Industrial computer-based control systems are crucial to society, they control the water we drink, the power we use, the cars we drive as well as railways and air transportation. These systems need to be trusted and trustworthy. They are often networked into complex and interconnected systems of systems and control and protect the UK national infrastructure. An important aspect of infrastructures is their interactions and interdependencies: the functioning of one infrastructures service often depends on the functioning of another. As the infrastructure becomes layered and there are secondary services layered on top of these primary infrastructures and as the network becomes dynamic and controlled by computer networks and systems there is considerable potential for unforeseen interaction and dependencies. As Industrial control systems become more networked, the previous strategy of making them secure by isolating them from the world becomes ineffective. In addition those who might harm the system either out of maliciousness or misplaced curiosity proliferate and their expertise increases, so the importance of security for the availability and integrity of services and systems is becoming ever more significant. The research focuses on the importance of dependencies and interdependencies in this security context. These have been studied for a number of years and it is known that unforeseen interdependencies are a source of threat to systems and an important factor in our uncertainty of risk assessment, particularly risk due to cascade failures in which the rate and size of loss is amplified. However there two faces to interdependencies, while we are concerned about how they might make attacking the system easier and a source of unforeseen behaviours, it is also central to providing tolerance to attack and failure. Redundancy, diversity, defence in depth are deliberately engineered into control systems to increase dependability and are an important mechanism for adaptation and overall resilience. Any risk assessment of computer based control systems has to take into account uncertainty about the structure of the system. It is not just the uncertainty of when events might happen but uncertainty about the world, so-called epistemic uncertainty. For example, audits for the US DHS states that they find, on average, 11 unexpected connections between the SCADA system and the enterprise network for each audit A key part of risk assessment is communication to stakeholders and society as appropriate. We will develop a security informed (or cyber-informed) enhancement to evaluating and communicating business and other risks from lack of control system integrity and availability based on a claims, arguments, evidence (CAE) framework. Our focus will be to include cyber informed dependency analysis within these assessments. The research to do this will follow an impact driven, threat-informed and vulnerability-focused strategy. We will also develop probabilistic models that address explicitly the evolving relationship between an adversary and attacks on the one hand and of the consequences of a successful attack as well as the dependencies between the mitigations and barriers. We are particularly interested in modelling and evaluating defence in depth as a fundamental part of any resilient and trustworthy system yet estimating its effectiveness given uncertainties in the system structure and the attack space is enormously difficult. We will develop a modelling toolset based on existing tools we have developed within EU, Artemis and TSB projects that integrate stochastic and deterministic (e.g. of power flow). We will conduct case studies based on problems provided by our project partners Adelard (a specialist SME that evaluates ICS systems and components) and Alsthom.

Tacit knowledge / 'knowing more than we can tell' / is knowledge that we know we have but can't articulate, or knowledge that we don't know that we have but nevertheless use. We rely on tacit knowledge to communicate effectively: we need not make every assumption we hold explicit, allowing us to focus on the essence of what we wish to communicate. As engineers concerned with the development of software and systems, however, we are taught to make our assumptions explicit, and indeed any kind of knowledge that is not made explicit makes our systems analysis more difficult and error prone. This problem is particularly acute during requirements engineering (RE) / when knowledge about the problem world and stakeholder requirements is elicited, and precise specifications of system structure and behaviour are developed. Requirements are often first communicated in natural language (NL), and are often ambiguous, incomplete, and inevitably full of undocumented assumptions and other omissions. Effective analysis of such requirements needs to surface this tacit knowledge / automatically or semi-automatically where possible / to document more precise requirements that can be relied upon by stakeholders to communicate effectively. Our proposed project aims to investigate techniques for analysing NL requirements, in order to discover, manage, and mitigate the negative effects of tacit knowledge in requirements. We propose to adopt an empirical approach to characterise and elicit tacit knowledge, and a constructive, theoretically-grounded but user-driven approach to develop practical techniques and tools to guide analysts concerned with the development of precise requirements for software-intensive systems.Our proposed approach is to mitigate the negative consequences of tacit knowledge by developing techniques to discover its differential impact on the understanding and use of requirements artefacts. This will enable the management of the effects of tacit knowledge, helping analysts identify where knowledge needs to be made explicit and providing tools capable of resolving at least some of the harmful effects. The results of our work will comprise tools and techniques for: improving the management of requirements information through automatic trace recovery; discovering the presence of tacit knowledge from the tracking of presuppositions and unprovenanced requirements; and the detection of nocuous ambiguity in requirements documents that imply potential for misinterpretation. A number of robust, lightweight natural language processing (NLP) techniques already exist that we will extend to develop our tools. If successful, the results of the work may have tangible benefits to RE practice. More fundamentally, by focusing on the down-stream symptoms of tacit knowledge, our work will make an important contribution to deepening our understanding of the role played by tacit knowledge in RE.

Abstracts are not currently available in GtR for all funded research. This is normally because the abstract was not required at the time of proposal submission, but may be because it included sensitive information such as personal details.

