A Survey of Interdependency Models for Critical Infrastructure Networks
AA Survey of Interdependency Models forCritical Infrastructure Networks
Joydeep BANERJEE a , , Arun DAS a , and Arunabha SEN a , Computer Science and Engineering ProgramSchool of Computing, Informatics and Decision System EngineeringArizona State University, Tempe, Arizona 85287, USA
Abstract.
The critical infrastructures of the nation such as the power grid and thecommunication network are highly interdependent. Also, it has been observed thatthere exists complex interdependent relationships between individual entities of thepower grid and the communication network that further obfuscates the analysis, andmitigation of faults in such multi-layered networks. In recent years, the researchcommunity has made significant efforts towards gaining insight and understandingof the interdependency relations in such multi-layered networks, and accordingly,a number of models have been proposed and analyzed towards realizing this goal.In this chapter we study existing interdependency models proposed in the recentliterature and discuss their approach, and inherent features, towards modeling inter-dependent multi-layer networks. We also provide a brief discussion into the draw-backs of each of these models and propose an alternate model that addresses thesedrawbacks by capturing the interdependency relationships using a combination ofconjunctive and disjunctive relations.
Keywords.
Interdependent Network, Power Network, Communication Network,Cascading Failure
1. Introduction
In the last few years there has been an increasing awareness in the research com-munity that the critical infrastructures of the nation do not operate in isolation. In fact,they are closely coupled with other infrastructures such that the well being of one infras-tructure depends heavily on the well being of another. As an example, consider the in-terdependent relationship between the power, communication, and transport networks asshown in Figure 1 [1]. If we focus exclusively on the power and communication networkswe observe that entities of the power grid, such as the Supervisory Control and Data Ac-quisition (SCADA) systems, that control power stations and sub-stations, are dependent Correspondence To: Joydeep Banerjee, E-mail: [email protected] Correspondence To: Arun Das, E-mail: [email protected] a r X i v : . [ phy s i c s . s o c - ph ] F e b n the communication network to receive their operational commands. While entities ofthe communication network, such as routers and cell towers, are dependent on the powergrid to remain operational. Compounding the complexity of analysis of this symbioticrelationship between the two networks, is the effect of cascading failures across thesenetworks. For instance, not only can entities of the power networks, such as generatorsand transmission lines, trigger a power failure, but also communication network entities,such as routers and optical fiber lines, can trigger failures in the power grid. Thus, itis essential that the interdependency between different types of networks be understoodwell, so that preventive measures can be taken to avoid cascading catastrophic failures insuch multi-layered network environments. Figure 1.
Interdependency between power, communication and transportation infrastructures
With the continued focus for developing realistic failure propagation models thataid in analyzing, and mitigating the effects of cascading faults across the entities of themulti-layered network, several failure propagation models have been studied that addressthe interdependency relationship between power, and communication networks [3,7,8,9],and space based networks [10].In this chapter we present a survey of the existing interdependency models for criti-cal infrastructure networks that have been proposed in the recent literature. In Section 2,we present the models and draw attention to some of their limitations. In Section 3 weoutline the considerations that need to be taken into account for capturing the complexinterdependency that exists between power grid and communication networks in the realworld. In Section 4 we propose an alternative model that overcomes some of the limita-tions of existing models by capturing the interdependency between the networks usinga combination of conjunctive and disjunctive relations. Finally, in Section 5 we presentconcluding remarks. . Interdependency Models
Motivated by the electricity blackout in Italy (2003) Buldyrev et al. [3] proposed a cas-cading failure model for interdependent networks.The power and communication infrastructures can be represented as networks.These networks are depicted as two connected graphs P (for power network) and C (forcommunication network) with same number of nodes. To represent the interdependencybetween the networks, bidirectional links between P and C , termed as P ↔ C edges, areconsidered with every node in each graph connected to exactly one node in the othergraph as shown in Figure 2(a). These bidirectional links represent the interdependencyrelationship that a node in the power network is dependent on exactly one node in thecommunication network and vice-versa. Thus capturing the fact that a failure of a nodein the power (communication) network causes the corresponding node in the commu-nication (power) network to fail. Hence the interdependent power and communicationinfrastructure can be represented as a network consisting of graphs P and C and P ↔ C edges.Failures are considered in the model when a fraction of the nodes from any of the twographs P , or C are removed. Upon the introduction of a failure in the