Euracom - Risk Assessment and Contingency Planning Methodologies

DELIVERABLE D2.3

Integrated report on the link between Risk Assessment and

Contingency Planning Methodologies

Deliverable: D 2.3 Integrated report on the link between RA and CP

Version:

Seventh Framework Programme Theme ICT-SEC-2007-7.0-01

Project Acronym: EURACOM

Project Full Title: European Risk Assessment and Contingency

Planning Methodologies for interconnected networks

Grant Agreement: 225579

Coordinator: EOS

D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies

Page 2 of 118


Page 3 of 118

Table of Contents

1 Introduction .................................................................................................................................. 10

1.1 Context of EURACOM ........................................................................................................... 10

1.2 WP2 Deliverables .................................................................................................................. 11

1.3 WP 2.3 Objectives ................................................................................................................. 12

1.4 Links of WP2.3 with other EURACOM deliverables ................................................................ 12

1.5 Structure of the document.................................................................................................... 13

1.6 Acronyms ............................................................................................................................. 14

2 Analysis of links between available Risk Assessment and Contingency Planning methodologies ..... 16

2.1 Objectives of the section ...................................................................................................... 16

2.2 Relationship between Risk Assessment & Contingency Planning ........................................... 16

2.2.1 The preparation loop: from RA to CP ................................................................................ 17

2.2.2 The lessons learnt loop ..................................................................................................... 17

2.2.3 The relationship at a glance .............................................................................................. 18

3 Founding principles of the approaches ........................................................................................... 20

3.1 The Scope of applicability of the approaches ........................................................................ 20

3.2 Glossary of Terms and Risk Management Concepts .............................................................. 23

3.2.1 Definition of terms ........................................................................................................... 23

3.2.2 Impact for the combined structure of Risk Assessment and Contingency Planning

approaches .................................................................................................................................... 26

3.2.3 Towards a holistic, combined, all-hazards approach ......................................................... 27

4 Risk Assessment............................................................................................................................. 29

4.1 EURACOM WP 2.1 Desktop Study ......................................................................................... 29

4.2 Methodology for Holistic Risk Assessment ............................................................................ 30


Page 4 of 118

4.2.1 Overview of Structure ....................................................................................................... 30

4.2.2 Introduction to Holistic Risk Management ........................................................................ 31

4.2.3 Methodology description.................................................................................................. 32

4.2.3.1 STEP 1: Constitute the Holistic Risk Assessment Team .................................................. 32

4.2.3.2 STEP 2: Define the scope of the Risk Assessment .......................................................... 33

4.2.3.3 STEP 3: Define the scales for risk evaluation ................................................................. 34

4.2.3.4 STEP 4: Understand the assets in the scope .................................................................. 36

4.2.3.5 STEP 5: Understand the threats .................................................................................... 37

4.2.3.6 STEP 6: Review security and Identify vulnerabilities ...................................................... 38

4.2.3.7 STEP 7: Evaluate the associated risks ............................................................................ 40

4.2.4 Maintenance of the risk assessment ................................................................................. 41

4.3 The implementation of EURAM within the Energy Sector ...................................................... 42

4.3.1 Electricity Transmission .................................................................................................... 42

4.3.2 Gas Transmission .............................................................................................................. 49

4.3.3 Oil Transmission ............................................................................................................... 56

5 Contingency Planning .................................................................................................................... 63

5.1 Introduction ......................................................................................................................... 63

5.2 EURACOM WP 2.2 Desktop Study ......................................................................................... 63

5.3 The Contingency Planning Approach at a glance ................................................................... 66

5.4 Preparation Phase ................................................................................................................ 67

5.4.1 The Objectives and scope ................................................................................................. 68

5.4.2 Organisation for Contingency Planning ............................................................................. 70

5.4.3 Risk Mitigation Strategy Setting ........................................................................................ 73

5.4.4 Implementation of Prevention and Protection measures .................................................. 75


Page 5 of 118

5.4.5 Implementation of Response and Recovery measures ...................................................... 78

5.4.5.1 Approach - Scenarios selection ..................................................................................... 78

5.4.5.2 Continuity of Supply objectives..................................................................................... 79

5.4.5.3 Derive Supply Continuity Objectives in the infrastructure ............................................. 79

5.4.5.4 Define possible strategies to meet the Supply Continuity Objectives ............................ 80

5.4.5.5 Selection of strategies .................................................................................................. 80

5.4.5.6 Implementation of Response and Recovery Measures: the contingency plan ............... 81

5.4.5.7 Supporting data: the key elements of a Contingency Plan ............................................. 82

5.4.5.7.1 Incident Management .............................................................................................. 82

5.4.5.7.2 Crisis Management................................................................................................... 83

5.4.5.7.3 Business Continuity Management ............................................................................ 84

5.4.5.7.4 Disaster Recovery Management ............................................................................... 85

5.5 The Test, Exercise & Training Phase ...................................................................................... 87

5.5.1 Contingency Planning Training .......................................................................................... 87

5.5.2 Test the Contingency Plan ................................................................................................ 89

5.5.3 Contingency Exercises ...................................................................................................... 91

5.6 The Maintenance Phase ........................................................................................................ 94

5.6.1 Contingency Planning Maintenance .................................................................................. 94

5.6.2 Lessons Learnt .................................................................................................................. 97

6 The EURACOM Combined Risk Assessment and Contingency Planning Approach ......................... 100

6.1 The preparation loop .......................................................................................................... 101

6.2 The lessons learnt loop ....................................................................................................... 102

7 Managing Dependencies of the energy sector in Risk Assessment and Contingency planning ...... 104

7.1 Introduction ....................................................................................................................... 104


Page 6 of 118

7.2 Managing dependencies in risk assessment (EURAM) ......................................................... 105

7.2.1 Defining the scope of the analysis and the risk assessment team .................................... 106

7.2.2 Identifying vulnerabilities stemming from interdependency situations within a wider scope

106

7.2.3 Evaluating (inter)dependency risks ................................................................................. 108

7.3 Managing dependencies in contingency planning ............................................................... 109

7.3.1 Preparation Phase .......................................................................................................... 109

7.3.1.1 The Objectives and scope ........................................................................................... 109

7.3.1.2 Organisation for Contingency Planning ....................................................................... 110

7.3.1.3 Risk Mitigation Strategy Setting .................................................................................. 110

7.3.1.4 Implementation of Prevention and Protection measures ............................................ 111

7.3.1.5 Implementation of Response and Recovery measures ................................................ 111

7.3.2 Test Exercise and Training Phase .................................................................................... 112

7.3.2.1 Contingency Planning Training .................................................................................... 112

7.3.2.2 Test the Contingency Plan .......................................................................................... 113

7.3.2.3 Contingency Exercises ................................................................................................ 113

7.3.3 Maintenance Phase ........................................................................................................ 114

7.3.3.1 Contingency Planning Maintenance ............................................................................ 114

7.3.3.2 Lessons Learnt ............................................................................................................ 114

7.3.3.3 Monitoring and Information Sharing .......................................................................... 114

7.4 Current Framework for Operational Practices ..................................................................... 115

8 Conclusion ................................................................................................................................... 118


