Risk assessment methodologies for Critical Infrastructures...
With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme, European Commission - Directorate-General Home Affairs
“Risk assessment methodologies for Critical Infrastructures Protection”
Dr. Eng. Luisa Franchina, Dr. Michele Kidane Mariam
Training session objectives
Understanding the risk assessment requirements of Critical Infrastructure Protection
Analysing strengths and weaknesses of existing risk assessment approaches for CIP
Identifying common features in existing risk assessment methodologies for CIP
Identifying the current gap in CIP risk assessment methodologies
Associazione Italiana esperti infrastrutture Critiche – AIIC
AIIC is an Italian scientific non-profit association of experts and stakeholders in Critical Infrastructure Protection.
AIIC was established in 2006.
The association aims at developing an interdisciplinary CIPR culture related to:
Strategies
Methodologies
Tools
Technologies
for Critical Infrastructure Protection (CIP), especially in crisis situations
AIIC Objectives
AIIC's main objectives are to deepen, promote and share knowledge regarding Critical Infrastructures and their protection.
To reach its objective AIIC has organised over the years:
Conferences and workshops
Roundtables
Technical visits
Working groups and information sharing among professionals
Training courses
Critical Infrastructure Definition & Key Features 1/4
European directive 114/2008:
CRITICAL INFRASTRUCTURE: an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions;
Critical Infrastructures have four types of cross- and intra-sectoral interdependencies (Rinaldi et al., 2001):
Physical: the operation of one infrastructure depends on the material output of the other
Cyber: dependency on information transmitted through the information infrastructure
Geographic: dependency on local environmental effects that affect several infrastructures simultaneously
Logical: any kind of dependency not characterized as Physical, Cyber or Geographic
Besides cross-sectoral interdependencies (e.g. ICT and electricity, satellite navigation and transport), at European level one can identify intra-sectoral interdependencies of national infrastructures that form European infrastructures.
Example: the high-voltage electricity grid is composed of the interconnected national high-voltage electricity grids.
Critical Infrastructure Definition & Key Features – Interdependencies 3/4
Therefore a Critical Infrastructure can be defined as a System of Systems, with:
Not clearly defined boundaries
Multiple actors
Evolution through time
Interdimensional interdependency
Critical Infrastructure Definition & Key Features – System of Systems 4/4
Risk, Hazard and Protection definition
Protection: all activities aimed at ensuring the functionality, continuity and integrity of critical infrastructures in order to deter, mitigate and neutralise a threat, risk or vulnerability (2008/114/EC);
Risk: a combination of the consequences of an event (hazard/threat) and the associated likelihood/probability of its occurrence (ISO 31010).
Hazard: a dangerous phenomenon, substance, human activity or condition that may cause loss of life, injury or other health impacts, property damage, loss of livelihoods and services, social and economic disruption, or environmental damage (UNISDR, 2009).
Risk Assessment
Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. (ISO 31010)
Risk Identification: finding, recognizing and describing risks
Risk Analysis: comprehend the nature of risk; determine impact and probability; determine level of risk
Risk Evaluation: prioritizing risk; determine whether the risk and/or its magnitude is acceptable/tolerable
Risk Assessment – Risk
Risks are the combination of the consequences of an event or hazard and the associated likelihood of its occurrence (ISO 31010).
The consequences are the negative effects of an event expressed in terms of:
Human impacts
Economic and environmental impacts
Political/social impacts
When the extent of the impacts is independent of the probability of occurrence of the hazard, which is often the case for purely natural hazards, such as earthquakes or storms, risk can be expressed algebraically as:
Risk = hazard impact * probability of occurrence
Risk Assessment – Impact Assessment 1/2
In Critical Infrastructure Protection, impact assessment should consider AT LEAST the following types of impacts:
Human impacts: the number of affected people, the number of deaths, the number of severely injured or ill people, the number of permanently displaced people
Economic and environmental impacts: the sum of the costs of cure or healthcare, cost of immediate or longer-term emergency measures, costs of restoration of buildings, public transport systems and infrastructure, property, cultural heritage, etc., costs of environmental restoration and other environmental costs (or environmental damage), costs of disruption of/to economic activity, value of insurance pay-outs, indirect costs on the economy, indirect social costs, and other direct and indirect costs, as relevant
Risk Assessment – Impact Assessment 2/2
Political/social impacts: public outrage and anxiety, encroachment of the territory, infringement of the international position, violation of the democratic system, social psychological impact, impact on public order and safety, political implications, psychological implications, damage to cultural assets, other factors considered important which cannot be measured in single units
Political/social impacts will generally refer to a semi-quantitative scale comprising a number of classes:
limited/insignificant
minor/substantial
moderate/serious
significant/very serious
catastrophic/disastrous
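The following Python script is an added example, not part of the AIIC slides: it turns the formula Risk = hazard impact * probability of occurrence and the three impact dimensions into a scoring routine, using the five impact classes listed above. Everything numeric in it is an assumption made for the example: the thresholds that map deaths, euro losses and annual probabilities onto classes, the 5x5 risk matrix bins, and the sample hazards (named `Hazard`, `impact_class`, `risk_level`, `rank`).

```python
"""Semi-quantitative risk classification.

Added example, not taken from the AIIC slides. The thresholds, the probability
classes and the 5x5 risk matrix bins are constructed for illustration and are
not part of any standard.
"""
from dataclasses import dataclass

IMPACT_CLASSES = [
    "limited/insignificant",
    "minor/substantial",
    "moderate/serious",
    "significant/very serious",
    "catastrophic/disastrous",
]

# Constructed thresholds: the class index (1..5) is one plus the number of
# thresholds the value reaches.
DEATH_THRESHOLDS = (1, 10, 100, 1000)             # number of deaths
ECONOMIC_THRESHOLDS = (1e6, 1e7, 1e8, 1e9)        # euro of aggregated loss
PROBABILITY_THRESHOLDS = (0.001, 0.01, 0.1, 0.5)  # annual probability of occurrence


def classify(value, thresholds):
    """Map a numeric value onto a 1..5 class using ascending thresholds."""
    return 1 + sum(value >= t for t in thresholds)


@dataclass
class Hazard:
    name: str
    deaths: int                  # human impact (one of the slide's measures)
    economic_loss_eur: float     # economic and environmental impact, aggregated
    political_social_class: int  # 1..5, assessed directly on the semi-quantitative scale
    annual_probability: float


def impact_class(h: Hazard) -> int:
    """Overall impact class = worst class over the three impact dimensions."""
    return max(
        classify(h.deaths, DEATH_THRESHOLDS),
        classify(h.economic_loss_eur, ECONOMIC_THRESHOLDS),
        h.political_social_class,
    )


def risk_level(h: Hazard) -> int:
    """Risk = impact x probability, evaluated on classes and binned to 1..5.

    The product of two 1..5 classes ranges over 1..25; the bins below are a
    constructed 5x5 risk matrix, not a published one.
    """
    score = impact_class(h) * classify(h.annual_probability, PROBABILITY_THRESHOLDS)
    for level, upper in enumerate((2, 5, 10, 16), start=1):
        if score <= upper:
            return level
    return 5


def expected_annual_loss(h: Hazard) -> float:
    """Quantitative form of the slide's formula for the economic dimension."""
    return h.economic_loss_eur * h.annual_probability


def rank(hazards):
    """Order hazards by risk level, then by expected annual loss, highest first."""
    return [h.name for h in sorted(hazards,
                                   key=lambda h: (risk_level(h), expected_annual_loss(h)),
                                   reverse=True)]


# Constructed sample hazards for one geographic area
SAMPLE = [
    Hazard("river flood", deaths=5, economic_loss_eur=5e7, political_social_class=2, annual_probability=0.05),
    Hazard("earthquake", deaths=200, economic_loss_eur=2e9, political_social_class=4, annual_probability=0.002),
    Hazard("ICT outage", deaths=0, economic_loss_eur=3e6, political_social_class=3, annual_probability=0.6),
]

if __name__ == "__main__":
    for h in SAMPLE:
        print(f"{h.name:12s} impact={IMPACT_CLASSES[impact_class(h) - 1]:25s} risk level={risk_level(h)}")
    print("ranking:", rank(SAMPLE))
```

Taking the worst class across dimensions is one common choice; the point to keep from the slides is that the political/social dimension enters only as a class, so the combination has to happen on the class scale rather than in euro.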
Risk Assessment – Empirical Evidence
Impact analysis should rely as much as possible on empirical evidence and experience from past event data or established quantitative models of impact. It is clear that for quantification purposes, a number of assumptions and estimates will have to be used, some of which may be rather uncertain. These assumptions and estimates should always be clearly identified and substantiated.
The assessment of the probability of an event or hazard should be based, where possible, on the historical frequency of events of similar scale and available statistical data relevant for an analysis of the main drivers.
However, when considering cyber threats, reliance on historical data may not be enough, especially for the most innovative and advanced threats (APT, zero-day, etc.). For this reason, in this domain the focus of risk assessment has shifted toward continuous monitoring and real-time data gathering and analysis.
Cyber-risk management in CIP
Cyber risk management in CIP: shift from a reactive approach to a predictive approach
Use of intelligence techniques and platforms for big data gathering and analysis
Use of specific and established risk management frameworks for cyber security:
COBIT
ISO 27001
NIST Cybersecurity Framework
Risk Assessment – Single & Multiple
Single-risk assessment: determine the singular risk (i.e. likelihood and consequences) of one particular hazard (e.g. flood) or one particular type of hazard (e.g. flooding) occurring in a particular geographic area during a given period of time.
Multi-risk all-hazard assessment: determine the total risk from several hazards either occurring at the same time or shortly following each other, because they are dependent on one another or because they are caused by the same triggering event or hazard; or merely threatening the same elements at risk (vulnerable/exposed elements) without chronological coincidence.
European Cooperation Network on Critical Infrastructure Protection
Multi-Risk Assessment Challenges
Current Challenges:
Adequately taking into account all possible follow-on effects (also: knock-on effects, domino effects or cascading effects) amongst hazards and infrastructure (Interdependencies)
Co-ordination and interfacing between different specialized authorities and agencies, each of which deals with specific hazards or risks without developing a complete overview of the knock-on, domino and cascading effects
Most multi-risk assessment methodologies are just an adaptation of single risk-assessment methodologies
There are a number of difficulties in combining single-risk analyses into a more integrated multi-risk analysis:
Available data for different single risks may refer to different time windows, different typologies of impacts are used, etc., making comparisons and rankings difficult if not impossible.
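As an added example that is not from the AIIC slides or from any of the methodologies reviewed later in the deck, the script below shows the difference between summing single-risk figures and a multi-risk figure that includes follow-on effects. It models interdependencies as a directed graph of propagation probabilities (the Rinaldi types appear only as labels) and compares the expected annual loss with and without cascades. The graph `DEPENDENCIES`, the impact figures `IMPACT_EUR`, the hazards and the fixed-point propagation rule are all constructed assumptions for this example.

```python
"""Single-risk sum versus multi-risk assessment with cascading effects.

Added example, not from the AIIC slides or from any of the methodologies they
review. The graph, the impact figures and the hazards are constructed.
"""

# Constructed dependency graph: source -> [(dependent infrastructure,
# probability that loss of the source causes loss of the dependent, type)]
DEPENDENCIES = {
    "electricity": [("ict", 0.9, "physical"), ("water", 0.6, "physical"), ("transport", 0.5, "physical")],
    "ict": [("transport", 0.4, "cyber"), ("electricity", 0.2, "cyber")],
    "water": [],
    "transport": [],
}

# Constructed aggregated impact (economic loss in euro) of losing each infrastructure
IMPACT_EUR = {"electricity": 50e6, "ict": 30e6, "water": 20e6, "transport": 40e6}

# Constructed hazards: (name, annual probability, infrastructures hit directly)
HAZARDS = [
    ("winter storm", 0.1, {"electricity"}),
    ("ICT backbone failure", 0.3, {"ict"}),
]


def parents_of(child):
    """All (source, propagation probability) edges pointing at child."""
    return [(src, p) for src, edges in DEPENDENCIES.items() for c, p, _kind in edges if c == child]


def cascade_loss_probabilities(initial, iterations=100, tol=1e-12):
    """Probability that each infrastructure is lost, given that `initial` is lost.

    Each incoming edge is treated as an independent way of losing the child:
    P(lost) = 1 - prod(1 - p_edge * P(source lost)). The values are iterated to
    a fixed point so that cycles (ict -> electricity -> ict) are handled. This is
    a simplification: shared upstream causes make the paths dependent, so the
    result is an approximation suitable for screening, not a precise figure.
    """
    prob = {n: (1.0 if n in initial else 0.0) for n in DEPENDENCIES}
    for _ in range(iterations):
        updated = dict(prob)
        for child in DEPENDENCIES:
            if child in initial:
                continue
            survive = 1.0
            for src, p in parents_of(child):
                survive *= 1.0 - p * prob[src]
            updated[child] = 1.0 - survive
        if all(abs(updated[n] - prob[n]) < tol for n in prob):
            break
        prob = updated
    return prob


def conditional_loss(initial):
    """Expected loss in euro once the infrastructures in `initial` are down, cascades included."""
    probs = cascade_loss_probabilities(initial)
    return sum(probs[n] * IMPACT_EUR[n] for n in DEPENDENCIES)


def single_risk_sum(hazards=HAZARDS):
    """Naive approach: each hazard's direct impact times its probability, summed."""
    return sum(p * sum(IMPACT_EUR[n] for n in hit) for _, p, hit in hazards)


def multi_risk(hazards=HAZARDS):
    """Same sum, but each hazard's impact includes the cascade it triggers.

    Hazards are assumed rare enough that their co-occurrence can be neglected;
    the result is an expected annual loss, not a joint-event simulation.
    """
    return sum(p * conditional_loss(hit) for _, p, hit in hazards)


if __name__ == "__main__":
    for name, p, hit in HAZARDS:
        print(f"{name}: cascade loss probabilities {cascade_loss_probabilities(hit)}")
    print(f"single-risk sum: {single_risk_sum():,.0f} EUR/year")
    print(f"multi-risk:      {multi_risk():,.0f} EUR/year")
```

With the constructed numbers the single-risk sum is 14 million EUR/year while the cascade-aware figure is about 29.9 million EUR/year: the electricity dependency of ICT, water and transport more than doubles the figure, which is exactly the knock-on effect the slide says single-risk methodologies miss.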
Risk Assessment Methodologies for Critical Infrastructure Protection
Risk assessment methodologies: domain of applicability
System of Systems level
Infrastructure/System level
Asset level
Risk assessment methodologies: audience
Policy makers
Stakeholders
Decision makers
Public authorities
Operators
Risk Assessment Methodologies for Critical Infrastructure Protection
Sectoral Methodologies: each sector is treated separately with its own risks and ranking
System Approach Methodologies: assess critical infrastructures as an interconnected network
Risk Assessment Methodologies for Critical Infrastructure Protection
The following are the methodologies that will be presented:
Argonne National Laboratory – Better Infrastructure Risk Resilience (BIRR)
DECRIS Project
CARVER2 - NI2
Critical Infrastructure Protection Decision Support System
RAMCAP-Plus
Risk Assessment Methodologies for Critical Infrastructure Protection – Argonne National Laboratory – Better Infrastructure Risk Resilience (BIRR)
Argonne National Laboratory is one of the U.S. Department of Energy's oldest and largest national laboratories, conducting research in a wide range of fields.
One of the main domains is national security. Protection of critical infrastructures is part of this field.
Research conducted in this direction is mainly oriented to the policy needs of the Department of Homeland Security (DHS).
Argonne develops methodologies for assessing infrastructure risk and resilience to a variety of natural and man-made hazards for various infrastructures, including:
Energy facilities
Transportation
Water treatment plants
Financial institutions
Commercial office buildings
Risk Assessment Methodologies for Critical Infrastructure Protection – Argonne National Laboratory – Better Infrastructure Risk Resilience (BIRR)
Enhanced Critical Infrastructure Protection (ECIP): umbrella program covering Critical Infrastructure Protection activities.
The BIRR methodology is developed within the framework of ECIP and covers the facilities in 18 critical infrastructure sectors.
Approach: sectoral approach that goes down to the asset level and gives priority to the protection measures that are applied mainly against terrorist threats
Aim: to provide policy makers with tools that can help in the analysis of the various sectors, identify vulnerabilities and prepare risk reports
Target audience: policy makers
Risk Assessment Methodologies for Critical Infrastructure Protection – Argonne National Laboratory – Better Infrastructure Risk Resilience (BIRR)
The methodology focuses on evaluating three interrelated indexes:
VI (Vulnerability Index)
PMI (Protective Measures Index)
RI (Resilience Index)
The evaluation relies on:
Reliable data set:
Collected by 93 DHS Protective Security Advisors (PSAs) who are located throughout the US.
that undergoes a quality assurance and control procedure and covers a wide area of security-related components and subcomponents
Operators own asset assessment
Templates that contain what if scenarios
Risk Assessment Methodologies for Critical Infrastructure Protection – Argonne National Laboratory – Better Infrastructure Risk Resilience (BIRR)
Vulnerability Index:
A common metric that facilitates the comparison across the various sectors of infrastructures that are covered by this methodology.
The procedure for evaluating the VI starts from the Protective Measure Index.
PMI is designed to reflect the increase in protection of certain assets as new measures are applied
Protective Measure Index:
Interdependencies are included in the PMI calculation.
For each asset that is analyzed it is possible to define on which main sectors (electricity, gas, ICT, etc.) its operation relies and quantify this through three indexes:
Redundancy Index
Resilience Index
Impact index
Resilience Index:
The evaluation of the RI is based on the same methodology as the other indexes (VI, PMI)
Considers data on the robustness, resourcefulness and recovery of a facility/asset
Risk Assessment Methodologies for Critical Infrastructure Protection – Argonne National Laboratory – Better Infrastructure Risk Resilience (BIRR)
Strengths of the methodology
It is possible for the operator to assess the security of its assets with respect to certain scenarios and also to compare their security level with respect to that of similar sectors/subsectors.
The use of a common metric (VI) to compare critical assets' protection measures across sectors is remarkable
Cross-sectoral and intra-sectoral dependencies are considered (PMI)
Weaknesses of the methodology
Sectoral approach
Gives priority to the protection measures that are applied mainly against terrorist threats
The resilience index concept needs further development and consideration
Risk Assessment Methodologies for Critical Infrastructure Protection – DECRIS Project / Approach
The DECRIS approach is the result of intensive research from SINTEF in the domain of hazard/risk assessment for critical infrastructures
The DECRIS project/approach builds on the existing capacities in the sectoral risk assessment methodologies that already existed in Norway
Approach: cross-sectoral / interconnected system approach
Aim: bridge the gap between the methodologies that exist in various sectors and propose an all-hazard generic Risk and Vulnerability Assessment methodology for cross-sector infrastructure analysis
Target audience: policy and decision makers
Risk Assessment Methodologies for Critical Infrastructure Protection – DECRIS Project / Approach
The DECRIS methodology is based on a four-step procedure:
1. Establishment of event taxonomies and risk dimensions.
2. Simplified Risk and Vulnerability Analysis for the identified events.
3. Selection of events to be further analysed.
4. Detailed analysis of selected events.
A refinement mechanism has been incorporated in order to narrow down the list of events that have to be assessed.
The selection process takes place on the basis of:
the importance of the risk,
the number of impacted infrastructures,
the communication difficulties of this event to the public
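The screening step between the simplified analysis (step 2) and the detailed analysis (step 4), written out as an added example with constructed data; it is not the DECRIS project's own procedure, tool or Oslo data. The three selection criteria are the ones named on the slide; the class scales, the thresholds (`risk_threshold`, `spread_threshold`, `comm_threshold`) and the sample events are assumptions made for this example.

```python
"""Event screening between the simplified and the detailed analysis.

Added example implementing the selection logic described on the slide with
constructed data. Thresholds, scales and events are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Event:
    name: str
    sector: str
    probability_class: int         # 1..5 from the simplified risk and vulnerability analysis
    consequence_class: int         # 1..5, worst risk dimension from the same analysis
    impacted: frozenset            # infrastructures affected, including the event's own sector
    communication_difficulty: int  # 1..3 constructed scale (3 = hard to communicate to the public)


def risk_importance(e: Event) -> int:
    """Simplified risk score: probability class times consequence class (1..25)."""
    return e.probability_class * e.consequence_class


def selection_reasons(e: Event, risk_threshold=12, spread_threshold=3, comm_threshold=3):
    """Return which of the three selection criteria the event meets (empty = screened out)."""
    reasons = []
    if risk_importance(e) >= risk_threshold:
        reasons.append("importance of the risk")
    if len(e.impacted) >= spread_threshold:
        reasons.append("number of impacted infrastructures")
    if e.communication_difficulty >= comm_threshold:
        reasons.append("public communication difficulty")
    return reasons


def shortlist(events):
    """Split events into (selected, screened_out).

    `selected` holds (name, reasons) ordered by risk importance, highest first,
    so that the detailed analysis starts with the most important event;
    `screened_out` holds the names of the rest in the same order.
    """
    selected, screened_out = [], []
    for e in sorted(events, key=risk_importance, reverse=True):
        reasons = selection_reasons(e)
        if reasons:
            selected.append((e.name, reasons))
        else:
            screened_out.append(e.name)
    return selected, screened_out


# Constructed events across the four infrastructure categories on the next slide
EVENTS = [
    Event("transformer station fire", "electricity", 3, 4, frozenset({"electricity", "ict", "water"}), 1),
    Event("water main break", "water", 4, 2, frozenset({"water"}), 1),
    Event("drinking water contamination", "water", 1, 4, frozenset({"water"}), 3),
    Event("rail signalling failure", "transport", 3, 3, frozenset({"transport", "ict"}), 1),
    Event("ICT backbone outage", "ict", 2, 5, frozenset({"ict", "electricity", "transport", "water"}), 2),
]

if __name__ == "__main__":
    selected, screened_out = shortlist(EVENTS)
    for name, reasons in selected:
        print(f"detailed analysis: {name} ({', '.join(reasons)})")
    print("screened out:", screened_out)
```

Note that the criteria are combined with OR: a low-probability contamination event with no cross-sector spread still reaches the detailed analysis because of its public-communication difficulty, which is the behaviour the slide's third criterion asks for.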
Risk Assessment Methodologies for Critical Infrastructure Protection – DECRIS Project / Approach
A proof of concept of this methodology has been set up for the city of Oslo
Time period: January 2008 – December 2008
Meetings every 2 months.
Discussions in plenum and group work within each infrastructure
Four categories of Critical Infrastructure have been considered:
Electricity,
Water,
Transport,
ICT
For each category a number of events have been considered
For each event, selection criteria have been applied and a short list of scenarios to be further assessed was established
Risk Assessment Methodologies for Critical Infrastructure Protection – DECRIS Project / Approach
The result of DECRIS’s Proof of Concept in Oslo:
Electricity power supply:
14 undesired events analysed.
Some interdependencies between the infrastructures, the ICT and electricity system.
Water supply:
Nine undesired events assessed.
Two events have dependencies to other infrastructures.
Several of the events have public communication challenges.
Transportation (road/rail):
Malicious acts included within the 23 events.
Dependencies to other infrastructures, especially to ICT.
Risk Assessment Methodologies for Critical Infrastructure Protection – DECRIS Project / Approach
Strengths of the methodology
A refinement mechanism to narrow down the list of events that have to be assessed
Fosters the collaboration between the various stakeholders in the different sectors in order to widen their understanding of the interdependencies across sectors
Cross-sectoral risk assessment approach
Cross-sectoral and intra-sectoral dependencies are considered
Weaknesses of the methodology
Resilience is not directly assessed in this methodology
The methodology is not highly differentiated with respect to a typical risk assessment one
The issue of the comparability of the consequences of one event on different infrastructures still remains
Risk Assessment Methodologies for Critical Infrastructure Protection – CARVER2 - NI2
Developed by NI2 Centre for Infrastructure Expertise
CARVER stands for Criticality, Accessibility, Recoverability, Vulnerability, Espyability, Redundancy
NI2 states that CARVER is a non-technical method for comparing and ranking critical infrastructure and key resources
Claims to be the only assessment tool that ranks critical infrastructure across sectors
A stand-alone PC tool and a server/client version (CARVER2Web) have been developed for the implementation of this methodology
The methodology is supposed to cover both terrorist threats as well as natural disasters, thus implementing an all-hazards approach
Risk Assessment Methodologies for Critical Infrastructure Protection – CARVER2 - NI2
CARVER2 is a tool that has been developed in order to serve the needs of critical infrastructure protection:
Approach: cross-sectoral approach
Aim: to serve the needs of critical infrastructure analysis mostly from the policy maker's point of view
Target audience: policy makers
Risk Assessment Methodologies for Critical Infrastructure Protection – CARVER2 - NI2
CARVER2 Methodology:
Six different criteria for which an asset or an infrastructure is assessed:
Criticality: the impact assessment part of the methodology
Accessibility: the possibility that terrorists can enter the infrastructure to provoke destruction; mostly an assessment of the vulnerability of the infrastructure in terms of physical security
Recoverability: partially covers resilience since it refers to the bouncing-back capability of the infrastructure after failure.
Vulnerability: covers part of the potential infrastructure vulnerabilities related to terrorist attacks, explosions and chemical/biological threats
Espyability: the function of an infrastructure as an icon (e.g. cultural site) with indirect impact; the implementation to quantify this is not thoroughly explained
Redundancy: refers to the alternatives that exist for the asset in consideration
Risk Assessment Methodologies for Critical Infrastructure Protection – CARVER2 - NI2
CARVER2 Methodology:
Particularly interesting is the way that interdependencies are assessed
The user has a list of sectors that are affected by the loss of an asset, or the list of the assets that belong to the same sector
The links between the various assets of different sectors have been predefined
It needs to be further clarified at which level the interdependencies have been defined
It is not clear what kind of interdependencies are included in the tool (cyber, physical, functional, geographical)
The user receives reports in various forms as well as a score for the classification of the asset
This scoring enables an apples-with-oranges comparison and it is a feature that indeed provides a cross-sectoral harmonized metric for the assessment of the importance of different infrastructures
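The principle behind such a harmonized metric, as an added example: it is not the NI2 CARVER2 tool, its scales or its weights, which the slides do not give. The script converts each sector's native criticality measure (customers served, people supplied, daily passengers) onto a common 1..5 class and then combines the six criteria named above into one score so that assets from different sectors can be ranked together. The bands `CRITICALITY_BANDS`, the weights `WEIGHTS`, the 1..5 scales for the other five criteria and the sample assets are all constructed assumptions.

```python
"""Harmonised cross-sector scoring of assets.

Added example showing the principle of an "apples with oranges" comparison;
not the CARVER2 tool. Bands, weights and assets are constructed.
"""
from dataclasses import dataclass

# Constructed per-sector bands: native measure -> common 1..5 criticality class.
# This translation step is what makes assets of different sectors comparable.
CRITICALITY_BANDS = {
    "electricity": ("customers served", (1e4, 1e5, 5e5, 2e6)),
    "water": ("people supplied", (5e3, 5e4, 2e5, 1e6)),
    "transport": ("daily passengers", (1e3, 1e4, 1e5, 5e5)),
}

# Constructed weights over the six criteria (sum to 1.0)
WEIGHTS = {
    "criticality": 0.30,
    "accessibility": 0.15,
    "recoverability": 0.15,
    "vulnerability": 0.15,
    "espyability": 0.10,
    "redundancy": 0.15,
}


def classify(value, thresholds):
    """Map a numeric value onto a 1..5 class using ascending thresholds."""
    return 1 + sum(value >= t for t in thresholds)


@dataclass
class Asset:
    """The five criteria after criticality are assessed directly on a 1..5 scale,
    where 5 is the worst case for the owner (hardest to reach securely, hardest
    to recover, most exposed, most symbolic, fewest alternatives)."""
    name: str
    sector: str
    native_criticality: float  # in the sector's native unit (see CRITICALITY_BANDS)
    accessibility: int
    recoverability: int
    vulnerability: int
    espyability: int
    redundancy: int


def criterion_classes(a: Asset) -> dict:
    """All six criteria on the common 1..5 scale."""
    _unit, bands = CRITICALITY_BANDS[a.sector]
    return {
        "criticality": classify(a.native_criticality, bands),
        "accessibility": a.accessibility,
        "recoverability": a.recoverability,
        "vulnerability": a.vulnerability,
        "espyability": a.espyability,
        "redundancy": a.redundancy,
    }


def harmonised_score(a: Asset) -> float:
    """Weighted sum of the six classes; ranges over 1.0 .. 5.0."""
    classes = criterion_classes(a)
    return round(sum(WEIGHTS[k] * classes[k] for k in WEIGHTS), 3)


def rank_across_sectors(assets):
    """Names ordered by harmonised score, highest first, regardless of sector."""
    return [a.name for a in sorted(assets, key=harmonised_score, reverse=True)]


# Constructed assets from three sectors
ASSETS = [
    Asset("regional substation", "electricity", 300_000, 2, 4, 3, 1, 3),
    Asset("city waterworks", "water", 800_000, 3, 4, 2, 2, 4),
    Asset("central rail station", "transport", 150_000, 5, 2, 3, 4, 2),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:22s} {a.sector:12s} score={harmonised_score(a):.3f}")
    print("ranking:", rank_across_sectors(ASSETS))
```

The ranking is only as defensible as the bands and weights, which is why the slide's remark that the interdependency level and types are not documented matters: with a harmonized score, the conversion tables are the part that has to be published and reviewed.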
Risk Assessment Methodologies for Critical Infrastructure Protection – CARVER2 - NI2
Strengths of the methodology
Cross-sectoral risk assessment approach
Cross-sectoral and intra-sectoral dependencies are considered
Predefined interdependencies
Provides a cross-sectoral harmonized metric for the assessment of the importance of different infrastructures
Weaknesses of the methodology
Resilience is only partially considered
A systems approach is missing
Not clear at which level the interdependencies have been defined
Not clear what kind of interdependencies are included in the tool
Risk Assessment Methodologies for Critical Infrastructure Protection – Critical Infrastructure Protection Decision Support System
The Critical Infrastructure Protection Decision Support System (CIPDSS) provides information and decision support for the protection of critical infrastructures based on an assessment of risks appropriately accounting for the likelihood of threat, vulnerabilities, and uncertain consequences associated with terrorist activities, natural disasters, and accidents.
Approach: cross-sectoral / System of Systems approach
Aim: information and decision support for the protection of critical infrastructures
Target audience: decision makers that have to decide upon different mitigation measures and operational tactics and prioritize the resources for protecting critical infrastructures
Risk Assessment Methodologies for Critical Infrastructure Protection – Critical Infrastructure Protection Decision Support System
CIPDSS is a computer simulation and decision analytic tool that informs users when making difficult choices between alternative mitigation measures and operational tactics, or when allocating limited resources to protect the nation's critical infrastructures against existing and future threats
Integrates event simulation with a risk assessment process, explicitly accounting for uncertainties in threats, vulnerabilities, and the consequences of terrorist acts and natural disasters
It models the primary interdependencies that link 17 CI together and calculates the impacts that cascade into these interdependent infrastructures and into the national economy.
Considering uncertainties in the input (threat, vulnerabilities), the tool is capable of performing a simulation of a particular event and provides an estimation of the uncertainty for the output (the impact of the event considered).
Risk Assessment Methodologies for Critical Infrastructure Protection – Critical Infrastructure Protection Decision Support System
The key feature of this methodology is the risk informed decision making process implemented:
NISAC’s CIPDSS team has interviewed critical infrastructure protection decision makers andstakeholders to identify:
Requirements for the decision support system
Scope out the decision environment
Quantify the prioritization of consequences
The taxonomy of decision metrics includes:
Fatalities
Injuries
Economic loss
Public confidence
Risk Assessment Methodologies for Critical Infrastructure Protection – Critical Infrastructure Protection Decision Support System
Source: Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA 2015
Risk Assessment Methodologies for Critical Infrastructure Protection – Critical Infrastructure Protection Decision Support System
Strengths of the methodology
Cross-sectoral / System of Systems risk assessment approach
Evaluation of the impact through common decision process metrics overcomes the problem of comparing risks among sectors
Predefined interdependencies among 17 different sectors
Provides a common metric for the prioritization of mitigation measures, operational tactics and resources for protecting critical infrastructures
Weaknesses of the methodology
Resilience is not considered
Risk Assessment Methodologies for Critical Infrastructure Protection – RAMCAP-Plus
Developed by ASME (American Society of Mechanical Engineers) as an all-hazards risk and resilience assessment methodology
Approach: cross-sectoral approach
Aim: to provide an objective, consistent and efficient method for assessing and reducing infrastructure risks in terms directly comparable among the assets of a given sector and across sectors
Target audience: Critical Infrastructure operators and decision makers
The RAMCAP approach was conceived as having two levels:
A high-level and general method, periodically updated
A series of Sector-Specific Guidance (SSG) documents, expressly tailored to the technologies, issues and cultures of the respective sectors and subsectors
Risk Assessment Methodologies for Critical Infrastructure Protection – RAMCAP-Plus
RAMCAP-Plus methodology:
The methodology is based on a seven-step approach, namely:
1. Asset characterization
2. Threat characterization
3. Consequence analysis
4. Vulnerability analysis
5. Threat assessment
6. Risk and Resilience assessment
7. Risk and Resilience Management
Risk Assessment Methodologies for Critical Infrastructure Protection – RAMCAP-Plus
This methodology is particularly interesting as it incorporates a number of important features for risk assessment of infrastructures:
Avoids unnecessary detail by focusing on the most critical assets at a facility.
The developers of the methodology have identified the necessity for cross-sectoral risk comparisons, which is rarely offered by the existing risk assessment methodologies.
The methodology has a simplified approach and is based on existing risk assessment techniques, but the high-level approach is pronounced.
Risk Assessment Methodologies for Critical Infrastructure Protection – RAMCAP-Plus
Strengths of the methodology
Cross-sectoral / System of Systems risk assessment approach
Resilience is addressed in this methodology and constitutes a central element of it.
Cross-sectoral interdependencies are considered
Focus on the most critical assets
Has both high-level and sector-specific application
Offers a cross-sectoral risk comparison method
Weaknesses of the methodology
Adapts existing risk assessment techniques to a system of systems approach
Risk Assessment Methodologies for Critical Infrastructure Protection – Existing methodologies' shortcomings
Methodologies developed at sectoral and asset level are well defined, tested and validated, and the vast majority follow a linear risk assessment approach.
Existing sectoral and asset methodologies have been extended to cope with critical infrastructure interdependencies.
This reflects the natural evolution of risk assessment methodologies already existing at organizational level.
These methodologies reveal their limitations when cross-sectoral issues have to be addressed.
Detailed risk assessment is not applicable any more and a certain level of abstraction is necessary.
Representing all assets of a networked system at the highest level of detail can lead to unprecedented complexity that is out of the scope for policy and decision makers.
Conclusion 1/2
In many cases, the risk assessment methodologies for CI are an adaptation of methodologies that have been used for assessing risks within the confined environment of an organization.
These methodologies are tailored to the particular needs of this organization and biased to consider only part of the relevant threats. In such a context, the application is facilitated by the knowledge of architecture and functioning principles, which are the preconditions for modelling and subsequent simulation.
This precondition is not always met when the risk assessment methodology exceeds the limits of the organization and aims at the assessment of systems of systems, such as interconnected infrastructure, for which the knowledge on architecture and functioning principles is fuzzy.
The true challenge for upscaling any risk assessment methodology to complex systems is to develop effective approaches for the assessment of system of systems interdependencies.
Conclusion 2/2
The identification of cross-sectoral interdependencies would allow assessing cascading effects and returning a common cross-sector risk figure, so that comparison of sectors does not end up as a comparison of apples vs oranges.
Two main approaches have been identified: aggregated impact and scoring
In order to define a common approach for interdependencies assessment, further cooperation is required among government authorities, CI operators and stakeholders.
Impact of infrastructure disruption is usually expressed in terms of aggregated figures that account for the economic losses. This is a straightforward choice that enables policy makers, inter alia, to evaluate different disruption scenarios including cascading effects across sectors and to evaluate costs and benefits of mitigation measures.
In all available methodologies, resilience seems to be the missing element, or at best it is only implicitly addressed.
Thank you for your attention
For any further information: AIIC – Dr. Luisa Franchina, President – E-Mail address