Risk assessment methodologies for Critical Infrastructures ...uranium.ing.uniroma3.it/wp-content/uploads/2015/10/... · Risk, Hazard and Protection definition Protection: all activities

With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme European

Commission - Directorate-General Home Affairs

” Risk assessment methodologies for Critical Infrastructures Protection”

Dr.Eng. Luisa FranchinaDr. Michele Kidane Mariam

Training session objectives

Understanding the risk assessment’s requirements of Critical Infrastructure Protection

Analysing strengths and weaknesses of existing risk assessment approaches for CIP

Identifying common features in existing risk assessment methodologies for CIP

Identifying the current gap in CIP risk assessment methodologies

Associazione Italiana esperti infrastrutture Critiche – AIIC

A I IC is an Italian scientific non-profit association of experts and stakeholders in Critical Infrastructure Protection.

AIIC was established in 2006.

The association aims at developing an interdisciplinary CIPR culture related to:

Strategies Methodologies Tools Technologies

For Critical Infrastructure Protection (CIP),Especially in crisis situations

AIIC Objectives

AIIC main objectives are to deepen, promote and shareknowledge regarding Critical Infrastructures and their protection.

To reach its objective AIIC has organised over the years:

Conferences and workshops

Roundtables

Technical visits

Working groups and information sharing among professionals

Training courses

Critical Infrastructure Definition & Key Features 1/4

European directive 114/2008:

CRITICAL INFRASTRUCTURE: an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions;

Critical Infrastructure have 4 types cross and intra sectoral Interdependencies (Rinaldi et al. , 2001):

Physical: The operation of one infrastructure depends on the material output of the other

Cyber: Dependency on information transmitted through the information infrastructure. Geographic: Dependency on local environmental effects that affects simultaneously

several infrastructures Logical: Any kind of dependency not characterized as Physical, Cyber or Geographic

Besides cross-sectoral interdependencies (e.g. ICT and Electricity, Satellite navigation and Transport), at European level one can identify intra-sectoral interdependencies of national infrastructures that form European infrastructures

Example: high voltage electricity grid is composed by the interconnected national high-voltage electricity grids

Critical Infrastructure Definition & Key Features – Interdependencies 3/4

Therefor Critical Infrastructure can be defined as

System of

Systems

Not clearly defined

boundaries

Multiple actors

Evolve trough time

Interdimensional Interdependency

Critical Infrastructure Definition & Key Features – System of Systems 4/4

Risk, Hazard and Protection definition

Protection: all activities aimed at ensuring the functionality, continuity and integrity of critical infrastructures in order to deter, mitigate and neutralise a threat, risk or vulnerability (2008/114/EC);

Risk: a combination of the consequences of an event (hazard/treat) and the associated likelihood/probability of its occurrence. (ISO 31010)

Hazard: a dangerous phenomenon, substance, human activity or condition that may cause loss of life, injury or other health impacts, property damage, loss of livelihoods and services, social and economic disruption, or environmental damage (UNISDR, 2009).

Risk Assessment

Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. (ISO 31010)

Risk Identification

Risk AnalysisRisk

Evaluation

Prioritizing risk Determine whether

risk or/and its magnitude is acceptable/tolerable

Finding Recognizing Describing risks

Comprehend the nature of risk Determine Impact and probability Determine level of risk

Risk Assessment – Risk

Human impacts

Risks are the combination of the consequences of an event or hazard and the associated likelihood of its occurrence (ISO 31010).

The consequences are the negative effects of an event expressed in terms of:

Economic and environmental impacts

Political/social impacts

When the extent of the impacts is independent of the probability of occurrence of the hazard, which is often the case for purely natural hazards, such as earthquakes or storms, risk can be expressed algebraically as:

Risk = hazard impact * probability of occurrence

Risk Assessment – Impact Assessment 1/2

Human impacts the number of

affected people the number of

deaths, the number of

severely injured or ill people,

the number of permanently displaced people

In Critical Infrastructure Protection, impact assessment should consider AT LEAST the following type of impacts :

Economic and environmental impacts the sum of the costs of cure or healthcare, cost of immediate or longer-term emergency measures, costs of restoration of buildings, public transport systems and

infrastructure, property, cultural heritage, etc., costs of environmental restoration and other environmental costs (or

environmental damage), costs of disruption of/to economic activity, value of insurance pay-outs, indirect costs on the economy, indirect social costs, and other direct and indirect costs, as relevant

Risk Assessment – Impact Assessment 2/2

Political/social impacts public outrage and anxiety encroachment of the territory, infringement of the international

position, violation of the democratic system, social psychological impact, impact on public order and safety, political implications, psychological

implications, damage to cultural assets, other factors considered important which

cannot be measured in single units

Political/social impacts will generally refer to a semi-quantitative scale comprising a

number of classes

limited/ insignificant

minor/ substantial

moderate/ serious

significant/ very serious

catastrophic/ disastrous.

