Euracom - Risk Assessment and Contingency Planning Methodologies
-
Upload
khalilv3x6739 -
Category
Documents
-
view
36 -
download
10
description
Transcript of Euracom - Risk Assessment and Contingency Planning Methodologies
-
DELIVERABLE D2.3
Integrated report on the link between Risk Assessment and
Contingency Planning Methodologies
Deliverable: D 2.3 Integrated report on the link between RA and CP
Version:
Seventh Framework Programme Theme ICT-SEC-2007-7.0-01
Project Acronym: EURACOM
Project Full Title: European Risk Assessment and Contingency
Planning Methodologies for interconnected networks
Grant Agreement: 225579
Coordinator: EOS
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 2 of 118
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 3 of 118
Table of Contents
1 Introduction .................................................................................................................................. 10
1.1 Context of EURACOM ........................................................................................................... 10
1.2 WP2 Deliverables .................................................................................................................. 11
1.3 WP 2.3 Objectives ................................................................................................................. 12
1.4 Links of WP2.3 with other EURACOM deliverables ................................................................ 12
1.5 Structure of the document.................................................................................................... 13
1.6 Acronyms ............................................................................................................................. 14
2 Analysis of links between available Risk Assessment and Contingency Planning methodologies ..... 16
2.1 Objectives of the section ...................................................................................................... 16
2.2 Relationship between Risk Assessment & Contingency Planning ........................................... 16
2.2.1 The preparation loop: from RA to CP ................................................................................ 17
2.2.2 The lessons learnt loop ..................................................................................................... 17
2.2.3 The relationship at a glance .............................................................................................. 18
3 Founding principles of the approaches ........................................................................................... 20
3.1 The Scope of applicability of the approaches ........................................................................ 20
3.2 Glossary of Terms and Risk Management Concepts .............................................................. 23
3.2.1 Definition of terms ........................................................................................................... 23
3.2.2 Impact for the combined structure of Risk Assessment and Contingency Planning
approaches .................................................................................................................................... 26
3.2.3 Towards a holistic, combined, all-hazards approach ......................................................... 27
4 Risk Assessment............................................................................................................................. 29
4.1 EURACOM WP 2.1 Desktop Study ......................................................................................... 29
4.2 Methodology for Holistic Risk Assessment ............................................................................ 30
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 4 of 118
4.2.1 Overview of Structure ....................................................................................................... 30
4.2.2 Introduction to Holistic Risk Management ........................................................................ 31
4.2.3 Methodology description.................................................................................................. 32
4.2.3.1 STEP 1: Constitute the Holistic Risk Assessment Team .................................................. 32
4.2.3.2 STEP 2: Define the scope of the Risk Assessment .......................................................... 33
4.2.3.3 STEP 3: Define the scales for risk evaluation ................................................................. 34
4.2.3.4 STEP 4: Understand the assets in the scope .................................................................. 36
4.2.3.5 STEP 5: Understand the threats .................................................................................... 37
4.2.3.6 STEP 6: Review security and Identify vulnerabilities ...................................................... 38
4.2.3.7 STEP 7: Evaluate the associated risks ............................................................................ 40
4.2.4 Maintenance of the risk assessment ................................................................................. 41
4.3 The implementation of EURAM within the Energy Sector ...................................................... 42
4.3.1 Electricity Transmission .................................................................................................... 42
4.3.2 Gas Transmission .............................................................................................................. 49
4.3.3 Oil Transmission ............................................................................................................... 56
5 Contingency Planning .................................................................................................................... 63
5.1 Introduction ......................................................................................................................... 63
5.2 EURACOM WP 2.2 Desktop Study ......................................................................................... 63
5.3 The Contingency Planning Approach at a glance ................................................................... 66
5.4 Preparation Phase ................................................................................................................ 67
5.4.1 The Objectives and scope ................................................................................................. 68
5.4.2 Organisation for Contingency Planning ............................................................................. 70
5.4.3 Risk Mitigation Strategy Setting ........................................................................................ 73
5.4.4 Implementation of Prevention and Protection measures .................................................. 75
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 5 of 118
5.4.5 Implementation of Response and Recovery measures ...................................................... 78
5.4.5.1 Approach - Scenarios selection ..................................................................................... 78
5.4.5.2 Continuity of Supply objectives..................................................................................... 79
5.4.5.3 Derive Supply Continuity Objectives in the infrastructure ............................................. 79
5.4.5.4 Define possible strategies to meet the Supply Continuity Objectives ............................ 80
5.4.5.5 Selection of strategies .................................................................................................. 80
5.4.5.6 Implementation of Response and Recovery Measures: the contingency plan ............... 81
5.4.5.7 Supporting data: the key elements of a Contingency Plan ............................................. 82
5.4.5.7.1 Incident Management .............................................................................................. 82
5.4.5.7.2 Crisis Management................................................................................................... 83
5.4.5.7.3 Business Continuity Management ............................................................................ 84
5.4.5.7.4 Disaster Recovery Management ............................................................................... 85
5.5 The Test, Exercise & Training Phase ...................................................................................... 87
5.5.1 Contingency Planning Training .......................................................................................... 87
5.5.2 Test the Contingency Plan ................................................................................................ 89
5.5.3 Contingency Exercises ...................................................................................................... 91
5.6 The Maintenance Phase ........................................................................................................ 94
5.6.1 Contingency Planning Maintenance .................................................................................. 94
5.6.2 Lessons Learnt .................................................................................................................. 97
6 The EURACOM Combined Risk Assessment and Contingency Planning Approach ......................... 100
6.1 The preparation loop .......................................................................................................... 101
6.2 The lessons learnt loop ....................................................................................................... 102
7 Managing Dependencies of the energy sector in Risk Assessment and Contingency planning ...... 104
7.1 Introduction ....................................................................................................................... 104
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 6 of 118
7.2 Managing dependencies in risk assessment (EURAM) ......................................................... 105
7.2.1 Defining the scope of the analysis and the risk assessment team .................................... 106
7.2.2 Identifying vulnerabilities stemming from interdependency situations within a wider scope
106
7.2.3 Evaluating (inter)dependency risks ................................................................................. 108
7.3 Managing dependencies in contingency planning ............................................................... 109
7.3.1 Preparation Phase .......................................................................................................... 109
7.3.1.1 The Objectives and scope ........................................................................................... 109
7.3.1.2 Organisation for Contingency Planning ....................................................................... 110
7.3.1.3 Risk Mitigation Strategy Setting .................................................................................. 110
7.3.1.4 Implementation of Prevention and Protection measures ............................................ 111
7.3.1.5 Implementation of Response and Recovery measures ................................................ 111
7.3.2 Test Exercise and Training Phase .................................................................................... 112
7.3.2.1 Contingency Planning Training .................................................................................... 112
