The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5: Issue 17

Sunday, 26 July 1987


o Re: Separation of Duties and Computer Security
Ted Lee
o Re: Robocop
Zalman Stern
o Re: B of A's computer problems
Bob Larson
o Nuclear power plant monitoring and engineering
o Info on RISKS (comp.risks)

Re: Separation of Duties and Computer Security

Sun, 26 Jul 87 12:42 EDT
It is not true that development of computer security principles in the
"defense establishment" has ignored the principle of separation of
duties.  At class B2 of the Orange Book a system is required to support
separate operator and [security] administrator roles.  At B3 and above
it is quite explicit that a) to assume the security administrator role a
distinct auditable action must be taken, and b) that when performing in
that role a person is limited to ONLY doing those things "essential to
performing the security role effectively." Furthermore, there was quite
a long discussion at one of the recent national conferences (I forget
whether it was the last Oakland conference or the NBS/DoD before it)
about the topic of separation of duties as found in the financial
community and how it did or did not relate to the kinds of security
policies "traditionally" found in trusted systems.  One could in fact
argue that the fundamental principle of "need-to-know" versus
"clearance" is a kind of two-man rule:  the person who decides to let me
see a particular classified document, based on his judgement that I need
to see it, is not the same person who grants me the clearance that I
must have in the first place.


Re: Robocop (RISKS DIGEST 5.12)

Zalman Stern <>
Sat, 25 Jul 87 22:23:22 edt
On the one hand, I am loathe to assign any sort of serious meaning to
Robocop. It was basically lots of very well done violence with a streak of
humor thrown in. The most thought provoking question I had after seeing it
was "Who in their right mind would trust anything that carried a big gun and
ran MS-DOS?" On the other hand, Ebert's quote clearly ignored the major plot
line of the movie. The guy who was championing ED-209 (The robot that gunned
down a board member during a demonstration) really didn't care if it killed
people. One of his quotes was something to the effect of "I had it all lined
up. Millitary contracts, spare parts for the next 25 years. The profits would
have been great. Who cares if it worked!" Of course the competition for the
ED-209 was a cyborg (half human) which had human judgement and therefore was
much safer... The other great social comment in the movie was the
not-so-overdone "trivialize death and suffering" newscasts.

As for computer risks, there was one lesson to be learned from Robocop. If
you are going to program back doors into an armed robot to protect yourself,
make sure you word your logic strongly enough so you don't get blown away in
the end :-)

Zalman Stern, Information Technology Center, Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet:     Usenet: ...seismo!!zs01+


Re: B of A's computer problems

Bob Larson <>
26 Jul 87 04:17:56 GMT
In article <>:
>The system is designed around four Prime Computer models known as Leopards,
>costing about $750,000 each.  "Prime has had at least five people here full
>time trying to staighten things out," a bank official said.  "This is going
>to be a really slick system, when it works," he added.

A couple of corrections:  The "leopard" was Prime's development name for the
6350.  B of A did not have any in March, since the 6350 had not been announced
and B of A was not a hardware beta test site.  (USC was one of three beta sites
for the 6350, ours was installed in April if I remember correctly.)

(Chances are that B of A got 9955-II's and planned to upgrade.)
Bob Larson      Arpa: Blarson@Ecla.Usc.Edu
Uucp: {sdcrdcf,seismo!cit-vax}!oberon!castor!blarson


Southern Methodist University <Leff>
Sat, 25 Jul 1987 19:56 CST
Subject:      Nuclear power plant monitoring and engineering

Attached, please find some references to applications of computers to
nuclear power plant monitoring and engineering.  A frequent theme is to try
and reduce cognitive overload in the event of a critical situation, i.e.,
present something other than 500 alarms ringing at once.

Works in the control engineering field address this issue in a more general
context: power plants, nuclear plants, chemical plants etc.  A couple of AI
based tools for fault tree analysis which is used in estimating risk
probabilities in the nuclear field among others have also been announced at
various conferences.

For those desiring to track this field, you should watch the American
Control Conference every year and the section for nuclear engineering and
control engineering in the IEEE Computer and Control Abstracts.  This is
very complete: our librarians complain that people keep requesting
references from there that are not in any library in the United States which
makes Interlibrary Loan a tad bit difficult.  It ranges from six months to a
year behind the date of publication unfortunately for the printed edition.

As far as the RISK of an accident, the average number of days of life loss
for nuclear accidents in the United States is on the order of two days per
person.  This uses probabilities estimated by antinuclear power plant
groups.  The number of days lost is a tenth to a hundredth of such risks as
automobile accidents, lighting and the like which we accept on a regular basis.

Hans Mark pointed out that the loss of life from Chernobyl due to delayed
cancers would be lost in the "noise."  That is no statistical test done on
deaths in the Soviet Union could discern that something happened.  If
nuclear power plants were removed and replaced with coal burning plants,
more people would die from the radiation released into the atmosphere by the
burning coal.  This ignores the death toll from coal mine accidents and air
pollution.  In short nuclear power plants are about as risk free as one can
get in this society and our energies are much better off being devoted to
automobile accidents, cigarrette smoking and alcohol addiction.

