Industrial computer-based control systems are crucial to society, they control the water we drink, the power we use, the cars we drive as well as railways and air transportation. These systems need to be trusted and trustworthy. They are often networked into complex and interconnected systems of systems and control and protect the UK national infrastructure. An important aspect of infrastructures is their interactions and interdependencies: the functioning of one infrastructures service often depends on the functioning of another. As the infrastructure becomes layered and there are secondary services layered on top of these primary infrastructures and as the network becomes dynamic and controlled by computer networks and systems there is considerable potential for unforeseen interaction and dependencies. As Industrial control systems become more networked, the previous strategy of making them secure by isolating them from the world becomes ineffective. In addition those who might harm the system either out of maliciousness or misplaced curiosity proliferate and their expertise increases, so the importance of security for the availability and integrity of services and systems is becoming ever more significant. The research focuses on the importance of dependencies and interdependencies in this security context. These have been studied for a number of years and it is known that unforeseen interdependencies are a source of threat to systems and an important factor in our uncertainty of risk assessment, particularly risk due to cascade failures in which the rate and size of loss is amplified. However there two faces to interdependencies, while we are concerned about how they might make attacking the system easier and a source of unforeseen behaviours, it is also central to providing tolerance to attack and failure. Redundancy, diversity, defence in depth are deliberately engineered into control systems to increase dependability and are an important mechanism for adaptation and overall resilience. Any risk assessment of computer based control systems has to take into account uncertainty about the structure of the system. It is not just the uncertainty of when events might happen but uncertainty about the world, so-called epistemic uncertainty. For example, audits for the US DHS states that they find, on average, 11 unexpected connections between the SCADA system and the enterprise network for each audit A key part of risk assessment is communication to stakeholders and society as appropriate. We will develop a security informed (or cyber-informed) enhancement to evaluating and communicating business and other risks from lack of control system integrity and availability based on a claims, arguments, evidence (CAE) framework. Our focus will be to include cyber informed dependency analysis within these assessments. The research to do this will follow an impact driven, threat-informed and vulnerability-focused strategy. We will also develop probabilistic models that address explicitly the evolving relationship between an adversary and attacks on the one hand and of the consequences of a successful attack as well as the dependencies between the mitigations and barriers. We are particularly interested in modelling and evaluating defence in depth as a fundamental part of any resilient and trustworthy system yet estimating its effectiveness given uncertainties in the system structure and the attack space is enormously difficult. We will develop a modelling toolset based on existing tools we have developed within EU, Artemis and TSB projects that integrate stochastic and deterministic (e.g. of power flow). We will conduct case studies based on problems provided by our project partners Adelard (a specialist SME that evaluates ICS systems and components) and Alsthom.

Tacit knowledge / 'knowing more than we can tell' / is knowledge that we know we have but can't articulate, or knowledge that we don't know that we have but nevertheless use. We rely on tacit knowledge to communicate effectively: we need not make every assumption we hold explicit, allowing us to focus on the essence of what we wish to communicate. As engineers concerned with the development of software and systems, however, we are taught to make our assumptions explicit, and indeed any kind of knowledge that is not made explicit makes our systems analysis more difficult and error prone. This problem is particularly acute during requirements engineering (RE) / when knowledge about the problem world and stakeholder requirements is elicited, and precise specifications of system structure and behaviour are developed. Requirements are often first communicated in natural language (NL), and are often ambiguous, incomplete, and inevitably full of undocumented assumptions and other omissions. Effective analysis of such requirements needs to surface this tacit knowledge / automatically or semi-automatically where possible / to document more precise requirements that can be relied upon by stakeholders to communicate effectively. Our proposed project aims to investigate techniques for analysing NL requirements, in order to discover, manage, and mitigate the negative effects of tacit knowledge in requirements. We propose to adopt an empirical approach to characterise and elicit tacit knowledge, and a constructive, theoretically-grounded but user-driven approach to develop practical techniques and tools to guide analysts concerned with the development of precise requirements for software-intensive systems.Our proposed approach is to mitigate the negative consequences of tacit knowledge by developing techniques to discover its differential impact on the understanding and use of requirements artefacts. This will enable the management of the effects of tacit knowledge, helping analysts identify where knowledge needs to be made explicit and providing tools capable of resolving at least some of the harmful effects. The results of our work will comprise tools and techniques for: improving the management of requirements information through automatic trace recovery; discovering the presence of tacit knowledge from the tracking of presuppositions and unprovenanced requirements; and the detection of nocuous ambiguity in requirements documents that imply potential for misinterpretation. A number of robust, lightweight natural language processing (NLP) techniques already exist that we will extend to develop our tools. If successful, the results of the work may have tangible benefits to RE practice. More fundamentally, by focusing on the down-stream symptoms of tacit knowledge, our work will make an important contribution to deepening our understanding of the role played by tacit knowledge in RE.

Abstracts are not currently available in GtR for all funded research. This is normally because the abstract was not required at the time of proposal submission, but may be because it included sensitive information such as personal details.