7.3.2.2 Test the Contingency Plan .......................................................................................... 113
7.3.2.3 Contingency Exercises ................................................................................................ 113
7.3.3 Maintenance Phase ........................................................................................................ 114
7.3.3.1 Contingency Planning Maintenance ............................................................................ 114
7.3.3.2 Lessons Learnt ............................................................................................................ 114
7.3.3.3 Monitoring and Information Sharing .......................................................................... 114
7.4 Current Framework for Operational Practices ..................................................................... 115
8 Conclusion ................................................................................................................................... 118
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 7 of 118
Table of Figures
Figure 1: Structure of the EURACOM project ......................................................................................... 11
Figure 2: Interactions between Risk Assessment and Contingency Planning ........................................... 18
Figure 3: Interactions between Risk Assessment and Contingency Planning ........................................... 19
Figure 4: The energy networks analysis framework ................................................................................ 20
Figure 5: Energy players from organisational to international ................................................................ 21
Figure 6: High level overview of the Supply Chain .................................................................................. 21
Figure 7: Focus of RA and CP approach .................................................................................................. 22
Figure 8: The collection of the Risk Management processes .................................................................. 24
Figure 9: The EURAM 7 step Risk Assessment approach ......................................................................... 31
Figure 10: Holistic Risk Assessment Team .............................................................................................. 42
Figure 11: Impact Scales for Electricity Transmission ............................................................................. 44
Figure 12: Probability Scales for Electricity Transmission ....................................................................... 45
Figure 13: Common Threats to Electricity Transmission operators ......................................................... 47
Figure 14: Holistic Risk Assessment Team .............................................................................................. 49
Figure 15: Impact Scales for Gas Transmission ....................................................................................... 52
Figure 16: Probability Scales for Gas Transmission ................................................................................. 52
Figure 17: Common Threats to Gas Transmission operators .................................................................. 54
Figure 18: Holistic Risk Assessment Team .............................................................................................. 56
Figure 19: Impact Scales for Oil Transmission ........................................................................................ 59
Figure 20: Probability Scales for Oil Transmission .................................................................................. 59
Figure 21: Common Threats to Oil Transmission operators .................................................................... 61
Figure 22: The Contingency Planning 3 Phase Approach ........................................................................ 66
Figure 23: Contingency Planning Preparation Phase structure ............................................................... 67
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 8 of 118
Figure 24: Risk Assessment Scale ........................................................................................................... 69
Figure 25: Role vs. Contribution Internal Matrix .................................................................................. 71
Figure 26: Role vs. Contribution External Matrix ................................................................................. 72
Figure 27: Continuity Objective Profile .................................................................................................. 79
Figure 28: Continuity Objective ............................................................................................................. 80
Figure 29: The test, exercise and training phase .................................................................................... 87
Figure 30: The maintenance phase ........................................................................................................ 94
Figure 31: The Combined Approach Taken by EURACOM to Risk Assessment and Contingency Planning.
............................................................................................................................................................ 100
Figure 32: The preparation loop .......................................................................................................... 101
Figure 33: The lessons learnt loop .................................................................................................... 102
Figure 34: The High Level Analysis of Risk Assessment and Contingency Planning. ............................... 105
Figure 35: A unique severity scale for multi-stakeholders scopes ......................................................... 107
Figure 36: A unique severity scale for multi-stakeholders scopes ......................................................... 108
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 9 of 118
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 10 of 118
1 Introduction
1.1 Context of EURACOM
The objective of EURACOM is to identify, together with European Critical Energy Infrastructure
operators, a common and holistic approach (end-to-end energy supply chain) for risk assessment and
contingency planning methods. This is to facilitate the establishment of appropriate levels of resilience
within critical energy services across the whole (end-to-end) energy infrastructure chain.
EURACOMs activities to define common risk assessment and contingency planning methodologies will
build upon the EURAM project results: the concepts of the EURAM methodology will be specifically
developed further for the energy sector.
The objective is to create more resilient energy infrastructures by developing methodologies and tools
that assure a dialogue, sharing of data and close co-operation between energy operators, large energy
users, security solution suppliers, administrations, regulatory bodies, and other stakeholders. This
approach requires common methodologies all along the value chain, from production to distribution. It
also requires common methodologies at different hierarchical levels, from individual companies up to
European level.
EURACOM has to cover all applicable hazards to the energy sector, including threats from natural
causes, human intent, technical failure, human failure, dependencies of other Critical Infrastructures
and other dependencies.
In the development of the EURACOM project, it was apparent that methodological solutions and
supporting tools should be developed in close cooperation with European Critical Energy Infrastructure
operators. The EURACOM project has been structured accordingly.
In order to develop the methodology and supporting tools, the structure depicted in Figure 1 is applied
to the EURACOM project.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 11 of 118
Figure 1: Structure of the EURACOM project
1.2 WP2 Deliverables
The role of Work Package 2 (WP2) in EURACOM is the identification of a common and holistic approach
for risk assessment and contingency planning. WP2 has three deliverables:
Deliverable 2.1: Concerns the analysis of available Risk Assessment approaches to identify good
practices from several domains including security industry, national guidance and energy standards.
Deliverable 2.2: Concerns the analysis of Contingency Planning approaches to identify good practices
from several domains including security industry, national guidance and energy standards.
Deliverable 2.3 (This Report): Concerns the analysis of the communally accepted links between Risk
Assessment and Contingency Planning practices and the creation of Risk Assessment and Contingency
Planning approaches which can be combined and are clearly targeted to the energy sector.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 12 of 118
1.3 WP 2.3 Objectives
The objective of Work Package 2.3 (WP 2.3) is described in the EURACOM Description of Work
document:
A 1.2 Project Summary: Abstract:
EURACOM objective is to identify, together with EU Energy Infrastructure Operators, a holistic
approach (end-to-end energy supply train: from fuel transport, power generation and transmission) for
risk assessment and contingency planning solutions
The scope also includes the requirement to report on the link between Risk Assessment and
Contingency Planning Methodologies.
In addition to the analysis of the link between Risk Assessment and Contingency Planning
methodologies, this report will deliver a combined and holistic approach to Risk Assessment and
Contingency Planning in a format that can be used as a framework for implementation by the Energy
sector operators. These main additional aspects are delivered through:
1. the creation of a risk assessment and of a contingency planning approach to be implemented at
operator (=organisation) level and,
2. as the last section of the document recommendations on how risk assessment and contingency
planning processes can be implemented and supported at higher level of analysis (i.e. on the
scope of interconnected energy infrastructures involving many operators).
1.4 Links of WP2.3 with other EURACOM deliverables
This deliverable D2.3 has relationships with several other EURACOM deliverables:
D1.1 Generic system architecture with relevant functionalities for hazard identification: D1.1 models
and describes the Energy environment in which the approaches described in this present deliverable
will be applicable. As such, D1.1 is a major input in defining the scope of D2.3 as described in section
3.1.
D2.1 Common Areas of Risk Assessment Methodologies: D2.1, after presenting the results of the
analysis performed in a Desktop study of available Risk Assessment approaches, provides conclusions
about the good practices of the discipline. These good practices will be used in order to develop the
EURACOM Risk Assessment approach as described in section 4.1.
D2.2 Common Areas of Contingency Planning Methodologies: D2.2, after presenting the results of
the analysis performed in a Desktop study of available Contingency Planning approaches, provides
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 13 of 118
conclusions about the good practices of the discipline. These good practices will be used in order to
develop the EURACOM Contingency Planning approach as described in section 5.3.