Page 7 of 118

Table of Figures

Figure 1: Structure of the EURACOM project ......................................................................................... 11

Figure 2: Interactions between Risk Assessment and Contingency Planning ........................................... 18

Figure 3: Interactions between Risk Assessment and Contingency Planning ........................................... 19

Figure 4: The energy networks analysis framework ................................................................................ 20

Figure 5: Energy players from organisational to international ................................................................ 21

Figure 6: High level overview of the Supply Chain .................................................................................. 21

Figure 7: Focus of RA and CP approach .................................................................................................. 22

Figure 8: The collection of the Risk Management processes .................................................................. 24

Figure 9: The EURAM 7 step Risk Assessment approach ......................................................................... 31

Figure 10: Holistic Risk Assessment Team .............................................................................................. 42

Figure 11: Impact Scales for Electricity Transmission ............................................................................. 44

Figure 12: Probability Scales for Electricity Transmission ....................................................................... 45

Figure 13: Common Threats to Electricity Transmission operators ......................................................... 47


Figure 15: Impact Scales for Gas Transmission ....................................................................................... 52

Figure 16: Probability Scales for Gas Transmission ................................................................................. 52

Figure 17: Common Threats to Gas Transmission operators .................................................................. 54


Figure 19: Impact Scales for Oil Transmission ........................................................................................ 59

Figure 20: Probability Scales for Oil Transmission .................................................................................. 59

Figure 21: Common Threats to Oil Transmission operators .................................................................... 61

Figure 22: The Contingency Planning 3 Phase Approach ........................................................................ 66

Figure 23: Contingency Planning Preparation Phase structure ............................................................... 67


Page 8 of 118

Figure 24: Risk Assessment Scale ........................................................................................................... 69

Figure 25: Role vs. Contribution Internal Matrix .................................................................................. 71

Figure 26: Role vs. Contribution External Matrix ................................................................................. 72

Figure 27: Continuity Objective Profile .................................................................................................. 79

Figure 28: Continuity Objective ............................................................................................................. 80

Figure 29: The test, exercise and training phase .................................................................................... 87

Figure 30: The maintenance phase ........................................................................................................ 94

Figure 31: The Combined Approach Taken by EURACOM to Risk Assessment and Contingency Planning.

............................................................................................................................................................ 100

Figure 32: The preparation loop .......................................................................................................... 101

Figure 33: The lessons learnt loop .................................................................................................... 102

Figure 34: The High Level Analysis of Risk Assessment and Contingency Planning. ............................... 105

Figure 35: A unique severity scale for multi-stakeholders scopes ......................................................... 107

Figure 36: A unique severity scale for multi-stakeholders scopes ......................................................... 108


Page 9 of 118


Page 10 of 118

1 Introduction

1.1 Context of EURACOM

The objective of EURACOM is to identify, together with European Critical Energy Infrastructure

operators, a common and holistic approach (end-to-end energy supply chain) for risk assessment and

contingency planning methods. This is to facilitate the establishment of appropriate levels of resilience

within critical energy services across the whole (end-to-end) energy infrastructure chain.

EURACOMs activities to define common risk assessment and contingency planning methodologies will

build upon the EURAM project results: the concepts of the EURAM methodology will be specifically

developed further for the energy sector.

The objective is to create more resilient energy infrastructures by developing methodologies and tools

that assure a dialogue, sharing of data and close co-operation between energy operators, large energy

users, security solution suppliers, administrations, regulatory bodies, and other stakeholders. This

approach requires common methodologies all along the value chain, from production to distribution. It

also requires common methodologies at different hierarchical levels, from individual companies up to

European level.

EURACOM has to cover all applicable hazards to the energy sector, including threats from natural

causes, human intent, technical failure, human failure, dependencies of other Critical Infrastructures

and other dependencies.

In the development of the EURACOM project, it was apparent that methodological solutions and

supporting tools should be developed in close cooperation with European Critical Energy Infrastructure

operators. The EURACOM project has been structured accordingly.

In order to develop the methodology and supporting tools, the structure depicted in Figure 1 is applied

to the EURACOM project.


Page 11 of 118

Figure 1: Structure of the EURACOM project

1.2 WP2 Deliverables

The role of Work Package 2 (WP2) in EURACOM is the identification of a common and holistic approach

for risk assessment and contingency planning. WP2 has three deliverables:

Deliverable 2.1: Concerns the analysis of available Risk Assessment approaches to identify good

practices from several domains including security industry, national guidance and energy standards.

Deliverable 2.2: Concerns the analysis of Contingency Planning approaches to identify good practices

from several domains including security industry, national guidance and energy standards.

Deliverable 2.3 (This Report): Concerns the analysis of the communally accepted links between Risk

Assessment and Contingency Planning practices and the creation of Risk Assessment and Contingency

Planning approaches which can be combined and are clearly targeted to the energy sector.


Page 12 of 118

1.3 WP 2.3 Objectives

The objective of Work Package 2.3 (WP 2.3) is described in the EURACOM Description of Work

document:

A 1.2 Project Summary: Abstract:

EURACOM objective is to identify, together with EU Energy Infrastructure Operators, a holistic

approach (end-to-end energy supply train: from fuel transport, power generation and transmission) for

risk assessment and contingency planning solutions

The scope also includes the requirement to report on the link between Risk Assessment and

Contingency Planning Methodologies.

In addition to the analysis of the link between Risk Assessment and Contingency Planning

methodologies, this report will deliver a combined and holistic approach to Risk Assessment and

Contingency Planning in a format that can be used as a framework for implementation by the Energy

sector operators. These main additional aspects are delivered through:

1. the creation of a risk assessment and of a contingency planning approach to be implemented at

operator (=organisation) level and,

2. as the last section of the document recommendations on how risk assessment and contingency

planning processes can be implemented and supported at higher level of analysis (i.e. on the

scope of interconnected energy infrastructures involving many operators).

1.4 Links of WP2.3 with other EURACOM deliverables

This deliverable D2.3 has relationships with several other EURACOM deliverables:

D1.1 Generic system architecture with relevant functionalities for hazard identification: D1.1 models

and describes the Energy environment in which the approaches described in this present deliverable

will be applicable. As such, D1.1 is a major input in defining the scope of D2.3 as described in section

3.1.

D2.1 Common Areas of Risk Assessment Methodologies: D2.1, after presenting the results of the

analysis performed in a Desktop study of available Risk Assessment approaches, provides conclusions

about the good practices of the discipline. These good practices will be used in order to develop the

EURACOM Risk Assessment approach as described in section 4.1.

D2.2 Common Areas of Contingency Planning Methodologies: D2.2, after presenting the results of

the analysis performed in a Desktop study of available Contingency Planning approaches, provides


Page 13 of 118

conclusions about the good practices of the discipline. These good practices will be used in order to

develop the EURACOM Contingency Planning approach as described in section 5.3.

D2.2 and D2.3 are also combined in order to feed into the analysis of the links between Risk

Assessment and Contingency Planning practices as described in section 2.

