Critical infrastructure resilience

Thales Security Solutions & Services

Seven findings on Critical Infrastructures Resilience

CRITIS 2011 – Luzern – 09/09/2011 – Paul Théron


2 /2 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

The context

Very general, and diverse, definitions of resilience

Confusion between dependability, BCM, …, and resilience

Burgeoning standardisation initiatives in relation to resilience

The idea of extreme shocks is now fully accepted :

� «A recent OECD study* analysed whether cyber-incidents could lead to a ‘global shock’ as devastating as e.g. large-scale pandemics. They concluded that there are a very few cyberevents with the capacity to provoke a global shock. Although they state that there are many examples where cyber-incidents have caused a great deal of harm and financial loss, they conclude that the greatest concern for policy makers are large scale events caused by two different cyber-incidents taking place at the same time or a cyber-event taking place during another form of disaster or attack. »

In European Parliament (2011) Study Report on “The role of ENISA in contributing to a coherent and enhanced structure of network and information security in the EU and internationally”. Directorate General for Internal Policies ; Policy Department A: Economic and Scientific Policy ; Industry, Research and Energy, p21

* OECD (2011) Reducing Systemic Cybersecurity Risk. P. Sommer, I. Brown, IFP/WKP/FGS(2011)

So, the question is : Can we better define the notion of resilience ?


3 /3 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

REST : The REsilience Studies Team

REsilience Studies Team (REST) � Cyber REsilience Studies Team (CREST)

� Goals : To elicit the theoretical underpinnings of r esilience in order to build resilient socio-technic al systems

� Approach : Phenomena dynamics, Social-Ecological Sys tems, Organisation, Computing Science, Cognition/Ps ychology

� Scope : National, Societal / Territorial, Business, and Critical Infrastructure Resilience

� Methods : Literature review, Case studies, Action re search, EU & Collaborative projects, Dual experimen ts, Workshops

� Fields : Telecommunications, Energy, Communities, Bu siness, Political regimes, Work collectives, Fire-f ighters


4 /4 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Katrina (August 2005, New Orleans)

IncidentsIncidents

EvacuationEvacuation

AlerteAlerte

Dernières précautionsDernières précautions

RefugeRefuge

DévastationDévastation

ChocChoc SurvieSurvie

Préparation des secoursPréparation des secours

SécurisationSécurisation

DéploiementDéploiement

Après coupAprès coup

IncidentsIncidents

EvacuationEvacuation

AlerteAlerte

Dernières précautionsDernières précautions

RefugeRefuge

DévastationDévastation

ChocChoc SurvieSurvie

Préparation des secoursPréparation des secours

SécurisationSécurisation

DéploiementDéploiement

Après coupAprès coup

Paul Théron 2007


5 /5 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Défense

Manoeuvre

Survie

échec

échec

échec

Effondrement

Incident

Sauvetage échec

Destruction

Le feu est à 150/200 yards

Dodge ordonne de remonter le canyon

Le feu rattrape les hommes

Dodge ordonne de jeter les outils

Le feu va « exploser »

Dodge “invente” le “contre-feu” ; Sallee et Rumsey se sont réfugiés dans

une crevasse

Récupération

Dodge, Sallee et Rumsey ont survécu

Mais les 12 Smokejumpers ont succombé

D’autres Smokejumpers sont très grièvement blessés

On tente de les secourir…

Défense

Manoeuvre

Survie

échec

échec

échec

Effondrement

Incident

Sauvetage échec

Destruction

Le feu est à 150/200 yards

Dodge ordonne de remonter le canyon

Le feu rattrape les hommes

Dodge ordonne de jeter les outils

Le feu va « exploser »

Dodge “invente” le “contre-feu” ; Sallee et Rumsey se sont réfugiés dans

une crevasse

Récupération

Dodge, Sallee et Rumsey ont survécu

Mais les 12 Smokejumpers ont succombé

D’autres Smokejumpers sont très grièvement blessés

On tente de les secourir…

Mann Gulch (August 1949, USA, Montana)


Our findings…


7 /7 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

First finding on resiliency : what it has to do with

STRESS

FEAR

TRAUMA


8 /8 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Second finding on resiliency : what it is

pressureFragile

pressure pressure

more

Robust

Resilient pressure pressure

more

Yushi Fujita - Resilience Engineering Symposium, October 25-29, 2004, Soderkoping Brunn, Sweden

surprise


9 /9 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Third finding on resiliency : why it is needed

Davos report 2011

Rinaldi IEEE Control System Magazine 2001

Complexity frominterdependencies

A crisis-pronesociety


10 /10 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Fourth finding on resiliency : how it works

SurpriseSurprise

Plannedresponse

Navigation

Survival

fails

fails

fails

Collapse

Incident

Rescue fails

Destruction

Recovery

Learning

Preparation

Overwhelming circumstances

Crushing circumstances

Fate

Destabilising circumstances

Prev / Prot*

fails

VulnerabilityVulnerability

CRISIS

Post-traumaticRESILIENCE

PeritraumaticRESILIENCE

P Théron (2007-2011) Resilience V-Model

* Prevention / Protection


11 /11 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Fifth finding on resiliency : How it can be defined