graph P , the failednodes are removed and correspondingly, the nodes in the graph C that are connected via P ↔ C edges to the attacked nodes are also removed. Parallel to the node removals, anyedge within graph P or C , or P ↔ C edges that do not have one node at each end pointare also simultaneously removed.The cascade now proceeds as follows. In the first stage, the set of connected com-ponents in the graph P is defined as p clusters. The set of C nodes connected to the p clusters by P ↔ C edges are termed as c sets. Any edges in graph C , that connectsthese c sets are removed. The set of connected components in graph C after this removalof edges are defined as c clusters. In the second stage using same procedure as that tofind the c cluster and c sets, p sets (from c clusters and p clusters are obtained.In subsequent stages this cascade process then oscillates between the two graphs untila steady state is reached when no further removal of edges in the graphs are possible.At the steady state, the interdependent network consists of mutually connected clusters .Each mutually connected cluster consists of nodes having the properties (a) the nodes ingraphs P and C are completely connected, (b) each of these nodes which belong to thegraph P ( C ) has P ↔ C edge with graph C ( P ). Note that there exists no intra-links be-tween any of the mutually connected clusters. An example demonstrating this cascadingprocess is shown in Figure 2.The largest mutually connected cluster is defined as the cluster having the maximumnumber of nodes. Given a fraction 1 − p , (0 ≤ p ≤
1) of nodes that are removed fromthe interdependent network (due to a failure), the ratio P ∞ defines the number of nodesin the largest mutually connected cluster at the steady state, as compared to the initialnumber of nodes in the network. For the purpose of simulation and study, the powerand communication networks are considered as, coupled scale free, Erdos Reyni [15],and random networks. Different values of P ∞ were computed by varying the values of p , and the size of the network. It was observed that, above a percolation threshold p c ,the value of P ∞ changes from the neighborhood of zero to the neighborhood of one for igure 2. The interdependent network shown consists of power network nodes p , p , p and p and commu-nication network nodes c , c , c and c . Blue and green edges represent intra links in power and communica-tion network respectively and black edges represent the interdependency (inter links). In the respective figuresthe cascading failure is demonstrated as follows — (a) Node p is attacked, (b) the node p and its intra linksare removed along with its interdependent node c and its intra link, (c) the intra link ( c , c ) is removed usingthe cascade process defined. And finally, the steady state is reached comprising of two mutually connectedclusters with cluster 2 as the largest mutually connected cluster. a given network size. From this observation the authors infer that when the fraction offailed node is below 1 − p c of the original number of nodes, the largest connected clusterhas a size approximately equal to the size of initial pre-failure network. The percolationthreshold p c for Erdos Reyni networks is validated by analytical results.In subsequent papers, Buldyrev et al. extend their work from their original cascadingfailure model (as discussed above), to interdependent networks with directional depen-dency [4], and interdependency between more than one network [5].One noticeable shortcoming of this model proposed by Buldyrev et al. is that itdoes not distinguish between nodes in either network as separate entities. Nodes in thepower network may be functionally separate entities such as power plants, sub-stations,and load nodes. Similarly, nodes in the communication network may be functionallyseparate entities such as cell towers, and routers. When separate entities of the networkare considered, the proposed cascading model may not work in the same way as assumedby the authors, and also the dependency relationship of one type of entity to the othermay not be able to be captured with this model. Another potential drawback to thismodel is for the functionality of the mutually connected cluster. The mutually connectedclusters generated after the cascade may not be completely functional because of thephysical limitations of the network [16]. For example, the nodes from the power grid ina mutually connected cluster may not be able to provide sufficient power to the nodes inthe communication network due to the limits on the power generation capacities. Thus,t would be wrong to assume that the residual mutually connected clusters continue to befunctional after a cascade simply because they remain connected. In [7], Rostato et al. model the power flow in the power grid, and the data flow in thecommunication network separately. They then analyze the effect of failures in the com-munication network, caused by failures in the power grid using a coupling model be-tween the two infrastructures. Their analysis of the failure propagation is performed onthe backdrop of the Italian high voltage electric transmission network (HVIET), and thehigh-bandwidth backbone of the Italian Internet network (GARR). Data for both the net-works were gathered from documentation available in the public domain.For modeling the power network, the HVIET network is represented by an undi-rected graph consisting of three type of vertices, namely, source nodes (nodes that sup-ply power to the network), load nodes (nodes that draw power out of the network), andjunction nodes (which neither draw nor supply