@inproceedings{hite_symple_2021,
	title = {{SymPLe}: {Complexity}-{Aware} {Design} for {Safety} {Critical} {I}\&{C} {Systems}},
	booktitle = {Proc. 51tst {Annual} {IEEE}-{IFIP} {International} {Conference} on {Dependable} {Systems} and {Networks}-{Supplemental} {Volume}},
	author = {Hite, Richard and Rajagopala, Abhi and Gautham, Smitha and Deloglos, Christopher and Jayakumar, Athira and Collins, Aidan and Elks, Carl and Gibson, Matt},
	year = {2021},
}

@article{hite_symple_2021-1,
	title = {{SymPLe}: {A} {Complexity}-{Aware} {Approach} for {Realizing} {Verifiable} {FPGA}-{Based} {Digital} {I}\&{C} for {Safety} {Critical} {Applications}},
	journal = {Nuclear Science and Engineering},
	author = {Hite, Richard and Deloglos, Christopher and Jayakumar, Athira and Gautham, Smitha and Collins, Aidan and Rajagopala, Abhi and Elks, Carl and Gibson, Matt},
	year = {2021},
}

@article{weiss_understanding_2021,
	title = {Understanding and {Fixing} {Complex} {Faults} in {Embedded} {Cyberphysical} {Systems}},
	volume = {54},
	issn = {0018-9162, 1558-0814},
	url = {http://arxiv.org/abs/2102.03420},
	doi = {10.1109/MC.2020.3029975},
	abstract = {Understanding fault types can lead to novel approaches to debugging and runtime verification. Dealing with complex faults, particularly in the challenging area of embedded systems, craves for more powerful tools, which are now becoming available to engineers.},
	number = {1},
	urldate = {2021-02-09},
	journal = {Computer},
	author = {Weiss, Alexander and Gautham, Smitha and Jayakumar, Athira Varma and Elks, Carl and Kuhn, D. Richard and Kacker, Raghu N. and Preusser, Thomas B.},
	month = jan,
	year = {2021},
	note = {arXiv: 2102.03420},
	keywords = {Computer Science - Software Engineering},
	pages = {49--60},
}

Understanding fault types can lead to novel approaches to debugging and runtime verification. Dealing with complex faults, particularly in the challenging area of embedded systems, craves for more powerful tools, which are now becoming available to engineers.

@article{jayakumar_systematic_2020,
	title = {Systematic {Model}-based {Design} {Assurance} and {Property}-based {Fault} {Injection} for {Safety} {Critical} {Digital} {Systems}},
	url = {https://scholarscompass.vcu.edu/etd/6239},
	doi = {https://doi.org/10.25772/Z555-M644},
	journal = {Theses and Dissertations},
	author = {Jayakumar, Athira Varma},
	month = jan,
	year = {2020},
}

@article{jayakumar_application_2020,
	title = {On the {Application} of {Systematic} t-way {Software} {Testing} for {Safety} {Critical} {Embedded} {Digital} {Devices} in {Nuclear} {Power}},
	journal = {submitted to The 31st International Symposium on Software Reliability Engineering(ISSRE), waiting decision},
	author = {Jayakumar, Athira and Gautham, Smitha and Kuhn, Richard and Simons, Brandon and Collins, Aidan and Dirsch, Thomas and Kacker, Raghu and Elks, Carl},
	year = {2020},
}

@inproceedings{gautham_finding_2020,
	title = {Finding {Synergy} {Between} {Design}-time {Assurance} and {Runtime} {Verification} by {Means} of {Model} {Based} {Engineering}},
	booktitle = {Submitted to 20th {International} {Conference} on {Runtime} {Verification}, 2020, waiting decision},
	author = {Gautham, Smitha and Jayakumar, Athira and Elks, Carl},
	year = {2020},
}

@article{gautham_experiences_2020,
	title = {Experiences on {Applying} {IEC} 61508 {Compliant} {Model}-based {Verification} to an {FPGA} based {System} for {Nuclear} {Power} {Applications}},
	journal = {submitted to IEEE Transactions on Nuclear Science, in revision},
	author = {Gautham, Smitha and Jayakumar, Athira and Hite, Richard and Deloglos, Christopher and Moore, Jason and Tantawy, Ashraf and Gibson, Matt and Elks, Carl},
	year = {2020},
}

