Modelling and Simulation of the response process for an emergency at the Great Belt bridge
1 like1,300 views
The document summarizes an experience report on modelling and simulating railway emergency response plans. It discusses using declarative process models and collaborative simulation to study how emergency plans may be impacted by combined physical and cyber attacks. Key steps involved collaboratively mapping out emergency response procedures with experts, and then simulating scenarios using the process model to explore vulnerabilities and make recommendations. The approach was tested on a case study of the Great Belt Bridge incident, and conclusions were that collaborative mapping and simulation is a viable way to study cyber-physical vulnerabilities in critical infrastructure.
Modelling and Simulation of the response process for an emergency at the Great Belt bridge
- 1. Experience Report: Modelling and Simulation of Railway Emergency Response Plans ITU ProSec, May 2nd, 2016 Søren Debois Joint work with Thomas Hildebrandt & Lene Sandberg
- 2. Plan • Cyber-threats to Critical Infrastructure • The method • The Great Belt Bridge incident case • Collaborative mapping & simulation • Conclusions
- 4. Cyber-physical attacks on Critical Infrastructure • Operators (DSB, BaneDanmark) robust against physical incidents, including terrorism. • Operators IT system landscape very large and varied. • However, traditional “No-IT” approach to train operators still form foundations of day-to-day operations.
- 5. The potential weakness • Cyber-physical assault: Combined physical & cyber attack. • Do emergency response plans hold up when both IT and physical infrastructure is physically attacked?
- 6. How to investigate? • Extensive emergency response plans exist. Drills are performed regularly. • Let’s simulate! • But wait! Paper-based rehearsals don’t actually use ICT systems. How to simulate? • We need to simulate both the actions of drill participants and breakdowns of IT systems. • We have to be sure no-one “cheats” by accidentally assuming some system is functioning.
- 7. Declarative Process Models • Formal model of emergency response process. • Give enormous freedom within a set of rules. • No-one cheats accidentally; the model won’t allow it.
- 8. Example
- 9. How do we try this out? How do we get the process model?
- 10. Case: Great Belt Bridge
- 11. Collaborative mapping • Extensive documentation of emergency response procedures exists. • We sat down with domain experts from DSB & BaneDanmark and constructed a model based on that documentation.
- 13. How do we know whether this model is meaningful?
- 14. Collaborative simulation • Simulation gives the ability to explore un- anticipated paths and “what-if” scenarios. • Collaborative simulation brings a new level of realism, especially for coordination problems of emergency response scenarios.
- 15. Simulation study, Metropol • At Metropol, students of Emergency and Risk Management as participants. • Tool provided insufficient overview. • Tool did not hide available and executed actions of other participants .
- 16. Simulation study, DSB • At DSB, with DSB emergency response team lead and experienced train driver. • Recommendations: Pictures, text, documentation in-tool.
- 17. Conclusions
- 18. Conclusions • Collaborative mapping and simulation of emergency response processes is a viable means of studying ICT/Cyber-physical vulnerabilities. • DCR Formalism accessible to domain experts (with assistance) • DCR Tooling almost there.
- 19. Future work • Integrating the IT system landscape into the model.