D6.3 Update and validation of used Risk Assessment and Contingency Planning methodologies: D6.3

will contain the final version of the EURACOM Risk Assessment and Contingency Planning

methodologies. These methodologies will have evolved from the approaches of D2.3 thanks to the

input of the case studies (WP4) and associated workshops (WP5). This will help in refining the

approach and in particular to tailor it to the needs of the Energy sector.

1.5 Structure of the document

The document is broken down in several sections:

Section 2 provides an analysis of links between available Risk Assessment and Contingency Planning

methodologies. It looks in particular at the way the two processes are relying on one another.

Section 3 presents the founding principles of the approaches by first presenting the scope of

applicability they are designed for, by positioning them against other concepts in a wider Risk

Management perspective and by providing some of the key characteristics they will have to comply

with.

Section 4 presents the results of our work to propose a Risk Assessment approach to the energy

sector.

Section 5 presents the results of our work to propose a Contingency Planning approach to the energy

sector.

Section 6 summarises how the Risk Assessment approach and the Contingency Planning approach

interact to deliver The EURACOM Combined Risk Assessment and Contingency Planning Approach.

Section 7 presents recommendations to allow the implementation of the EURACOM approaches at

higher level of analysis (i.e. above the single operator level) for Managing Dependencies of the energy

sector in Risk Assessment and Contingency planning


Page 14 of 118

1.6 Acronyms

BCM Business Continuity Management

BCP Business Continuity Planning (or Plan)

BIA Business Impact Analysis

CI Critical Infrastructure

CIP Critical Infrastructure Protection

CM Crisis Management

CP Contingency Planning (or Plan)

DR Disaster Recovery

EU European Union

ICT Information & Communication Technologies

IM Incident Management

IPOCM Incident Preparedness and Operational Continuity Management

KPI Key Performance Indicator

OR Organisational Resilience

PDCA Plan Do Check Act

PM Project Management

RA Risk Assessment

RAM Risk Assessment Methodology

RM Risk Management

TSO Transmission System Operator


Page 15 of 118


Page 16 of 118

2 Analysis of links between available Risk Assessment and

Contingency Planning methodologies

2.1 Objectives of the section

The objective of this section is to identify the links and the interactions between Risk Assessment and

Contingency Planning. The scope of this section satisfies the EURACOM Description of Work

requirement to report on the link between Risk Assessment and Contingency Planning

Methodologies

2.2 Relationship between Risk Assessment & Contingency Planning

Risk Assessment and Contingency Planning are both key elements within an organisations Risk

Management process. They are essential in the effort to ensure that risk are identified, prevented,

treated and where risk mitigation is not feasible, processes are created and implemented to manage

incidents should they occur.

The EURACOM deliverable D2.1 (Common Areas of Risk Assessment methodologies) highlighted, by its

non-inclusion, the issue that the majority of Risk Assessment standards and methodologies make little, if

any, reference to the Contingency Planning processes, even though Contingency Planning processes rely

on a clear evaluation of the business impact of adverse events. The EURAM methodology is an exception

in this respect as it discusses contingency and includes scenario based contingency workshops within the

methodology itself.

In contrast to this, the findings within the deliverable D2.2 (Contingency Planning Methodologies and

Business Continuity) highlighted within section 2.4 Relation to Risk Management, that the majority of

the Business Continuity and Contingency Planning Standards and Guidelines included some element of

Risk (and Vulnerability) Analysis (and also Business Impact Analysis) within the structure of their

framework. D2.2 also identified that although this Risk Assessment link/requirement was included

within most of the Standards and Guidelines, the depth of this Risk Assessment link/requirement is very

limited with little or no granularity.

However, there are some links between the two set of practices even if those are not translated into

standards. This section aims at clarifying what these links are and therefore provides objectives for the

development of the Risk Assessment and Contingency Planning sections developed later in this

document. Please see Figure 8: The collection of the Risk Management processes , for a high level

overview on where the two processes reside within the Risk Management process.


Page 17 of 118

2.2.1 The preparation loop: from RA to CP

As the essential underpinning element of the Risk Management process, Risk Assessment is the initial

process used to assess the potential impact and the likelihood of threats exploiting vulnerabilities.

Therefore the Risk Assessment process, along with the Business Impact Analysis, provides an

organisation with the necessary information required to address risk (Treat, Avoid or Accept) in line with

the organisations Risk Management objectives.

The Contingency Planning process receives the majority of its input from the Risk Assessment process

(including the Business Impact Analysis). Contingency Planning is used by an organisation to plan for the

prevention of incidents by implementing formal protective controls and also with ways of minimising

the effect of an incident by creating appropriate response and recovery processes.

2.2.2 The lessons learnt loop

The lessons learnt following Contingency Planning exercises, testing or incidents (within the organisation

or more largely within the energy sector) will provide a feed back to the organisations Risk Management

Life Cycle. Following this input, several maintenance actions can take place at multiple levels:

First the previous Risk Assessments may require to undergo re-evaluation in order to integrate new

data about risk elements through better understanding of vulnerabilities, finer evaluation of threats

or better appreciation of the actual chain of reaction that would cause the ultimate impact on the

organisation;

Then the mitigation controls may be reviewed in order to cover the gaps identified by the lessons

learnt.


Page 18 of 118

2.2.3 The relationship at a glance

From the first principles described in the preparation loop and in the lessons learnt loop, it is possible to

build a high-level picture of relationships between Risk Assessment and Contingency Planning processes.

Figure 2: Interactions between Risk Assessment and Contingency Planning

The preparation loop is a very linear process of implementation of the succession of steps in Risk

Assessment and Contingency planning. On the other hand, taking into account lessons learnt is an

activity, which requires coming back to previous stages of the analysis, update information, cascade the

results into the later stages and to ensure that all underlying elements (processes, documents, plans,

etc.) are kept up to date in a controlled manner. It is therefore important that this loop is controlled

through a sound process. For this purpose, it is possible to introduce a maintenance process which will

coordinate all updates of Risk Assessment and Contingency Planning from lessons learnt but also on

other events like periodical review of plans, change in environment (new threats, etc.), and change in

operations. By doing this, the lessons learnt loop is better controlled and the changes they can induce

are managed consistently with the other changes that can result from other maintenance operations.

The introduction of maintenance in the link is introduced below:


Page 19 of 118

Figure 3: Interactions between Risk Assessment and Contingency Planning

This high level view provides the desired output for the EURACOM RA and CP approaches to operate in a

combined manner and sharing a common maintenance process.


Page 20 of 118

3 Founding principles of the approaches

3.1 The Scope of applicability of the approaches

The EURACOM deliverable D 1.1 provides a view of the energy networks which are analysed, and a way

to model the energy networks. These views are analysed on different layers as illustrated on the

following diagram.

Strategy

Pro

cess

Inform

ation

Netw

ork

Organisational level

National level

European level

ELECTRICITY

GAS

OIL

Figure 4: The energy networks analysis framework

On this framework, the issue of resilience of energy networks is applicable in and across all the

dimensions depicted in this diagram:

From Organisational to European levels as the issues are not only intrinsic to the individual

organisations and the consequences and the management of adverse events have respectively the

potential and the necessity to spread at European scale.