power to network, but act as relays). Theedges of the graph corresponds to the transmission lines. The power flow dynamics inthe power grid relies on the DC power flow model as given by [12]. At every occurrenceof a failure of one or more nodes, or transmission lines (edges), the power flow dynamicsare recalculated using this model. It is to be noted here that the DC power flow modelconsiders the physical constraints pertaining to the maximum power flow possible overa transmission line while computing the minimum load re-dispatch (reducing the powerdrawn out by the load nodes) after a failure. The authors define the quality of service(QoS) of the power network as the ratio of the change in the total power drawn by theload nodes after the failure event, as compared to the total power drawn by the load nodesbefore the failure event.For modeling the communication network, the GARR network is represented as agraph consisting of high-bandwidth backbone links as edges, and the Italian universitiesand research institutions as nodes. For computing the total amount of traffic inflow intothe network, the probability that a node generates a packet λ , (0 ≤ λ ≤
1) is consideredat each time step. For each generated packet a random node is chosen as its destination.A probabilistic packet routing model is considered along the lines of [13] for sending thepackets to their intended destinations. The average delivery time is defined as the averageof the packet transmission time from source to destination over all packets deliveredcorrectly within a particular time interval. The average delivery time is then used as ametric to define the efficiency of the network for a given value of λ .The coupling between the two networks is achieved by associating a node from thecommunication network to the closest load node from the power network (Euclideandistance). Note that this coupling is one directional, that is, for a node to be operationalin the communication network it is dependent on a node from the power network, butthe power network node is not dependent on the communication node for its survival. Ina failure event, if a load node i that was initially extracting power P i units, now extracts P i units of power after the subsequent load re-dispatching process. The communicationnodes coupled to i remain operational as long as the value of P i is greater than or equalto α P i , (0 ≤ α ≤ α is termed as the strength of coupling between thetwo networks.The authors then use the above coupling model to analyze and simulate the effectof random link failures in the power network for a fixed parameter of α (taken as α = . In [8], Nguyen et al. propose a cascading model in similar lines of [3], and address theproblem for identifying the critical nodes in an interdependent network. In their model,the power network, and communication network are considered as graphs G s = ( V s , E s ) and G c = ( V c , E c ) , and the interdependency is represented by an unidirectional edge set E sc that connect vertices from set V s with set V c in a composite graph containing thisedge set, and both the power, and communication networks graphs. A failure due to adependency relation is outlined by the assumption that, not only do the failed node(s)cease to operate, but also the nodes connected to the failed nodes via edges from theedge set E sc also become non-operational. Failures propagate in the following way: thefailed nodes and the incident edges to these nodes that belong to G s (power network),and G c (communication network) are removed to generate G (cid:48) s and G (cid:48) c respectively. Then,the largest connected components L s and L c are computed for the graphs G (cid:48) s and G (cid:48) c . Anynode n s ∈ G (cid:48) s that does not belong to L s , and any node n c ∈ G (cid:48) c that does not belong to L c are considered non-operational. Failures due to the dependency relations are simultane-ously considered, and propagation ensues until a steady state is reached when no furthernodes in either network can fail. An example showing this failure propagation is shownin Figure 3.Using the above defined failure propagation model, the authors consider the prob-lem of identifying a set of critical nodes in the power network of size less than a positiveinteger k , such that at the steady state the size of the largest connected component inthe power network is minimized. The authors show that this problem is NP-complete byreduction from the decision version of the Maximum Independent Set problem, and inferthat this problem is in-approximable within a bound of 2 − ε . Three greedy approxima-tion algorithms are proposed by the authors for approximating the solution to this prob-lem in polynomial time, namely, Maximum Cascade (Max-Cas),
Iterative InterdependentCentrality (IIC), and
Hybrid .The authors perform an extensive simulation of the proposed algorithms using threedifferent power network, and communication network data sets. The data sets consideredwere (i) US Western States power network, and a synthetic scale free communicationnetwork with an exponential factor, β = .
2, (ii) Synthetic scale free power networkwith β = .
0, and a synthetic scale free communication network with β = .
2, and (ii)Scale free power and communication networks with the same β = .
6. For each of thesimulations the interdependency relationship between the two networks were setup usinga random weighted permutation of nodes of the two networks.In the simulations it was observed that the Hybrid algorithm takes lesser time andhas better performance bounds than the other two algorithms. In the process of the simu- igure 3.