D2.2 and D2.3 are also combined in order to feed into the analysis of the links between Risk
Assessment and Contingency Planning practices as described in section 2.
D6.3 Update and validation of used Risk Assessment and Contingency Planning methodologies: D6.3
will contain the final version of the EURACOM Risk Assessment and Contingency Planning
methodologies. These methodologies will have evolved from the approaches of D2.3 thanks to the
input of the case studies (WP4) and associated workshops (WP5). This will help in refining the
approach and in particular to tailor it to the needs of the Energy sector.
1.5 Structure of the document
The document is broken down in several sections:
Section 2 provides an analysis of links between available Risk Assessment and Contingency Planning
methodologies. It looks in particular at the way the two processes are relying on one another.
Section 3 presents the founding principles of the approaches by first presenting the scope of
applicability they are designed for, by positioning them against other concepts in a wider Risk
Management perspective and by providing some of the key characteristics they will have to comply
with.
Section 4 presents the results of our work to propose a Risk Assessment approach to the energy
sector.
Section 5 presents the results of our work to propose a Contingency Planning approach to the energy
sector.
Section 6 summarises how the Risk Assessment approach and the Contingency Planning approach
interact to deliver The EURACOM Combined Risk Assessment and Contingency Planning Approach.
Section 7 presents recommendations to allow the implementation of the EURACOM approaches at
higher level of analysis (i.e. above the single operator level) for Managing Dependencies of the energy
sector in Risk Assessment and Contingency planning
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 14 of 118
1.6 Acronyms
BCM Business Continuity Management
BCP Business Continuity Planning (or Plan)
BIA Business Impact Analysis
CI Critical Infrastructure
CIP Critical Infrastructure Protection
CM Crisis Management
CP Contingency Planning (or Plan)
DR Disaster Recovery
EU European Union
ICT Information & Communication Technologies
IM Incident Management
IPOCM Incident Preparedness and Operational Continuity Management
KPI Key Performance Indicator
OR Organisational Resilience
PDCA Plan Do Check Act
PM Project Management
RA Risk Assessment
RAM Risk Assessment Methodology
RM Risk Management
TSO Transmission System Operator
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 15 of 118
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 16 of 118
2 Analysis of links between available Risk Assessment and
Contingency Planning methodologies
2.1 Objectives of the section
The objective of this section is to identify the links and the interactions between Risk Assessment and
Contingency Planning. The scope of this section satisfies the EURACOM Description of Work
requirement to report on the link between Risk Assessment and Contingency Planning
Methodologies
2.2 Relationship between Risk Assessment & Contingency Planning
Risk Assessment and Contingency Planning are both key elements within an organisations Risk
Management process. They are essential in the effort to ensure that risk are identified, prevented,
treated and where risk mitigation is not feasible, processes are created and implemented to manage
incidents should they occur.
The EURACOM deliverable D2.1 (Common Areas of Risk Assessment methodologies) highlighted, by its
non-inclusion, the issue that the majority of Risk Assessment standards and methodologies make little, if
any, reference to the Contingency Planning processes, even though Contingency Planning processes rely
on a clear evaluation of the business impact of adverse events. The EURAM methodology is an exception
in this respect as it discusses contingency and includes scenario based contingency workshops within the
methodology itself.
In contrast to this, the findings within the deliverable D2.2 (Contingency Planning Methodologies and
Business Continuity) highlighted within section 2.4 Relation to Risk Management, that the majority of
the Business Continuity and Contingency Planning Standards and Guidelines included some element of
Risk (and Vulnerability) Analysis (and also Business Impact Analysis) within the structure of their
framework. D2.2 also identified that although this Risk Assessment link/requirement was included
within most of the Standards and Guidelines, the depth of this Risk Assessment link/requirement is very
limited with little or no granularity.
However, there are some links between the two set of practices even if those are not translated into
standards. This section aims at clarifying what these links are and therefore provides objectives for the
development of the Risk Assessment and Contingency Planning sections developed later in this
document. Please see Figure 8: The collection of the Risk Management processes , for a high level
overview on where the two processes reside within the Risk Management process.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 17 of 118
2.2.1 The preparation loop: from RA to CP
As the essential underpinning element of the Risk Management process, Risk Assessment is the initial
process used to assess the potential impact and the likelihood of threats exploiting vulnerabilities.
Therefore the Risk Assessment process, along with the Business Impact Analysis, provides an
organisation with the necessary information required to address risk (Treat, Avoid or Accept) in line with
the organisations Risk Management objectives.
The Contingency Planning process receives the majority of its input from the Risk Assessment process
(including the Business Impact Analysis). Contingency Planning is used by an organisation to plan for the
prevention of incidents by implementing formal protective controls and also with ways of minimising
the effect of an incident by creating appropriate response and recovery processes.
2.2.2 The lessons learnt loop
The lessons learnt following Contingency Planning exercises, testing or incidents (within the organisation
or more largely within the energy sector) will provide a feed back to the organisations Risk Management
Life Cycle. Following this input, several maintenance actions can take place at multiple levels:
First the previous Risk Assessments may require to undergo re-evaluation in order to integrate new
data about risk elements through better understanding of vulnerabilities, finer evaluation of threats
or better appreciation of the actual chain of reaction that would cause the ultimate impact on the
organisation;
Then the mitigation controls may be reviewed in order to cover the gaps identified by the lessons
learnt.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 18 of 118
2.2.3 The relationship at a glance
From the first principles described in the preparation loop and in the lessons learnt loop, it is possible to
build a high-level picture of relationships between Risk Assessment and Contingency Planning processes.
Figure 2: Interactions between Risk Assessment and Contingency Planning
The preparation loop is a very linear process of implementation of the succession of steps in Risk
Assessment and Contingency planning. On the other hand, taking into account lessons learnt is an
activity, which requires coming back to previous stages of the analysis, update information, cascade the
results into the later stages and to ensure that all underlying elements (processes, documents, plans,
etc.) are kept up to date in a controlled manner. It is therefore important that this loop is controlled
through a sound process. For this purpose, it is possible to introduce a maintenance process which will
coordinate all updates of Risk Assessment and Contingency Planning from lessons learnt but also on
other events like periodical review of plans, change in environment (new threats, etc.), and change in
operations. By doing this, the lessons learnt loop is better controlled and the changes they can induce
are managed consistently with the other changes that can result from other maintenance operations.
The introduction of maintenance in the link is introduced below:
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 19 of 118
Figure 3: Interactions between Risk Assessment and Contingency Planning
This high level view provides the desired output for the EURACOM RA and CP approaches to operate in a
combined manner and sharing a common maintenance process.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 20 of 118
3 Founding principles of the approaches
3.1 The Scope of applicability of the approaches
The EURACOM deliverable D 1.1 provides a view of the energy networks which are analysed, and a way
to model the energy networks. These views are analysed on different layers as illustrated on the
following diagram.