@article{khairullah_self-repairing_2020,
	title = {Self-repairing hardware architecture for safety-critical cyber-physical-systems},
	volume = {5},
	issn = {2398-3396},
	doi = {10.1049/iet-cps.2019.0022},
	abstract = {Digital embedded systems in safety-critical cyber-physical-systems (CPSs) require high levels of resilience and robustness against different fault classes. In recent years, self-healing concepts based on biological physiology have received attention for the design and implementation of reliable systems. However, many of these approaches have not been architected from the outset with safety in mind, nor have they been targeted for the safety-related automation industry where the significant need exists. This study presents a new self-healing hardware architecture inspired by integrating biological concepts, fault tolerance techniques, and IEC 61131-3 operational schematics to facilitate adaption in automation and critical infrastructure. The proposed architecture is organised in two levels: the critical functions layer used for providing the intended service of the application and the healing layer that continuously monitors the correct execution of that application and generates health syndromes to heal any failure occurrence inside the functions layer. Finally, two industrial applications have been mapped on this architecture to date, and the authors believe the nexus of its concepts can positively impact the next generation of critical CPSs in industrial automation.},
	number = {1},
	journal = {IET Cyber-Physical Systems: Theory Applications},
	author = {Khairullah, Shawkat S. and Elks, Carl R.},
	year = {2020},
	keywords = {IEC 61131-3 operational schematics, IEC standards, biocomputing, biological concepts, critical function layer, critical infrastructure, cyber-physical systems, digital embedded systems, embedded systems, factory automation, failure analysis, failure occurrence, fault classes, fault tolerance techniques, fault tolerant computing, healing layer, industrial automation, programmable controllers, reliable systems, safety-critical CPS, safety-critical cyber-physical-systems, safety-related automation industry, self-healing hardware architecture},
	pages = {92--99},
}

Digital embedded systems in safety-critical cyber-physical-systems (CPSs) require high levels of resilience and robustness against different fault classes. In recent years, self-healing concepts based on biological physiology have received attention for the design and implementation of reliable systems. However, many of these approaches have not been architected from the outset with safety in mind, nor have they been targeted for the safety-related automation industry where the significant need exists. This study presents a new self-healing hardware architecture inspired by integrating biological concepts, fault tolerance techniques, and IEC 61131-3 operational schematics to facilitate adaption in automation and critical infrastructure. The proposed architecture is organised in two levels: the critical functions layer used for providing the intended service of the application and the healing layer that continuously monitors the correct execution of that application and generates health syndromes to heal any failure occurrence inside the functions layer. Finally, two industrial applications have been mapped on this architecture to date, and the authors believe the nexus of its concepts can positively impact the next generation of critical CPSs in industrial automation.

@inproceedings{jayakumar_property-based_2020,
	address = {Cham},
	series = {Lecture {Notes} in {Computer} {Science}},
	title = {Property-{Based} {Fault} {Injection}: {A} {Novel} {Approach} to {Model}-{Based} {Fault} {Injection} for {Safety} {Critical} {Systems}},
	isbn = {978-3-030-58920-2},
	shorttitle = {Property-{Based} {Fault} {Injection}},
	doi = {10.1007/978-3-030-58920-2_8},
	abstract = {With the recent popularity of model-based design and verification (MBDE), fault injection testing at the functional model level is gaining significant interest. The reason for this interest is it aids in detecting design errors and incorrect requirements on fault detection and tolerance features, very early in the development lifecycle. This is evidenced by the fact that functional safety standards like IEC 61508 and ISO 26262 identify fault injection testing as a highly recommended technique for SIL-3 and SIL-4. The main challenges to date with model-based fault injection are lack of completeness in the fault injection space, semi-manual integration and insertion of fault injection modules into the models and manual identification of fault activation conditions. The work presented in this paper describes a novel model-based fault injection technique that is property-based and applies formal model checking verification methods at the functional model level of design thereby guaranteeing a near-exhaustive state, input and fault space coverage. This method also introduces the usage of properties and model checking capabilities to automate the identification of fault activation conditions for all the faults within the fault space. We describe the workflow and implementation of the property-based Fault injection using Simulink Design Verifier and its application on the functional model of a representative safety-critical system.},
	language = {en},
	booktitle = {Model-{Based} {Safety} and {Assessment}},
	publisher = {Springer International Publishing},
	author = {Jayakumar, Athira Varma and Elks, Carl},
	editor = {Zeller, Marc and Höfig, Kai},
	year = {2020},
	keywords = {Fault injection, Fault tolerance assessment, Model-based fault injection, Model-checking, Safety-critical systems},
	pages = {115--129},
}