Power Network consisting of nodes p , p , p , p and Communication Network consisting of nodes c , c , c , c . Blue and green edges represents intra links in power and communication network respectivelyand black edges represent the interdependency (interlinks). (a) The node p is attacked. (b) The intra links ofnode p are removed due to its failure along with its interdependent node c in communication network and allits associated intra links. (c) The node p fails as it is disconnected from the the largest connected componentin the power network. The steady state is reached with nodes p and p in power network as functional nodesafter the failure event. lations, it was observed that when interdependent systems are loosely connected they aremore vulnerable to failure. Their observations also included that sparse interdependentnetworks are more vulnerable to cascading failures. This was observed from simulationscarried out by varying the exponential factor of the scale free communication network,while keeping the exponential factor of the power network, and the total number of nodesconstant. The simulations carried out by the authors by varying the total number of nodesof both the networks, while keeping a fixed exponential factor of the considered scalefree networks, showed that large networks are more vulnerable to cascading failures.The observable shortcomings of this model are similar to the drawbacks discussedabove for the model proposed by Buldyrev et al. [3]. Without the distinction of nodes inthe networks into separate entities, such as power plants, and substations, for the powernetwork, and cell towers, and routers for the communication network, the failure cas-cading model may not represent the workings of real world networks. Thus hinderingthe analysis, and mitigation of faults caused by cascading failures in multi-layer criticalinfrastructure networks. Parandehgheibi et al. [9] also consider the power and communication infrastructure net-works to analyze the effect of cascading failures on these interdependent networks. Intheir model, the power network graph P = ( V p , E p ) consist of vertices V p representingthe generators, and substations, and edges E p representing the transmission lines. Simi-larly, the communication network graph C = ( V c , E c ) consist of vertices V c representinghe control centers, and routers, edges E c representing the communication lines. In thegraphs, it is assumed that nodes represented by generators, and control centers, are au-tonomous , i.e. these nodes operate independently without any dependency on any othernode across both the networks. In this model, dependency between network entities isrepresented by coupling the routers, and substations with edges E (directed or undi-rected), in a composite graph of G = ( V , E , E p , E c ) , V = V p ∪ V c . Whether a node of thiscomposite graph G is operational or not is defined by the following functional rules: Ifthe node represents a substation, it remains operational as long as, (i) there exists a pathbetween the substation and a generator via the power network edges E p , and (ii) thereexists a path between the substation and a router (to receive control signals) via edges of E . If the node represents a router, it remains operational as long as, (i) there exists a pathbetween the router and a control center via the communication network edges E c , and(ii) there exists a path between the router and a substation (to receive power) via edges of E . Lastly, if the node represents a generator, or a control center, it remains continuouslyfunctional. At the time of the initial failure (due to a possible attack, or fault), the failednodes, or edges are removed from the graph G . The failure propagation is then repre-sented in the model by iteratively removing the failed nodes and all their incident edgesfrom graph G that do not satisfy the aforementioned functional rules. This propagationcontinues until a steady state is reached when no further removals of nodes, or edges arenecessary. An example of the described failure propagation is illustrated in Figure 4.Keeping this failure model as their basis, the authors consider the problem of se-lection of the minimum number of non-autonomous nodes (substations, and routers),that need to be removed from the graph G , such that the resulting graph generated atthe steady state contains no non-autonomous nodes. The authors term this problem asthe Node-MTFR (minimum total failure removal) problem. They also identify anothersimilar problem
Edge-MTFR , that concentrates on the selection of the minimum num-ber of edges of G such that the resulting graph generated at the steady state contains nonon-autonomous node.For solving these two problems the authors assume that the power network graph P ,and the communication network graph C , are each star topology graphs. For the powernetwork, the substations are directly connected to a generator without any connectionsbetween any other substations, i.e for all edges ( u , v ) ∈ E p , node u represents a substa-tion, and node v represents a generator. Similarly for the communication network therouter are directly connected to a control center without any connections between anyother routers, i.e for all edges ( u , v ) ∈ E c , node u represents a router node, and node v represents a control center node. The authors now proceed to analyze the problem fromthe perspective of a bipartite graph, where the nodes in the bipartite graph comprise ofthe substations of the power network, and routers of the communication network (thenodes representing generators, and control centers are ignored). The edges of this bipar-tite graph is the set of dependency relations represented by edge set E , of graph G . Theauthors analyze this problem from two interdependency perspectives, namely, unidirec-tional