Strategy
Pro
cess
Inform
ation
Netw
ork
Organisational level
National level
European level
ELECTRICITY
GAS
OIL
Figure 4: The energy networks analysis framework
On this framework, the issue of resilience of energy networks is applicable in and across all the
dimensions depicted in this diagram:
From Organisational to European levels as the issues are not only intrinsic to the individual
organisations and the consequences and the management of adverse events have respectively the
potential and the necessity to spread at European scale.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 21 of 118
Producers End Users
Transmission Operators
Distribution Operators
Traders / Shippers Suppliers
Ownership of commodities
Figure 5: Energy players from organisational to international
Within each of the Oil, Electricity and Gas services throughout their energy sector supply chain and
also across sectors as energy flows move from one sector to another (mainly from Gas to Electricity).
Figure 6: High level overview of the Supply Chain
In all the layers of one organisation Strategy, Process, Information and Network as the risk factors
and the associated responses do not reside in a single layer and rather form a holistic posture where
all the measures taken at strategic, processes, information or network level are meant to work in
conjunction.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 22 of 118
This very short introduction to the scope (not entering into any detail) of D 1.1 already provides an
insight to the order of magnitude of the complexity of the subject and it is not the objective of
EURACOM to provide answers to all of this. The objective and therefore the scope of D2.3 is to
concentrate on the energy operators for which the Risk Assessment and Contingency Planning
methodologies are meant (as depicted on the figure below). This does not mean that the full picture
does not need being taken into account. On the contrary, this picture is very important to set and to
integrate to understand in which context each single operator Risk Management approach (i.e. Risk
Assessment + Contingency Planning) will have to operate.
Strategy
Pro
cess
Inform
ation
Netw
ork
Organisational level
National level
European level
ELECTRICITY
GAS
OIL
Figure 7: Focus of RA and CP approach
The scope of applicability for WP 2.3 is governed by the EURACOM deliverable D 1.1 and is to build up
the method to start with the operator level and expand to higher levels at later sections in the
document (i.e. National or European level). The justification of this is that the implementation of
consistent and efficient risk management by each operator within its organisation is the prerequisite
and foundation for a collective and federated resilience across sectors and borders. This focus on single
operators should not forget the relationships they have with other external stakeholders. On the
contrary, it should treat them as critical but from the sole perspective of the entity on which the analysis
is applied. To meet this objective, the EURACOM D2.3 deliverables proposes first a generic approach to
Risk Assessment and Contingency Planning for energy operators and then provides specific information
on how to actually implement this generic approach into the distinct sectors of Electricity, Oil and Gas.
These sectors are analysed through the focal point constituted by TSOs which are at the heart of mutual
dependencies at European level and by taking into account their connections to the rest of the supply
chain (source, distribution, other grids, etc.).
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 23 of 118
The initial path explored by the document was to view Risk Assessment and Contingency Planning at the
operator level, then the end of the document gives some directions to reflect on for analysis at higher
levels where interactions are not any more seen only from one organisation perspective but from the
point of view of a network of organisations.
3.2 Glossary of Terms and Risk Management Concepts
3.2.1 Definition of terms
It has been identified as part of the desktop studies of task 2.1 and task 2.2 that the use of terms varies
considerably with mixes of notions like contingency planning and business continuity planning. The
stance taken in EURACOM is one of integrated risk and contingency management1. For the purpose of
this document, the descriptions of the different terms are as follows:
Risk Management
This is the collection of processes that form an organisations formal threat and vulnerability
management process. This includes all processes for risk assessment, risk treatment, risk avoidance, risk
acceptance, response and recovery.
1 Integrated Emergency Management concept - Guidance on Part 1 of the Civil Contingencies Act 2004 HM
Government United Kingdom
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 24 of 118
Figure 8: The collection of the Risk Management processes
Risk Assessment
Risk Assessment is the process used to assess the potential impact and the likelihood of a threat
exploiting vulnerabilities in order to provide a risk rating prior to the implementation of any risk
treatment or mitigation.
Business Impact Analysis
Business Impact Analysis is the analysis of how a risk scenario can cause a loss to an organisation, this
analysis is primarily orientated on the impact on the organisations business processes.
Risk Treatment
Risk Treatment is where the risk is reduced by the implementation of countermeasures designed for risk
mitigation. Risk treatment measures are aimed at reducing the probability and/or the severity of risk
factors.
Risk Avoidance
Risk Avoidance is used where the Risk Treatment is too costly or too impractical to implement and
where Risk Acceptance is not a viable option for an organisation to consider. Risk avoidance is a decision
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 25 of 118
to change the company infrastructure or more largely the mode of operation to ensure there is no more
exposure to a risk.
Risk Acceptance
Risk Acceptance is utilised when the risk level is acceptable to the business or when the risk can not be
avoided or mitigated to an acceptable residual risk level. The decision is ultimately taken by the
organisation risk owner(s) to accept the risk or residual risk.
Contingency Planning
Contingency Planning is required to plan for incidents by implementing formal controls to assist with the
prevention of incidents and also with ways of minimising the effects should an incident occur by creating
appropriate response and recovery processes.
Contingency Plan
A contingency plan is one of the results of Contingency Planning. Contingency plans are the set of
controls materialised through organisation, measures and resources which are put in place as a
response and recovery capability to respond to major incidents.
Contingency Planning vs. Contingency Plan
Contingency Planning is the process by which an organisation prepares itself for the management of
incidents and this covers the identification and implementation of prevention, protection, response and
recovery mechanisms.
The contingency plan is a result of this process focusing on formalising the mechanisms for response and
recovery should an incident occur.
Incidents, Major Incidents, Disasters & Crises
Various definitions exist for these terms. EURACOM proposes to classify these terms in two categories
depending on their magnitude and the reaction they trigger for an organisation:
1. Incident is a term used for the occurrence of issues which are a priori of limited magnitude. As a
consequence, an organisation would deal with incidents as part of a routine Incident
Management Process.
2. Major incidents, Disasters and Crises are reserved for issues whose order of magnitude or
complexity can not be handled through a routine incident management process and require the
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 26 of 118
special dispositions of Incident Management (or Crisis Management), Business Continuity and
Disaster Recovery. High Impact, Low Frequency events fall for example in this category.
Incident Management
Incident Management is a process that an organisation puts in place to manage the occurrence of
incidents of low to moderate magnitude. The Incident Management process has the possibility of
escalating into Crisis Management should the situation deviate from a low to moderate magnitude.
Crisis Management
Crisis Management is used to formally manage an active incident which has escalated beyond the
routine Incident Management process. Crisis management is the organisational and infrastructure
measures put in place to ensure that an organisation can be organised in times of crisis (alert rising,
crisis cell mobilisation, decision taking, situation awareness and communication of directives).
Business Continuity
Business Continuity ensures that business recovery processes are implemented to ensure continuity of
service with the minimum of disruption. Business continuity is mainly targeted at continuity of supply of
goods or services.
Disaster Recovery Management
Disaster Recovery Management is often used as IT Disaster Recovery Management; it provides the
processes for the recovery of key ICT systems following an incident.
3.2.2 Impact for the combined structure of Risk Assessment and
Contingency Planning approaches
The clarification of these terms allows for the scope and definition of the boundaries and the links
between the Risk Assessment Approach and the Contingency Planning approach.