With the recent popularity of model-based design and verification (MBDE), fault injection testing at the functional model level is gaining significant interest. The reason for this interest is it aids in detecting design errors and incorrect requirements on fault detection and tolerance features, very early in the development lifecycle. This is evidenced by the fact that functional safety standards like IEC 61508 and ISO 26262 identify fault injection testing as a highly recommended technique for SIL-3 and SIL-4. The main challenges to date with model-based fault injection are lack of completeness in the fault injection space, semi-manual integration and insertion of fault injection modules into the models and manual identification of fault activation conditions. The work presented in this paper describes a novel model-based fault injection technique that is property-based and applies formal model checking verification methods at the functional model level of design thereby guaranteeing a near-exhaustive state, input and fault space coverage. This method also introduces the usage of properties and model checking capabilities to automate the identification of fault activation conditions for all the faults within the fault space. We describe the workflow and implementation of the property-based Fault injection using Simulink Design Verifier and its application on the functional model of a representative safety-critical system.

@inproceedings{bakirtzis_fundamental_2020,
	title = {Fundamental {Challenges} of {Cyber}-{Physical} {Systems} {Security} {Modeling}},
	doi = {10.1109/DSN-S50200.2020.00021},
	abstract = {Systems modeling practice lacks security analysis tools that can interface with modeling languages to facilitate security by design. Security by design is a necessity in the age of safety critical cyber-physical systems, where security violations can cause hazards. Currently, the overlap between security and safety is narrow. But deploying cyber-physical systems means that today's adversaries can intentionally trigger accidents. By implementing security assessment tools for modeling languages we are better able to address threats earlier in the system's lifecycle and, therefore, assure their safe and secure behavior in their eventual deployment. We posit that cyber-physical systems security modeling is practiced insufficiently because it is still addressed similarly to information technology systems.},
	booktitle = {2020 50th {Annual} {IEEE}-{IFIP} {International} {Conference} on {Dependable} {Systems} and {Networks}-{Supplemental} {Volume} ({DSN}-{S})},
	author = {Bakirtzis, Georgios and Ward, Garrett and Deloglos, Christopher and Elks, Carl and Horowitz, Barry and Fleming, Cody},
	month = jun,
	year = {2020},
	keywords = {Analytical models, Data models, Safety, Security, Temperature sensors, Tools, cyber-physical system security modeling, information technology systems, modeling languages, n/a, safe behavior, safety critical cyber-physical systems, safety-critical software, secure behavior, security analysis tools, security assessment tools, security violations, systems modeling practice},
	pages = {33--36},
}

Systems modeling practice lacks security analysis tools that can interface with modeling languages to facilitate security by design. Security by design is a necessity in the age of safety critical cyber-physical systems, where security violations can cause hazards. Currently, the overlap between security and safety is narrow. But deploying cyber-physical systems means that today's adversaries can intentionally trigger accidents. By implementing security assessment tools for modeling languages we are better able to address threats earlier in the system's lifecycle and, therefore, assure their safe and secure behavior in their eventual deployment. We posit that cyber-physical systems security modeling is practiced insufficiently because it is still addressed similarly to information technology systems.