Page 21 of 118

Producers End Users

Transmission Operators

Distribution Operators

Traders / Shippers Suppliers

Ownership of commodities

Figure 5: Energy players from organisational to international

Within each of the Oil, Electricity and Gas services throughout their energy sector supply chain and

also across sectors as energy flows move from one sector to another (mainly from Gas to Electricity).

Figure 6: High level overview of the Supply Chain

In all the layers of one organisation Strategy, Process, Information and Network as the risk factors

and the associated responses do not reside in a single layer and rather form a holistic posture where

all the measures taken at strategic, processes, information or network level are meant to work in

conjunction.


Page 22 of 118

This very short introduction to the scope (not entering into any detail) of D 1.1 already provides an

insight to the order of magnitude of the complexity of the subject and it is not the objective of

EURACOM to provide answers to all of this. The objective and therefore the scope of D2.3 is to

concentrate on the energy operators for which the Risk Assessment and Contingency Planning

methodologies are meant (as depicted on the figure below). This does not mean that the full picture

does not need being taken into account. On the contrary, this picture is very important to set and to

integrate to understand in which context each single operator Risk Management approach (i.e. Risk

Assessment + Contingency Planning) will have to operate.

Strategy

Pro

cess

Inform

ation

Netw

ork

Organisational level

National level

European level

ELECTRICITY

GAS

OIL

Figure 7: Focus of RA and CP approach

The scope of applicability for WP 2.3 is governed by the EURACOM deliverable D 1.1 and is to build up

the method to start with the operator level and expand to higher levels at later sections in the

document (i.e. National or European level). The justification of this is that the implementation of

consistent and efficient risk management by each operator within its organisation is the prerequisite

and foundation for a collective and federated resilience across sectors and borders. This focus on single

operators should not forget the relationships they have with other external stakeholders. On the

contrary, it should treat them as critical but from the sole perspective of the entity on which the analysis

is applied. To meet this objective, the EURACOM D2.3 deliverables proposes first a generic approach to

Risk Assessment and Contingency Planning for energy operators and then provides specific information

on how to actually implement this generic approach into the distinct sectors of Electricity, Oil and Gas.

These sectors are analysed through the focal point constituted by TSOs which are at the heart of mutual

dependencies at European level and by taking into account their connections to the rest of the supply

chain (source, distribution, other grids, etc.).


Page 23 of 118

The initial path explored by the document was to view Risk Assessment and Contingency Planning at the

operator level, then the end of the document gives some directions to reflect on for analysis at higher

levels where interactions are not any more seen only from one organisation perspective but from the

point of view of a network of organisations.

3.2 Glossary of Terms and Risk Management Concepts

3.2.1 Definition of terms

It has been identified as part of the desktop studies of task 2.1 and task 2.2 that the use of terms varies

considerably with mixes of notions like contingency planning and business continuity planning. The

stance taken in EURACOM is one of integrated risk and contingency management1. For the purpose of

this document, the descriptions of the different terms are as follows:

Risk Management

This is the collection of processes that form an organisations formal threat and vulnerability

management process. This includes all processes for risk assessment, risk treatment, risk avoidance, risk

acceptance, response and recovery.

1 Integrated Emergency Management concept - Guidance on Part 1 of the Civil Contingencies Act 2004 HM

Government United Kingdom


Page 24 of 118

Figure 8: The collection of the Risk Management processes

Risk Assessment

Risk Assessment is the process used to assess the potential impact and the likelihood of a threat

exploiting vulnerabilities in order to provide a risk rating prior to the implementation of any risk

treatment or mitigation.

Business Impact Analysis

Business Impact Analysis is the analysis of how a risk scenario can cause a loss to an organisation, this

analysis is primarily orientated on the impact on the organisations business processes.

Risk Treatment

Risk Treatment is where the risk is reduced by the implementation of countermeasures designed for risk

mitigation. Risk treatment measures are aimed at reducing the probability and/or the severity of risk

factors.

Risk Avoidance

Risk Avoidance is used where the Risk Treatment is too costly or too impractical to implement and

where Risk Acceptance is not a viable option for an organisation to consider. Risk avoidance is a decision


Page 25 of 118

to change the company infrastructure or more largely the mode of operation to ensure there is no more

exposure to a risk.

Risk Acceptance

Risk Acceptance is utilised when the risk level is acceptable to the business or when the risk can not be

avoided or mitigated to an acceptable residual risk level. The decision is ultimately taken by the

organisation risk owner(s) to accept the risk or residual risk.

Contingency Planning

Contingency Planning is required to plan for incidents by implementing formal controls to assist with the

prevention of incidents and also with ways of minimising the effects should an incident occur by creating

appropriate response and recovery processes.

Contingency Plan

A contingency plan is one of the results of Contingency Planning. Contingency plans are the set of

controls materialised through organisation, measures and resources which are put in place as a

response and recovery capability to respond to major incidents.

Contingency Planning vs. Contingency Plan

Contingency Planning is the process by which an organisation prepares itself for the management of

incidents and this covers the identification and implementation of prevention, protection, response and

recovery mechanisms.

The contingency plan is a result of this process focusing on formalising the mechanisms for response and

recovery should an incident occur.

Incidents, Major Incidents, Disasters & Crises

Various definitions exist for these terms. EURACOM proposes to classify these terms in two categories

depending on their magnitude and the reaction they trigger for an organisation:

1. Incident is a term used for the occurrence of issues which are a priori of limited magnitude. As a

consequence, an organisation would deal with incidents as part of a routine Incident

Management Process.

2. Major incidents, Disasters and Crises are reserved for issues whose order of magnitude or

complexity can not be handled through a routine incident management process and require the


Page 26 of 118

special dispositions of Incident Management (or Crisis Management), Business Continuity and

Disaster Recovery. High Impact, Low Frequency events fall for example in this category.

Incident Management

Incident Management is a process that an organisation puts in place to manage the occurrence of

incidents of low to moderate magnitude. The Incident Management process has the possibility of

escalating into Crisis Management should the situation deviate from a low to moderate magnitude.

Crisis Management

Crisis Management is used to formally manage an active incident which has escalated beyond the

routine Incident Management process. Crisis management is the organisational and infrastructure

measures put in place to ensure that an organisation can be organised in times of crisis (alert rising,

crisis cell mobilisation, decision taking, situation awareness and communication of directives).

Business Continuity

Business Continuity ensures that business recovery processes are implemented to ensure continuity of

service with the minimum of disruption. Business continuity is mainly targeted at continuity of supply of

goods or services.

Disaster Recovery Management

Disaster Recovery Management is often used as IT Disaster Recovery Management; it provides the

processes for the recovery of key ICT systems following an incident.

3.2.2 Impact for the combined structure of Risk Assessment and

Contingency Planning approaches

The clarification of these terms allows for the scope and definition of the boundaries and the links

between the Risk Assessment Approach and the Contingency Planning approach.

When considering the combined nature of the two approaches developed in this document, the choice

has been taken to remove all Risk Assessment or Business Impact Analysis from the Contingency

Planning approach. It is worth mentioning that, as the analysis within D2.2 has shown, most of the

Business Continuity or Contingency Planning approaches integrate a Business Impact Analysis stage. Our

choice to remove that step has been taken as the EURACOM Contingency Planning approach will receive

those inputs from the EURACOM Risk Assessment approach.