When considering the combined nature of the two approaches developed in this document, the choice
has been taken to remove all Risk Assessment or Business Impact Analysis from the Contingency
Planning approach. It is worth mentioning that, as the analysis within D2.2 has shown, most of the
Business Continuity or Contingency Planning approaches integrate a Business Impact Analysis stage. Our
choice to remove that step has been taken as the EURACOM Contingency Planning approach will receive
those inputs from the EURACOM Risk Assessment approach.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 27 of 118
Also EURACOM clarifies the differences and relations between concept whose boundaries are often
fuzzy like Contingency Planning, Business Continuity, Incident & Crisis Management and Disaster
Recovery. All these notions are federated and are clearly differentiated under the umbrella of
Contingency Planning which covers the entire spectrum of issues.
3.2.3 Towards a holistic, combined, all-hazards approach
The EURACOM approach should respond to three main characteristics. These should be:
Holistic in terms of infrastructure coverage, which means that it should include all aspects that
contribute to operations, i.e. the physical infrastructure, the ICT infrastructure, the organisation
(including links to external stakeholders) and human factor aspects, and the human resources.
Combined in the sense that Risk Assessment and Contingency Planning processes need to be closely
integrated with clear linkages between one another.
All-hazards, in the sense it will cover the two main categories:
1. Accidental (Human or Technical, Natural causes, or linked to external dependencies), and
2. Deliberate (Human).
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 28 of 118
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 29 of 118
4 Risk Assessment
4.1 EURACOM WP 2.1 Desktop Study
EURACOM WP2.1 performed an analysis on available risk assessment methodologies in order to learn
from good practices and also to assess their suitability to the context of EURACOM. The analysis, the
results and the recommendations are reported in D2.1 Common areas of Risk Assessment
Methodologies.
The major conclusions from WP2.1 are:
[]
When we look at the EURAM method and compare it to the RA methods we assessed, we can conclude:
The EURAM method is still one of the few methods which is both holistic, all-hazard and
generically applicable to all Critical Infrastructure (CI) sectors.
The EURAM method is one of the few methods that can be applied to all operational and
organisational levels of CI and even trans-sector.
The EURAM method is unique in the sense that it provides a mechanism to spread responsibilities
for risk management over all levels while assuring all risk factors are addressed. Additionally, this
is facilitated by a non-prescriptive mechanism.
The EURAM method is still rather conceptual and has few supporting tools (although it includes
the start of some supporting checklists).
The EURAM method complies with the common good practice approaches identified in most of the
other Risk Assessment methods.
[]
The further recommendations from WP2.1 to develop the EURACOM Risk Assessment approach are:
[]
Develop supporting tools (checklists or otherwise) to support easy application of the method with
respect to determining:
o Threats
o Vulnerabilities
o Effects
o Assets
Supply clear, tangible, and easy-to-follow steps that require a minimum of expertise of the user.
o Develop a supporting glossary of the terms used;
o Support the execution of the method with simple, easily distributable tools.
Develop a checklist whereby the user can determine beforehand what information is required to
complete the RA and where it may be found.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 30 of 118
Of course, when the RA method is to be applied to a single sector, it can be further honed to the needs of
that specific sector (e.g. energy), by conforming to the terminologies of the sector, concentrating on
specific assets, threats, vulnerabilities, and effects that are most relevant to the sector. This will further
heighten the ease of use.
[]
These conclusions and recommendations are used to develop the EURACOM Risk Assessment approach.
4.2 Methodology for Holistic Risk Assessment
4.2.1 Overview of Structure
The seven steps of this risk assessment process are described below from a high level perspective. These
are directly extracted from the results of the EURAM approach. The changes introduced by EURACOM
will become visible at a more granular level and will include the tailored approach for the energy
transmission operations within the energy sector including: Electricity in section 4.3.1, Gas in section
4.3.2 and Oil in section 4.3.3. The decision to narrow the scope to transmission is justified by the fact
that energy grids are the pivotal point of dependencies and cascading effects at European scale whether
we talk about dependencies between grids themselves or their interaction with source and distribution.
In this sense energy sources and distribution knock on effects are analysed through the point of view of
the transmission networks and especially the impact they can induce on energy transmission networks
and in turn how these networks can propagate the impact to the distribution.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 31 of 118
Figure 9: The EURAM 7 step Risk Assessment approach
4.2.2 Introduction to Holistic Risk Management
Before presenting the detail of the methodology, it is important to present what a Holistic Approach to
Security means.
A holistic approach or holistic risk management aims at managing risks using a joined up approach.
This joined up approach requires each dimensions of risks to be considered, these dimensions are:
Physical security.
Information and Communication Technology security.
Organisational security.
Human factor aspects regarding security.
These four dimensions will be used to analyse each of the components of the risk (please refer to
the glossary section):
Assets.
Vulnerabilities.
Threats.
Effects.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 32 of 118
4.2.3 Methodology description
4.2.3.1 STEP 1: Constitute the Holistic Risk Assessment Team
The objective of this step is to select a team that will be in charge of conducting the holistic Risk
Assessment.
This team will be ideally composed of several persons including:
A team leader that will be responsible for the completeness, consistency and homogeneity of the risk
evaluation, and
Several team members who will bring their expertise from the four dimensions of holistic security
physical, Information and Communication Technology, Organisational and human aspects. For the
reliability of the risk assessment process the team members should be independent, i.e. those not
implementing the process. The implementers will be consulted during the risk assessment process and
will contribute with their expert knowledge.
It is important that the skills and experience are carefully selected as it is the basis of a successful risk
assessment. It is also important to make sure that everybody in the team understands the holistic
approach to security.
With regards to the team leader, the role is extremely important as this person will be in charge of
ensuring that all areas of risk are given equal consideration and that the process of information sharing
and identification of risk within the team goes smoothly. As this role is so critical, it is suggested that
organisations seek external assistance on the above to overcome any skill gaps or other potential
internal difficulties.
Concerning the lead associated to the exercise, it is recommended that the responsibility of the
implementation of the approach be at a transversal level to avoid the pitfall of silos 2often found in
organisations. When the scope is at a company or operator level, this means that the ownership of the
risk assessment has to be taken at senior management level above the various departments or
functions.
Output: An operational holistic risk assessment team
2 Silos is referring to the compartmentalisation often noticed in organisations where risk factors are not
managed across the whole organisation but in silos (e.g. Physical Security, IT security, HR, etc.).
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 33 of 118
4.2.3.2 STEP 2: Define the scope of the Risk Assessment
This step can be implemented on smaller or larger scopes with more or less detail depending on the
resources applied and the stakes involved, as the principles remains applicable with scale. However, the
scope of the holistic risk assessment needs to be clearly defined and understood by all the team.
The scope definition needs to have its reality set from a holistic point of view which means that:
It should have a physical perimeter including physical assets.
It should be composed of defined systems and networks.
It should have boundaries from an organisational point of view with identification of the various
job functions involved.
Please note that dependencies of the organisation towards elements outside of the scope can be
analysed using the results of the EURAM project on the Methodology for (inter)dependency analysis.
Output: Definition of scope understood by all team.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 34 of 118
4.2.3.3 STEP 3: Define the scales for risk evaluation
This methodology takes the path of practicality. The evaluation of the risk (R) is reached by direct
evaluation of probability of occurrence (P) and Severity (S). With R = P x S.