@article{gautham_multilevel_2020,
	title = {Multilevel {Runtime} {Security} and {Safety} {Monitoring} for {Cyber} {Physical} {Systems} using {Model}-based {Engineering}},
	journal = {submitted to SafeComp DevOps Workshop on Safety and Security},
	author = {Gautham, Smitha and Jayakumar, Athira and Elks, Carl},
	month = sep,
	year = {2020},
	note = {Acceptance rate 30\%},
}

@inproceedings{deloglos_attacker_2020,
	address = {Cham},
	series = {Lecture {Notes} in {Computer} {Science}},
	title = {An {Attacker} {Modeling} {Framework} for the {Assessment} of {Cyber}-{Physical} {Systems} {Security}},
	isbn = {978-3-030-54549-9},
	doi = {10.1007/978-3-030-54549-9_10},
	abstract = {Characterizing attacker behavior with respect to Cyber-Physical Systems is important to assuring the security posture and resilience of these systems. Classical cyber vulnerability assessment approaches rely on the knowledge and experience of cyber-security experts to conduct security analyses and can be inconsistent where the experts’ knowledge and experience are lacking. This paper proposes a flexible attacker modeling framework that aids in the security analysis process by simulating a diverse set of attacker behaviors to predict attack progression and provide consistent system vulnerability analysis. The model proposes an expanded architecture of vulnerability databases to maximize its effectiveness and consistency in detecting CPS vulnerabilities while being compatible with existing vulnerability databases. The model has the power to be implemented and simulated against an actual or virtual CPS. Execution of the attacker model is demonstrated against a simulated industrial control system architecture, resulting in a probabilistic prediction of attacker behavior.},
	language = {en},
	booktitle = {Computer {Safety}, {Reliability}, and {Security}},
	publisher = {Springer International Publishing},
	author = {Deloglos, Christopher and Elks, Carl and Tantawy, Ashraf},
	editor = {Casimiro, António and Ortmeier, Frank and Bitsch, Friedemann and Ferreira, Pedro},
	year = {2020},
	note = {Acceptance rate 20\%},
	keywords = {Attacker modeling, CPS, Security},
	pages = {150--163},
}

Characterizing attacker behavior with respect to Cyber-Physical Systems is important to assuring the security posture and resilience of these systems. Classical cyber vulnerability assessment approaches rely on the knowledge and experience of cyber-security experts to conduct security analyses and can be inconsistent where the experts’ knowledge and experience are lacking. This paper proposes a flexible attacker modeling framework that aids in the security analysis process by simulating a diverse set of attacker behaviors to predict attack progression and provide consistent system vulnerability analysis. The model proposes an expanded architecture of vulnerability databases to maximize its effectiveness and consistency in detecting CPS vulnerabilities while being compatible with existing vulnerability databases. The model has the power to be implemented and simulated against an actual or virtual CPS. Execution of the attacker model is demonstrated against a simulated industrial control system architecture, resulting in a probabilistic prediction of attacker behavior.

@techreport{elks_realization_2019,
	title = {Realization of a {Automated} {T}-{Way} {Combinatorial} {Testing} {Approach} {For} a {Software} {Based} {Embedded} {Digital} {Device}},
	url = {https://www.osti.gov/biblio/1606019},
	abstract = {The U.S. Department of Energy's Office of Scientific and Technical Information},
	language = {English},
	number = {INL/EXT-19-54096-Rev000},
	urldate = {2021-02-18},
	institution = {Idaho National Lab. (INL), Idaho Falls, ID (United States)},
	author = {Elks, Dr Carl and Deloglos, Christopher and Jayakumar, Athira and Tantawy, Dr Ashraf and Hite, Rick and Gautham, Smitha},
	month = jun,
	year = {2019},
	doi = {https://doi.org/10.2172/1606019},
}

The U.S. Department of Energy's Office of Scientific and Technical Information

@book{elks_realizing_2019,
	title = {Realizing {Verifiable} {I}\&{C} and {Embedded} {Digital} {Devices} for {Nuclear} {Power} {Design}, {Verification} and {Demonstration} of the {SymPLe} {Architecture}},
	abstract = {This report describes the design, development, and Prototype implementation of the SymPle FPGA architecture for safety critical Nuclear Power Applications. We used Model based design and engineering tools (Simulink) to achieve rigorous design assurance with respect to IEC 61508 SIL 3 and 4.},
	author = {Elks, Carl and Tantawy, Ashraf and Hite, Richard and Gautham, Smitha and Jayakumar, Athira and Deloglos, Christopher},
	month = jun,
	year = {2019},
}

This report describes the design, development, and Prototype implementation of the SymPle FPGA architecture for safety critical Nuclear Power Applications. We used Model based design and engineering tools (Simulink) to achieve rigorous design assurance with respect to IEC 61508 SIL 3 and 4.