We all critically depend on and use digital systems that sense and control physical processes and environments. Electricity, gas, water, and other utilities require the continuous operation of both national and local infrastructures to deliver their services. Industrial processes, for example for chemical manufacturing, production of materials such as cement, steel, aluminium or fertilizers, and manufacturing chains for car production or pharmaceuticals similarly lie at this intersection of the digital and the physical. This intersection also applies in other CPS such as robots, autonomous cars, and drones. All such systems are exposed to malicious threats and have been the target of cyber-attacks by different threat actors ranging from disgruntled employees to hacktivists, terrorists, organised crime and nation states. The increasing fragility and vulnerability of our cyber-enabled society is rapidly approaching intolerable limits. As these systems become larger and more complex interruption of service in any of these infrastructures can cause significant cascading effects with safety, economic and societal impacts. Because we critically depend on the operation of such systems, disruption to their operations must be minimised even when they are under attack and have been partially compromised. Because they operate in a physical environment, the safety of such systems must be preserved at all times to avoid physical damage and even threat to life. Therefore, ensuring the resilience of such systems, their survivability and continued operation when exposed to malicious threats requires the integration of methods and processes from security analysis, safety analysis, system design and operation that have traditionally been done separately and that each involve specialist skills and a significant amount of human effort. This is not only costly, but also error prone and delays response to security events. The full integration and automation of such methodologies will be a challenge for many years to come. However, RESICS aims to significantly advance the state-of-the-art and deliver novel contributions that facilitate: a) risk analysis for such systems in the face of adversarial threats taking into account the impact of security events across the cascading inter-dependencies; b) characterising attacks that can have an impact on the safety of the system, identifying the paths that make such attacks possible; c) identifying countermeasures that can be applied to mitigate threats and contain the impact of attacks; and d) ensuring that such countermeasures can be applied whilst preserving the system's safety and operational constraints and maximising its availability. These contributions will be evaluated across several test beds, digital twins, a cyber range and a number of use-cases across different industry sectors. They will deliver increased automation, lower the skill requirements involved in the analysis and in mitigating threats and improve response times to security incidents. To achieve these goals RESICS will combine model-driven and empirical approaches across both security and safety analysis, adopting a systems-thinking approach which emphasises Security, Safety and Resilience as emerging properties of the system. RESICS leverages preliminary results in the integration of safety and security methodologies with the application of formal methods and the combination of model-based and empirical approaches to the analysis of inter-dependencies in ICSs and CPSs.

Mobile and autonomous robots have an increasingly important role in industry and the wider society; from driverless vehicles to home assistance, potential applications are numerous. The UK government identified robotics as a key technology that will lead us to future economic growth (tinyurl.com/q8bhcy7). They have recognised, however, that autonomous robots are complex and typically operate in ever-changing environments (tinyurl.com/o2u2ts7). How can we be confident that they perform useful functions, as required, but are safe? It is standard practice to use testing to check correctness and safety. The software-development practice for robotics typically includes testing within simulations, before robots are built, and then testing of the actual robots. Simulations have several benefits: we can test early, and test execution is cheaper and faster. For example, simulation does not require a robot to move physically. Testing with the real robots is, however, still needed, since we cannot be sure that a simulation captures all the important aspects of the hardware and environment. In the current scenario, test generation is typically manual; this makes testing expensive and unreliable, and introduces delays. Manual test generation is error-prone and can lead to tests that produce the wrong verdict. If a test incorrectly states that the robot has a failure, then developers have to investigate, with extra cost and time. If a test incorrectly states that the robot behaves as expected, then a faulty system may be released. Without a systematic approach, tests may also identify infeasible environments; such tests cannot be used with the real robot. To make matters worse, manual test generation limits the number of tests produced. All this affects the cost and quality of robot software, and is in contrast with current practice in other safety-critical areas, like the transport industry, which is highly regulated. Translation of technology, however, is not trivial. For example, lack of a driver to correct mistakes or respond to unforeseen circumstances leads to a much larger set of working conditions for an autonomous vehicle. Another example is provided by probabilistic algorithms, which make the robot behaviour nondeterministic, and so, difficult to repeat in testing and more difficult to characterise as correct or not. We will address all these issues with novel automated test-generation techniques for mobile and autonomous robots. To use our techniques, a RoboTest tester constructs a model of the robot using a familiar notation already employed in the design of simulations and implementations. After that, instead of spending time designing simulation scenarios, the RoboTest tester, with the push of a button, generates tests. With RoboTest, testing is cheaper, since it takes less time, and is more effective, because the RoboTest tester can use many more tests, especially when using a simulation. To execute the tests, the RoboTest tester can choose from a few simulators employing a variety of approaches to programming. Execution of the tests also follows the push of a button. Yet another button translates simulation to deployment tests. So, the RoboTest tester can trace back the results from the deployment tests to the simulation and the original model. So, the RoboTest tester is in a strong position to understand the reality gap between the simulation and the real world. The RoboTest tester knows that the verdicts for the tests are correct, and understands what the testing achieves; for example, it can be guaranteed to find faults of an identified class. So, the RoboTest tester can answer the very difficult question: have we tested enough? In conclusion, RoboTest will move the testing of mobile and autonomous robots onto a sound footing. RoboTest will make testing more efficient and effective in terms of person effort, and so, achieve longer term reduced costs.