It is therefore important at the beginning of the project to define the scale against which probability and
impact will be evaluated. For practical reasons, qualitative scales are advised on a 1 to 5 range as it gives
enough values to discriminate the risks.
The Severity and Probability scale can be presented this way.
Probability 1 2 3 4 5
Very low
probability
Low
probability
Medium
probability
High Probability Near certainty
Evaluation of
feasibility of an
attack or likelihood
of an accident
Concerning the probability scale and later on in the methodology, there are a few pitfalls and good
practices to keep in mind when carrying out the exercise:
Probability scales need to fit with mainly two types of adverse events:
1. Untargeted attacks or accidents. For these types of events the most appropriate way to evaluate
probability is based on historical evidence, using for example experience or statistics on records
from past incidents. These records can be gathered at the operator level on past incidents in
their particular infrastructure but for low occurrence events wider scopes of information (e.g.
sector records, national records if available) would provide a more extensive view of the number
of incidents for a statistical analysis.
2. Targeted or intentional attacks. For these types of events, the statistical approach is not as
appropriate as the fact that an incident has not occurred yet does not mean it is not a feasible
attack and even less that it is not going to happen in the future. The more appropriate approach
to evaluate the probability of such events is to evaluate the feasibility of an attack taking into
account various factors as attractiveness of the target (asset), motivation/ skills/ resources of
the attacker and level of protection of the target (asset). In this area, it might be difficult for
operators to assess the probability of certain areas of risks; this is where there can be significant
value in sharing information with peers from other organisations or to receive intelligence
information from national intelligence agencies.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 35 of 118
Severity 1 2 3 4 5
Low impact Medium
impact
Significant
impact
Critical impact Most severe
impact
Evaluation of impact
on product/ service
delivery, citizen
security, image,
citizen confidence,
financial impact, or
other aspects.
Even if impact and probability levels examples have to be adapted to the scope of the analysis, it is
necessary to have a common definition of impact and probability levels, to enable analysis of
interdependencies between critical infrastructures. Therefore generic scales across sectors should be
used (please refer to section 7.2.3 for detail).
Output: Defined scales for evaluation of Probability and Severity.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 36 of 118
4.2.3.4 STEP 4: Understand the assets in the scope
The objective of this section of the risk assessment is for the team members to get an understanding of
how the critical infrastructure delivers its service/product. The objective is therefore to understand the
organisation in place, the infrastructure (physical or IT) necessary to operate and also the skills required.
Through this task, the whole team will understand broadly the operations of the critical infrastructure.
Each expert should also reach a deeper understanding of the assets in his area of expertise:
Physical assets,
ICT assets,
Organisational assets,
Human resources.
It is important to note that the methodology described in the EURAM project for the analysis of
(inter)dependencies, when applied on the same scope as the risk assessment, can also assist in
understanding how the various assets interact to support the operations.
Output: General understanding of the assets involved and their criticality for the operations (this does
not imply formalisation of an exhaustive asset register as it is felt that such a detailed register adds little
additional value to the approach suggested)
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 37 of 118
4.2.3.5 STEP 5: Understand the threats
The objective of this stage is to understand the threat context the infrastructure faces. This does not
mean that an exhaustive inventory of threats has to be conducted as it is understood that a vast
majority of threats are going to be common and already clearly understood by each expert in his
domain.
The objective here is more to understand specific areas of the threat profile. Threats need to be
understood in the context of the infrastructure studied: level of terrorist threat in the country, past
natural disasters in the region, past incidents in the sector or other intelligence on specific threat agents.
To support the collaboration between critical infrastructures in performing risk analysis and
interdependencies analysis, it is necessary that similar types of threats are considered to ensure
consistency of results. Following this principle, the team should refer to a list of classes of threat to
consider when doing the analysis to avoid any gaps. An example of a generic threat classification is given
for each specific sector, i.e. Electricity, Gas and Oil, in sections 4.3.1, 4.3.2 and 4.3.3. In these
classifications, dependence upon other infrastructures is one of the threat categories.
Output: Threat profile report detailing information on the level of specific threats in the context of the
target of the risk assessment.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 38 of 118
4.2.3.6 STEP 6: Review security and Identify vulnerabilities
The objective of this step is for the security experts of the team to review the actual security controls in
place to protect the infrastructure, given the assets and threat context understood at the previous
stages.
This will lead to the identification of missing security controls and also the effectiveness of these security
controls in managing the risk. This will then lead to the identification of the vulnerabilities across the
various dimensions of the holistic risks:
Physical vulnerabilities (e.g. lack of perimeter protection, lack of access control)
ICT vulnerabilities (e.g. no segregation of networks, no antivirus)
Organisational vulnerabilities (e.g. no segregation of duties, no allocation of security
responsibilities)
Human vulnerabilities (e.g. poor training, no screening of key personnel)
Sources supporting security review and vulnerabilities identification
An energy transmission operator will be required to identify a number of sources for vulnerability
information and will also have to rely on their own subject matter experts to verify that vulnerabilities
exist, or not as the case may be, within the organisation.
To support this process, there are two main types of available information:
Security standards providing good practices on security implementation. These sources can be
used in order to perform a gap analysis. On this principle, any significant gap to good practices
can be considered as a vulnerability.
Vulnerability information sources providing data on actual vulnerabilities. These sources are
much more focused to specific vulnerabilities that may be exploited by specific threats, which
may reside in a particular technology, etc.
These two types of information can be found in several sources:
Industry Associations: Industry associations will provide a good source for the notification of sector
explicit and general vulnerabilities, as these organisations are setup to aid and assist the industry to
maintain good practices and therefore they will highlight vulnerabilities that may harm their members.
Industry associations may not always provide a service that is very current (dependent on the criticality
level of vulnerability), especially if they issue periodic vulnerability bulletins, e.g. monthly.
National Government (Security): Government departments will often provide Critical Infrastructure
organisations updates on the security threats within the sector which will enable an operator to validate
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 39 of 118
if their organisation and infrastructure is potentially vulnerable. As for example: the UK Centre for the
Protection of National Infrastructure (CPNI): The CPNI provides Critical Infrastructure within the UK
with Security advice and security good practice guidelines, including an ICT vulnerability watch service.
http://www.cpni.gov.uk
Some private companies provide a security assessment and notification service about physical security
threats to sectors such as the energy sector (including early detection and remediation advice where
appropriate). Information about such threats and vulnerabilities are sent out to the subscribed service
users.
Some Government departments and private companies will provide an ICT vulnerability watch and
notification service where ICT vulnerabilities (including remediation advice where appropriate) are
collated and sent out to the subscribed service users.
Manufacturers: These will often provide notification of vulnerabilities within their products
(software/hardware) and suggestions for remediation, but sometimes they may not be able to provide
timely notification or even effective remediation.
Internal: It is also very important that an Energy Transmission System Operator utilises it own internal
experts to monitor their environment and maintain a level of vulnerability watch within their area of
expertise.
Examples of other sources for vulnerability information and assistance
Guide for ICT Vulnerability Identification: ICT Standard ISO/IEC 27002 for Corporate ICT systems. This
Standard provides good practices for ICT security. It is therefore possible through a gap analysis to
identify vulnerabilities.
