CriticalInfrastructure

Protection

David AlexanderUniversity College London

“Those facilities, systems, sites andnetworks necessary for the functioningof society and the delivery of essentialservices upon which daily life depends.”

What is critical infrastructure?

"Those infrastructure assets (physicalor electronic) that are vital to the

continued delivery and integrity of theessential services upon which society

relies, the loss or compromise of whichwould lead to severe economic or social

consequences or to loss of life."

What is critical infrastructure?

The sectors of critical infrastructure

• water• energy• food• health• transport• communications• finance• government• emergency

services

Elements of critical infrastructure

Water: dams, treatment plants, pipelines, sewers

Energy: power stations, transmission lines

Food: distribution networks, warehouses and sales points

Health: hospitals, emergency systems, pharmaceuticals

Transport: road, rail, air, water

airports, sea ports, roads, railways, bridges

Communications: telephone, radio, cyber

Finance: banks, money supply, financial services

Government: national, regional, local

Emergency services: fire, police, ambulance, specialist.

• national - of importance to thefunctioning of national life and affairs

• local - of importance to thefunctioning of local life and affairs.

The divisions of critical infrastructure

• natural events (floods, storms, etc.)

• technological failures and human error

• terrorism and sabotage.

Hazards to critical infrastructure

Water

treatment works Railway station

Fire station

Electricity sub-station

Broadband antenna

Hospital

Supermarket

Power station

Waste water

treatment works

FLOOD SITUATION

Generation

output

restricted

Generator

out of service

Generator

out of service

Generator

out of service

Generation

output

increased

Additional

generator

on stand-by

Example of regional flood impact on electricity grid

Previously affectedNear misses

At risk(1 in 100)

Low risk

Risk exposure level

Low

Medium

High

Threat

Historic

Predicted

Low

Criticality scale

Impacton life

Economicimpact

Impact onessentialservices

Impa

ct c

ate

gories 5

4321

Critical threshold

Critical nationalinfrastructure

Other nationalinfrastructure

Virtuallycertain

HIGH

ProbableSIGNI-FICANT

Possible

ImprobableINTER-

MEDIATE

Highlyunlikely

LOW

Trivial Low Moderate Extensive CatastrophicFailur

e p

robability

Effects and degree of damage

Infrastructure criticality matrix

HAZARD

VULNERABILITY

EXPOSURE

A simplerisk assessment

matrix

Different definitions of exposure:

• under threat for agiven period of time

• at risk to a given extentof possible loss.

A person who spends five minutestwice a day crossing a bridge thatis at risk of collapse is exposedto that risk for 10/(60x24x7)=

0.00098 of a week

Command& control

Delegationto agency

Delegationto agency &negotiation

Enforcedself-

regulation

Voluntaryself-

regulation

Moreinterventionist

Lessinterventionist

The regulatory continuum

Governmentownership

Marketforces

The ALARP concept

Negligible risk

Unacceptable risk

Broadly acceptableregion (no need fordetailed work todemonstrate ALARP)

Unacceptable region

ALARP or tolerabilityregion: risk assumedonly if benefit warrants it

Cost of risk reduction

Risk

Inefficientmeasures

Disproportionatemeasures

Insufficientmeasures

Optimalmeasures

Critical infrastructure

Safeguarding critical infrastructures• redundant systems• adequate levels of operating supplies• fault-tolerant design• "fail-safe" design• adequate and reserve manpower• scenarios for failures and disasters• contingency and emergency plans- kept current

• involvement of top management

• measuring weaknesses

• creating resilience and redundancy

• restoring essential services.

Critical infrastructure protection:a programme, a plan or an activity

SMART criteria:S - specificM - measurableA - attractive,

acceptableR - realistic,

realisableT - timing.

The risk management process

Establishthe context

Identify hazardsand threats

Analyse risks

Evaluate risks

Manage risks

Accept risks

Com

mun

icate

and

con

sult

Mon

itor

and

review

Yes

No

1

2

3

Fully opera-tional

Opera-tional

Life safeNear collapse

Frequent

Occa-sional

Rare

Very rare

Performance level

Design standards versus performance levels

Design

leve

l Unacceptableperformance

for newconstruction

• measure interdependency

• adopt design standards

• create resilience.

Protection strategies

Policyadoption

Risk assessment• hazard• vulnerability• exposure

Policy assessment• costs• benefits• consequences

Disaster

Expectedlosses

Risk PolicyAssessment

Cyber

Hum

an

Physica

l

Set goals and objectives

Identify assets, systems and networks

Assess risks: vulnerabilities,threats, consequences

Prioritise

Implement programmes

Measure effectiveness

Continuous improvementto enhance protection

of

criticalinfrastructure and key resources

Feedback loop

interim.cabinetoffice.gov.uk/media/349103/strategic-framework.pdf

http://www.bmi.bund.de/SharedDocs/Downloads/EN/Broschueren/Basisschutzkonzept_kritische_Infrastrukturen_en.html?nn=441658