interdependency, and bi-directional interdependency.For unidirectional dependency, the Node-MTFR problem is shown to be NP-complete by reduction from the Feedback Vertex Set problem, and an optimal solutionis proposed by an integer linear program (ILP). A greedy approximation algorithm isalso proposed for this problem and its solution is compared with the optimal solution ob- igure 4. The power network consists of a generator G and substations s , s , s and communication networkconsists of control center C and routers r , r , r . Blue edges denotes the power network edges (composed oftransmission lines) and green edges denotes the communication network edges (composed of communicationlinks). Black edges denotes the interdependency between substation of power network and routers in commu-nication network. (a) The substation s is attacked. (b) Failure of substation s results in removal of all powernetwork edges incident on s and failure of interdependent router r and removal of communication networkedges incident on it. (c) Substations s , s and routers r , r fails and hence are removed as they do not satisfyboth the properties for being being functional as mentioned. The edges incident on these substations and routersare subsequently removed. The resultant interdependent network after the failure consists of two autonomousnodes G and C . tained from the ILP. The authors also prove that Edge-MTFR problem for unidirectionalinterdependency is NP-complete by reduction from the Feedback Edge Set problem.For bidirectional interdependency, the authors show that the Node-MTFR problemcorresponds to a minimum vertex cover problem for bipartite graphs, and using Konig’sTheorem, show that this problem is equivalent to the maximum matching problem for bi-partite graphs which has a known polynomial time solvable algorithm [14]. Thus show-ing that the Node-MTRFR problem for bidirectional interdependency is polynomiallysolvable. The authors also observe that for the Edge-MTFR problem with bidirectionalinterdependency all the edges of the bipartite graph must necessarily be removed, as anyexisting edge would denote the existence of operating non-autonomous nodes.For the purpose of experimentation and simulation, the authors use the Italian com-munication and power network data obtained from [7]. To preserve the star topologyconfiguration for the power and communication networks, only substations directly con-nected to the generators, and routers directly connected to control centers are considered.Unidirectional dependency between the substations and routers is established by assum-ing that a substation receives control signals from the nearest router, and a router receivespower from the nearest substation. Using this setup the simulation is carried out to findthe minimum number of nodes representing routers and substations that need to be re-moved, such that all non-autonomous nodes are removed from the graph (Node-MTFR).The experimental results showed that the north-western part of Italy is acutely vulnera-le as removal of just three routers results in the failure of all substations and remainingrouters.A possible drawback to this model is that this model is able to represent depen-dencies that are in disjunctive form, for example, a sub-station survives as long it has aconnection to a router. However, if there is a need to model a conjunctive dependencyamong network entities this model may not be adequate, for example, a scenario wherea sub-station survives only when it is connected to two routers. In the real world, it ishighly likely that entities in either the power or communication network have such con-junctive dependency amongst other entities, which this model may not be able to ade-quately represent. Another possible shortcoming of this model is the number of typesof power, and communication entities that this model considers. For instance, in a realworld communication network there may be communication entities such as cell towerswhose survivability may have to be modeled very differently than the way routers aremodeled. In the proposed model if support for additional entities are included that havedifferent functional rules, it is not clear how this model will be able to accommodatethem. In [10], Castet et al. develop a model for survivability analysis of networks with het-erogeneous nodes (nodes that can perform more than one function), and apply their ap-proach to space-based networks. The authors propose that heterogeneous networks canbe modeled as interdependent multi-layer networks, thus enabling survivability analysisof these networks. They assert that in this approach, the multi-layer aspect captures thecommon functionalities across the different nodes (by construction of homogeneous sub-networks), and the interdependency aspect captures the physical characteristics of eachnode in the network.In this paper the authors focuses on space-based networks (SBNs). In SBNs, eachnetwork entity (space-craft), may perform more than one function. SBN’s operate byphysically distributing functions in multiple orbiting space-crafts that are wirelessly con-nected to each other. The SBNs architecture allows the sharing of resources on-orbit,such as data processing, data storage, and downlinks among the network entities. In thisstudy, Castet et al. attempt to assess their proposed approach of modeling heterogeneousnetworks as interdependent multi-layer networks on SBNs, and benchmark the surviv-ability of a fractionated SBN architecture, against that of a traditional monolith space-craft.To represent the heterogeneous SBN as a multi-layer interdependent network theauthors define the following terms: • Super-Node : A network entity that supports multiple functionalities • Node : Component of a super-node that represents a single functionality of thatsuper-node • Layer : Set of nodes with the same functionality • Intra-Layer Link : A link between two nodes in the same layer. The link can bedirected (when one node is providing a resource and the other is receiving), orundirected (both provide, and receive resources) • Networked Layer : A network possessing intra-layer links