          [Following is left as is for UNIX users.  Apologies to others.  PGN]

Sachs, P. A., Paterson, A. M. and Turner, M. H. M., Escort - An Expert System
for Complex Operations in Real Time,
\fIExpert Systems\fR, Vol. 3, No. 1, pages 22-28, January 1986.
Describes a system to assist operators in controlling such systems as
off shore oil rigs and nuclear power plants.  It works by reducing the
number of alarms and hence the operator's cognitive overload.

Faught, W. S., Applications of AI in Engineering,
\fIComputer\fR, Vol. 19, No. 7, pages 18-27, July 1986.
Discusses applications of KEE to diagnosis of the Space Station Life Support
System and satellites, simulation of factory cells in sheet-metal
manufacturing, and determining the best fuel shuffling for a nuclear power
plant so as to keep the shutdown costs as low as possible.

Underwood, W. E.,
A CSA Model-based Nuclear Power Plant Consultant
In \fIProceedings 2nd NCAI\fR, pages 302-305, Pittsburgh, August 1982.
The Common Sense Algorithm representation is used to model the physical
system. Diagnostic rules are also represented in this formalism.

Nelson, W. R.,
REACTOR: An Expert System for Diagnosis and Treatment of Nuclear Reactor
In \fIProceedings 2nd NCAI\fR, Pittsburgh, pages 296-301, August 1982.
REACTOR is being developed at EG & G, Idaho, for assisting operators in the
diagnosis and treatment of nuclear reactor accidents.

Ancelin, J. and Legaud, P., An Expert System for Nuclear Reactor Alarm 
In \fISixth International Workshop on Expert Systems and Their Applications\fR,
Avignon, France, April 28-30, 1986.

Piette, D., Roche, C. and Ianeselli, J. C., ALPA: Diagnosis Expert System
for Supervision of Nuclear Reactors In
\fIECAI '86. Seventh European Conference on Artificial Intelligence (Brighton,
England)\fR, Vol. 2, pages 109-113, July 1986.
The use of an expert system to monitor and diagnose nuclear reactor
breakdowns.  Various knowledge representation schemes were tried.

Hoernes, P. E., Salame-Alfie, A. and Yeater, M. L.,
Enhanced Inspection of NPP's Using Expert Systems as a New Approach,
\fITransactions of the American Nuclear Society\fR, Vol. 53, pages 275-277, 1986
The development of a small expert system in evaluation of nuclear power
plant performance as part of the process of inspecting it.

Corsberg, D., Extending an Object-Oriented Alarm-Filtering System
In \fIExpert Systems in Government Symposium\fR, McLean, Virginia,
pages 80-87, Oct. 22-24, 1986.
This system uses functional relationships as opposed to fault/consequence
trees to provide necessary alarm filtering in a nuclear power plant.

Brodsky, S. and Tyle, N.,
Knowledge-based Expert
Systems for Power Engineering
In \fIProceedings of the
15th Pittsburgh Modeling and Simulation Conference\fR, Pittsburgh,
April  1984.
Paper presents a brief review of the development and application of expert
systems in areas related to electric power engineering.  The specific
examples discussed include nuclear power plant monitoring, power system
restoration and hydro-electric plant design.  In addition, several problems
are examined as candidates for future expert systems.

%A Mark A. Fischeti
%A Glenn Zorpette
%T Power and Energy
%J IEEE Spectrum
%V 23
%N 1
%D JAN 1986
%K AA04 AI01 Westinghouse Electric Corporation nuclear power Babcock and Wilson
EG&G Idaho reactor
%X "Westinghouse Electric Corporation of Pittsburgh, PA offers the Genaid
diagnostic software package to monitor changing conditions in power plant
generators, analyze them, and warn plant operators of potential trouble."
EG&G Idaho of Idaho Falls has a Reactor Safety Assessment system which
"processes large amounts of data from a nuclear power plant during an
emergency, makes diagnoses, and outliens the consequences of subsequent
actions.  After final refinements, this expert system program is to go on
line this year at he Nuclear Regulatory Commison's Operations Center in
Washington Center.  The system was developed for use with Babcock and Wilcox
Pressurized-water reactors and will be adapted for use with other reactors."
[In Spang-Robinson report, they indicated that the Japanese are putting
major amounts of money into expert systems for nuclear reactor operations.
See my summary for more info.  LEFF ]

%A D. Sharma
%A B. Chandrasekaran
%A D. Miller
%T Dynamic Procedure Synthesis, Execution, and Failure Recovery
%B Applications of Artificial Intelligence in Engineering Problems
%E D. Sriram
%E R. Adey
%V 2
%I Computational Mechanics Publications
%C Woburn, Massachussetts
%D 1986
%P 1055-1072
%K AA05 nuclear power plant AI01 AI09
%X Describes a system for planning failure recovery, synthesis, monitoring
for nuclear power plants.  A comparison of the "event-oriented" and
"function oriented" approaches to nuclear power plant management is
provided.  The nuclear industry is shifting to the latter in reaction to the
TMI difficulties.  The implications of this for expert system applications
and an example from reactor scram concerns are also provided.  Various plan
templates and blackboards are used in processing.  The final expert system
consists of system specialists, specialists in various kind of undesirable
events and specialists in various kind of goals such as reducing radioactivity.

Report problems with the web pages to the maintainer