« A crisis is an experience of collapse »

� Of a socio-technical system’s pillars

� What gives it its capacity to deliver

� Under the effect of a major shock

� Surprise

� Defencelessness

� Consciousness of a fatal issue

« Resilience is the aptitude of a socio-technical system to surmount a crisis »

� Getting-by

� Resisting

� Resuming

� Rebounding

# EC - JLS/2008/D1/018 : A study on measures to analyse and improve European emergency preparedness in the field of fixed and mobile telecommunications and Internet

Business a UsualDomain of

Emergencies

IncidentResponse

Procedures

Impacts

1Minor

Incident

4SevereShock

5ExtremeShock

0MinorEvent

2Major

Incident

3Severe

Incident

Range ofControlModes

ProceduredDefences

toIncident

Management

Creativeadaptation

toTactical

reasoning

Negligible Tolerable Untolerable

Business / SystemContinuity

Plans

CrisisManagementCapabilities

Skills & Knowledge

Impacts

1Minor

Incident

4SevereShock

5ExtremeShock

0MinorEvent

2Major

Incident

3Severe

Incident


ProceduredDefences

toIncident

Management

Creativeadaptation

toTactical

reasoning

Negligible Tolerable UntolerableImpacts

1Minor

Incident

4SevereShock

5ExtremeShock

0MinorEvent

2Major

Incident

3Severe

Incident


ProceduredDefences

toIncident

Management

Creativeadaptation

toTactical

reasoning

Negligible Tolerable Untolerable

Business / SystemContinuity

Plans

CrisisManagementCapabilities

Skills & Knowledge

EMERGENCY : situation in which a socio-technical system has to cope with a situation ranging from a major incident up to an extreme shock (2 �� 5)

Shift in theCommandment

paradigm

#

“The ability of a system to provide & maintain an acceptable level of service, in face of faults (unintentional, intentional, or naturally caused) affecting normal operation” http://www.enisa.europa.eu/act/res/files/glossary

“the ability of a system to recover from adversity, either back to its original state or an adjusted state based on new requirements. Building resilience requires a long-term effort involving reengineering fundamental processes, both technical and social.” EC COM(2009)149

“The ability of a system to provide & maintain an acceptable level of service, in face of faults (unintentional, intentional, or naturally caused) affecting normal operation” http://www.enisa.europa.eu/act/res/files/glossary

“the ability of a system to recover from adversity, either back to its original state or an adjusted state based on new requirements. Building resilience requires a long-term effort involving reengineering fundamental processes, both technical and social.” EC COM(2009)149


12 /12 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Sixth finding on resiliency : How it is obtained

Resilience requires

� Theory of resilience based on a

� Model of incidents dynamics

� Model of resilience production

� Emergency Preparation Process

� Collaborative

� Continuous Improvement Loop

� Emergency Response Organisation

� Tactical Decision Making

� Co-operative Processes

� Resilience Capabilities

Rules & Resource :-I1: Interpretation-I2: Reckoning & Anticipation-I3: Options Analysis

Rules & Resource :-M1: Time Margins-M2: Reserve Infrastructures-M3: Reserve Logistics-M4: Support Social Networks-M5: Intrinsic Robustness-M6: Creativity & Know-How-M7: Publics’ Sensitivity & Tolerance-M8: Publics’ Trust & Liking-M9: Financial & Legal Freedom

Rules & Resource :-F1: Urgentists-F2: Evacuation & Victims-F3: Clearing & Reconstruction-F4: Emergency Fund

Rules & Resource :-D1: Alarm & Mobilisation-D2: Strategies & Plans-D3: Decision-Making Procedures-D4: Chain of Command-D5: Chain of Control-D6: Communications & Interoperability

Rules & Resource :-O1: Intelligence-O2: Surveillance-O3: Reconnaissance

TR

Observation

Interpretation

MarginsForces

Com&Legal

Direction

Rules & Resource :-C1: Pre-Crisis Com-C2: Influence Network-C3: CrisCom Design-C4: MediaCom & HRCom-C5: Legal Action & Advice

Act upon Situation

See what’s going on Understand & Anticipate

on situation

Manoeuvre to regain Initiative

ManageTrust & Risk

Pilot Action

TR : Tactical Reasoning






TR

Observation

Interpretation

MarginsForces

Com&Legal

Direction


Act upon Situation


on situation


ManageTrust & Risk

Pilot Action







TR

Observation

Interpretation

MarginsForces

Com&Legal

Direction

TR

Observation

Interpretation

MarginsForces

Com&Legal

Direction


Act upon Situation


on situation


ManageTrust & Risk

Pilot Action


Awareness

Decision

Action

Awareness

Decision

Action TR

Awareness

Decision

Action

Awareness

Decision

Action TR

# EC - JLS/2008/D1/018 : A study on measures to analyse and improve European emergency preparedness in the field of fixed and mobile telecommunications and Internet

