10.1109/IDAACS.2017.8095211
2. Zheng, Z., Trivedi, K., Wang, N., Qiu, K.: Markov Regenerative Models of WebServers for Their User-Perceived Availability and Bottlenecks. IEEE Transactions on Dependable and Secure Computing. 17, 92-105 (2020). doi: 10.1109/TDSC.2017.2753803
3. Boano, C., Römer, K., Bloem, R., Witrisal, K., Baunach, M., Horn, M.: Dependability for the Internet of Things—from dependable networking in harsh environments to a holistic view on dependability. e & i Elektrotechnik und Informationstechnik. 133, 304-309 (2016). doi: 10.1007/s00502-016-0436-4
4. IEC 61508-1:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements. https://webstore.iec.ch/publication/5515. last accessed 2020/01/21
5. IEC 60050-192:2015 International Electrotechnical Vocabulary (IEV) - Part 192: Dependability. https://webstore.iec.ch/publication/21886. last accessed 2020/01/21
6. IEC 61703:2016 Mathematical expressions for reliability, availability, maintainability and maintenance support terms. https://webstore.iec.ch/publication/25646. last accessed 2020/01/21
7. Kharchenko, V., Butenko, V., Odarushchenko, O., Sklyar, V.: Multifragmentation Markov Modeling of a Reactor Trip System. Journal of Nuclear Engineering and Radiation Science. 1, (2015). doi: 10.1115/1.4029342
8. Liu, B., Chang, X., Han, Z., Trivedi, K., Rodríguez, R.: Model-based sensitivity analysis of IaaS cloud availability. Future Generation Computer Systems. 83, 1-13 (2018). doi: 10.1016/j.future.2017.12.062
9. Kharchenko, V., Ponochovnyi, Y., Abdulmunem, A., Andrashov, A.: Availability Models and Maintenance Strategies for Smart Building Automation Systems Considering Attacks on Component Vulnerabilities. Advances in Dependability Engineering of Complex Systems. 186-195 (2017). doi: 10.1007/978-3-319-59415-6_18
10. Iglin, S. grTheory - Graph Theory Toolbox – File Exchange – MATLAB Central. https://www.mathworks.com/matlabcentral/fileexchange/4266-grtheory-graph-theory-toolbox. last accessed 2020/01/21.
11. Kharchenko, V., Ponochovnyi, Y., Boyarchuk, A.: Availability Assessment of Information and Control Systems with Online Software Update and Verification. Information and Communication Technologies in Education, Research, and Industrial Applications. 300-324 (2014). doi: 10.1007/978-3-319-13206-8_15
12. Solve stiff differential equations and DAEs – variable order method – MATLAB ode15s. https://www.mathworks.com/help/matlab/ref/ode15s.html. last accessed 2020/01/21