Risk Assessment – Empirical Evidence

Impact analysis should rely as much as possible on empirical evidence andexperience from past event data or established quantitative models of impact. It isclear that for quantification purposes, a number of assumptions and estimates willhave to be used, some of which may be rather uncertain. These assumptions andestimates should always be clearly identified and substantiated.

The assessment of the probability of an event or hazard should be based, wherepossible, on the historical frequency of events of similar scale and available statisticaldata relevant for an analysis of the main drivers.

However, when considering Cyber-Threat reliance on historical data may not beenough, especially when considering the most innovative and advance threats (APT,Zero day, etc.). For this reason in this domain the focus of risk assessment has shiftedtoward continuous monitoring and real-time data gathering/analysis

Cyber-risk managment in CIP

Cyber risk management in CIP: Shift from a reactive approach to a predictive approach

Use of intelligence technique and platform for bid data gathering and analysis

Use of specific and establish risk management framework for Cyber security:

Cobit

ISO 27001

NIST

Framework Cyber-Security

Risk Assessment – Single & Multiple

Single-risk assessment: determine the singular risk (i.e. likelihood and consequences) of one particular hazard (e.g. flood) or one particular type of hazard (e.g. flooding) occurring in a particular geographic area during a given period of time.

Multi-risk all-hazard assessment: determine the total risk from several hazards either occurring at the same time or shortly following each other, because they are dependent from one another or because they are caused by the same triggering event or hazard; or merely threatening the same elements at risk (vulnerable/ exposed elements) without chronological coincidence.

Co-funded by the

Prevention, Preparedness and Consequence Management of Terrorism and other Security -related Risks Programme

of the European Union

European Cooperation Network on Critical Infrastructure Protection

Multi-Risk Assessment Challenges

Current Challenges:

Adequately taking into account all possible follow-on effects (also: knock-on effects, domino effects or cascading effects) amongst hazards and infrastructure (Interdependencies)

Co-ordination and interfacing between different specialized authorities and agencies, which each deals with specific hazards or risks without developing a complete overview of the knock-on, domino and cascading effects

Most multi-risk assessment methodologies are just an adaptation of single risk-assessment methodologies

There are a number of difficulties combining single-risk analyses into more integrated multi-risk analysis:

Available data for different single risks may refer to different time windows, different typologies of impacts are used, etc.,

Making comparisons and rankings difficult if not impossible.

Risk Assessment Metodologies for Critical Infrastructure Protection

Risk assessment methodologies audience

Risk assessment methodologies domain of applicability:

System of System level

Infrastructure/System Level

Asset Level

Policy Makers

Stakeholders

Decision Makers

Public Authorities Operators


Risk Assessment Methodologies for Critical Infrastructure Protection

Sectoral Methodologies

Each sector is treated separately with its

own risks and ranking

System Approach Methodologies

Assess critical infrastructures as an

interconnected network


The following are the Methodologies that will be presented:

Argonne National Laboratory –Better Infrastructure Risk Resilience (BIRR)

DECRIS Project

CARVER2 - NI2

Critical Infrastructure Protection Decision Support System

RAMCAP-Plus

Risk Assessment Methodologies for Critical Infrastructure ProtectionArgonne National Laboratory – Better Infrastructure Risk Resilience (BIRR)

Argonne National Laboratory is one of the U.S. Department of Energy’s oldest andlargest national laboratories conducting research in a wide range of fields

One of the main domains is national security. Protection of critical infrastructures ispart of this field.

Research conducted in this direction is mainly oriented to the policy needs of theDepartment of Homeland Security (DHS).

Argonne develops methodologies for assessing infrastructure risk and resilience to avariety of natural and man made hazards for various infrastructures including :

Energy facilities

Transportation

Water treatment plants

Financial institutions

Commercial office buildings


Enhanced Critical Infrastructure Protection (ECIP ) : umbrella program covering Critical Infrastructure Protection activities.