Inter-Layer Link : A directed link that captures the inter-dependency betweenfunctionalities (nodes) within a super-node. Specifically, this link implies the (di-rected) propagation of failure from one node to the other.In their model two types of inter-layer links are considered that represent the twotypes of failure propagation possible in the model: (i) Inter-links for the kill effect failurepropagation, defined by the propagation rule as follows: When a node fails, all nodesthat have an incoming inter-link of this type from the failed node immediately fail, and(ii) Inter-links for the precursor effect failure propagation, defined by a conditional prop-agation rule as follows: When a node fails, and all the nodes with incoming intra-linksto this failed node have also failed, all entities that have an incoming inter-link of thistype from the failed node fails. This type of inter-link implicitly implies that as long as asuper-node has access to a particular functionality, either from its own resources or fromanother super-node, all nodes in the super-node dependent on this functionality survive.Figure 5 demonstrates the propagation rules and represents a sample SBN as aninterdependent multi-layer network N defined by N ( G , ..., G L , E k , E p ) , where: L is the number o f layers each numbered sequentially f rom to LG , ...., G L are the graphs on each layer : ∀ l ∈ [ , ..., L ] , G l = ( V l , E l ) with : (cid:40) V l is the set o f n l nodes in G l E l is the set o f intra − layer links in G l E k is the set o f inter − layer links representing the ” kill e f f ect ” E p is the set o f inter − layer links representing the ” precursor e f f ect ”To analyze the survivability of an interdependent multi-layer network using theabove network representation, and propagation rules, the authors carry out the follow-ing steps: (i) Generate the time to failure for each node and intra-layer link, (ii) propa-gate failures through inter-layer links for the kill effect, (iii) propagate failures throughinter-layer links for the precursor effect, and (iv) combine all failure propagation effectsto obtain the probability of failure of each node. Random times to failure for the nodeswere generated using cumulative distribution functions representing the failure behaviorof each node. Since links between two space-crafts (super-nodes) is established througha wireless unit, a two step process was followed for generating the times to failure for theintra-layer links: (i) times to failure of the wireless units on each spacecraft was gener-ated using predetermined cumulative distribution functions, (ii) times to failures for eachintra-layer link was generated by taking the minimum of the time to failures of the twoassociated wireless units.For simulation and study, the authors apply their model into three different SBNscenarios. In their first scenario they consider three different space network architectures.The first architecture considered consists of a traditional monolith spacecraft with threesubsystems (or layers), namely, Telemetry Tracking and Command (TTC), supportingsubsystems , and payload . The second architecture consists of two space based networks,one of them a traditional monolith spacecraft, while the other spacecraft consists of twosubsystems —
TTC and supporting subsystems . The two spacecrafts shares their TTCsubsystems, i.e. a TTC redundancy is introduced, through a wireless link. This architec- igure 5.
Interdependent space based network consisting of three layers represented by graphs G = ( { , } , { ( , ) , ( , ) } ) , G = ( { , } , /0 ) , G = ( { } , /0 ) . Edge set E k = { ( , ) , ( , ) , ( , ) } and edgeset E p = { ( , ) , ( , ) , ( , ) } . If node 3 fails, nodes 1 and 5 immediately fail ( kill effect ). If node 1 fails thennodes 3 and 5 don’t fail unless node 2 also fails ( precursor effect ). ture is shown in Figure 5 with layer 1,2 and 3 denoting subsystems TTC, supporting sub-systems, and payload respectively. A third architecture is considered which is comprisedof the monolith spacecraft, and two spacecrafts having two subsystems — TTC and sup-porting subsystems . These three spacecrafts share there TTC subsystems, i.e. there is ahigher degree of TTC redundancy, through wireless links. Wireless links in the secondand third spacecraft architecture are assumed to be perfect. The distribution of probabil-ity of unavailability (failure) of TTC subsystem with time, identified as a major space-craft unreliability factor in [19], is obtained from [18]. The probability of unavailabilityof the payload subsystem over time, for the three spacecrafts is computed consideringthe failure of the TTC subsystem using a Monte Carlo Simulation. The simulation re-sults showed that for a given time, increasing the redundancy of the TTC subsystemsreduces the probability of unavailability of the payload. However, it was observed thatthe percentage of this reduction is not linear with the redundancy introduced.The second scenario was aimed to study the impact of wireless link failure. AWeibull distribution is considered for probability of unavailability of wireless link failurewith time. The parameters of Weibull distribution are set such that the wireless link hasa probability of 0 . .
5% over the monolith spacecraft. This makes way to draw a conclu-sion that this architecture has greater improvement in reduction of failure over monolithspacecraft, than by only introducing TTC redundancy (as considered in first scenario).