MPSCIE, E-SCSIE and national process control information exchanges (e.g., ISACs): The Meridian,
European, and national SCADA (and process control) Security Information Exchanges aims for the
process control users, governments and research to benefit from the ability to collaborate on a range of
common security-related issues, and to focus effort and share resource where appropriate. The
intended outcome is a raised level of protection adopted across international as well as Europe's SCADA
and other Process Control Systems.
The National Vulnerability Database (NVD): Is a publicly accessible reference system for publicly known
ICT vulnerabilities and exposures. It is funded by the National Cyber Security Division of the United
States Department of Homeland Security: http://nvd.nist.gov/
Bugtraq: This is a mailing list where ICT Security issues and vulnerabilities are sent to subscribers of the
service. Options to subscribe to other Security related information such as security incidents is also
available: http://www.securityfocus.com/archive
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 40 of 118
NIST: The US National Institute of Standards and Technology have issued a publication on Creating a
Patch and Vulnerability Management system: http://csrc.nist.gov/publications/nistpubs/800-40-
Ver2/SP800-40v2.pdf
MITRE:
1. CVE database is a dictionary of publicly known information security vulnerabilities and
exposures. http://cve.mitre.org/
2. Common Weakness Enumeration (CWE) provides a unified, measurable set of software
weaknesses that is enabling more effective discussion, description, selection, and use of
software security tools and services that can find these weaknesses in source code and
operational systems as well as better understanding and management of software
weaknesses related to architecture and design. http://cwe.mitre.org/
CVSS-SIG Common Vulnerability Scoring System Support v2 (CVSS) CVSS provides a universal open and
standardized method for rating IT vulnerabilities. http://www.first.org/cvss/
Output: Documented list of detailed vulnerabilities on the scope of the study in all areas of holistic
security.
4.2.3.7 STEP 7: Evaluate the associated risks
From the vulnerabilities listed at the previous stage, associated risks are identified. For each
vulnerability identified, the associated scenario(s) of incident can be developed. A scenario of incident
associated to a vulnerability is a threat exploiting this vulnerability to harm assets and more largely the
infrastructure.
For each scenario, probability and severity are evaluated using the scales previously defined which
allows then to evaluate the risk associated to each vulnerability.
It is important to note that this step of the risk assessment can also benefit from inputs from an
(inter)dependency analysis (please refer to the (inter)dependency analysis approach developed by the
EURAM project) carried out on the same scope. This dependency analysis will provide useful information
for identification of scenarios and ranking of associated risks. In this context, the different components
of the risk will be identified in the following manner:
Vulnerability: In the case of a dependency, the vulnerability is that one or several assets are
dependent on a service provided with limited resilience in case of disruption of this service.
Threat: In this context the threat is the disruption of the essential service associated to the
dependency.
Asset: the assets impacted are the assets being dependent.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 41 of 118
Severity: the dependency analysis will provide useful information for severity analysis identifying
in particular any possible knock-on effects and evolution of the impact over time.
Probability: The evaluation of the probability will be supported by the description of the
dependency context.
The result of this last step is the list of relevant risks that the infrastructure faces from a holistic point of
view. These risks are all evaluated and ranked which will support decision making in the risk mitigation
process part of the contingency planning approach.
Output: List of risks that have been qualified in terms of associated vulnerability (ies) and probability &
severity levels.
These risks will also be useful to support interdependencies analysis between critical infrastructures. By
construction these risks can be compared or cross-analysed with risks identified in an other
infrastructure provided that the same approach has been followed. This methodology used with
supporting guidelines ensures:
Consistent definition of scope,
Consistent scales for impact, probability and risk evaluation,
Comprehensive list of threat classes for threat context identification.
4.2.4 Maintenance of the risk assessment
This information is the result of the holistic risk assessment and this is the document that will have to be
maintained regularly to follow the evolution of the risk profile depending on:
The evolution of the infrastructure (reorganisation, new assets, etc.),
Changes in the threat context,
Implementation of new security controls,
Discovery of new vulnerabilities, attack techniques.
The maintenance of the risk assessment can also receive some feedback from experience of real or
simulated incidents through lessons learnt. This experience allows to refine the evaluation of risks and
notably in terms of the effects and cascading consequences or to identify new risks which were not
anticipated before.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 42 of 118
4.3 The implementation of EURAM within the Energy Sector
The following subsections detail the tailored approached for the energy transmission sector (Electricity,
Gas and Oil) as mentioned in section 4.2.1. It must be mentioned that there will be a number of
similarities between the 3 energy transmission sectors (especially gas & oil transmission) and therefore
some of the requirements will be the same (e.g. Setting up the Holistic team, SCADA, etc.).
4.3.1 Electricity Transmission
Step1: Constitute the Holistic Risk Assessment Team
The objective of Step 1 is to create and the holistic risk assessment team. The team should comprise
personnel as described in Figure 10, with the level of their contribution dependent on the risk
assessment being undertaken.
The Risk Manager is the owner/lead for this process and should be assisted in the process by 3-4
independent individuals. Expert and specialist input into the process will be provided by the following
organisational functions as and when required to the Holistic Risk Assessment team:
Holistic Risk Assessment Team Contributors
Maintenance Team (Transmission Infrastructure)
Engineering Team (Transmission Infrastructure)
ICT & Physical Security
Contingency Planning Manager
Facilities Team
HR Team
Control/Dispatch Room Manager
SCADA/Telemetry Manager(s)
Logistics Team
ICT (system & networks) Team
Figure 10: Holistic Risk Assessment Team
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 43 of 118
Step2: Define the scope of the risk assessment
It is essential that the definition of the scope of the risk assessment is fully understood by the holistic
risk assessment team. The elements that could be considered for inclusion within the scope of the risk
assessment undertaken on an electricity transmission system operators environment might be:
Primary Electricity Transmission Infrastructure:
Wire (overhead, under ground &, underwater)
Pylons & Poles
Substations
Interconnector: An Interconnector is the point where the transmission network connects either
at a national or cross border/international level with another TSO area.
Supporting Electricity Transmission Infrastructure:
SCADA/Telemetry: These contain the key elements for the management, monitoring and
control of the electricity transmission infrastructure and include real time and historic status
information.
ICT Networks and Systems: The ICT systems and networks is the infrastructure that supports
the operations of the corporate and the SCADA/Telemetry environments.
Facilities: The facilities include the buildings and land where electricity transmission assets are
located.
Engineering function: The engineering function is responsible for the deployment and
management of the assets used for the transmission of electricity over the transmission
infrastructure.
Maintenance function: The maintenance function has the role of maintaining the infrastructure
and work in conjunction with the engineering function.
Contingency plans: The contingency plans provide the organisation with the tools required to
react in an effective manner following an incident.
Electricity Transmission Infrastructure Dependencies:
Electricity supply: This can be from Nuclear, Fossil, Bio, renewable, etc.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 44 of 118
Not owned telecommunications: Communication with own process control elements, adjacent
TSOs, DSOs, producers (planning 24h and longer term), relevant Power exchanges (e.g., APX),
maintenance crews, ..)