The BIRR methodology is developed within the framework of ECIP and covers the facilities in 18 critical infrastructure sectors :

Approach: sectoral approach that goes down to the assets level and gives priority on the protection measures that are applied mainly against terrorist threats

Aim: to provide policy makers with tools that can help in the analysis of the various sectors, identify vulnerabilities and prepare risk reports

Target audience: Policy maker


The methodology focus on evaluating three interrelating indexes:

VI (Vulnerability Index)

PMI (Protective Measures Index)

RI (Resilience Index)

The evaluation relies on:

Reliable data set:

Collected by 93 DHS Protective Security Advisors (PSAs) who are located throughout the US.

That undergo a quality assurance and control procedure and cover a wide area of security related components and subcomponents

Operators own asset assessment

Templates that contain what if scenarios


Vulnerability Index:

A common metric that facilitate the comparison across the various sectors of infrastructures that are covered bythis methodology.

The procedure for evaluating the VI starts from the ProtectiveMeasure Index

PMI is designed to reflect the increase in protection of certain assets as new measures are applied

Protective Measure Index:

Interdependencies are included in the PMI calculation.

For each asset that is analyzed it is possible to define on which main sectors (electricity, gas, ICT, etc.) its operation relies on and quantify this through three indexes:

Redundancy Index

Resilience Index

Impact index

Resilience Index:

The evaluation of the RI is based on the same methodology as the other indexes (VI, PMI)

Consider data on the robustness, resourcefulness and recovery of a facility/asset


Strengths of the methodology

It is possible for the operator to assess the securityof its assets with respect to certain scenarios andalso to compare their security level with respect tothat of similar sectors/subsectors.

The use of a common metric (VI) to comparecritical assets protection measures across sectors isremarkable

Cross-sectoral and Intra-sectoral dependences areconsidered (PMI)

Weaknesses of the methodology

Sectoral approach

Gives priority on the protection measuresthat are applied mainly against terroristthreats

Resilience index concept need furtherdevelopment and consideration

Risk Assessment Methodologies for Critical Infrastructure ProtectionDECRIS Project / Approach

The DECRIS approach is the result of intensive research from SINTEF in the domainof hazard/risk assessment for critical infrastructures

The DECRIS project/approach builds on the existing capacities in the sectoral riskassessment methodologies that existed already in Norway

Approach: Cross-sectoral / interconnected system approach

Aim: bridge the gap between the methodologies that exist in varioussectors and propose an all-hazard generic Risk and VulnerabilityAssessment methodology for cross-sector infrastructure analysis

Target audience: policy and decision makers


The DECRIS methodology is based on a four-steps procedure:

1. Establishment of event taxonomies and risk dimensions.

2. Simplified Risk and Vulnerability Analysis for the identified events. •

3. Selection of events to be further analysed.

4. Detailed analysis of selected events

A refinement mechanism has been incorporated in order to narrow down the list ofevents that have to be assessed.

The selection process is taking place on the basis of:

the importance of the risk,

of the amount of impacted infrastructures

the communication difficulties of this event to the public


A proof of concept of this methodology has been set up for the city of Oslo

Time period: January 2008‐December 2008

Meetings every 2 months.

Discussions in plenum and group work within each infrastructure

Four category of Critical Infrastructure have been consider:

Electricity,

Water,

Transport,

ICT

For each category a number of event have been considered

For each event, selection criteria have been applied and a short list of scenarios to be furtherassessed was established


The result of DECRIS’s Proof of Concept in Oslo:

Electricity power supply:

14 undesired events analysed.

Some interdependencies between the infrastructures, the ICT and electricity system.

Water supply:

Nine undesired events assessed.

Two events have dependencies to other infrastructures.

Several of the events have public communication challenges.

Transportation (road/rail):

Malicious acts included within the 23 events.

Dependencies to other infrastructures, especially to ICT.