3. Limitations of Current Modeling Approaches and Possible Solutions
As discussed in the previous section, significant efforts have been made in the researchcommunity in the last few years to develop an appropriate model of interdependencybetween the entities of a multi-layer critical infrastructure network [3,4,5,7,6,10,9,11,8,23,21]. Unfortunately, many of the proposed models are overly simplistic in nature and assuch they fail to capture the complex interdependency that exists between power grid andcommunication networks. As noted in section 2.1, the highly cited paper due to Buldyrevet al. [3], assume that every node in one network can depend on one and only one nodeof the other network. Obviously, this assumption is not valid in an interdependent power-communication network that spans countries and continents, Even the authors in a followup paper [5] recognize that the assumption may not be valid in the real world and a singlenode in one network may depend on more than one node in the other network and vice-versa. A node in one network may be functional (“alive”) as long as one supporting nodeon the other network is functional.Although this generalization can account for disjunctive dependency of a node in the A network (say a i ) on more than one node in the B network (say, b j and b k ), implyingthat a i may be “alive” as long as either b i or b j is alive, it cannot account for conjunctivedependency of the form when both b j and b k has to be alive in order for a i to be alive. Ina real network the dependency is likely to be even more complex involving both disjunc-tive and conjunctive components. For example, a i may be alive if (i) b j and b k and b l arealive, or (ii) b m and b n are alive, or (iii) b p is alive. The graph based interdependencymodels proposed in the literature [4,7,6,10,9,8] including [3,5] cannot capture such com-plex interdependency between entities of multi-layer networks. In order to capture suchcomplex interdependency, we propose recently a new model of interdependency usingBoolean logic [20]. In the following, we briefly describe this model.We outline the model for an interdependent network with two layers. However, theconcept can easily be generalized to deal with networks with more layers. Suppose thatthe network entities in layer 1 are referred to as the A type entities, A = { a , . . . , a n } andentities in layer 2 are referred to as the B type entities, B = { b , . . . , b m } . If the layer 1entity a i is operational if (i) the layer 2 entities b j , b k , b l are operational, or (ii) b m , b n areoperational, or (iii) b p is operational, we express it in terms of Live Equations of the form a i ← b j b k b l + b m b n + b p . The Live Equation for a B type entity b r can be expressed in similar fashion in terms of A type entities. If b r is operational if (i) the layer 1 entities a s , a t , a u , a v are operational, or (ii) a w , a z are operational, we express it in terms of LiveEquations of the form b r ← a s a t a u a v + a w a z . It may be noted that the live equations only provide a necessary condition for entities such as a i or b r to be operational . Inother words, a i or b r may fail independently and may be not operational even when theconditions given by the corresponding live equations are satisfied . A live equation ingeneral will have the following form: x i ← T i ∑ j = t j ∏ k = y j , k where x i and y j , k are elements of the set A ( B ) and B ( A ) respectively, T i represents the number of min-terms in the live equation and t j refers to the size of the j -th min-term(the size of a min-term is equal to the number of A or B elements in that min-term). Inthe example a i ← b j b k b l + b m b n + b p , T i = t = , t = , t = x i = a i , y , = b m , y , = b p . Power Network Communication Network a ← b + b b ← a + a a a ← b b + b b ← a + a a ← b b b b ← a a a ← b + b + b −− Table 1.
Life Equations for a Multi-layer NetworkEntities Time Steps t t t t t t t a a a a b b b Table 2.
Time Stepped Cascade Effect for a Multi-layer Network
We refer to the live equations of the form a i ← b j b k b l + b m b n + b p as First OrderDependency Relations also, because these relations express direct dependency of the A type entities on B type entities and vice-versa. It may be noted however that as A type en-tities are dependent on B type entities, which in turn depends on A type entities, failure ofsome A type entities can trigger failure of other A type entities, though indirectly throughsome B type entities. Such interdependency creates a cascade of failures in multi-layerednetworks when only a few entities of either A type or B type (or a combination) fails. Weillustrate this with the help of an example. The live equations for this example is shownin Table 1.As shown in Table 2, in this example the failure of only one entity a at time step t triggered a chain of failures that resulted in the failure of all the entities of the networkafter by timestep t . A table entry of 1 indicates that the entity is “dead”. In this example, a) Cascading failures reach steady state after p time steps (b) Cascading failures as a fixed point system Figure 6.
Cascading Failures in Multi-layered Networks the failure of a at t triggered the failure of b at t , which in turn triggered the failureof a at t . The failure of b at t was due to the dependency relation b ← a a andthe failure of a at t was due to the dependency relation a ← b b b . The cascadingfailure process initiated by failure (or death) of a subset of A type entities at timestep t = A d and a subset of B type entities B d till it reaches its final steady state is showndiagrammatically in Figure 6(a). Accordingly, a multi-layered network can be viewed asa “closed loop” control system as shown in Figure 6(b). Finding the steady state after aninitial failure in this case is equivalent of computing the fixed point of a function F ( . ) such that F ( A pd ∪ B pd ) = A pd ∪ B pd , where p represents the number of steps when the systemreaches the steady state.We define a set of k entities in a multi-layered network as most vulnerable if failureof these k entities triggers the failure of the largest number of other entities. The goal ofthe k most vulnerable nodes in multi-layered network problem is to identify this set ofnodes. This is equivalent to identifying A d ⊆ A , B d ⊆ B , that maximizes | A pd ∪ B pd | , subjectto the constraint that | A d ∪ B d | = k .The dependency relations (live equations) can be formed either after careful analysisof the multi-layer network along the lines carried out in [21], or after consultation withthe engineers of the local utility and internet service providers.Utilizing this comprehensive model, we provide techniques to identify the k mostvulnerable nodes of an interdependent multi-layered network system in [20], so that pre-ventive measures can be taken to strengthen the network. We show that the this problemcan be solved in polynomial time for some special cases, whereas for some others, theproblem is NP-complete. We also show that this problem is equivalent to computation ofa fixed point [22] of a closed loop system and we provide a technique utilizing IntegerLinear Programming to compute that fixed point. Finally, we present the efficacy of ourtechnique using real data collected from power grid and communication networks thatspan the Maricopa county of Arizona in [20].