STKs

NSIE

infos

IRM

Alarm

RAS /CIWIN

Alarm

CERTs / TIERSs

TERC

infos Alarm

Alarm

REGULATOR

ENISA

infos

2

4

3

Report

5

56

9

coordination

Report

7

8

NFEP

NSM DB

infos

EP Measures

10

3

GOVERNMENT SERVICES

11

1

Incident

12

STKs

NSIE

infos

IRM

Alarm

RAS /CIWIN

Alarm

CERTs / TIERSs

TERC

infos Alarm

Alarm

REGULATOR

ENISA

infos

2

4

3

Report

5

56

9

coordination

Report

7

8

NFEP

NSM DB

infos

EP Measures

10

3

GOVERNMENT SERVICES

11

1

Incident

12

#


13 /13 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Seventh finding on resiliency : frameworks that could yield it

Governance : Emergency Preparedness Governance Model (EPGM)

Achievement targets : Emergency Response Framework (ERFW)

Process : Emergency Preparation Framework (EPFW)

Emergency PreparationActivities

PO

EL

LL

EX

AS

ED

PG

PO

EL

PO

EL

LL

EX

LL

EX

AS

ED

PG

AS

ED

AS

ED

PG

(re-)Assessment

Policy Making&

Strategy

Elaborationof

Measures

Education & Dissemination of good practices

Exercising&

Testing

Lesson Learningand sharing

&Monitoring

ProgrammeManagement

PO

EL

LL

EX

AS

ED

PG

PO

EL

PO

EL

LL

EX

LL

EX

AS

ED

PG

AS

ED

AS

ED

PG

(re-)Assessment

Policy Making&

Strategy

Elaborationof

Measures


Exercising&

Testing


&Monitoring

ProgrammeManagement

Emergency PreparationActivities

PO

EL

LL

EX

AS

ED

PG

PO

EL

PO

EL

LL

EX

LL

EX

AS

ED

PG

AS

ED

AS

ED

PG

(re-)Assessment

Policy Making&

Strategy

Elaborationof

Measures


Exercising&

Testing


&Monitoring

ProgrammeManagement

PO

EL

LL

EX

AS

ED

PG

PO

EL

PO

EL

LL

EX

LL

EX

AS

ED

PG

AS

ED

AS

ED

PG

(re-)Assessment

Policy Making&

Strategy

Elaborationof

Measures


Exercising&

Testing


&Monitoring

ProgrammeManagement

DIRECTIONS

PREPARATION

RESPONSE

EPFW

ERFW

EPGM

EEPC GUIDANCE & SUPPORT

Lessons Guidelines

Requirements Needs

DIRECTIONS

PREPARATION

RESPONSE

EPFW

ERFW

EPGM

EEPC GUIDANCE & SUPPORT

Lessons Guidelines

Requirements Needs

Strategic collaborationlevel

Programme Managementlevel

EC - JLS/2008/D1/018 : A study on measures to analyseand improve European emergency preparedness in the field of fixed and mobile telecommunications and Internet

GOVERNMENTS

STANDARDISATION

STAKEHOLDERS

Guidelines

Certification


Conclusions


15 /15 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Conclusions of the time…

Progress in the industry is currently led by a deficit of knowledge

� A burgeoning field of research but…

� A new, still ill-understood, topic in a complex context

� A silo mentality not helped by…

� A fundamental institutional inertia

� A window of opportunity for the most active lobbies leading to…

� A burst of standardisation initiatives despite…

� A fundamental lack of proper underlying models of resilience

� This may lead authorities and the industry to take inappropriate decisions

We need more inter-disciplinary, cross-industry, research

� Analysis of major incidents and lesson learning in relation to resilient responses

� Characterisation of major cyber shocks

� Resilience Management Frameworks

� Synergies between RM disciplines : safety, security, BCM, crisis management

� More real-world studies based on new models (ex for modelling interdependencies : new factors, real-life / real-size systems, real-li fe incident fine grained data)…


Thank you for your attention !

[email protected]


17 /17 /

Info

rmat

ions

con

fiden

tielle

s / p

ropr

i ét é

de T

h ale

s. T

ous

droi

ts r

é ser

vés.

/ T

hale

sco

nfid

entia

l / p

ropr

ieta

ry in

form

atio

n. A

ll rig

hts

res e

rved

P T

héro

n / C

RIT

IS 2

011

/ Luz

ern

09-0

9-20

11

Recent Bibliography

Theron P. (2009c) Resilience, Incident Reporting and Exercises. Measuring Resilience – the Next Challenge. ENISA

Quarterly Review Vol. 5, No. 4, December 2009

European Commission - DG JLS (2011) Study EC JLS/2008/D1/018: A study on measures to analyse and improve

European emergency preparedness in the field of fixed and mobile telecommunications and Internet.

http://ec.europa.eu/information_society/policy/nis/strategy/prep_study/index_en.htm

ENISA (2011) Enabling and managing end-to-end resilience. ENISA's website

ENISA (2011) National Risk Management Preparedness. http://www.enisa.europa.eu/act/rm/working-

group/WG%20NRPM%202010

Théron P (2011) Un nouveau paradigme pour l’étude des crises et de la résilience sociétale. Cahiers de la sécurité –

n°15 – janvier - mars 2011

News & Politics

Critical infrastructure resilience