A refinement mechanism to narrow down the listof events that have to be assessed

Fosters the collaboration between the variousstakeholders in the different sectors in order towiden their understanding on theinterdependencies across sectors

Cross-sectoral risk assessment approach

Cross-sectoral and Intra-sectoral dependences areconsidered


Resilience is not directly assessed in thismethodology

The methodology is not highlydifferentiated with respect to a typical riskassessment one

The issue of the comparability of theconsequences of one event on differentinfrastructures still remains

Risk Assessment Methodologies for Critical Infrastructure ProtectionCARVER2 - NI2

Developed by NI2 Centre for Infrastructure Expertise

CARVER stands for Criticality Accessibility Recoverability Vulnerability EspyabilityRedundancy

NI2 states that CRAVER is a non-technical method for comparing and rankingcritical infrastructure and key resources

Claims to be the only assessment tool that ranks critical infrastructure acrosssectors

A stand-alone PC tool and a server/client version (CARVER2Web) have beendeveloped for the implementation of this methodology

The methodology is supposed to cover both terrorist threats as well as naturaldisasters, thus implementing an all-hazards approach


CARVER2 is a tool that has been developed in order to serve the needs of criticalinfrastructure protection:

Approach: Cross-sectoral approach

Aim: to serve the needs of critical infrastructure analysis mostly from thepolicy maker point of view

Target audience: Policy makers


CARVER2Methodology:

Six different criteria for which an asset or an infrastructure is assessed:

Criticality: the impact assessment part of the methodology

Accessibility : the possibility that terrorists can enter the infrastructureto provokedestruction

mostly an assessment of the vulnerability of the infrastructure in terms of physical security

Recoverability : partially covers resilience since it refers to the bouncing back capability of the infrastructureafter failure.

Vulnerability: covers part of the potential infrastructurevulnerabilities related to:,

terrorist attacks

explosions and chemical/biologicalthreats

Espyability: the function of an infrastructure as an icon (e.g. cultural site) with indirect impact

the implementation to quantify this is not thoroughly explained

Redundancy: refers to the alternatives that exit for the asset in consideration


CARVER2 Methodology:

Particularly interesting is the way that interdependencies are assessed

The user has a list of sectors that are affected by the loss of an asset, or the list of the asset thatbelong to the same sector

The links between the various assets of different sectors have been predefined

needs to be further clarified at which level the interdependencies have been defined

Is not clear what kind of interdependencies are included in tool (cyber, physical,functional, geographical)

The user receives reports in various forms as well as a score for the classification of the asset

This scoring enables to perform apples with oranges comparison and it is a feature thatindeed provides a cross-sectoral harmonized metric for the assessment of the importance ofdifferent infrastructures



Cross-sectoral risk assessment approach

Cross-sectoral and Intra-sectoral dependences areconsidered

Predefined interdependencies

Provides a cross-sectoral harmonized metric

for the assessment of the importance of

different infrastructures


Resilience is only partially considered

A systems approach is missing

Not clear at which level theinterdependencies have been defined

Not clear what kind of interdependenciesare included in tool

Risk Assessment Methodologies for Critical Infrastructure ProtectionCritical Infrastructure Protection Decision Support System

The Critical Infrastructure Protection Decision Support System (CIPDSS) providesinformation and decision support for the protection of critical infrastructures basedon an assessment of risks appropriately accounting for the likelihood of threat,vulnerabilities, and uncertain consequences associated with terrorist activities,natural disasters, and accidents.

Approach: Cross-sectoral / System of systems approach

Aim: information and decision support for the protection of criticalinfrastructures

Target audience: decision makers that have to decide upon differentmitigation measures and operational tactics and prioritize the resources forprotecting critical infrastructures


CIPDSS is a computer simulation and decision analytic tool that informs users when makingdifficult choices between alternative mitigation measures and operational tactics, or whenallocating limited resources to protect the nation’s critical infrastructures against existing andfuture threats

Integrates event simulation with a risk assessment process, explicitly accounting foruncertainties in threats, vulnerabilities, and the consequences of terrorist acts andnatural disasters

It models the primary interdependencies that link 17 CI together and calculates theimpacts that cascade into these interdependent infrastructures and into the nationaleconomy.

Considering uncertainties in the input (threat, vulnerabilities) the tool is capable ofperforming simulation of a particular event and provides an estimation of the uncertainty foroutput (the impact of the event considered).