Page 27 of 118

Also EURACOM clarifies the differences and relations between concept whose boundaries are often

fuzzy like Contingency Planning, Business Continuity, Incident & Crisis Management and Disaster

Recovery. All these notions are federated and are clearly differentiated under the umbrella of

Contingency Planning which covers the entire spectrum of issues.

3.2.3 Towards a holistic, combined, all-hazards approach

The EURACOM approach should respond to three main characteristics. These should be:

Holistic in terms of infrastructure coverage, which means that it should include all aspects that

contribute to operations, i.e. the physical infrastructure, the ICT infrastructure, the organisation

(including links to external stakeholders) and human factor aspects, and the human resources.

Combined in the sense that Risk Assessment and Contingency Planning processes need to be closely

integrated with clear linkages between one another.

All-hazards, in the sense it will cover the two main categories:

1. Accidental (Human or Technical, Natural causes, or linked to external dependencies), and

2. Deliberate (Human).


Page 28 of 118


Page 29 of 118

4 Risk Assessment

4.1 EURACOM WP 2.1 Desktop Study

EURACOM WP2.1 performed an analysis on available risk assessment methodologies in order to learn

from good practices and also to assess their suitability to the context of EURACOM. The analysis, the

results and the recommendations are reported in D2.1 Common areas of Risk Assessment

Methodologies.

The major conclusions from WP2.1 are:

[]

When we look at the EURAM method and compare it to the RA methods we assessed, we can conclude:

The EURAM method is still one of the few methods which is both holistic, all-hazard and

generically applicable to all Critical Infrastructure (CI) sectors.

The EURAM method is one of the few methods that can be applied to all operational and

organisational levels of CI and even trans-sector.

The EURAM method is unique in the sense that it provides a mechanism to spread responsibilities

for risk management over all levels while assuring all risk factors are addressed. Additionally, this

is facilitated by a non-prescriptive mechanism.

The EURAM method is still rather conceptual and has few supporting tools (although it includes

the start of some supporting checklists).

The EURAM method complies with the common good practice approaches identified in most of the

other Risk Assessment methods.

[]

The further recommendations from WP2.1 to develop the EURACOM Risk Assessment approach are:

[]

Develop supporting tools (checklists or otherwise) to support easy application of the method with

respect to determining:

o Threats

o Vulnerabilities

o Effects

o Assets

Supply clear, tangible, and easy-to-follow steps that require a minimum of expertise of the user.

o Develop a supporting glossary of the terms used;

o Support the execution of the method with simple, easily distributable tools.

Develop a checklist whereby the user can determine beforehand what information is required to

complete the RA and where it may be found.


Page 30 of 118

Of course, when the RA method is to be applied to a single sector, it can be further honed to the needs of

that specific sector (e.g. energy), by conforming to the terminologies of the sector, concentrating on

specific assets, threats, vulnerabilities, and effects that are most relevant to the sector. This will further

heighten the ease of use.

[]

These conclusions and recommendations are used to develop the EURACOM Risk Assessment approach.

4.2 Methodology for Holistic Risk Assessment

4.2.1 Overview of Structure

The seven steps of this risk assessment process are described below from a high level perspective. These

are directly extracted from the results of the EURAM approach. The changes introduced by EURACOM

will become visible at a more granular level and will include the tailored approach for the energy

transmission operations within the energy sector including: Electricity in section 4.3.1, Gas in section

4.3.2 and Oil in section 4.3.3. The decision to narrow the scope to transmission is justified by the fact

that energy grids are the pivotal point of dependencies and cascading effects at European scale whether

we talk about dependencies between grids themselves or their interaction with source and distribution.

In this sense energy sources and distribution knock on effects are analysed through the point of view of

the transmission networks and especially the impact they can induce on energy transmission networks

and in turn how these networks can propagate the impact to the distribution.


Page 31 of 118

Figure 9: The EURAM 7 step Risk Assessment approach

4.2.2 Introduction to Holistic Risk Management

Before presenting the detail of the methodology, it is important to present what a Holistic Approach to

Security means.

A holistic approach or holistic risk management aims at managing risks using a joined up approach.

This joined up approach requires each dimensions of risks to be considered, these dimensions are:

Physical security.

Information and Communication Technology security.

Organisational security.

Human factor aspects regarding security.

These four dimensions will be used to analyse each of the components of the risk (please refer to

the glossary section):

Assets.

Vulnerabilities.

Threats.

Effects.


Page 32 of 118

4.2.3 Methodology description

4.2.3.1 STEP 1: Constitute the Holistic Risk Assessment Team

The objective of this step is to select a team that will be in charge of conducting the holistic Risk

Assessment.

This team will be ideally composed of several persons including:

A team leader that will be responsible for the completeness, consistency and homogeneity of the risk

evaluation, and

Several team members who will bring their expertise from the four dimensions of holistic security

physical, Information and Communication Technology, Organisational and human aspects. For the

reliability of the risk assessment process the team members should be independent, i.e. those not

implementing the process. The implementers will be consulted during the risk assessment process and

will contribute with their expert knowledge.

It is important that the skills and experience are carefully selected as it is the basis of a successful risk

assessment. It is also important to make sure that everybody in the team understands the holistic

approach to security.

With regards to the team leader, the role is extremely important as this person will be in charge of

ensuring that all areas of risk are given equal consideration and that the process of information sharing

and identification of risk within the team goes smoothly. As this role is so critical, it is suggested that

organisations seek external assistance on the above to overcome any skill gaps or other potential

internal difficulties.

Concerning the lead associated to the exercise, it is recommended that the responsibility of the

implementation of the approach be at a transversal level to avoid the pitfall of silos 2often found in

organisations. When the scope is at a company or operator level, this means that the ownership of the

risk assessment has to be taken at senior management level above the various departments or

functions.

Output: An operational holistic risk assessment team

2 Silos is referring to the compartmentalisation often noticed in organisations where risk factors are not

managed across the whole organisation but in silos (e.g. Physical Security, IT security, HR, etc.).


Page 33 of 118

4.2.3.2 STEP 2: Define the scope of the Risk Assessment

This step can be implemented on smaller or larger scopes with more or less detail depending on the

resources applied and the stakes involved, as the principles remains applicable with scale. However, the

scope of the holistic risk assessment needs to be clearly defined and understood by all the team.

The scope definition needs to have its reality set from a holistic point of view which means that:

It should have a physical perimeter including physical assets.

It should be composed of defined systems and networks.

It should have boundaries from an organisational point of view with identification of the various

job functions involved.

Please note that dependencies of the organisation towards elements outside of the scope can be

analysed using the results of the EURAM project on the Methodology for (inter)dependency analysis.

Output: Definition of scope understood by all team.


Page 34 of 118

4.2.3.3 STEP 3: Define the scales for risk evaluation

This methodology takes the path of practicality. The evaluation of the risk (R) is reached by direct

evaluation of probability of occurrence (P) and Severity (S). With R = P x S.

It is therefore important at the beginning of the project to define the scale against which probability and

impact will be evaluated. For practical reasons, qualitative scales are advised on a 1 to 5 range as it gives

enough values to discriminate the risks.