@techreport{gibson_achieving_2019,
	title = {Achieving {Verifiable} and {High} {Integrity} {Instrumentation} and {Control} {Systems} through {Complexity} {Awareness} and {Constrained} {Design}. {Final} {Report}},
	institution = {Electric Power Research Institute (EPRI), Charlotte, NC (United States)},
	author = {Gibson, Matt and Elks, Carl and Tantawy, Ashraf and Hite, Richard and Gautham, Smitha and Jayakumar, Athira and Deloglos, Christopher},
	year = {2019},
}

@article{bakirtzis_data-driven_2019,
	title = {Data-{Driven} {Vulnerability} {Exploration} for {Design} {Phase} {System} {Analysis}},
	issn = {1937-9234},
	doi = {10.1109/JSYST.2019.2940145},
	abstract = {Applying security as a lifecycle practice is becoming increasingly important to combat targeted attacks in safety-critical systems. Among others, there are two significant challenges in this area: the need for models that can characterize a realistic system in the absence of an implementation and an automated way to associate attack vector information, that is, historical data, to such system models. We propose the cybersecurity body of knowledge (CYBOK), which takes in sufficiently characteristic models of systems and acts as a search engine for potential attack vectors. CYBOK is fundamentally an algorithmic approach to vulnerability exploration, which is a significant extension to the body of knowledge it builds upon. By using CYBOK, security analysts and system designers can work together to assess the overall security posture of systems early in their lifecycle, during major design decisions and before final product designs, consequently, assisting in applying security earlier and throughout the systems lifecycle.},
	journal = {IEEE Systems Journal},
	author = {Bakirtzis, Georgios and Simon, Brandon J. and Collins, Aidan G. and Fleming, Cody Harrison and Elks, Carl R.},
	year = {2019},
	keywords = {Analytical models, Computer security, Cyber-physical systems, Data models, Hardware, Safety, Software, model-based engineer-ing, safety, security},
	pages = {1--10},
}

Applying security as a lifecycle practice is becoming increasingly important to combat targeted attacks in safety-critical systems. Among others, there are two significant challenges in this area: the need for models that can characterize a realistic system in the absence of an implementation and an automated way to associate attack vector information, that is, historical data, to such system models. We propose the cybersecurity body of knowledge (CYBOK), which takes in sufficiently characteristic models of systems and acts as a search engine for potential attack vectors. CYBOK is fundamentally an algorithmic approach to vulnerability exploration, which is a significant extension to the body of knowledge it builds upon. By using CYBOK, security analysts and system designers can work together to assess the overall security posture of systems early in their lifecycle, during major design decisions and before final product designs, consequently, assisting in applying security earlier and throughout the systems lifecycle.

@techreport{elks_specification_2018,
	address = {Office of Nuclear Energy},
	type = {Technical {Report}},
	title = {Specification of a {Bounded} {Exhaustive} {Testing} {Study} for a {Software}-based {Embedded} {Digital} {Device}},
	language = {en},
	number = {INL/EXT-18-52032},
	institution = {U.S. Department of Energy},
	author = {Elks, Carl and Deloglos, Christopher and Tantawy, Dr Ashraf and Hite, Rick and Guatham, Smitha and Jayakumar, Athira},
	month = nov,
	year = {2018},
	pages = {38},
}