The key feature of this methodology is the risk informed decision making process implemented:

NISAC’s CIPDSS team has interviewed critical infrastructure protection decision makers andstakeholders to identify:

Requirements for the decision support system

Scope out the decision environment

Quantify the prioritization of consequences

The taxonomy of decision metrics includes:

Fatalities

Injuries

Economic loss

Public confidence


Source: Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA 2015



Cross-sectoral / System of System risk assessmentapproach

Evaluation of the impact through common decisionprocess metrics overcomes the problem ofcomparing risks among sectors

Predefined interdependencies among 17 differentsectors

Provides a common metric for the prioritization ofmitigation measures, operational tactics andresources for protecting critical infrastructures


Resilience is not considered

Risk Assessment Methodologies for Critical Infrastructure ProtectionRAMCAP-Plus

Developed by ASME (American Society of Mechanical Engineers) as an all hazards riskand resilience assessment methodology

Approach: Cross-sectoral approach

Aim: to provide an objective, consistent and efficient method for assessingand reducing infrastructure risks in terms directly comparable among theassets of a given sector and across sectors

Target audience: Critical Infrastructure operators and decision makers

The RAMCAP approach was conceived as having two levels:

A high-level and general method, periodically updated

A series of Sector-Specific Guidance (SSG) documents, expressly tailoredto the technologies, issues and cultures of the respective sectors andsubsectors


RAMCAP-Plus methodology:

The methodology is based on a seven step approach namely:

1. Asset characterization

2. Threat characterization

3. Consequence analysis

4. Vulnerability analysis

5. Threat assessment

6. Risk and Resilience assessment

7. Risk and Resilience Management


This methodology is particularly interesting as it incorporates a number of importantfeatures for risk assessment of infrastructures:

Avoids unnecessary detail by focusing on the most critical assets at a facility.

The developers of the methodology have identified the necessity for cross-sectoralrisk comparisons which is rarely offered by the existing risk assessmentmethodologies.

The methodology has a simplified approach and it is based on existing riskassessment techniques but the high-level approach is pronounced.



Cross-sectoral / System of System risk assessmentapproach

Resilience is addressed in this methodology andconstitutes a central element of the methodology.

Cross-sectoral interdependences are considered

Focus on the most critical assets

Has both high and sector specific application

Offer cross-sectoral risk comparisons method


Adapts existing risk assessment techniquesto a system of system approach

Risk Assessment Metodologies for Critical Infrastructure protection Existing metodologies shortcoming

Methodologies developed at sectoral and assets level are well defined, tested, validated and thevast majority follows a linear risk assessment approach.

Existing sectoral and assets methodologies have been extended to cope with critical infrastructureinterdependencies.

This reflects the natural evolution of risk assessment methodologies existing already atorganizational level

These methodologies reveal their limitations when cross-sectoral issues have to beaddressed.

Detailed risk assessment is not applicable any more and a certain level of abstraction isnecessary.

Representing all assets of a networked system at the highest level of detail can leads tounprecedented complexity that is out of the scope for policy and decision makers.

Conclusion 1/2

In many cases, the risk assessment methodologies for CI are an adaptation ofmethodologies that have been used for assessing risks within the confined environment ofan organization.

These methodologies are tailored to the particular needs of this organization and biased toconsider only part of relevant threats. In such context, the application is facilitated by theknowledge of architecture and functioning principles, which are the preconditions formodelling and subsequent simulation.

This precondition is not always met when the risk assessment methodology exceeds thelimits of the organization and aims at the assessment of systems of systems, such asinterconnected infrastructure, for which the knowledge on architecture and functioningprinciples is fuzzy.

The true challenge for upscaling any risk assessment methodology to complex systems is todevelop effective approaches for the assessment of system of systems interdependences

Conclusion 2/2

The identification of cross-sectoral interdependencies would allow to assess cascading effects and return a common cross-sector risk figure so that comparison of sectors does not end up to a comparison of apples vs oranges.

Two main approaches have been identified: aggregated impact and scoring

In order to define a common approach for interdependencies assessment further cooperation is required among government authorities, CI operators and stakeholders.

Impact of infrastructure disruption is usually expressed in terms of aggregated figures that account for the economic losses. This is a straightforward choice that enables policy makers inter alia to evaluate different disruption scenarios including cascading effects across sectors and evaluate costs and benefits of mitigation measures.

In all available methodologies, resilience seams to be the missing element, or in the best option it is only implicitly addressed.

AIICDr. Luisa Franchina

PresidentE-Mail address

[email protected]

Thank you for your attention

for any further information

Documents

Risk assessment methodologies for Critical Infrastructures ...uranium.ing.uniroma3.it/wp-content/uploads/2015/10/... · Risk, Hazard and Protection definition Protection: all activities