The Severity and Probability scale can be presented this way.

Probability 1 2 3 4 5

Very low

probability

Low

probability

Medium

probability

High Probability Near certainty

Evaluation of

feasibility of an

attack or likelihood

of an accident

Concerning the probability scale and later on in the methodology, there are a few pitfalls and good

practices to keep in mind when carrying out the exercise:

Probability scales need to fit with mainly two types of adverse events:

1. Untargeted attacks or accidents. For these types of events the most appropriate way to evaluate

probability is based on historical evidence, using for example experience or statistics on records

from past incidents. These records can be gathered at the operator level on past incidents in

their particular infrastructure but for low occurrence events wider scopes of information (e.g.

sector records, national records if available) would provide a more extensive view of the number

of incidents for a statistical analysis.

2. Targeted or intentional attacks. For these types of events, the statistical approach is not as

appropriate as the fact that an incident has not occurred yet does not mean it is not a feasible

attack and even less that it is not going to happen in the future. The more appropriate approach

to evaluate the probability of such events is to evaluate the feasibility of an attack taking into

account various factors as attractiveness of the target (asset), motivation/ skills/ resources of

the attacker and level of protection of the target (asset). In this area, it might be difficult for

operators to assess the probability of certain areas of risks; this is where there can be significant

value in sharing information with peers from other organisations or to receive intelligence

information from national intelligence agencies.


Page 35 of 118

Severity 1 2 3 4 5

Low impact Medium

impact

Significant

impact

Critical impact Most severe

impact

Evaluation of impact

on product/ service

delivery, citizen

security, image,

citizen confidence,

financial impact, or

other aspects.

Even if impact and probability levels examples have to be adapted to the scope of the analysis, it is

necessary to have a common definition of impact and probability levels, to enable analysis of

interdependencies between critical infrastructures. Therefore generic scales across sectors should be

used (please refer to section 7.2.3 for detail).

Output: Defined scales for evaluation of Probability and Severity.


Page 36 of 118

4.2.3.4 STEP 4: Understand the assets in the scope

The objective of this section of the risk assessment is for the team members to get an understanding of

how the critical infrastructure delivers its service/product. The objective is therefore to understand the

organisation in place, the infrastructure (physical or IT) necessary to operate and also the skills required.

Through this task, the whole team will understand broadly the operations of the critical infrastructure.

Each expert should also reach a deeper understanding of the assets in his area of expertise:

Physical assets,

ICT assets,

Organisational assets,

Human resources.

It is important to note that the methodology described in the EURAM project for the analysis of

(inter)dependencies, when applied on the same scope as the risk assessment, can also assist in

understanding how the various assets interact to support the operations.

Output: General understanding of the assets involved and their criticality for the operations (this does

not imply formalisation of an exhaustive asset register as it is felt that such a detailed register adds little

additional value to the approach suggested)


Page 37 of 118

4.2.3.5 STEP 5: Understand the threats

The objective of this stage is to understand the threat context the infrastructure faces. This does not

mean that an exhaustive inventory of threats has to be conducted as it is understood that a vast

majority of threats are going to be common and already clearly understood by each expert in his

domain.

The objective here is more to understand specific areas of the threat profile. Threats need to be

understood in the context of the infrastructure studied: level of terrorist threat in the country, past

natural disasters in the region, past incidents in the sector or other intelligence on specific threat agents.

To support the collaboration between critical infrastructures in performing risk analysis and

interdependencies analysis, it is necessary that similar types of threats are considered to ensure

consistency of results. Following this principle, the team should refer to a list of classes of threat to

consider when doing the analysis to avoid any gaps. An example of a generic threat classification is given

for each specific sector, i.e. Electricity, Gas and Oil, in sections 4.3.1, 4.3.2 and 4.3.3. In these

classifications, dependence upon other infrastructures is one of the threat categories.

Output: Threat profile report detailing information on the level of specific threats in the context of the

target of the risk assessment.


Page 38 of 118

4.2.3.6 STEP 6: Review security and Identify vulnerabilities

The objective of this step is for the security experts of the team to review the actual security controls in

place to protect the infrastructure, given the assets and threat context understood at the previous

stages.

This will lead to the identification of missing security controls and also the effectiveness of these security

controls in managing the risk. This will then lead to the identification of the vulnerabilities across the

various dimensions of the holistic risks:

Physical vulnerabilities (e.g. lack of perimeter protection, lack of access control)

ICT vulnerabilities (e.g. no segregation of networks, no antivirus)

Organisational vulnerabilities (e.g. no segregation of duties, no allocation of security

responsibilities)

Human vulnerabilities (e.g. poor training, no screening of key personnel)

Sources supporting security review and vulnerabilities identification

An energy transmission operator will be required to identify a number of sources for vulnerability

information and will also have to rely on their own subject matter experts to verify that vulnerabilities

exist, or not as the case may be, within the organisation.

To support this process, there are two main types of available information:

Security standards providing good practices on security implementation. These sources can be

used in order to perform a gap analysis. On this principle, any significant gap to good practices

can be considered as a vulnerability.

Vulnerability information sources providing data on actual vulnerabilities. These sources are

much more focused to specific vulnerabilities that may be exploited by specific threats, which

may reside in a particular technology, etc.

These two types of information can be found in several sources:

Industry Associations: Industry associations will provide a good source for the notification of sector

explicit and general vulnerabilities, as these organisations are setup to aid and assist the industry to

maintain good practices and therefore they will highlight vulnerabilities that may harm their members.

Industry associations may not always provide a service that is very current (dependent on the criticality

level of vulnerability), especially if they issue periodic vulnerability bulletins, e.g. monthly.

National Government (Security): Government departments will often provide Critical Infrastructure

organisations updates on the security threats within the sector which will enable an operator to validate


Page 39 of 118

if their organisation and infrastructure is potentially vulnerable. As for example: the UK Centre for the

Protection of National Infrastructure (CPNI): The CPNI provides Critical Infrastructure within the UK

with Security advice and security good practice guidelines, including an ICT vulnerability watch service.

http://www.cpni.gov.uk

Some private companies provide a security assessment and notification service about physical security

threats to sectors such as the energy sector (including early detection and remediation advice where

appropriate). Information about such threats and vulnerabilities are sent out to the subscribed service

users.

Some Government departments and private companies will provide an ICT vulnerability watch and

notification service where ICT vulnerabilities (including remediation advice where appropriate) are

collated and sent out to the subscribed service users.

Manufacturers: These will often provide notification of vulnerabilities within their products

(software/hardware) and suggestions for remediation, but sometimes they may not be able to provide

timely notification or even effective remediation.

Internal: It is also very important that an Energy Transmission System Operator utilises it own internal

experts to monitor their environment and maintain a level of vulnerability watch within their area of

expertise.

Examples of other sources for vulnerability information and assistance

Guide for ICT Vulnerability Identification: ICT Standard ISO/IEC 27002 for Corporate ICT systems. This

Standard provides good practices for ICT security. It is therefore possible through a gap analysis to

identify vulnerabilities.