@article{khairullah_bio-inspired_2018,
	title = {A {Bio}-{Inspired}, {Self}-{Healing}, {Resilient} {Architecture} for {Digital} {Instrumentation} and {Control} {Systems} and {Embedded} {Devices}},
	volume = {202},
	issn = {0029-5450},
	url = {https://doi.org/10.1080/00295450.2018.1450014},
	doi = {10.1080/00295450.2018.1450014},
	abstract = {One of the essential concepts being postulated for next generation nuclear power plants (NPPs) that could include Gen IV reactors—small modular reactors—is the notion of resilient and survivable instrumentation and control (I\&C) systems. Resilience at the system and plant level will rely on highly robust and fault-tolerant digital embedded devices as a foundation. This paper presents a new self-healing programmable digital I\&C architecture, BioSymPLe, inspired from the way nature responds, defends, and heals: the stem cells in the immune system of living organisms and the pathway from DNA to protein. The BioSymPLe is organized in a four-layered approach: (1) cellular layer that includes four sublayers, with each sublayer allocating two functional B cells which represent the building block that executes the local functionality of NPP critical application based on the expression for DNA genetic codes stored inside each cell; (2) tissue layer that embeds eight redundant T cells and eight routing units to facilitate coordination and organized behavior among a network of four cellular sublayers; (3) internal healing layer that monitors the correct execution of functions at the cellular level and activates healing mechanism at the tissue level; and (4) external healing layer using a concept of embryonic stem cells by differentiating this type of cell to repair the faulty T cells. Finally, the BioSymPLe is capable of tolerating a significant number of faults (transient, permanent, or hardware common cause failures) that can stem from environmental disturbances, and we believe it can positively impact the operation of next generation digital I\&C systems in NPPs.},
	number = {2-3},
	urldate = {2020-11-10},
	journal = {Nuclear Technology},
	author = {Khairullah, Shawkat S. and Elks, Carl R.},
	month = jun,
	year = {2018},
	note = {Publisher: Taylor \& Francis
\_eprint: https://doi.org/10.1080/00295450.2018.1450014},
	keywords = {Instrumentation and control, living organisms, nuclear power plant, resilience, self-healing},
	pages = {141--152},
}

One of the essential concepts being postulated for next generation nuclear power plants (NPPs) that could include Gen IV reactors—small modular reactors—is the notion of resilient and survivable instrumentation and control (I&C) systems. Resilience at the system and plant level will rely on highly robust and fault-tolerant digital embedded devices as a foundation. This paper presents a new self-healing programmable digital I&C architecture, BioSymPLe, inspired from the way nature responds, defends, and heals: the stem cells in the immune system of living organisms and the pathway from DNA to protein. The BioSymPLe is organized in a four-layered approach: (1) cellular layer that includes four sublayers, with each sublayer allocating two functional B cells which represent the building block that executes the local functionality of NPP critical application based on the expression for DNA genetic codes stored inside each cell; (2) tissue layer that embeds eight redundant T cells and eight routing units to facilitate coordination and organized behavior among a network of four cellular sublayers; (3) internal healing layer that monitors the correct execution of functions at the cellular level and activates healing mechanism at the tissue level; and (4) external healing layer using a concept of embryonic stem cells by differentiating this type of cell to repair the faulty T cells. Finally, the BioSymPLe is capable of tolerating a significant number of faults (transient, permanent, or hardware common cause failures) that can stem from environmental disturbances, and we believe it can positively impact the operation of next generation digital I&C systems in NPPs.

@inproceedings{khairullah_toward_2017,
	title = {Toward biologically inspired self-healing digital embedded devices: {Bio}-{SymPLe}},
	shorttitle = {Toward biologically inspired self-healing digital embedded devices},
	booktitle = {10th {International} {Topical} {Meeting} on {Nuclear} {Plant} {Instrumentation}, {Control}, and {Human} {Machine} {Interface} {Technologies}, {San} {Francisco}, {CA}},
	author = {Khairullah, Shawkat S. and Bakker, Tim and Elks, Carl R.},
	year = {2017},
}

@inproceedings{elks_symple_2017,
	title = {{SymPLe} 1131: {A} novel architecture solution for the realization of verifiable digital {I}\&{C} systems and embedded digital devices},
	shorttitle = {{SymPLe} 1131},
	booktitle = {10th {Int}. {Topical} {Meeting} on {Nuclear} {Plant} {Instrumentation}, {Control}, and {Human} {Machine} {Interface} {Technologies}, {San} {Francisco}, {California}},
	author = {Elks, C. R. and Bakker, T. and Hite, R. and Gautham, S. and Venkatesh, V. and Moore, J.},
	year = {2017},
}