Weather (forecasting) services (short term and 24h planning demand as well as wind/solar
power supply)
Step 3: Define the scales for risk evaluation
The objective is to provide defined scales for the evaluation or probability and severity.
In the electricity transmission sector, the scales for risk evaluation of incidents can be estimated in the
following terms:
Impact Scales
The following table indicates the possible impact scales for an electricity TSO:
1: Low impact 2: Medium
impact
3: Significant
impact 4: Critical impact
5: Most severe
impact
Extent of loss of supply (by percentage of customers, by percentage of nominal capacity)
< 5%
> 5 %
< 25%
> 25%
< 50%
> 50%
< 75%
> 75%
Duration of power outage or fluctuation of supply quality (Brown Outs/Surges/Spikes)
< 5 Seconds > 5 Seconds
< 5 Minutes
> 5 Minutes
< 1 Hour
> 1 Hour
< 12 Hours
> 12 Hours
Financial loss
Loss of revenue, Customer compensation, Cost of reactive remedial action & Regulator fines as a
percentage of revenue during the period of an incident
< .5% < 5% < 25% < 50% > 50%
Figure 11: Impact Scales for Electricity Transmission
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 45 of 118
Probability Scales
The following table indicates the possible probability scales for an electricity transmission operator:
1 Very low
probability
2 Low probability 3 Medium
probability
4 High Probability 5 Certainty
Accidental or untargeted attacks
It is extremely
unlikely that the
incident will
occur as for
example there is
merely no
experience of it in
the electricity
transmission
sector.
The incident is
not likely to occur
as for example
experience of it is
very limited in the
electricity
transmission
sector.
It is likely that the
incident will
occur as, for
example, similar
incidents have
been reported in
the electricity
transmission
sector.
It is very likely
that the incident
will occur in the
organisation as,
for example,
most of the
electricity
transmission
sector has already
suffered such
incidents.
The incident will
happen in the
organisation in
the close future.
Deliberate attacks
Attack would
require virtually
unlimited
resources
(money, skills,
etc.)
Attack very
difficult to
perform needing
conjunction of
expert skills and
money.
Attack not easy
but could be
possible with
single expert skills
and a reasonable
investment in
time and effort.
Attractiveness,
lack of protection
and, resources of
the attacker
making the attack
perfectly feasible.
Attractiveness,
lack of protection
and, resources of
the attacker
making the attack
ordinary.
Figure 12: Probability Scales for Electricity Transmission
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 46 of 118
Step 4: Understand the assets in the scope
The objective of Step 4 is to gain an understanding of the assets within the scope of the risk assessment
for operations. Examples of the assets that could be within the scope of the risk assessment and that
require their criticality and their priority levels to the electricity transmission service to be understood
are:
The transmission grid (wires & cables, poles & pylons): The need is to fully understand and appreciate
the extent of the network and the resilience levels provided in case of the loss of a line. Dependencies
to energy sources, such as a Power Plant or other interconnections with other transmission networks
are also to be analysed. This analysis should be done for the different mode of operation of the
infrastructure such as seasonal usage and other usage patterns such as increases in peak demand.
The substations: These assets are used to step down the voltage from the very high voltages (e.g.
from 110KV to 765KV) to lower voltages (~50KV) (or vice-versa to step up lower voltages to high
voltage), to switch the energy flow, to control the reactive power, and to self-protect the grid
elements (e.g., tripping when lightning, wire failures, technical failure occur). The need at this stage is
to understand the criticality of substations within the energy supply chain. These assets contain
Transformers, Circuit Breakers, Protection devices, VAR compensators (SVR, Phasors), and Switches.
Measurement devices in substations provide the TSO with insight in the current energy flows in the
grid. Substations can also be the point where electricity Transmission System operations exchange
power with the Distribution System operations start.
The ICT systems & networks: This is primarily the organisations ICT assets and the need to protect
sensitive information that may facilitate a compromise of the electricity transmission system
infrastructure should its protection fail. It is also important to identify any possible route from the ICT
corporate infrastructure into the Telemetry infrastructure.
The SCADA/Telemetry infrastructure: The need is to understand the potential control of the energy
transmission infrastructure that can be achieved using the SCADA/Telemetry components and the
potential to cause widespread disruption to the electricity transmission infrastructure should the
systems be misused or compromised.
The Engineering and Maintenance teams: The need at this stage is to understand what are the critical
activities undertaken, who are the key actors within these teams and what other dependencies they
rely upon in order to deliver the required levels of service.
The Control/Dispatch Room (including Control Room personnel): The need is to understand the level
of resources required to function for different scenarios (normal load, peak time, incidents, etc). Also
how much of the control rooms management, monitoring and control of the systems are manual,
automatic or a combination of both.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 47 of 118
Interconnection points: These assets are where the transmission network interconnects with other
networks and what the level of criticality is given to each interconnection.
The Contingency Plan: The need is to understand the contingency plan and all the resources that can
be activated during an incident affecting the scope of the risk assessment.
Step 5: Understand the threats
The objective is to understand the specific threats in the context of the target of the risk assessment
being undertaken. The common threats against an electricity transmission organisation would include,
but are not limited to, the following:
Intent Failure/Accident Nature Cascade
Acts of Terrorism
Acts of Vandalism
Theft (copper/metals)
Theft (equipment)
Industrial action
Targeted Cyber Attack
Virus/Trojans
EMP
Act of War
Diplomatic Incident
Negligence
Mistake
Impact (e.g. vehicle
against pylon/pole)
Ingress of Water
Explosion
Disclosure of information
(Theft/Leakage)
Equipment malfunction
or failure
Chemical (spillage)
Loss, unavailability or
turnover of personnel
Outdated and un-
maintainable technology
Extreme weather
conditions
Pandemic (Flu/etc)
Geological
Fire
Flood
Solar Activity
Loss of power
supply/utilities/services
Loss of Telecoms
Loss of Energy Supply to the
Electricity Transmission
Network (Interconnector /
Generated supply)Loss of
black start capability
Loss of pumped storage
capacity
Figure 13: Common Threats to Electricity Transmission operators
An Electricity Transmission System operator is required to review the high level threats listed above and
if they are applicable to their context, they should proceed to evaluate the level of threat exposure,
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 48 of 118
taking into consideration that the level of the threat of exposure may not be consistent across the scope
of the risk assessment.
Step 6: Review Security and identify vulnerabilities
The Step 6 objective is documenting the detailed vulnerabilities within the scope of the holistic risk
assessment.
This step is very dependent on the particular situation at hand. It is therefore difficult to provide a list of
typical vulnerabilities in the TSO domain. This would have the detrimental effect of focusing the user of
this approach on a finite list of vulnerabilities, which would by no mean be exhaustive.
Step 7: Evaluate the associated risk
The objective of Step 7 is to compile a list of risk factors that have been qualified in terms of associated
vulnerability(ies), probability, and severity levels. As such, it is not possible to tailor this explicitly for the
energy sector as it is a generic step. However, by virtue of the previous 6 steps being tailored for the
Electricity Transmission Operator, the output of Step 7 is specific to the energy sector as a whole.
-
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 49 of 118
4.3.2 Gas