MPSCIE, E-SCSIE and national process control information exchanges (e.g., ISACs): The Meridian,

European, and national SCADA (and process control) Security Information Exchanges aims for the

process control users, governments and research to benefit from the ability to collaborate on a range of

common security-related issues, and to focus effort and share resource where appropriate. The

intended outcome is a raised level of protection adopted across international as well as Europe's SCADA

and other Process Control Systems.

The National Vulnerability Database (NVD): Is a publicly accessible reference system for publicly known

ICT vulnerabilities and exposures. It is funded by the National Cyber Security Division of the United

States Department of Homeland Security: http://nvd.nist.gov/

Bugtraq: This is a mailing list where ICT Security issues and vulnerabilities are sent to subscribers of the

service. Options to subscribe to other Security related information such as security incidents is also

available: http://www.securityfocus.com/archive


Page 40 of 118

NIST: The US National Institute of Standards and Technology have issued a publication on Creating a

Patch and Vulnerability Management system: http://csrc.nist.gov/publications/nistpubs/800-40-

Ver2/SP800-40v2.pdf

MITRE:

1. CVE database is a dictionary of publicly known information security vulnerabilities and

exposures. http://cve.mitre.org/

2. Common Weakness Enumeration (CWE) provides a unified, measurable set of software

weaknesses that is enabling more effective discussion, description, selection, and use of

software security tools and services that can find these weaknesses in source code and

operational systems as well as better understanding and management of software

weaknesses related to architecture and design. http://cwe.mitre.org/

CVSS-SIG Common Vulnerability Scoring System Support v2 (CVSS) CVSS provides a universal open and

standardized method for rating IT vulnerabilities. http://www.first.org/cvss/

Output: Documented list of detailed vulnerabilities on the scope of the study in all areas of holistic

security.

4.2.3.7 STEP 7: Evaluate the associated risks

From the vulnerabilities listed at the previous stage, associated risks are identified. For each

vulnerability identified, the associated scenario(s) of incident can be developed. A scenario of incident

associated to a vulnerability is a threat exploiting this vulnerability to harm assets and more largely the

infrastructure.

For each scenario, probability and severity are evaluated using the scales previously defined which

allows then to evaluate the risk associated to each vulnerability.

It is important to note that this step of the risk assessment can also benefit from inputs from an

(inter)dependency analysis (please refer to the (inter)dependency analysis approach developed by the

EURAM project) carried out on the same scope. This dependency analysis will provide useful information

for identification of scenarios and ranking of associated risks. In this context, the different components

of the risk will be identified in the following manner:

Vulnerability: In the case of a dependency, the vulnerability is that one or several assets are

dependent on a service provided with limited resilience in case of disruption of this service.

Threat: In this context the threat is the disruption of the essential service associated to the

dependency.

Asset: the assets impacted are the assets being dependent.


Page 41 of 118

Severity: the dependency analysis will provide useful information for severity analysis identifying

in particular any possible knock-on effects and evolution of the impact over time.

Probability: The evaluation of the probability will be supported by the description of the

dependency context.

The result of this last step is the list of relevant risks that the infrastructure faces from a holistic point of

view. These risks are all evaluated and ranked which will support decision making in the risk mitigation

process part of the contingency planning approach.

Output: List of risks that have been qualified in terms of associated vulnerability (ies) and probability &

severity levels.

These risks will also be useful to support interdependencies analysis between critical infrastructures. By

construction these risks can be compared or cross-analysed with risks identified in an other

infrastructure provided that the same approach has been followed. This methodology used with

supporting guidelines ensures:

Consistent definition of scope,

Consistent scales for impact, probability and risk evaluation,

Comprehensive list of threat classes for threat context identification.

4.2.4 Maintenance of the risk assessment

This information is the result of the holistic risk assessment and this is the document that will have to be

maintained regularly to follow the evolution of the risk profile depending on:

The evolution of the infrastructure (reorganisation, new assets, etc.),

Changes in the threat context,

Implementation of new security controls,

Discovery of new vulnerabilities, attack techniques.

The maintenance of the risk assessment can also receive some feedback from experience of real or

simulated incidents through lessons learnt. This experience allows to refine the evaluation of risks and

notably in terms of the effects and cascading consequences or to identify new risks which were not

anticipated before.


Page 42 of 118

4.3 The implementation of EURAM within the Energy Sector

The following subsections detail the tailored approached for the energy transmission sector (Electricity,

Gas and Oil) as mentioned in section 4.2.1. It must be mentioned that there will be a number of

similarities between the 3 energy transmission sectors (especially gas & oil transmission) and therefore

some of the requirements will be the same (e.g. Setting up the Holistic team, SCADA, etc.).

4.3.1 Electricity Transmission

Step1: Constitute the Holistic Risk Assessment Team

The objective of Step 1 is to create and the holistic risk assessment team. The team should comprise

personnel as described in Figure 10, with the level of their contribution dependent on the risk

assessment being undertaken.

The Risk Manager is the owner/lead for this process and should be assisted in the process by 3-4

independent individuals. Expert and specialist input into the process will be provided by the following

organisational functions as and when required to the Holistic Risk Assessment team:

Holistic Risk Assessment Team Contributors

Maintenance Team (Transmission Infrastructure)

Engineering Team (Transmission Infrastructure)

ICT & Physical Security

Contingency Planning Manager

Facilities Team

HR Team

Control/Dispatch Room Manager

SCADA/Telemetry Manager(s)

Logistics Team

ICT (system & networks) Team

Figure 10: Holistic Risk Assessment Team


Page 43 of 118

Step2: Define the scope of the risk assessment

It is essential that the definition of the scope of the risk assessment is fully understood by the holistic

risk assessment team. The elements that could be considered for inclusion within the scope of the risk

assessment undertaken on an electricity transmission system operators environment might be:

Primary Electricity Transmission Infrastructure:

Wire (overhead, under ground &, underwater)

Pylons & Poles

Substations

Interconnector: An Interconnector is the point where the transmission network connects either

at a national or cross border/international level with another TSO area.

Supporting Electricity Transmission Infrastructure:

SCADA/Telemetry: These contain the key elements for the management, monitoring and

control of the electricity transmission infrastructure and include real time and historic status

information.

ICT Networks and Systems: The ICT systems and networks is the infrastructure that supports

the operations of the corporate and the SCADA/Telemetry environments.

Facilities: The facilities include the buildings and land where electricity transmission assets are

located.

Engineering function: The engineering function is responsible for the deployment and

management of the assets used for the transmission of electricity over the transmission

infrastructure.

Maintenance function: The maintenance function has the role of maintaining the infrastructure

and work in conjunction with the engineering function.

Contingency plans: The contingency plans provide the organisation with the tools required to

react in an effective manner following an incident.

Electricity Transmission Infrastructure Dependencies:

Electricity supply: This can be from Nuclear, Fossil, Bio, renewable, etc.


Page 44 of 118

Not owned telecommunications: Communication with own process control elements, adjacent

TSOs, DSOs, producers (planning 24h and longer term), relevant Power exchanges (e.g., APX),

maintenance crews, ..)

Weather (forecasting) services (short term and 24h planning demand as well as wind/solar

power supply)

Step 3: Define the scales for risk evaluation

The objective is to provide defined scales for the evaluation or probability and severity.