4. Conclusion
In order to build a robust and resilient system, a deep understanding of the complexinterdependency that exists between critical infrastructures such as the power grid andthe communication network is essential. Unfortunately, many of the proposed models areunable to capture such complex interdependency. In our opinion, the model proposed in[20] is a step in the right direction. However many problems, including the problem ofmodel validation, still remain open. These problems will most likely draw the attentionof the researchers in this domain for many years to come. eferences [1] Rinaldi, Steven M., James P. Peerenboom, and Terrence K. Kelly.
Identifying, understanding, and ana-lyzing critical infrastructure interdependencies.
Control Systems, IEEE, 21.6, 11-25, 2001.[2] Vespignani, Alessandro.
Complex networks: The fragility of interdependency
Nature, 464.7291, 984-985, 2010.[3] Buldyrev, Sergey V., et al.
Catastrophic cascade of failures in interdependent networks.
Nature464.7291, 1025-1028, 2010.[4] Shao, Jia, et al.
Cascade of failures in coupled network systems with multiple support-dependence rela-tions
Physical Review E 83.3, 2011.[5] Gao, Jianxi, et al.
Networks formed from interdependent networks
Nature Physics 8.1, 40-48, 2011.[6] Zhang, Pengcheng, Srinivas Peeta, and Terry Friesz.
Dynamic game theoretic model of multi-layer in-frastructure networks.
Networks and Spatial Economics 5.2, 147-178, 2005.[7] Rosato, Vittorio, et al.
Modelling interdependent infrastructures using interacting dynamical models.
International Journal of Critical Infrastructures 4.1, 63-79, 2008.[8] Nguyen, Dung T., Yilin Shen, and My T. Thai.
Detecting Critical Nodes in Interdependent PowerNetworks for Vulnerability Assessment.
IEEE Trans. on Smart Grid, 4.1, 1-9, 2013.[9] Parandehgheibi, Marzieh, and Eytan Modiano.
Robustness of Interdependent Networks: The case ofcommunication networks and the power grid.
GlobeCom (to appear), 2013.[10] Castet, Jean-Francois, and Joseph H. Saleh.
Interdependent Multi-Layer Networks: Modeling and Sur-vivability Analysis with Applications to Space-Based Networks.
PloS one 8.4, 2013.[11] Liu, Chen-Ching, et al.
Intruders in the Grid.
Power and Energy Magazine, IEEE, 10.1 58-66, 2012.[12] Wood, Allen J., and Bruce F. Wollenberg.
Power generation, operation, and control.
John Wiley & Sons,2012.[13] Echenique, Pablo, Jess Gmez-Gardees, and Yamir Moreno.
Improved routing strategies for Internettraffic delivery.
Physical Review E, 70.5, 2004.[14] Ahuja, Ravindra K., Thomas L. Magnanti, and James B. Orlin.
Network flows: theory, algorithms, andapplications.
On random graphs I.
Publ. Math. Debrecen 6, 290-297’ 1959.[16] Bernstein, Andrey, et al..
Power grid vulnerability to geographically correlated failures-analysis andcontrol implications. arXiv:1206.1099, 2012.[17] Watts, Duncan J., and Steven H. Strogatz.
Collective dynamics of small-worldnetworks. nature 393.6684,440-442, 1998.[18] Castet, Jean-Franois.
Reliability, multi-state failures and survivability of spacecraft and space-basednetworks. , 2012.[19] Saleh, Joseph Homer.
Spacecraft reliability and multi-state failures: a statistical approach. , Wiley. com,2011.[20] Sen, A. and Mazumder, A. and Banerjee, J. and Das, A. and Compton, R.
Identification of k mostvulnerable nodes in multi-layered network using a new model of interdependency , To be presented inthe International Workshop on Network Science for Communication Networks (INFOCOM workshop),IEEE, 2014.[21] Bernstein, Andrey and Bienstock, Daniel and Hay, David and Uzunoglu, Meric and Zussman, Gil.
Powergrid vulnerability to geographically correlated failures-analysis and control implications , arXiv preprintarXiv:1206.1099, 2012.[22] Fudenberg, A. and Tirole, J..
Game Theory , Ane Books, 2010.[23] Sen, Arunabha, Pavel Ghosh, Vijay Vittal, and Bo Yang.