In the electricity transmission sector, the scales for risk evaluation of incidents can be estimated in the

following terms:

Impact Scales

The following table indicates the possible impact scales for an electricity TSO:

1: Low impact 2: Medium

impact

3: Significant

impact 4: Critical impact

5: Most severe

impact

Extent of loss of supply (by percentage of customers, by percentage of nominal capacity)

< 5%

> 5 %

< 25%

> 25%

< 50%

> 50%

< 75%

> 75%

Duration of power outage or fluctuation of supply quality (Brown Outs/Surges/Spikes)

< 5 Seconds > 5 Seconds

< 5 Minutes

> 5 Minutes

< 1 Hour

> 1 Hour

< 12 Hours

> 12 Hours

Financial loss

Loss of revenue, Customer compensation, Cost of reactive remedial action & Regulator fines as a

percentage of revenue during the period of an incident

< .5% < 5% < 25% < 50% > 50%

Figure 11: Impact Scales for Electricity Transmission


Page 45 of 118

Probability Scales

The following table indicates the possible probability scales for an electricity transmission operator:

1 Very low

probability

2 Low probability 3 Medium

probability

4 High Probability 5 Certainty

Accidental or untargeted attacks

It is extremely

unlikely that the

incident will

occur as for

example there is

merely no

experience of it in

the electricity

transmission

sector.

The incident is

not likely to occur

as for example

experience of it is

very limited in the

electricity

transmission

sector.

It is likely that the

incident will

occur as, for

example, similar

incidents have

been reported in

the electricity

transmission

sector.

It is very likely

that the incident

will occur in the

organisation as,

for example,

most of the

electricity

transmission

sector has already

suffered such

incidents.

The incident will

happen in the

organisation in

the close future.

Deliberate attacks

Attack would

require virtually

unlimited

resources

(money, skills,

etc.)

Attack very

difficult to

perform needing

conjunction of

expert skills and

money.

Attack not easy

but could be

possible with

single expert skills

and a reasonable

investment in

time and effort.

Attractiveness,

lack of protection

and, resources of

the attacker

making the attack

perfectly feasible.

Attractiveness,

lack of protection

and, resources of

the attacker

making the attack

ordinary.

Figure 12: Probability Scales for Electricity Transmission


Page 46 of 118

Step 4: Understand the assets in the scope

The objective of Step 4 is to gain an understanding of the assets within the scope of the risk assessment

for operations. Examples of the assets that could be within the scope of the risk assessment and that

require their criticality and their priority levels to the electricity transmission service to be understood

are:

The transmission grid (wires & cables, poles & pylons): The need is to fully understand and appreciate

the extent of the network and the resilience levels provided in case of the loss of a line. Dependencies

to energy sources, such as a Power Plant or other interconnections with other transmission networks

are also to be analysed. This analysis should be done for the different mode of operation of the

infrastructure such as seasonal usage and other usage patterns such as increases in peak demand.

The substations: These assets are used to step down the voltage from the very high voltages (e.g.

from 110KV to 765KV) to lower voltages (~50KV) (or vice-versa to step up lower voltages to high

voltage), to switch the energy flow, to control the reactive power, and to self-protect the grid

elements (e.g., tripping when lightning, wire failures, technical failure occur). The need at this stage is

to understand the criticality of substations within the energy supply chain. These assets contain

Transformers, Circuit Breakers, Protection devices, VAR compensators (SVR, Phasors), and Switches.

Measurement devices in substations provide the TSO with insight in the current energy flows in the

grid. Substations can also be the point where electricity Transmission System operations exchange

power with the Distribution System operations start.

The ICT systems & networks: This is primarily the organisations ICT assets and the need to protect

sensitive information that may facilitate a compromise of the electricity transmission system

infrastructure should its protection fail. It is also important to identify any possible route from the ICT

corporate infrastructure into the Telemetry infrastructure.

The SCADA/Telemetry infrastructure: The need is to understand the potential control of the energy

transmission infrastructure that can be achieved using the SCADA/Telemetry components and the

potential to cause widespread disruption to the electricity transmission infrastructure should the

systems be misused or compromised.

The Engineering and Maintenance teams: The need at this stage is to understand what are the critical

activities undertaken, who are the key actors within these teams and what other dependencies they

rely upon in order to deliver the required levels of service.

The Control/Dispatch Room (including Control Room personnel): The need is to understand the level

of resources required to function for different scenarios (normal load, peak time, incidents, etc). Also

how much of the control rooms management, monitoring and control of the systems are manual,

automatic or a combination of both.


Page 47 of 118

Interconnection points: These assets are where the transmission network interconnects with other

networks and what the level of criticality is given to each interconnection.

The Contingency Plan: The need is to understand the contingency plan and all the resources that can

be activated during an incident affecting the scope of the risk assessment.

Step 5: Understand the threats

The objective is to understand the specific threats in the context of the target of the risk assessment

being undertaken. The common threats against an electricity transmission organisation would include,

but are not limited to, the following:

Intent Failure/Accident Nature Cascade

Acts of Terrorism

Acts of Vandalism

Theft (copper/metals)

Theft (equipment)

Industrial action

Targeted Cyber Attack

Virus/Trojans

EMP

Act of War

Diplomatic Incident

Negligence

Mistake

Impact (e.g. vehicle

against pylon/pole)

Ingress of Water

Explosion

Disclosure of information

(Theft/Leakage)

Equipment malfunction

or failure

Chemical (spillage)

Loss, unavailability or

turnover of personnel

Outdated and un-

maintainable technology

Extreme weather

conditions

Pandemic (Flu/etc)

Geological

Fire

Flood

Solar Activity

Loss of power

supply/utilities/services

Loss of Telecoms

Loss of Energy Supply to the

Electricity Transmission

Network (Interconnector /

Generated supply)Loss of

black start capability

Loss of pumped storage

capacity

Figure 13: Common Threats to Electricity Transmission operators

An Electricity Transmission System operator is required to review the high level threats listed above and

if they are applicable to their context, they should proceed to evaluate the level of threat exposure,


Page 48 of 118

taking into consideration that the level of the threat of exposure may not be consistent across the scope

of the risk assessment.

Step 6: Review Security and identify vulnerabilities

The Step 6 objective is documenting the detailed vulnerabilities within the scope of the holistic risk

assessment.

This step is very dependent on the particular situation at hand. It is therefore difficult to provide a list of

typical vulnerabilities in the TSO domain. This would have the detrimental effect of focusing the user of

this approach on a finite list of vulnerabilities, which would by no mean be exhaustive.

Step 7: Evaluate the associated risk

The objective of Step 7 is to compile a list of risk factors that have been qualified in terms of associated

vulnerability(ies), probability, and severity levels. As such, it is not possible to tailor this explicitly for the

energy sector as it is a generic step. However, by virtue of the previous 6 steps being tailored for the

Electricity Transmission Operator, the output of Step 7 is specific to the energy sector as a whole.


Page 49 of 118

4.3.2 Gas

Euracom - Risk Assessment and Contingency Planning Methodologies

Documents

Transcript of Euracom - Risk Assessment and Contingency Planning Methodologies