
Risk and Vulnerability

Management of Complex
Interdependent Systems
(ENMA 771/871)

Module 1: Complex
Interdependent Systems
Dr. Adrian V. Gheorghe
Department of Engineering
Management & Systems
Engineering
©2009 A. Gheorghe All Rights Reserved
Dealing with Complex and Interdependent Systems

Topics
• Critical Infrastructures
• Infranomics - A New Dimension of Complex and Interdependent Vital Systems
Module 1 Objectives
1. Introduce and formulate contemporary systems of high interdependency addressing vital societal needs; featuring risks, vulnerability/resiliency, sustainability and governance.
2. Discuss the advent of critical infrastructure systems; the need for a coherent approach to their complexity and inter-dependencies in relationship to systems analysis and systems engineering.
3. What is infranomics; understand the rules of interactions, dependability, complexity and their implications for complex critical infrastructure systems and their problem solving.

"Good teachers never teach anything. What they do is create the conditions under which learning takes place" S. I. Hayakawa


Complex Interdependent Systems
Critical Infrastructures – a categorization
• Energy
• Transport
• ICT
• Banking
• Health
• Defense Industry
• See later some concrete examples
– There are differences between the USA, European Union and Australian critical infrastructure taxonomies, but not dramatic ones


Critical Infrastructures
• A network of large-scale human-made systems* that function synergistically to produce a continuous flow of essential services;
• Designed to satisfy specific social needs, but shape social change at a much broader and more complex level;
• Subject to multiple threats (technical-human, physical, natural, cyber, contextual; unintended or malicious) and pose risks themselves;
• Highly complex, inter-dependent, both physically and through a host of industrial ICT (“system of systems”); subject to rapid changes;
• Disruptions may cascade (recall “blackouts”); even “normal” service interruptions cost industrialized countries a few percent of GDP;
• No single owner / operator / regulator; based on different goals / logics.
* A system is a group of independent but interrelated elements comprising a unified whole; it reacts in a different way than the sum of its parts.


USA Critical Infrastructures
• Agriculture and Food: 1.9M farms; 87,000 food processing plants
• Water: 1,800 federal reservoirs; 1,600 treatment plants
• Public Health: 5,800 registered hospitals
• Chemical Industry: 66,000 chemical plants
• Telecomm: 2B miles of cable
• Energy: 2,800 power plants; 300K production sites
• Transportation: 120,000 miles of railroad; 590,000 highway bridges; 2M miles of pipeline; 300 ports
• Banking and Finance: 26,600 FDIC institutions
• Postal and Shipping: 137M delivery sites
• Key Assets: 5,800 historic buildings; 104 nuclear power plants; 80K dams; 3,000 government facilities; 460 skyscrapers


Critical Infrastructures

[Figure: critical infrastructures as complex, dynamic, evolutive, living systems; labels: Information as a Common Denominator, Information/Knowledge, Digitalization, Electricity]

Critical Infrastructures are made by people. They carry beliefs, values, art, vision, „ideology“.
A Real Story
The Advent of Cyber-threats for Complex Infrastructures


Australia 2001



Recent Major Blackouts

Date | Location | Loss of load [GW] | Blackout duration [h] | People affected | Main causes
Aug. 14, 2003 | Great Lakes, NYC | ~60 | ~16 | 50 mio | Inadequate right-of-way maintenance, EMS failure, poor coordination among neighboring TSOs
Aug. 28, 2003 | London | 0.72 | 1 | 500,000 | Incorrect line protection device setting
Sept. 23, 2003 | Denmark / Sweden | 6.4 | ~7 | 4.2 mio | Two independent component failures (not covered by N-1 rule)
Sept. 28, 2003 | Italy | ~30 | up to 18 | 56 mio | High load flow CH-IT, line flashovers, poor coordination among neighboring TSOs
July 12, 2004 | Athens | ~9 | ~3 | 5 mio | Voltage collapse
May 25, 2005 | Moscow | 2.5 | ~4 | 4 mio | Transformer fire, high demand leading to overload conditions
June 22, 2005 | Switzerland (railway supply) | 0.2 | ~3 | 200,000 passengers | Non-fulfillment of the N-1 rule, wrong documentation of line protection settings, inadequate alarm processing
Aug. 14, 2006 | Tokyo | ? | ~5 | 0.8 mio households | Damage of a main line due to construction work
Nov. 4, 2006 | Western Europe (UCTE) | ~14 | ~2 | 15 mio households | High load flow DE-NL, violation of the N-1 rule, poor inter-TSO coordination


Interdependent and Complex Systems

Interdependencies


Critical Infrastructures
Understanding Complexity and Interdependencies

[Figure: the power infrastructure (generation, transmission, distribution, market, operators/brokers, supplier; power + information flows) and its users (industry, business, government, citizens, energy); business services, technical services, electro-mechanical parts/systems, RCS/ICS, data; the information infrastructure (ICS, telecoms, ISPs, other infrastructures); threats, vulnerabilities and interdependencies marked between them]


“Addiction to Changes”
Trends and Driving Forces

[Figure: the liberalized electricity sector as layered subsystems; labels: “the market” (power exchange, bilateral market, balancing market, congestion management; producers, retail companies, large consumers, small consumers); economic subsystem (integrated utility company, distribution companies); system operation (transmission system operator / TSO, transmission network managers, distribution network managers, interconnector); physical subsystem (generation, transmission network, distribution networks, load)]

• The liberalization of the USA and European electricity sectors, respectively
• The internationalization (i.e. interconnection among national grids) of the electricity system
• Evolutionary unsuitability, i.e. the electricity transmission networks increasingly are being used in ways for which they were not designed initially
• Smart Grids and sustainable energy technologies, e.g. wind, solar
• The wide-scale application of information and communication technologies in electricity systems, from the level of individual switches up to the operational control of entire electricity networks
• Earth 3.0 (see later on this concept)


Threats

[Figure: “Threats to the Electric Power System” (02.12.2004 - v29), a tree of threat categories; labels recovered from the figure:]
• Internal
– Component level (failures...)
– System level (topology, structure...)
• External
– Technology-related: physical; cyber (isolated systems; "open accessible" systems)
– Human-related: unintended (errors...); intended (sabotage...); insiders; outsiders; intended (cyber attack)
– Political, legal and institutional
– Market-related: macro-economic; micro-economic
– Environmental: natural hazards (earthquakes, storms...); unavailability of resources (wind, sun, water...)
• Management and operation
– Management: strategic; tactical; operational
– Operation activities: component level; system level


Advent of New Threats

[Figure: a disaster event, e.g. a pandemic, as the triggering event; the vulnerability of critical infrastructures (health system, transportation, communication, public security, energy, banks) to it; and the power infrastructure diagram (generation, transmission, distribution, market, operators/brokers, supplier; users: industry, business, government, citizens; business services, technical services, electro-mechanical parts/systems, RCS/ICS; nuclear power plants, hydro power plants, refineries & petrochemical plants)]
Interdependencies – A Homeland Security Issue

[Figure: cascade of effects from a cyber threat on the power grid, arranged in three columns of 1st-, 2nd- and 3rd-order effects; labels recovered from the figure:]
• Trigger: cyber threat → power grid: total or partial black-out
• 1st-order effects: NPP system – scram; refinery – incapacity of oil processing operation; rail oil delivery – interruption of goods delivery; power system – disruption in electricity distribution; water supply – disruption of irrigation
• 2nd-order effects: hospitals – potential deaths; distribution system – incapacity to communicate in time; air control – partial lack of aviation control; agriculture – crop losses
• 3rd-order effects: insurance liability – liabilities, LOF; potential air collision
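The figure above arranges consequences by the order in which they follow from the initiating event. The following is an added example, not code from the course or the slides, that performs that grouping for an arbitrary dependency map: a breadth-first walk from the initiating event assigns every dependent element to the lowest order at which the disruption reaches it. The dependency map DEPENDENTS is a constructed assumption built from the labels in the figure (its chains run one order deeper than the slide's three columns), and the function names are mine.

```python
from collections import deque

# Constructed dependency map (an assumption for illustration, built from the
# labels on the slide's figure): each key is an element, each value lists the
# elements that fail or degrade when the key does.
DEPENDENTS = {
    "cyber threat": ["power grid total or partial black-out"],
    "power grid total or partial black-out": [
        "NPP scram",
        "refinery: incapacity of oil processing operation",
        "rail: interruption of oil/goods delivery",
        "disruption in electricity distribution",
        "incapacity to communicate in time",
        "water supply: disruption of irrigation",
    ],
    "disruption in electricity distribution": ["hospitals: potential deaths",
                                               "insurance liabilities"],
    "incapacity to communicate in time": ["partial lack of aviation control"],
    "partial lack of aviation control": ["potential air collision"],
    "potential air collision": ["insurance liabilities"],
    "water supply: disruption of irrigation": ["agriculture: crop losses"],
}


def cascade_orders(dependents, initiating_event):
    """Breadth-first propagation from the initiating event.

    Returns {order: sorted affected elements}: order 1 holds the elements that
    depend directly on the initiating event, order 2 their dependents, and so
    on. An element is recorded only at the lowest order at which it is
    reached, so a shared consequence is not double counted and a cycle in the
    map cannot loop forever.
    """
    seen = {initiating_event}
    queue = deque([(initiating_event, 0)])
    orders = {}
    while queue:
        node, depth = queue.popleft()
        for child in dependents.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            orders.setdefault(depth + 1, []).append(child)
            queue.append((child, depth + 1))
    return {order: sorted(items) for order, items in orders.items()}


def max_order(dependents, initiating_event):
    """Depth of the longest chain of consequences (0 if nothing depends on it)."""
    orders = cascade_orders(dependents, initiating_event)
    return max(orders) if orders else 0


def affected_elements(dependents, initiating_event):
    """Every element reached by the cascade, regardless of order."""
    return sorted(e for items in cascade_orders(dependents, initiating_event).values()
                  for e in items)


if __name__ == "__main__":
    for order, items in sorted(cascade_orders(DEPENDENTS, "cyber threat").items()):
        print(f"{order}-order effects: {', '.join(items)}")
```

Because an element is assigned at its first reach, "insurance liabilities" is reported as a 3rd-order effect (via the distribution disruption and hospitals) even though the map also reaches it later through the aviation chain; a map that records the same element at several orders would overstate the cascade.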
Why and how to protect interdependent systems?
• Services such as electricity, mobility and communication are common goods; American and European societies cannot afford major disruptions of supply, lack of mobility, etc.
• Traditional approaches to protection, e.g. electricity:
– Separation of physical systems (power plant, grid) from ICT (industrial control, business), dedicated systems / „island solutions“ for sensitive parts; security risk contained
– (N – x) security criterion, redundancies / reserves to ensure high reliability; one-day-in-advance planning, off-line operational grid management
– Physical protection of the most sensitive parts (e.g. NPP); interconnection of grids mainly to allow for mutual assistance
• Increased risk today, therefore new strategies and measures are needed, such as smart grids and resilient infrastructures


New threats to interdependent systems
Inter alia malicious attacks, both:
• Physical, due to hardware and software interactions
• Cyber
– Terrorists and hackers are sophisticated in the use of ICTs; infrastructures are known targets & capabilities;
– While attack sophistication goes up, intruder knowledge goes down, e.g. because open source instrumentation and software facilitate such situations.


Cyber Examples
• In 1982, the CIA exploited software transferred to the Soviet Union that operated pumps, turbines, & valves of a pipeline, causing the software to malfunction and reset pump speeds and valve settings. The result was the largest non-nuclear explosion and fire ever seen from space: 3 kilotons TNT equivalent (Hiroshima was 14-20 kilotons TNT).
• In 2000, a disgruntled rejected employee used a radio transmitter on 46 occasions to hack into the controls of a sewage treatment plant and released 264,000 gallons of raw sewage into rivers & parks.
• In 2003, the Slammer worm affected the business network of an Ohio nuclear plant and spread to the operations network. It caused the computerized panel used to monitor crucial safety indicators to fail. Minutes later the plant process computer crashed.

© Jody R. Westby, Global Cyber Risk LLC, February 24, 2006
Asymmetrical Cyber Realities
Expert opinions:
• “The primary [tool terrorists] are using to their advantage is information technology.” Lt. Gen. Kellogg, Head of C4I, Joint Chiefs
• President’s National Security Telecommunications Advisory Committee (NSTAC): “An organization with sufficient resources, such as a foreign intelligence service or terrorist group could conduct a structured cyber attack on the electrical power grid with a high degree of anonymity and without having to set foot in the U.S”.
• Faris Muhammad Al-Masri – UNITY: “It is no longer necessary to have rockets to destroy an electrical facility. Instead, penetrating the enemy’s networks and planting your code will get a better result.”

© Jody R. Westby, Global Cyber Risk LLC, February 24, 2006
On Resiliency of Interdependent Systems


The Advent of Resiliency Concept
• Is resilience a new paradigm or a new expression, complementing the use of other terms such as vulnerability or risk?
• Is resilience the opposite of vulnerability?
• How can you define resilience: as a desired outcome(s), or as a process leading to a desired outcome(s)?
Definitions of Resiliency (1)
There is no clear consensus on the definition of resilience. Some recent definitions in the hazards area are the following:
• Resilience is the ability of a system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable cost and time (Haimes et al., 2008).
• Resilience is the ability to survive and cope with a disaster with minimum impact and damage (Berke and Campanella, 2006; and National Research Council, 2006). This definition involves the ability to minimize or eliminate losses, to control the consequences of disasters and to recover from disasters with a minimum social distraction.
• Resilience is the result of preventing, minimizing and recovering quickly from adverse consequences (Westrum, 2006).


Definitions of Resiliency (2)
• Resilience is the capacity to cope with unanticipated dangers after they have become manifest, learning to bounce back (Wildavsky, 1991).
• It is the buffer capacity or the ability of a system to absorb perturbation, or the magnitude of disturbance that can be absorbed before a system changes its structure by changing the variables (Holling et al., 1995).
• Resilience is a fundamental quality of individuals, groups and organisations, and systems as a whole to respond productively to significant change that disrupts the expected pattern of events without engaging in an extended period of regressive behavior (Horne and Orr, 1998).
• Resilience is the ability of an individual or organization to expeditiously design and implement positive adaptive behaviors matched to the immediate situation, while enduring minimal stress (Mallak, 1998).
• Local resiliency with regard to disasters means that a locale is able to withstand an extreme natural event without suffering devastating losses, damage, diminished productivity, or quality of life without a large amount of assistance from outside the community (Miletti, 1999).
• The capacity to adapt existing resources and skills to new systems and operating conditions (Comfort, 1999).


Definitions of Resiliency (3)
• Resilience describes an active process of self-righting, learned resourcefulness and growth; the ability to function psychologically at a level far greater than expected given the individual’s capabilities and previous experiences (Paton, Smith and Violanti, 2000).
• The ability to respond to singular or unique events (Kendra and Wachtendorf, 2003).
• The capacity of the damaged ecosystem or community to absorb negative impacts and recover from these (Cardona, 2003).
• The ability of an actor to cope with or adapt to hazard stress (Pelling, 2003).
• Ecosystem resilience is the capacity of an ecosystem to tolerate disturbance without collapsing into a qualitatively different state that is controlled by a different set of processes. A resilient ecosystem can withstand shocks and rebuild itself when necessary. Resilience in social systems has the added capacity of humans to anticipate and plan for the future (Resilience Alliance, 2005).
• The capacity of a system, community or society potentially exposed to hazards to adapt, by resisting or changing in order to reach and maintain an acceptable level of functioning and structure. This is determined by the degree to which the social system is capable of organising itself to increase this capacity for learning from past disasters for better future protection and to improve risk reduction measures (UNISDR, 2005).
Definitions of Resiliency (4)
• Categorizing definitions either as a desired outcome or as a process leading to a desired outcome is not an easy task, and the distinction may seem unnecessary.
• But, from the definitions, resiliency can gradually shift from more outcome-oriented to more process-oriented.
The Relationship Between
Vulnerability and Resiliency
• Resilience and vulnerability are common, related
concepts in a number of scientific disciplines.
• A key question that emerges, however, concerns
the relationship between them.
– Is resilience the opposite of vulnerability?
– Is resilience a factor of vulnerability? Or
– Is it the other way around?
• It is not easy to provide single answers to these
questions.



Definitions of Vulnerability Induced Resiliency (1)
• Vulnerability is the degree to which a system acts adversely to the occurrence of a hazardous event. The degree and quality of the adverse reaction are conditioned by a system’s resilience (a measure of the system’s capacity to absorb and recover from the event) (Timmerman, 1981).
• Vulnerability is the threat or interaction between risk and preparedness. It is the degree to which hazardous materials threaten a particular population (risk) and the capacity of the community to reduce the risk or adverse consequences of hazardous material releases (Pijawka and Radwan, 1985).
• Vulnerability is the differential capacity of groups and individuals to deal with hazards, based on their positions within physical and social worlds (Dow, 1992).
• Vulnerability is defined in terms of exposure, capacity and potentiality. Accordingly, the prescriptive and normative response to vulnerability is to reduce exposure, enhance coping capacity, strengthen recovery potential and bolster damage control (i.e., minimize destructive consequences) via private and public means (Watts and Bohle, 1993).
• By vulnerability we mean the characteristics of a person or a group in terms of their capacity to anticipate, cope with, resist and recover from the impact of a natural hazard. It involves a combination of factors that determine the degree to which someone’s life and livelihood are put at risk by a discrete and identifiable event in nature or in society (Blaikie et al., 1994).
Definitions of Vulnerability Induced Resiliency (2)
• Vulnerability to flood disruption is a product of dependence (the degree to which an activity requires a particular good as an input to function normally), transferability (the ability of an activity to respond to a disruptive threat by overcoming dependence either by deferring the activity in time, or by relocation, or by using substitutes), and susceptibility (the probability and extent to which the physical presence of flood water will affect inputs or outputs of an activity) (Green et al., 1994).
• Vulnerability is best defined as an aggregate measure of human welfare that integrates environmental, social, economic and political exposure to a range of potential harmful perturbations. Vulnerability is a multilayered and multidimensional social space defined by the determinate, political, economic and institutional capabilities of people in specific places at specific times (Bohle, Downing and Watts, 1994).
• By vulnerability, we mean the condition of a given area with respect to hazard, exposure, preparedness, prevention, and response characteristics to cope with specific natural hazards. It is a measure of the capability of this set of elements to withstand events of a certain physical character (Weichselgartner and Bertens, 2000).


Definitions of Vulnerability Induced Resiliency (3)
• Vulnerability is the threat (to hazardous materials) to which people are exposed (including chemical agents and the ecological situation of the communities and their level of emergency preparedness). Vulnerability is the risk context (Gabor and Griffith, 1980).
• Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude (UNDRO, 1982).
• Vulnerability is the degree to which different classes of society are differentially at risk (Susman, O’Keefe and Wisner, 1983).
• Vulnerability is the potential for loss (Mitchell, 1989).
• The author distinguishes between vulnerability as a biophysical condition and vulnerability as defined by political, social and economic conditions of society. She argues for vulnerability in geographic space (where vulnerable people and places are located) and vulnerability in social space (who in that place is vulnerable) (Liverman, 1990).
• Vulnerability has three connotations: it refers to a consequence (e.g. famine) rather than a cause (e.g. drought); it implies an adverse consequence (e.g., maize yields are sensitive to drought; households are vulnerable to hunger); and it is a relative term that differentiates among socioeconomic groups or regions, rather than an absolute measure or deprivation (Downing, 1991).
Definitions of Vulnerability Induced Resiliency (4)
• Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude and expressed on a scale from 0 (no damage) to 1 (total loss). In lay terms, it means the degree to which the individual, family, community, class or region is at risk of suffering a sudden and serious misfortune following an extreme natural event (UNDRO, 1991).
• Human vulnerability is a function of the costs and benefits of inhabiting areas at risk of natural disaster (Alexander, 1993).
• Vulnerability is the likelihood that an individual or group will be exposed to and adversely affected by a hazard. It is the interaction of the hazard of place (risk and mitigation) with the social profile of communities (Cutter, 1993).
• Vulnerability is the differential susceptibility of circumstances contributing to vulnerability. Biophysical, demographic, economic, social and technological factors such as population ages, economic dependency, racism and age of infrastructure are some factors which have been examined in association with natural hazard (Dow and Downing, 1995).
• Vulnerability represents the sensitivity of land use to the hazard phenomenon (Gilard and Givone, 1997).
• Vulnerability are those circumstances that place people at risk while reducing their means of response or denying them available protection (Comfort et al., 1999).
Differences Between Vulnerability and Resiliency

Vulnerability | Resiliency
Resistance | Recovery
Force bound | Time bound
Safety | Bounce back
Mitigation | Adaptation
Institutional | Community-based
System | Network
Engineering | Culture
Risk assessment | Vulnerability and capacity analysis
Outcome | Process
Standards | Institution


Vulnerability Analysis Tools
• risk/vulnerability matrices,
• MCDM,
• Quantitative Risk Analysis,
• Risk Profiles,
• Risk Landscape in GIS,
• Interview/questionnaire,
• Cluster Analysis,
• Factor Analysis,
• Scenario-based Indicator efforts,
• Games/Simulation,
• Expert Assessment/Delphi panels,
• Polar Diagrams,
• QVA and
• HHM approach with IRAM.


Risk / Vulnerability Matrices (1)
• An intuitive and simple way of showing risk/vulnerability in a certain case is to use risk/vulnerability matrices. Such a matrix usually represents the probability and the consequences of a given scenario: it is filled with risk values based on the probability and consequences of each scenario, so that one can observe the position of every scenario in a single diagram.


Risk / Vulnerability Matrices (2) – Risk Map
• In Switzerland in 1999, a risk matrix of the risks in the country was produced as a result of an extensive project called "Comprehensive risk analysis". Considering present-day conditions, possible future scenarios of the development were constructed with regard to aspects such as demography, terrorism, the influence of the greenhouse effect, etc.
• Both the probability that a scenario will take place and its consequences have been estimated. The consequences are estimated as the result of many factors such as deaths, damage and costs as well as recovery time. The final product is a matrix that shows all the consequences of a specific scenario as well as the probability that it will happen. Risk matrices according to the Swiss concept should perhaps be most useful for showing the total risk scenario in a specific area.

Please look at Reference 1 for Risk Matrix – A case of chemical risk acceptability assessment (pages 64-66).


Electricity Infrastructures


The Italian Blackout Sept 28, 2003 – Contextual Factors
• Discrepancy between commercial and physical flows: the generation dispatch realized in FR for the energy export to IT led to high loads on the transit lines in CH. The resulting high phase angle differential over the failed Mettlen-Lavorgo line impeded its timely re-closure.
• Insufficient coordination and information exchange among the adjacent TSOs (CH-IT-FR) due to economic, technical and historical reasons.
• Non-compliance of Italian generators with the technical rules of connection to the transmission network: after the disconnection from the UCTE grid, 21 out of 50 large thermal generation units were lost before the nominal 47.5 Hz frequency threshold was reached, impeding the successful island operation of IT.


New Challenges Protecting Vast Systems:
Learning from the Italian Blackout Sept 28, 2003

1. Inadequate right-of-way maintenance practices (tree cutting)
2. Highly loaded transit lines used for long distance transmission (operating near to maximum capacity, protective devices that blocked re-closure)
3. Operators lack an overview of the whole system (no-one sees the „big picture“ nor has sufficient information about adjacent systems)
4. Human and organizational factors (lacking sense of urgency; ETRANS control room understaffed; inadequate request for import reduction; inadequate joint procedures to return to N-1 secured conditions)
5. System sensitivity against voltage/frequency disturbances (load rejection above stated threshold of 47.5 Hz); stability problems
6. Insufficient capabilities of power plants to switch on „house-load“ or to perform black-starts (impeded restoration)
7. Insufficient reliability of the telecommunication systems (open access system – ceased to work due to power outage)


The Blackout in the United States and Canada
• In the afternoon of August 14, 2003, large portions of the northeastern United States and the Canadian province of Ontario experienced a massive electric power blackout. The outage, which was triggered in Northern Ohio, affected an area with an estimated 50 million people and 61,800 megawatts (MW) of electric load. Power was not restored for up to 2 days in some parts of the affected region.


Work Steps in Case Study Analysis

[Figure: normal and abnormal frequency ranges]


Key Players Involved in the Blackout
• The cascading spread of the blackout was triggered in Northern Ohio, involving the following key players:
• FirstEnergy (FE) - Control area operator in northern Ohio consisting of seven electric utility operating companies.
• American Electric Power (AEP) - Control area operator south of FE.
• Midwest Independent System Operator (MISO) - Reliability coordinator for FE (and for 37 other control areas).
• PJM Interconnection (PJM) - Reliability coordinator for AEP.


Contingency Analysis
• To predict the impact of potential component outages (e.g. lines, generators) and of short-term changes of load, voltage and frequency on the network, some reliability coordinators and control areas perform automated real-time contingency analyses on a regular schedule (e.g., every 5 minutes) using a digital energy management system (EMS). The raw data about key components collected by the SCADA system are processed by the state estimator (i.e. a mathematical model of the network configuration) to evaluate the system conditions, such as the voltage at each bus and the real and reactive power flows on each line. The results are used in software tools such as real-time contingency analysis (RTCA) to simulate various conditions and outages in order to evaluate the reliability of the electric power system.
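The contingency screen that RTCA tools perform can be shown on a small scale. The following is an added example, not code from the course or from any EMS vendor: it solves a DC power flow (the linearised model B'·θ = P, with line flow (θ_i − θ_j)/x_ij) on a constructed 4-bus network, then takes each line out in turn and reports which outages overload a remaining line or island a bus, which is what the N-1 rule cited throughout these slides forbids. The network, its injections, reactances and 100 MW limits are constructed assumptions, and so are the function names; a real EMS would take the topology and injections from the state estimator instead.

```python
from collections import defaultdict

# Constructed 4-bus test network (an assumption for illustration, not a real
# grid). Bus 0 is the slack bus whose generation balances the rest.
# Injections in MW, negative = load. Reactances in per unit; in the DC
# approximation only their ratios matter.
SLACK = 0
INJECTIONS = {0: None, 1: -90.0, 2: -30.0, 3: -30.0}
LINES = {  # name: (from_bus, to_bus, reactance, thermal limit in MW)
    "L01": (0, 1, 1.0, 100.0),
    "L02": (0, 2, 1.0, 100.0),
    "L12": (1, 2, 1.0, 100.0),
    "L23": (2, 3, 1.0, 100.0),
}


def solve_linear(a, b):
    """Gaussian elimination with partial pivoting (small dense systems only)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("singular system: network is not connected")
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def islanded_buses(lines, buses, slack):
    """Buses with no path to the slack bus; a DC power flow cannot serve them."""
    adj = defaultdict(set)
    for f, t, _, _ in lines.values():
        adj[f].add(t)
        adj[t].add(f)
    seen, stack = {slack}, [slack]
    while stack:
        for nb in adj[stack.pop()]:
            if nb not in seen:
                seen.add(nb)
                stack.append(nb)
    return sorted(set(buses) - seen)


def dc_power_flow(lines, injections, slack):
    """Line flows in MW (positive = from_bus -> to_bus) under the DC model:
    B' theta = P for the non-slack buses, flow_ij = (theta_i - theta_j) / x_ij."""
    buses = [b for b in sorted(injections) if b != slack]
    idx = {b: i for i, b in enumerate(buses)}
    n = len(buses)
    bmat = [[0.0] * n for _ in range(n)]
    for f, t, x, _ in lines.values():
        for a, c in ((f, t), (t, f)):
            if a in idx:
                bmat[idx[a]][idx[a]] += 1.0 / x
                if c in idx:
                    bmat[idx[a]][idx[c]] -= 1.0 / x
    theta = solve_linear(bmat, [injections[b] for b in buses])
    angle = {b: theta[idx[b]] for b in buses}
    angle[slack] = 0.0
    return {name: (angle[f] - angle[t]) / x for name, (f, t, x, _) in lines.items()}


def overloads(flows, lines):
    """Lines whose |flow| exceeds their limit, with the flow magnitude."""
    return {name: abs(fl) for name, fl in flows.items() if abs(fl) > lines[name][3]}


def n_minus_1(lines, injections, slack):
    """Take each line out in turn; report islanding or overloads for that case."""
    report = {}
    for out in lines:
        remaining = {name: spec for name, spec in lines.items() if name != out}
        isl = islanded_buses(remaining, injections, slack)
        if isl:
            unserved = sum(-injections[b] for b in isl if injections[b] is not None)
            report[out] = {"islanded": isl, "unserved_MW": unserved, "overloads": {}}
            continue
        flows = dc_power_flow(remaining, injections, slack)
        report[out] = {"islanded": [], "unserved_MW": 0.0,
                       "overloads": overloads(flows, remaining)}
    return report


def is_n1_secure(report):
    """N-1 secure means no single outage islands a bus or overloads a line."""
    return all(not r["islanded"] and not r["overloads"] for r in report.values())


if __name__ == "__main__":
    for outage, result in n_minus_1(LINES, INJECTIONS, SLACK).items():
        print(outage, result)
```

On this network the base case is fine (80 MW and 70 MW on the two slack lines), but losing either slack line pushes 150 MW through the other, and losing L23 strands the 30 MW load at bus 3; the system is therefore not N-1 secure, which is the kind of finding the slides' TSOs are expected to act on before a fault occurs rather than after.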


Identified System
Weaknesses Mechanism



Common Features and Differences of the U.S. / Canada and the Italian Blackout (1)
Deregulation Induced Vulnerability
• From a historical point of view, the electric power systems in Europe and North America have been designed to fulfill needs and provide services of adequate reliability and quality within a restricted area (i.e. nations in Europe). However, during the last few years the liberalization process has significantly changed the environment in which a reliable and secure electricity supply has to be maintained.
• The decentralized control and monitoring structure and the legal framework did not keep pace with this development. Due to the low economic incentives generated by the intense competition among the power companies, the transmission systems are pushed more and more to the physical limits of operation. In turn, this endangers the secure and reliable operation of the system. In both blackout cases these facts have been manifested by different root causes, inter alia:
– Inadequate tree trimming practices
– Weak joint communication and emergency procedures among different transmission system operators
– Inadequate legal framework
– Limited access to overall system operation status information
• As a conclusion, it is not only the liberalization process itself that is to blame for the blackouts. It is rather the omission of the technical, organizational and functional adjustments of the power systems (including the legal framework) which finally resulted in the inadequate and slow response to the emergencies. This finding is confirmed by different investigations recently carried out by academics and industry experts.


Common Features and Differences of the U.S. / Canada and the Italian Blackout (2)
Technical Issues
• Human factor: in both cases human failures contributed significantly to the sequence of events leading to the irreversible blackout status.
• High system sensitivity against voltage and frequency deviations: in both the U.S.-Canadian and the Italian case, the settings of the line and generator protection devices responding to voltage and frequency deviations were too conservative, favoring the spread of the blackout.
• Limited reliability and availability performance of the SCADA systems during the restoration process: due to insufficient power backup (e.g. diesel-driven generators, batteries) some SCADA systems lost visibility during the blackout phase, leading to certain delays within the restoration process.
Common Features and Differences of the U.S. / Canada and the Italian Blackout (3)
Features of the Italian Blackout
• A few features are distinctive for the Italian blackout, namely:
– No specification of the maximum time interval given for interactive corrective measures after an N-1 rule violation.
– Highly loaded transit lines by long distance transmission.

Features of the U.S. / Canada Blackout
• A number of distinct features have been found relevant only for the case of the U.S. / Canada blackout, namely:
– Weak internal communication procedures.
– Insufficient regulation of the reactive power support.
– Insufficient reliability of the supporting digital energy management system.
– Insufficient emergency preparedness.
– Unavailability of adequate load shedding plans.


Analysis of US Interruption Data

Cascading failures in the North American electricity grid have been more common than one might expect. Forty-six of the events between 1984 and 2000, or nearly three per year, involved losses of > 1,000 MW. The probability of smaller power losses follows an exponential curve, while the probability of losses > 500 MW is described by a power law typical for self-organized systems.
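Why the shape of the tail matters for risk estimation can be shown numerically. The following is an added example, not part of the slides and not using the real 1984-2000 interruption data: it builds a constructed, deterministic sample of outage sizes, fits both an exponential and a power-law tail model to the same sample above a threshold, and compares the probability each model assigns to a very large loss. The sample generator, the 100 MW threshold and the constructed exponent are assumptions.

```python
import math


def constructed_outage_sizes(n=200, xmin=100.0, alpha=2.0):
    """Constructed sample of outage sizes in MW (NOT real interruption data).

    Deterministic inverse-CDF 'sample' of a power-law tail with exponent alpha,
    P(X > x) = (x / xmin) ** -(alpha - 1), taken at the mid-points of n equal
    probability cells so that the result is reproducible.
    """
    return [xmin * (1.0 - (k - 0.5) / n) ** (-1.0 / (alpha - 1.0))
            for k in range(1, n + 1)]


def empirical_ccdf(sizes):
    """Empirical exceedance probability P(X >= x) for each observed size."""
    xs = sorted(sizes)
    n = len(xs)
    first_index = {}
    for i, x in enumerate(xs):
        first_index.setdefault(x, i)          # handles tied sizes
    return [(x, (n - first_index[x]) / n) for x in xs]


def power_law_alpha(sizes, xmin):
    """Maximum-likelihood exponent of a power-law tail above xmin
    (continuous Pareto MLE: alpha = 1 + n / sum(ln(x_i / xmin)))."""
    tail = [x for x in sizes if x >= xmin]
    return 1.0 + len(tail) / sum(math.log(x / xmin) for x in tail)


def exponential_rate(sizes, xmin):
    """Maximum-likelihood rate of an exponential tail above xmin
    (rate = 1 / mean excess over xmin)."""
    tail = [x for x in sizes if x >= xmin]
    return 1.0 / (sum(tail) / len(tail) - xmin)


def compare_tail_models(sizes, xmin, threshold):
    """Fit both tail models to the same data and return each model's predicted
    probability that an event already above xmin also exceeds `threshold`."""
    alpha = power_law_alpha(sizes, xmin)
    rate = exponential_rate(sizes, xmin)
    return {
        "alpha": alpha,
        "rate": rate,
        "p_power_law": (threshold / xmin) ** -(alpha - 1.0),
        "p_exponential": math.exp(-rate * (threshold - xmin)),
    }


if __name__ == "__main__":
    data = constructed_outage_sizes()
    for thr in (1000.0, 5000.0, 10000.0):
        r = compare_tail_models(data, 100.0, thr)
        print(f"> {thr:>7.0f} MW   power law: {r['p_power_law']:.2e}"
              f"   exponential: {r['p_exponential']:.2e}")
```

The exponential fit, which matches the body of the distribution well, assigns the largest outages a probability orders of magnitude below what the power-law fit gives; a risk register built on the exponential model would treat cascading events of the size the slide reports as practically impossible.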

• The political framework, institutions and actor networks became market-focused; security of supply must become a new overarching principle.
• The initial design and operation criteria (e.g. N-1) need to be aligned with the current use and practice („evolutionary unsuitability“).
• Digitalized non-dedicated control systems are becoming increasingly ubiquitous; the unsecured public internet should not be used for vital operation and control functions.
• Compliance with the growing need for real-time data acquisition and management systems (SCADA), mandatory rules including contingency procedures and improved coordination (TSOs), etc. is needed.
• Development of risk / vulnerability awareness and intellectual modeling capabilities is to be promoted.



Risk Matrix and Risk Cadaster



Risk Mitigation Strategies
[Figure: risk matrix with Probability (Low / Medium / High) on the vertical axis and Impact (Low / Medium / High) on the horizontal axis; the high-probability, high-impact corner is the Unacceptable High Risk Area, the low-probability, low-impact corner the Acceptable Risk Area.]
1. Preventive actions: removing the cause before the risk appears.
2. Mitigation actions: reducing the impact of the risk before, during and after it appears/occurs.
3. Recovery actions (“emergency actions”): reduction of the impact after the risk occurs.



CHEMICAL AND NUCLEAR RISK CADASTER



Elements of Vulnerability Economics

[Figure: Cost versus Level of Security (0% to 100%). The Cost of Security rises with the level of security and the Cost of Security Breach falls with it; the Total Cost curve is their sum and reaches its Minimum of Total Cost at an intermediate level of security.]
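The minimum in the figure can be located numerically once the two cost curves are given. The following is an added example, not code from the slides: it takes any pair of cost functions of the security level, finds the level minimizing their sum, and checks the marginal condition at that point. The two quadratic cost functions and their constants are constructed assumptions, not data from the course.

```python
def total_cost(level, cost_of_security, cost_of_breach):
    """Total cost at a given level of security (0.0 = 0 %, 1.0 = 100 %)."""
    return cost_of_security(level) + cost_of_breach(level)


def optimal_security_level(cost_of_security, cost_of_breach, steps=100):
    """Grid search for the level of security that minimizes total cost.

    Returns (level, total_cost). A grid of 1 % steps is enough to locate
    the minimum of smooth curves like those in the figure."""
    best_level, best_cost = None, float("inf")
    for i in range(steps + 1):
        level = i / steps
        cost = total_cost(level, cost_of_security, cost_of_breach)
        if cost < best_cost:
            best_level, best_cost = level, cost
    return best_level, best_cost


def marginal_costs(level, cost_of_security, cost_of_breach, h=1e-6):
    """Numerical marginal cost of security and marginal saving on breach cost.
    At the optimum the two are equal: one more unit spent on security saves
    exactly one unit of expected breach cost."""
    d_sec = (cost_of_security(level + h) - cost_of_security(level - h)) / (2 * h)
    d_breach = (cost_of_breach(level - h) - cost_of_breach(level + h)) / (2 * h)
    return d_sec, d_breach


# Constructed, hypothetical cost model (an assumption, not from the slide):
#  - protecting the system costs K * s^2: each further step of security
#    is more expensive than the previous one
#  - the expected breach cost is L * (1 - s)^2: the residual loss shrinks
#    as security rises and only vanishes at 100 %
K_SECURITY = 100.0   # cost scale of the controls (hypothetical currency units)
L_BREACH = 300.0     # expected loss with no security at all


def quadratic_security_cost(s):
    return K_SECURITY * s * s


def quadratic_breach_cost(s):
    return L_BREACH * (1.0 - s) ** 2


if __name__ == "__main__":
    level, cost = optimal_security_level(quadratic_security_cost, quadratic_breach_cost)
    print(f"minimum total cost {cost:.2f} at {level:.0%} security")
    print("marginal cost of security / marginal saving on breach cost:",
          marginal_costs(level, quadratic_security_cost, quadratic_breach_cost))
```

For this model the optimum lies at L / (K + L) = 75 % security with a total cost of 75; spending on the last 25 % would cost more than the breach cost it removes, which is the point the figure makes.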



Vulnerability

[Figure: the Vulnerability of a system over Time is decomposed into its Susceptibility and its Resilience; Resilience in turn comprises Coping Capacity and Recovery. The curve below shows the resulting Service Disruption over time.]

Vulnerability Scenarios
[Figure: two panels of system state (vertical axis from Not Functional to Functional) over Time after a disruption. Upper panel, Low Susceptibility: the system with LOW vulnerability, with no cascading effects. Lower panel, High Susceptibility: the system with HIGH vulnerability, with cascading effects (marked “?”). Legend as on the previous slide: Vulnerability = Susceptibility + Resilience (Coping Capacity, Recovery); the shaded area is the Service Disruption.]
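The two panels can be reproduced with a small time-step model. This is an added example, not code from the slides: a shock of the same size hits two systems; the coping capacity decides how much of it gets through (susceptibility), the recovery rate decides how fast service returns, the area between full service and the profile is the Service Disruption, and a dependent infrastructure fails (cascading effect) when the upstream service stays below a threshold for longer than it can tolerate. All parameter values are constructed assumptions.

```python
def service_profile(shock, coping_capacity, recovery_rate, horizon):
    """Functionality (0.0 = not functional, 1.0 = fully functional) at each
    time step after a shock hits at t = 0.

    Susceptibility: the part of the shock that gets through is
        shock * (1 - coping_capacity).
    Recovery: functionality is restored by recovery_rate per step until the
        service is fully back. Values are rounded to 6 decimals to keep the
        profile free of floating-point noise.
    """
    level = round(1.0 - shock * (1.0 - coping_capacity), 6)
    profile = []
    for _ in range(horizon):
        profile.append(level)
        level = round(min(1.0, level + recovery_rate), 6)
    return profile


def lost_service(profile):
    """Area between full service and the profile: the Service Disruption of
    the figure, in functionality x time-step units."""
    return round(sum(1.0 - f for f in profile), 6)


def cascade_step(profile, threshold, tolerance_steps):
    """Step at which a dependent infrastructure fails: the upstream service has
    stayed below `threshold` for `tolerance_steps` consecutive steps (the
    dependent system's own coping capacity). None means no cascading effect."""
    run = 0
    for t, f in enumerate(profile):
        run = run + 1 if f < threshold else 0
        if run >= tolerance_steps:
            return t
    return None


def compare_scenarios(shock=0.8, recovery_rate=0.1, horizon=10,
                      threshold=0.6, tolerance_steps=2):
    """Constructed low- vs high-vulnerability system hit by the same shock."""
    scenarios = {"low": 0.75, "high": 0.25}       # coping capacity per system
    result = {}
    for name, coping in scenarios.items():
        profile = service_profile(shock, coping, recovery_rate, horizon)
        result[name] = {
            "profile": profile,
            "lost_service": lost_service(profile),
            "cascade_at": cascade_step(profile, threshold, tolerance_steps),
        }
    return result


if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        print(f"{name:4s} vulnerability: {r['profile']}")
        print(f"     service disruption {r['lost_service']}, cascade at step {r['cascade_at']}")
```

With the same shock, the low-vulnerability system loses 0.3 service-steps and never crosses the dependent system's threshold, while the high-vulnerability system loses 2.1 and triggers the cascade at the second step; the difference comes entirely from coping capacity, since the recovery rate is identical.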
Vulnerability induced Complexity



Complexity induced vulnerability – Decision Support System

Degree of penetrability as a measure of vulnerability


Vulnerability Matrix and Vulnerability Cadastre
GIS Representation



Numerical evaluations



Vulnerability Acceptance Matrix



Framing Guidelines for Risk and Vulnerability Assessment



Framework for Risk and Vulnerability Assessment

Models and Tools - Overview

• Vulnerability Assessment Checklists
• Actor-Based Modeling and Simulation
• Aggregate Supply and Demand Tools
• Dynamic Simulations
• Physics Based Models
• Population Mobility Models
• Leontief Input-Output Models
• Network Topology Design Theories
• Critical Infrastructure Interdependencies Integrator (CI3)
• Hybrid Approaches
Criticality and security: a complementary approach

[Figure: an Infrastructure sits between two complementary questions about a CRISIS. Criticality: “if [the infrastructure] is disrupted, [it] will lead to…” the crisis. Security: “[the infrastructure] is required in case of…” the crisis.]



A regional system of interdependent CI

[Figure: a Regional system containing subsystems of CI 1 (e.g. Energy), CI 2 and CI 3… (e.g. Transport), together with the economic system, the social system, the political system, etc., and the interactions among them.]

A regional system is defined as a “complex distributed spatial system, consisting of all existing critical infrastructures, the socio-economic and political systems and the interactions amongst all these elements”.
Structure of Guidelines
[Flowchart of the SRVA process, read as follows]
Definition of the SRVA Process
1. Objectives and scope
2. Involved stakeholders and responsibilities
Criticality assessment
1. Definition of criticality criteria
2. Identification and ranking of CI at regional level
3. Characterization of the MOST critical system and of priority exposed elements
Relevant scenarios definition
4. Definition and ranking of scenarios of service disruptions of the most critical system
Vulnerability analysis
5. Direct vulnerability assessment for the relevant scenarios
6. Cascading vulnerability assessment for the relevant scenarios
Define Vulnerability reduction strategies
7. Definition of acceptable level of vulnerability
8. Define actions to be taken
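The Models and Tools overview lists Leontief Input-Output Models, and steps 5 and 6 of the guidelines separate direct from cascading vulnerability. The following added example (not code from the slides or from any of the listed tools) shows the inoperability input-output form of that model: the inoperability q of each sector satisfies q = A* q + c*, where c* is the inoperability imposed directly by the scenario (step 5) and the matrix A* propagates it along the dependencies (step 6). The three sectors, the matrix entries, the scenario and the output values are constructed assumptions.

```python
# Constructed three-sector example (an assumption, not data from the slides).
SECTORS = ["power", "telecom", "water"]

# a_star[i][j]: inoperability induced in sector i by one unit of inoperability
# in sector j, i.e. the fraction of i's function that depends on j.
A_STAR = [
    [0.0, 0.1, 0.0],   # power needs some telecom (grid control data)
    [0.5, 0.0, 0.0],   # telecom needs power
    [0.4, 0.2, 0.0],   # water needs power (pumps) and telecom (SCADA links)
]

# c_star[i]: inoperability directly imposed by the scenario (step 5):
# 30 % of the power sector is knocked out, nothing else is hit directly.
C_STAR = [0.3, 0.0, 0.0]

# Hypothetical daily output value per sector, used for the loss estimate.
OUTPUT = [1000.0, 400.0, 200.0]


def inoperability(a_star, c_star, tol=1e-12, max_iter=10000):
    """Solve q = A* q + c* by fixed-point iteration, i.e. the Neumann series
    q = sum_k (A*)^k c*, which converges when the interdependency matrix has
    spectral radius below 1 (no dependency loop amplifies a failure)."""
    n = len(c_star)
    q = list(c_star)
    for _ in range(max_iter):
        q_next = [c_star[i] + sum(a_star[i][j] * q[j] for j in range(n))
                  for i in range(n)]
        if max(abs(v) for v in q_next) > 1e12:
            raise ValueError("diverging: interdependency matrix too strongly coupled")
        if max(abs(q_next[i] - q[i]) for i in range(n)) < tol:
            return q_next
        q = q_next
    raise ValueError("did not converge within max_iter iterations")


def cascading_part(q, c_star):
    """Inoperability due to propagation only (step 6): total minus direct."""
    return [qi - ci for qi, ci in zip(q, c_star)]


def economic_loss(q, output):
    """Expected loss: inoperability-weighted sum of the sectors' output."""
    return sum(qi * xi for qi, xi in zip(q, output))


def rank_sectors(names, q):
    """Sectors ordered by inoperability, for the ranking in steps 2 and 4."""
    return sorted(zip(names, q), key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    q = inoperability(A_STAR, C_STAR)
    for name, qi, casc in zip(SECTORS, q, cascading_part(q, C_STAR)):
        print(f"{name:8s} inoperability {qi:.4f}  of which cascading {casc:.4f}")
    print("loss:", round(economic_loss(q, OUTPUT), 2))
```

The feedback between power and telecom (each needs the other) raises the power sector's own inoperability above the 30 % imposed directly, and water, which is not hit at all, ends up almost as inoperable as telecom; this is the cascading share that step 6 asks for and that a per-sector assessment would miss.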
Critical Infrastructures
Issues of Homeland Security
An International Perspective



Expert Opinions

[Figure: a revised „Maslow Pyramid“ of security policy, with countries placed at three levels and an arrow marked Broadening pointing from the first level to the last.]
• Traditional one-dimensional perspective of security policy: military threats, power politics (e.g. Armenia, Georgia)
• Broadening scope of security policy recognized, partly analyzed (e.g. Austria, Norway, Switzerland, Sweden)
• Comprehensive risk analysis: interdependency analysis of threats and critical infrastructures (e.g. U.S.A)
Need for Integrative Approach
Risk
Vulnerability
Sustainability
Governance



An Invariant – in „System of Systems Engineering“?

ARASP – As Resilient As Society Permits
ALARA – As Low As Reasonably Acceptable

Sustainability: Multicriteria Indicators and their Integration
Governance: Acceptability, Perception, Trust, Participation
A Short Exercise (1)
What are the implications of variety for interdependent complex and vital systems?



A Short Exercise (2)
What are the issues related to dealing with complex
systems based on the concepts of risk, vulnerability,
sustainability, and governance?



Four Types of Concepts

[Figure: Risk Assessment, Vulnerability Characterization, Sustainability, and Governance & DMP arranged around the core notions of Complexity and Vitality.]

4 Types of Concepts (1)
Risk and its Constituencies
Probability
Consequences
Scenarios
Risk acceptance and its representation
Example: vital interdependent systems: electricity system and the water infrastructure



4 Types of Concepts (2)
Vulnerability Assessment
Susceptibility assessment and degree of penetration in complex infrastructures
Threat identification and assessment
Resiliency of simple and interdependent infrastructures
Example: attempts to evaluate numerically the vulnerability of given vital systems / infrastructures



4 Types of Concepts (3)
Sustainability Approach for Vital Infrastructures:
Large number of indicators to define sustainability
Categorization of sustainability indicators
Criteria - Attributes - Indicators for sustainable evaluation of critical infrastructures
How sustainable can one get with vital infrastructures?
Degree of Sustainability for infrastructure systems
These concepts exhibit emergence!



Williams (1997), Chaos Theory Tamed
4 Types of Concepts (4)
Governance
Both quantitative and qualitative assessment
Observer interaction with the ‘system-being-observed’ and governed. Position of a Governance Actor
Risk Governance: what is it?
Governance and Resiliency of Complex and Interdependent Infrastructures
Example: The ‘instrument’ of Risk Governance in view of Resilient Policy Design and System Implementation



Short Exercise
Given the following situations, what type of concepts are adequate and could be applied?
• A blackout scenario for an interconnected electricity system?
• A terrorist cyber attack and the weak states of an information and communication system?
• A mitigation scenario analysis after a natural hazard at regional level?
• A detailed performance evaluation system for smart and resilient infrastructures?



Critical Infrastructures

Ubiquity of Digitalization and Risks/Vulnerability of Interdependent Infrastructures

Ubiquity of Digitalization
• According to authoritative definitions of ubiquity, one can conclude that two of them are relevant to the further work within this Project.
• Definition 1: “The capacity of being everywhere or in all places at the same time” (Oxford English Dictionary)
• Definition 2: “Presence everywhere or in many places especially simultaneously” (Merriam Webster Dictionary)
• Definition 3: By digitalization we mean the process-automation related activities, as well as the intensive use of various kinds of computers, associated with the operational, tactical, as well as the strategic phase of a given infrastructure.



Digitalization and Critical Infrastructure
• The ubiquity of digitalization and its influence on vital systems gives new dimensions on how to treat, individually or collectively, events such as sabotage, human negligence, or the lack of security culture, in view of the increased contemporary safety needs.
• In respect to the ubiquity of digitalization vs. its influence on critical infrastructures, the corporate management of infrastructure systems (e.g. energy, ICS) is more afraid of the changes within the regulation framework and the associated market influences than of the aggressive technological changes and their penetration.
• Ubiquity of digitalization and its influence on vital systems introduces completely new questions on how to treat, individually or collectively, events such as sabotage, human negligence, or the lack of security culture, in view of the increased contemporary safety needs.



Digitalization vs. Pervasive Computing
• Pervasive computing refers to the emerging trend toward numerous, easily accessible computing devices connected to an increasingly ubiquitous network infrastructure.
• Pervasive computing devices are not personal computers as we tend to think of them, but very tiny - even invisible - devices, either mobile or embedded in almost any type of object imaginable.



Interdependence and Behavior
• Today, infrastructure systems are heavily dependent upon one another. They are invariably large-scale dynamic systems of systems with numerous components, non-linear in nature, spatially distributed; they incorporate divisions with different missions, resources, timetables, and agendas working in different socio-economic environments and cultures.



Threats (Revisited)
• Risk of extreme and catastrophic events is of paramount importance; organizational and human errors/failures are common, and these systems are dominated by multiple conflicting and competing objectives. Disruption in any of the systems could jeopardize the continued operation of the entire infrastructure system.
• Many of these systems are known to be vulnerable to physical and cyber threats and to single failures with cascading effects in a causal chain, induced by system complexity. Failures may not only cause breakdowns of services but may cause harm to society.



Risk and Vulnerability (Revisited)
• However, critical infrastructures are not only vulnerable to threats and hazards; they pose a risk themselves, which is not limited to cases of disruption and malfunction.
• One of the major risks of these infrastructures lies in their enormous contribution to social welfare and economic growth which, in turn, adds to further development and extension of the infrastructures.
• Because of the large diversity of systems considered as critical infrastructures, only a few selected issues will follow next. The task of identifying, at an adequately high level of generality, the risk assessment and governance related aspects of this class of systems is still, worldwide, ongoing.



Single Type Critical Infrastructures: The Electric Power System
Energy supply systems are essential to an economy and its security. They are becoming increasingly complex and interconnected. Vulnerability to disruptions from natural causes and malevolent threats, and industry restructuring, could compromise their stability and reliability, with potentially high economic losses. They could become a target for sabotage. The electric power industry is restructuring, leading to competition in a formerly restricted and regulated environment.
• This, in turn, will lead to new risks to the grid: the lack of sole responsibility for grid reliability, the tendency for owners and operators to focus on a short-term, least-expensive approach to operations, and increased physical threats. This could potentially lead to national disasters.
• The new and emerging threats faced by the present engineering design and facility management community demand innovative solutions, based on risk management approaches.
• Energy infrastructures have an impact on agglomeration areas and mega-cities (towns with more than 10 million inhabitants by 2010), which, in turn, are highly vulnerable (e.g. increased risk of infectious diseases when sewage systems fail; high death or disease rates caused by accidents in chemical or nuclear facilities), and also comprise a risk factor themselves - since they contribute to pollution or exploitation of resources.
• A multidisciplinary governance and risk-management based program has to be considered and implemented in order to cope with these risks.



Single Type Critical Infrastructures: The Information and Communication Systems
• The investigation of the vulnerability of information technology, and the Internet in particular, shows an enormous rise in recent years in the number of breaches in the availability, confidentiality, or integrity of information (systems). The advent of the Internet has caused a blurring of the boundaries between previously independent information systems.
• Because of the large number of interconnections between systems, the risks from these attacks are becoming even greater.
• At present, the current level of the potential damage due to the vulnerability of the Internet, and the level of potential damage to be expected in the future, cannot be determined exactly. The open nature of the Internet plays an important part. The social and economic consequences of a vulnerable Internet are expected to continue to increase.



Single Type Critical Infrastructures: Transportation Systems and Mobility
• In dealing with transportation risks at local or even regional levels, the public is getting more involved in the governance process (citizens of Chamonix in France voted to stop heavy transportation traffic through their region).
• Mobility of goods is in a fully rising stage. It induces openness within society at large. Sophisticated logistics associated with transportation systems allow an efficient and manageable increased flow of products.
• The interdependencies of production systems with the transportation systems were managed within concepts such as "Just in Time" (JIT) and "Intermodal Freight" (ImF).
• Mobility changes business practice and its dimensions (from local to global); computerized monitoring systems assist the JIT and ImF processes, and make the business go round the world (e.g. salmon harvested early in the morning in Scandinavian countries is served in the evening in Madrid or Rome). ImF allows seamless integration of various transportation systems across various borders and trading practices.
• More hazardous substances are transported every day. The increased volume of activities in this industry, and the high interactions with human operators, computer systems, transport infrastructures, regulations and governance, lead to a new degree of complexity of the industry.



From Single Type Critical Infrastructures to Interdependent Systems
• There is a need to understand interactions and dependencies at the level of single critical infrastructures. In addition, the specific role of digitalization within a given class of critical infrastructure needs to be understood, mainly in the initial design and operation phase, for distinct industries such as power generation or transportation system operators.
• When dealing with interdependent critical infrastructure systems, there is an urgent need to address and assess their complexity, and to find new ways of understanding and expressing the vulnerability and risks of coupled infrastructures.
• Understanding the behavior of interdependent, tightly coupled critical infrastructures is not a simple matter.
• There is a need to address the issue by looking at the format of what is called in this report a system of systems.



Relation to Critical Infrastructure
• Many processes, e.g. traffic, health, services, can be executed more effectively by use of pervasive computing, opening up the potential capability for the economical management of resources. However, pervasive computers lead to a higher degree of systems complexity in relation to critical infrastructures. We have to live today with what one can call "unmastered complexity". It is a trend that computer users (actors) are willing to delegate decisions to so-called software agents due to:
– the limited human capability to suddenly respond to a variety of tasks, or
– the finite time resources available at some given instances.
• Pervasive computing creates new types of infrastructures where it is difficult to assess liabilities for single failures.
• Insurance companies are looking at this era of pervasive computers, at the specific new distribution of risks and at their own position in insuring potential liabilities.
• There is a degree of belief that mastering a new level of complexity due to pervasive computing has inherent limits. The complexity level of newly developed technologies has to be accepted to the degree that the real systems of critical infrastructures can still be safely managed.



Rule of Thumb
• As a rule of thumb, one can argue that in the re-education process towards the crucial new aspects and capabilities of pervasive computers, circa 90% of the content would address how to avoid un-mastered complexity, while 10% would be dedicated to the acquisition of formal / classical knowledge and abilities, e.g. programming.
• In handling the complexity due to the ubiquity of pervasive computing one has to adopt simple technical solutions and strategies.
• Pervasive computing in relation to a wide variety of critical infrastructures could be prone and open to bringing new forms of "digital time bombs".
• An awareness policy is necessary - the present situation in relation to pervasive computing and its penetrability within the world of critical infrastructures indicates that this is still at an immature stage. Together with the ubiquity of digitalization, the two trends have to be addressed in relation to the risk and vulnerability of critical infrastructures.
• New legal initiatives and practical steps should be instrumental in countering the negative effects of uncontrolled pervasive computing and the ubiquity of digitalization.



The Swiss Rail Transportation System



Digitalization – Current Status
• Concerning the selected Swiss rail transportation operator, its control and management functions, as well as ordinary operational activities, are highly assisted by digital technologies. This extensive use of computer-assisted devices makes it possible to overcome the challenge of controlling and operating the highly complex railway system. The common digital technologies and their penetration rate are mainly driven by market forces.
• Computer-assisted models and tools to optimize the flow of the traffic and to build up sophisticated reliable timetables indicate a penetration of digitalized systems, and prove its ubiquity.
• Due to excess capacity in its own telecommunication infrastructure capabilities, the corresponding Swiss transportation company is selling its surplus capacity of the telecommunication lines to other private ICS service providers. There are also other initiatives, such as renting excess capacities to cable TV companies, or even to internet provider companies.
• IT infrastructure and services needed for the company’s management and operation are partially outsourced to private companies, outside of its competence and authority.



Degree of Digitalization – Trends
• Within the investigated industry the current trend is to integrate such different core functions as the transmission of voice, train signals or train steering by remote control technology on a single digitalized system by using a single “information pipeline”.
• The driving force for the increased use of the digital technology is the effort to increase the Company’s productivity (e.g. increased traffic capabilities up to ca. 30%). In general, at the present time, when it comes to digitalization and operation related activities, economics prevails.



Influence on Management Functions
• The continuous technological improvements in the railway system are also driven by the ageing of some present technologies. Reengineering activities will definitely be done via digitalization in various forms and degrees of integration.
• Currently, the development of remotely controlled high speed trains is in process; the driver is in this case in a new position in order to interact with the locomotive, which is in this case a complex and almost fully digitalized system.
• Discussions related to the deregulation processes do take into account, to the necessary degree, relevant issues related to safety – security concerning digitalized systems.
• Technological risk related assessment for the digitalization within the Company’s industry is fully addressed and covered by use of ISO standards.



Digitalization Induced Risks
• As a security principle, redundant information pipelines are in the process of being fully implemented; such redundancy can go up to 500% in some cases, depending on the needs of each specific function which has to be assisted.
• Risk and safety issues related to the digitalization are of high importance for new systems acquired via the integration of different traffic and management functions.
• There are currently no safety standards and implementation guidelines for the so-called open systems; the digitalization in the railway systems does require such standards and a new design philosophy. Therefore, there is an urgent need for a more scientific way of approaching security.
• The company does not yet have a full picture of the risks and vulnerabilities induced by the current digitalization trend, and the old best practice assumptions are still considered when designing and implementing profoundly new designs and technologies. This must be changed within the industry; there is not yet a definitive consensus on this issue.
• Also “security through obscurity”, as a tactical approach to deal with risks related to train communication, etc., still does not encompass the so-called big picture.
• The topic of increased ubiquity of digital technologies and pervasive computing is not treated under a single management department. This might create delays and additional costs when the system will have to accelerate its rate of penetration of digitalized integrated systems into the company.



Dependencies
Concept of Dependency
• Dependency is defined in the open literature as a linkage or connection between two infrastructures, through which the state of one infrastructure influences or is correlated to the state of the other.
• There are different degrees of dependencies among objects / agents within a given critical infrastructure or among critical infrastructures.
• The advent of digitalization, as a central concept in assessing critical infrastructures performance, implies the need to assess the impact of this vector, e.g. digital information and its hardware support, in connection with various agents and critical infrastructures.



Dependencies (2)
Dependencies and the Focal Position of the Electric Power Sector
• The degree of dependency concept could be extended in order to understand and quantify the impact of digital technologies or of the ubiquity of digitalization on the overall performance of i) a given critical infrastructure or ii) distinct critical infrastructures.
• If one meaning of the dependency concept involves a potential physical connection between parts of or the entire critical infrastructure, the other meaning would take into consideration the degree of ubiquity of digitalization embedded into a given critical infrastructure, in order that this would provide the designed services, with some degree of reliability and risk.



Concept of Interdependency (1)
• Interdependency is defined as a bi-directional relationship between two infrastructures, through which the state of each infrastructure influences or is correlated to the state of the other. More generally, two infrastructures are interdependent when each is dependent on the other.
• The degree of digitalization could be the focus of an interdependency assessment by measuring the flow of information which crosses the interface between the considered critical infrastructures.
• Interdependencies vary widely, and each has its own characteristics and effects on infrastructure agents. Among the various dimensions which characterize the interdependencies among critical infrastructures are: type of failure, state of operation, environment, coupling and response behavior.



Concept of Interdependency (2)



Classes of Interdependencies
• Physical Interdependency: Two infrastructures are physically interdependent if the state of each is dependent on the material output(s) of the other.
• Cyber Interdependency: An infrastructure has a cyber interdependency if its state depends on information transmitted through the information infrastructure.
• Geographic Interdependency: Infrastructures are geographically interdependent if a local environmental event can create state changes in each of them.
• Logical Interdependency: Two infrastructures are logically interdependent if the state of each depends on the state of the other via a mechanism that is not a physical, cyber, or geographic connection.



There is by now a consensus that concepts like interdependency and interconnection are not similar when dealing with security aspects for critical infrastructures.
– Interconnection implies mutual influences among distinct components, up to the system level.
– Interdependencies affect services provided by distinct infrastructures, e.g. banking, hospitals, by their quality and degree of extension, and indicate the built-in resilience of various distinct systems up to their interface interactions.



Network of Networks



Coupling and Response Behavior
• Tight coupling is characterized by time-dependent processes that have little "give" or slack. Loose coupling, on the other hand, implies that the infrastructures or agents are relatively independent of each other, and the state of one is only weakly correlated to or independent of the state of the other. Slack exists in the system, and the processes are not nearly as time dependent as in a tightly coupled system. In sum, tight and loose coupling refer to the relative degree of dependencies among the infrastructures.
• The concept of tight / loose coupling within and among critical infrastructures does allow additional flexibility via the use of the new paradigm of the ubiquity of digitalization. IRGC should further investigate the degree to which penetration of digital technology would allow implementation of the fail-safe concept as a solution for treating interdependencies at the level of high control and flexible / adaptive interactions.
• The coupling order indicates whether two infrastructures are directly connected to one another or indirectly coupled through one or more intervening infrastructures. The interactions among infrastructures can be further classified as either linear or complex.



Interactions
• Linear interactions are those in familiar production or maintenance sequences, and those that are quite visible even if unplanned.
– Linear interactions are generally those intended by design, with few unintended or unfamiliar feedback loops.
• Complex interactions are those of unfamiliar sequences, or unplanned and unexpected sequences, and either not visible or not immediately comprehensible.
– Complex interactions are likely to exist when agents can interact with other agents outside the normal production or operational sequence, whether by design or inadvertently.
– Such interactions can occur in systems with branching paths, feedback loops, and jumps from one linear sequence of operations to another (possibly due to geographic interdependencies).
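The classes of interdependency, the coupling order and the feedback loops of the last three slides can all be read off one dependency graph. The following added example (not code from the slides, and the regional graph in it is a constructed, hypothetical assumption) records each dependency with its class, computes the coupling order between two infrastructures as the number of hops along the dependency direction, flags mutually coupled pairs as feedback loops, and lists everything a failure in one infrastructure can reach.

```python
from collections import deque

# Constructed, hypothetical regional dependency graph (an assumption, not data
# from the slides). An edge (upstream, downstream, kind) means the downstream
# infrastructure's state depends on the upstream one through the named class
# of interdependency (physical / cyber / geographic / logical).
DEPENDENCIES = [
    ("power", "telecom", "physical"),     # base stations and switches need electricity
    ("power", "telecom", "geographic"),   # cables share the right-of-way of power lines
    ("telecom", "power", "cyber"),        # grid control relies on data links
    ("power", "water", "physical"),       # pumping stations need electricity
    ("telecom", "banking", "cyber"),      # payment clearing needs connectivity
    ("water", "hospital", "physical"),
    ("power", "hospital", "physical"),
]


def build_graph(edges):
    """Adjacency map: graph[upstream][downstream] -> set of interdependency classes."""
    graph = {}
    for upstream, downstream, kind in edges:
        graph.setdefault(upstream, {}).setdefault(downstream, set()).add(kind)
        graph.setdefault(downstream, {})
    return graph


def interdependency_classes(graph, upstream, downstream):
    """Classes through which `downstream` depends directly on `upstream`."""
    return sorted(graph.get(upstream, {}).get(downstream, ()))


def coupling_order(graph, source, target):
    """Coupling order from source to target: 1 = directly connected,
    k > 1 = coupled through k-1 intervening infrastructures, None = not coupled."""
    if source == target:
        return 0
    seen = {source}
    queue = deque([(source, 0)])
    while queue:                                  # breadth-first = shortest path
        node, dist = queue.popleft()
        for nxt in graph.get(node, {}):
            if nxt == target:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def is_interdependent(graph, a, b):
    """Bi-directional: each depends, directly or indirectly, on the other."""
    return (coupling_order(graph, a, b) is not None
            and coupling_order(graph, b, a) is not None)


def feedback_pairs(graph):
    """Mutually coupled pairs. Each closes a feedback loop, one of the markers
    of complex (rather than linear) interactions."""
    nodes = sorted(graph)
    return [(a, b) for i, a in enumerate(nodes) for b in nodes[i + 1:]
            if is_interdependent(graph, a, b)]


def reach_of_failure(graph, failed):
    """Infrastructures whose state a failure in `failed` can affect, with the
    coupling order at which the effect arrives."""
    reach = {}
    for node in graph:
        if node != failed:
            order = coupling_order(graph, failed, node)
            if order is not None:
                reach[node] = order
    return reach


if __name__ == "__main__":
    g = build_graph(DEPENDENCIES)
    print("feedback pairs:", feedback_pairs(g))
    print("power -> telecom classes:", interdependency_classes(g, "power", "telecom"))
    print("reach of a power failure:", reach_of_failure(g, "power"))
```

In this graph banking is never directly connected to power, yet it sits at coupling order 2 behind it through telecom, and the power/telecom pair is the only feedback loop; the rest of the graph is linear in the sense of the slide, which is what makes the loop the place to look for complex, non-obvious propagation.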



Electric Power System Interdependencies (1)
• Electricity Generation: Reliance on Open-Access ICS. In the case of the Swiss power system, with a high contribution from NPPs, the use of digital systems and the interaction with the open-access ICS is limited only to the management and marketing related activities.
• Trends:
– There is a tendency to discriminate in adopting information and communication systems privately owned by the electricity industry vs. the open-access ICS. The argumentation for such an in principio position is related to the fact that the contribution of NPPs to electricity generation is significant, and potential risks and vulnerabilities would be significant if the operation activities were exposed to cyber-threats and other associated digital hazards.
– A national program of work related to the issue of risks, vulnerability and security related tasks on information systems and the electric power sector is currently ongoing.
• Electricity Generation: Reliance on the Rail Transportation System. In Switzerland, due to the current electricity generation structure (55.9% hydro, 39.7% nuclear and 4.4% conventional thermal), there is no significant short term reliance by the electricity generation sector on the availability of the rail transportation system (i.e. no use of fossil fuel which would have to be transported continuously and timely).



Electric Power System
Interdependencies (2)
• Electricity Transmission: Reliance on Open-Access ICS
The basic design philosophy of electricity transmission is that, at any time, a
black-out should be avoided: the transmission lines should be kept under
voltage. As a corollary, keeping the transmission lines under voltage must
go on even if the open-access communication systems are out of order or not
accessible at the time of a contingency.
• When a black-out is becoming imminent, or for some reason it just happens,
the use of any communication and technological means – from battery
phones to satellite communication phones – is necessary, practical and
acceptable. For technology-related aspects of continuity in service, the
electricity transmission grid operates in an island mode and is designed to
use its own IT and specific communication resources, without any need to
interact with the open-access domain of ICS.
• Trends:
– The recent liberalization policy of the electricity market is going to be
implemented, inter alia, via intensive use of information technology and open-
access ICS for commercial transactions as well as for logistic related purposes.
– This process, without proper care and adequate professional knowledge and
assistance, could lead to the manifestation of some new and unknown hazard
events.

Interdependencies Related to
Market Forces
• Due to the new policy of market deregulation and privatization in
the electricity generation and transmission industries in
Switzerland, a new paradox tends to arise.
• Technical operational constraints require the integration of
generation (location and amount of electricity production),
transmission and load management under strict centralized or
improved control technology for frequency, and subsequently the
synchronous system operation (i.e. frequency, voltage limits).
• The new market rules serve the individual interests of distinct old and
new actors (e.g. decentralized generation technologies) involved in
generation trading and marketing, which have to obey financial and
business rules only.
• Findings:
– Taken together, the two observations above introduce a new management
paradox (centralized production and distribution operations vs.
decentralized marketing activities).
– The security of supply and the market opening criteria could be just the
de minimis condition to re-design systems, up to acceptable levels of
risks in operation.

A New Situation - Smart
Grids and Renewable
Technologies
• The new paradox will be handled and harmonized (if it has to survive
technically and politically) by the existence of two distinct IT
environments, which will operate separately (for how long?) or will
probably merge to some large extent (at what price in safety and
security?).
• The introduction of renewable technologies and other decentralized
power and electricity generation technologies could create some
additional flexibility in the process of adopting, more vigorously,
digitalized technologies.
• According to current thinking and adopted trends, the IT control
should have an island-type architecture as far as it affects the
security of supply.
• In parallel, the market-oriented IT instruments, in case they are not
interacting with the technological processes, should be open and fully
linked to Internet-type technology.
• The new political trends, in view of market deregulation, and the
operability of technological systems based indeed on fundamental
technical laws, will require the adoption and recognition of the need
for multi-criteria system design and reengineering in the
power sector.

nth Order Effects within
Critical Infrastructures
Figure (diagram; only the labels could be recovered): initiating event Cyber Threat;
Power Grid – Total or Partial Black-out; Distribution System – Disruption in
Electricity Distribution; NPP – Scram; Rail System – Incapacity of Operation;
Refinery – Interruption of Oil Processing; Oil Delivery – Goods Delivery;
Hospitals – Potential Deaths; Insurance – Liability, Liabilities, LOF;
Air Control – Partial Lack of Control, Incapacity to Communicate in Time;
Aviation – Potential Air Collision; Water Supply – Disruption of Irrigation;
Agriculture – Crop Losses. Columns: 1-st Order Effect, 2-nd Order Effect,
3-rd Order Effect.
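As an added example (not part of the lecture slides), the cascade sketched in the figure can be computed as orders of effect over a dependency graph: a breadth-first search from the initiating event assigns each infrastructure the order at which it is first reached, and cutting one dependency edge shows what an island-type ("oyster") design of a vital system buys in reduced reach. The node names follow the figure's labels; the edges between them are an assumption made for this example, not the slide's diagram.

```python
from collections import deque

# Constructed dependency graph (assumption for this example): an edge a -> b
# means "a failure of a propagates to b".  Node names follow the labels in the
# slide's figure; the edges are not taken from the slide.
DEPENDENCIES = {
    "Cyber Threat": ["Power Grid"],
    "Power Grid": ["NPP", "Rail System", "Refinery", "Distribution System"],
    "NPP": ["Power Grid"],            # a scrammed plant removes generation (cycle)
    "Rail System": ["Oil Delivery"],
    "Refinery": ["Oil Delivery"],
    "Distribution System": ["Hospitals", "Air Control", "Water Supply"],
    "Hospitals": ["Insurance"],
    "Air Control": ["Aviation"],
    "Water Supply": ["Agriculture"],
    "Oil Delivery": [],
    "Insurance": [],
    "Aviation": [],
    "Agriculture": [],
}


def cascade_orders(graph, source):
    """Return {node: order} where order is the length of the shortest
    dependency path from the initiating event; the source has order 0."""
    order = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in order:          # first reach = lowest order
                order[dep] = order[node] + 1
                queue.append(dep)
    return order


def effects_by_order(graph, source):
    """Group affected infrastructures as 1st-, 2nd-, ..., nth-order effects."""
    grouped = {}
    for node, k in cascade_orders(graph, source).items():
        if k > 0:
            grouped.setdefault(k, []).append(node)
    return {k: sorted(v) for k, v in sorted(grouped.items())}


def reach_without(graph, source, removed_edge):
    """Set of infrastructures still reached when one dependency edge is cut,
    e.g. when a vital system is insulated from the rest ('oyster' design)."""
    a, b = removed_edge
    pruned = {n: [m for m in deps if not (n == a and m == b)]
              for n, deps in graph.items()}
    return set(cascade_orders(pruned, source)) - {source}


if __name__ == "__main__":
    for k, nodes in effects_by_order(DEPENDENCIES, "Cyber Threat").items():
        print(f"{k}-order effects: {', '.join(nodes)}")
    insulated = reach_without(DEPENDENCIES, "Cyber Threat", ("Power Grid", "NPP"))
    print("infrastructures reached with the NPP insulated:", len(insulated))
```

The breadth-first order is the shortest dependency path, so an infrastructure that can be hit both directly and via a longer chain is reported at its earliest order; comparing the reach with and without a given edge is the simple form of the question the later slides raise about which interfaces to insulate.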
Governance and Critical
Infrastructure
• The need for viable governance strategies for critical infrastructures is simply
demonstrated by the series of spectacular infrastructure failures.
• Each critical infrastructure is different: Financial markets, for instance, pursue
different goals, are based on a different logic and adhere to different rules and
principles than emergency services or electricity grids.
• Governance strategies to address vulnerabilities and risks - whether inherent in
such systems or threatening them from the outside - vary widely according to
individual infrastructures.
• There are further complexities. Whereas, in terms of existing governance
patterns, some of the critical infrastructures might be relatively straightforward
to understand on a limited national level and when looking only at the system
itself without considering its outward relations (e.g. transportation system,
electricity grid), others, such as information and telecommunication systems,
are themselves a critical infrastructure to other infrastructures.
• There is an increasing degree of (horizontal or lateral) dependencies between
individual infrastructures (e.g. between transportation systems, gas networks
and the electricity grid) as well as cross-border dependencies within and across
particular infrastructures, meaning that "minor disturbances can snowball into
major disruptions".

Trends in Complexity and
Interdependency
Management (1)
1. Digitalization seems to be an irreversible trend within the operation, logistics,
control, management, and integration of various critical infrastructures. The adoption of
digital technologies has made it possible to operate infrastructures at a larger scale
and with a much higher level of service quality and reliability.
2. The human component plays today a decisive role in harmonizing information,
interpretation and making decisions on large and vastly distributed systems, e.g.
electricity grids. Recent blackouts have shown that misinterpretation and
wrong or inadequate decisions can be attributed to system operators. The
human component is going to be more and more replaced by automated process
control making use of digitalized technologies.
3. The ubiquity of digitalization in respect to all critical infrastructures is to be
considered as a new and revolutionary paradigm.
4. Under the current development of technology, and within the high degree of integration
of critical infrastructures, there is no room for a zero-risk concept.
5. Insularization of some vital sensitive systems (e.g. NPP) is, in principle, possible. The
"oyster" design concept for ICS-vital systems is gaining ground with respect to
some vital technologies (e.g. NPPs), while for others (e.g. communication systems,
rail transportation infrastructures) this design concept is fully abandoned.

Changing from Human
Operated Systems to
Automated and Computerized
Systems

Trends in Complexity and
Interdependency
Management (2)
6. There is an observed trend that "common mode technology" leads to
"common mode failure", and this complicates, or does not allow,
sustainable secure system design of digitalized technologies for critical
infrastructures. Digitalization-induced common cause failure is to be treated
systematically and, if possible, at all levels of manifestation, e.g.
hardware, software, knowledge processing.
7. Organizational considerations are crucial in infrastructure behavior. The
organizational aspects can be key factors in determining the operational
characteristics of infrastructures.
8. The trends show that one has to integrate a variety of digitalized
approaches, from simulation and modeling, to sophisticated architectures
of highly resilient systems, exposed to a diversity of threats in a dynamic,
ever-changing operational and cultural environment.
9. Public awareness on critical infrastructure security involves adopting the
precautionary principle in view of acceptability of societal risk.
10. There is a need for a balanced approach between market intervention
and risk management, which finally aims towards a more secure
operational environment for sophisticated critical infrastructures.

Trends in Complexity and
Interdependency
Management (3)
11. In analyzing some large-scale accidents of critical infrastructures (e.g.
power systems), one can conclude that, due to the increased complexity
and sophistication in running critical infrastructures, insufficient
"digitalization" could be a contributor.
12. Information and knowledge assets within corporations have to be
properly evaluated in order to further induce new mechanisms for risk
management and decision making.
13. Distinct critical infrastructures were not initially designed for the present
new market behavior and deregulation requirements. ICS, through its
process of being embedded into e.g. electricity and transportation
systems, is considered to assist (all) new societal changes, up to
the level of maximum security and minimal costs.
14. Critical infrastructures incorporate technologies of a large variety, of
different ages, with distinct life cycles and lifetimes (from a decade to
almost a century), which perform dynamic interactions and
interdependencies among themselves.
15. The penetration of digitalized systems into critical infrastructures induces
new aspects of people's privacy, and some people, and civil society,
argue that this could influence the democratic foundations of our
modern society at large.

Trends in Complexity and
Interdependency
Management (4)
16. There is a co-existence of technologies of various ages, and the trend is toward ever
shorter technology generations when it comes to digital systems. In this process of adopting
new-generation technology or state-of-the-art digital products, some incidents could be
foreseen due to the need for fine tuning among technologies, knowledge and human
capability to cope with the new situations and changes.
17. A different ergonomic design is needed, and finally has to be implemented within the
concept of ubiquity of digitalization, in the context of changes running in parallel with
existing operational technology.
18. Taking the assumption that infrastructure failures (e.g. electric power blackouts) cannot
be totally avoided, the survival of critical services (e.g. water supply, traffic control
devices, hospitals) during an infrastructure outage should be assured. There is a need
to clearly identify such critical social "missions" and to develop strategies to keep them
performing during an infrastructure outage.
19. When dealing with single-type critical infrastructures operating in environments prone
to natural disasters (e.g. earthquakes), one has to take into account, in a life cycle
mode, the response capabilities in case of natural hazard occurrence. Advanced sensors
and digital monitoring systems could put systems into a fail-safe mode.

Trends in Complexity and
Interdependency
Management (5)
20.There is an on-going technological osmosis between originally separated
infrastructure systems, which has to be considered as an established pattern
within the technology evolution. Thereby, the penetration of digital
technologies plays a crucial role.
21.There are emerging needs for comprehensive capabilities to address
systems of interdependent critical infrastructures, particularly in the areas of
in-time policy analysis, investment and mitigation planning, education and
training, real-time crisis assistance.
22.There exists no owner of critical infrastructure interfaces.
23.Storage vs. just-in-time concepts have to be integrated into a
secure/safety overall design of the ICS, and other vital systems interactions,
in view of production continuity and providing quality services.
24. "Near miss" hazard events have to be treated and considered more strongly
when dealing with the security of critical infrastructures, and mainly
in ICS-electricity system interactions.
25. There are no robust and available solutions to protect systems of systems.
In spite of the initial common belief that digitalization plays only a minor role
in the surety performance of critical infrastructures, our understanding is that
digitalization and/or cyber threats could multiply the negative potential
consequences in a large number of combinations.

Trends in Complexity and
Interdependency
Management (6)
26.Critical infrastructure security has to be approached in a manifold
manner. Technical, business, and political issues have to be
considered jointly, in assisting the decision making process,
towards increasing the security level.
27.Additional research is needed to apply uncertainty techniques to
better understand the infrastructure component restoration
processes and linkages with other infrastructures.
28.Security culture for critical infrastructure design, operation, and
management is emerging as a topic which has to be professionally
handled.
29.In addressing the overall assessment of risk and vulnerability of
interdependent critical infrastructures, one should create an
awareness that systems could fail, and make it relevant within the
design, operation, and reengineering processes.
30. Adopting individual "ISO"-type recommendations for individual critical
infrastructures will end up requiring ISO-type recommendations mainly for
handling their interfaces, while digitalization is becoming a common
denominator.

Dealing with an
Engineering Economic
Problem (1)
• Security Management:
Security should become a primary goal when designing complex
systems, while economics should play a secondary role. The need to
integrate various operational control strategies for reasons of
security has to become an important and relevant issue.
• Strategic and Technical Management:
In dealing with this category of critical infrastructures, the concept
of strategic planning could play a substantial role in assuring
security functions. Tactical planning can also be adopted, mainly for
load management and power-flow optimization in the grid, as well as
operational planning, which deals with the hourly loading of the
generators in view of supply-demand evaluations.
• Pricing:
Pricing processes have to change their structure if one is to
support first-class security in complex systems and networks.

Dealing with an
Engineering Economic
Problem (2)
• Reliability:
There is a need to refocus and give reliability a second priority in the overall design
and re-engineering (e.g. electricity as a critical infrastructure). This might require a new
paradigm in the process of understanding critical infrastructures and their new
systems engineering approach. There is today a lack of what one could call integrated
operational reliability and security related indicators; adopting such a system
might have some positive effects on the operational, tactical, and strategic levels.
• Need for an Event Scale
There is a need for an Event Scale to monitor the overall system stability (e.g. by a
dashboard) in view of aggregated decisions when dealing with stability and market
forces integration.
• Call for a Joint Approach
There is a need for a joint approach to concepts such as "System of Systems", due to
the increasing size of systems, their complexity and the ambiguity about how
things can go wrong.
• On Cross Fertilization Solutions
One should learn from security related practices within other industries, such as
aviation, and these should be fully considered when implementing new rules and
standards for security of critical infrastructures.
• In the USA, there are visions that the control of large-scale systems (e.g. power transmission
grids) could be assisted by satellite technology; this again could be in line with the
overall control capabilities in the aviation industry on various levels, where the control
of flights is coordinated via satellite. Digitalization and its ubiquity could be a solution,
from a different perspective, in both industries.

Infranomics

A New Working Concept for Interdependent Complex Systems

Approaching Resilient
Critical Infrastructures

Figure: the three perspectives shown around a System of Systems: Socionomics,
Economics and Infranomics.

Advancements on R & V
Modeling

Cluster Analysis and Factor
Analysis
• Cluster analysis is a tool that has the purpose of solving
classification problems. The aim is to classify what is being
investigated into clusters in such a way that the association is
strong between objects in the same cluster but weak between
objects in different clusters.

• Each cluster thus represents a class of its own. Cluster
analysis can expose links and structures in data that are not
evident on first inspection. The result of the cluster analysis can
be a classification system (such as for insects, plants, etc.). Cluster
analysis ought to be most useful in order to group
municipal authorities in accordance with certain vulnerability
criteria and compare them with each other.

• Factor analysis is a statistical method used to identify a small
number of factors that represent the relationships between interrelated
variables. The correlation pattern is stated in terms of latent variables
that are called factors. The aim is to identify latent (not directly
observable) factors behind the clearly observable variables.
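As an added example (not from the slides), this is the grouping the bullet describes: municipalities scored on a few vulnerability criteria are clustered with plain k-means, and the resulting cluster ids are ordered by centroid magnitude so that "0" is the least vulnerable group. The municipalities, their criteria and scores are constructed for this example; the farthest-point seeding is a choice made here to keep the result deterministic.

```python
import math

# Constructed vulnerability criteria for six municipalities (assumption for
# this example), each scaled to [0, 1] where 1 is most vulnerable:
# (share of population on a single water source, relative time to restore
# power after a grid outage, dependence on external ICS).
MUNICIPALITIES = {
    "A": (0.90, 0.80, 0.70),
    "B": (0.85, 0.90, 0.75),
    "C": (0.10, 0.20, 0.15),
    "D": (0.20, 0.10, 0.20),
    "E": (0.15, 0.25, 0.10),
    "F": (0.95, 0.70, 0.80),
}


def dist(p, q):
    """Euclidean distance between two criteria vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def initial_centroids(points, k):
    """Deterministic farthest-point seeding so that results are reproducible."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    return centroids


def kmeans(data, k, max_iter=100):
    """Plain k-means over a {name: vector} dict.
    Returns ({name: cluster id}, final centroids)."""
    names = list(data)
    points = [data[n] for n in names]
    centroids = initial_centroids(points, k)
    labels = [None] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda i: dist(p, centroids[i])) for p in points]
        if new_labels == labels:          # assignments stable: converged
            break
        labels = new_labels
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:
                centroids[i] = tuple(sum(c) / len(members) for c in zip(*members))
    return dict(zip(names, labels)), centroids


def vulnerability_groups(data, k=2):
    """Group municipalities and renumber clusters from least to most
    vulnerable (by centroid magnitude) so the ids carry meaning."""
    labels, centroids = kmeans(data, k)
    rank = sorted(range(k), key=lambda i: sum(centroids[i]))
    remap = {old: new for new, old in enumerate(rank)}
    return {name: remap[lab] for name, lab in labels.items()}


if __name__ == "__main__":
    for name, group in sorted(vulnerability_groups(MUNICIPALITIES).items()):
        print(f"{name}: vulnerability group {group}")
```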
Interview, Questionnaire, Expert
Assessment and Delphi-panels

• A simple way of finding out the status of the safety work in a
municipality is to circulate a questionnaire or to carry out
interviews with key persons. A questionnaire can contain ready
answer alternatives that afterwards can be assessed with the help
of a points key, or there can be open questions for more
semi-structured answers. The questionnaires can be used as a basis for
accumulating information in order to say something about the
overall municipal risk or the local authority's risk management
ability.

• In short, a Delphi-panel can be described as a group of experts
who each in turn answer a number of common questions. The
answers are put together anonymously and the results are then
presented officially. The experts then have the possibility of
revising their answers several times. The idea is that, together, the
experts should reach a consensus on the matters in question
without any specific expert's authority dominating the result. The
Delphi-model could be used as a model that concerns municipal
vulnerability but perhaps mainly be used as a component in
several of the already listed methods/models.
Polar Diagrams
• A polar diagram can present the value of
several parameters. The advantage
compared for example to an ordinary risk
matrix is that several factors can be
observed at the same time. In Holland the
polar diagrams have been used in the
AMOEBA model. The purpose of this
model has been to describe and analyze
ecological systems. The aim is to compare
today's ecological system with a reference
system that is not influenced at all or only
on a very small scale. A number of plant
and animal species are chosen which are
then compared from a variety of aspects
(number, health, etc) in both systems.
When the values are presented, indicators
are created that can be compared to each
other.
• By letting the origin in the polar diagram
be the reference system, it is possible to
simply read off the difference between the
present system and the reference. The greater
the distance between the two systems, the
less vulnerable the present system is.
Polar diagrams can be used to assess and
present risks or organizational ability, as
well as to compare municipal authorities
with each other or with a specified target.
The Hierarchical Holographic Modeling
and the Infrastructure Risk Analysis
Model
• Hierarchical Holographic Modeling (HHM) is a mathematical model that was presented by
Haimes (1981). It aims to represent within a single model all aspects of a truly
large-scale system, including principles like wholeness and hierarchy. HHM emerged from
Hierarchical Overlapping Coordination, which was the result of a water resource systems
study also developed by Haimes in 1978. It is proposed that this model represents
large-scale systems in a holographic view, compared to the planar view of other
mathematical models, by analogy with photography.

• In 1995 Haimes published another paper on the use of HHM for risk identification in complex
systems. HHM has been applied elsewhere to software project development (Chittister and
Haimes 1993) and global sustainable development (Haimes 1992). More recent applications
of HHM to risk and vulnerability can be found in Ezell's works (Ezell 2000). The two papers
serve to introduce the probabilistic Infrastructure Risk Analysis Model (IRAM) developed for
a small community's water supply and treatment system in the United States. The paper
adopts a holistic approach to model a water infrastructure system's interconnectedness
and interdependencies.

• The IRAM consists of four phases. In phase I, one identifies the risks to the infrastructure by
decomposing the system. Borrowing from the HHM philosophy, the authors take a "system
perspective", decomposing the infrastructure with respect to:
– Components
– Hierarchical structure
– Function
– State
– Vulnerability

AvestaRisk Management (ARM)
and Balanced Scorecards
• From the industry checklists, AvestaRisk Management (ARM) and Balanced
Scorecards may serve as good examples when further developing an audit
method.
• The Department of Defense (DoD) (Defense Threat Reduction Agency (DTRA))
prepares and publishes annual performance plans for all mission areas using
a Balanced Scorecard approach.
• These Balanced Scorecards further define the objectives of the strategic plan
and measure progress using the DoD Risk Management Perspectives given in
the table.
Table: DoD's Risk Management Framework using Balanced Scorecard Approach
(table contents not recovered).

Switzerland regional vulnerability assessment based on the Swedish Municipal
Vulnerability Assessment (MVA) model
Switzerland regional vulnerability assessment output for cantons
MCDM and QVA (1)

• The methodology to derive an index as a basis for
decision making follows the Multiple Attribute Decision
Making (MADM) approach. QVA is an MCDM tool.

• Quantitative Vulnerability Analysis (QVA) is a method to
diagnose the current vulnerability of a complex system
featuring large numbers of indicators, both internal and
external, as well as to dynamically monitor the time
evolution of the vulnerability.

MCDM and QVA (2)

• In order to quantify the vulnerability of critical infrastructures,
QVA brings some new concepts, briefly described below.

i. Every multi-component system can be modeled with multiple
indicators and can be in one of two states: either operable or
inoperable.

ii. Parameters are divided into two subcategories: internal
and external indicators.

iii. A new Vulnerability Scale is introduced in order to create a
Vulnerability Index.

MCDM and QVA (3)
• To complete the model description, two assumptions were made.

• Assumption 1: An operational definition of vulnerability adopts the
emergent, consensual understanding of vulnerability as a system's
virtual openness to lose its design functions, and/or structural integrity,
and/or identity under the combined interplay of two sets of factors:

– U: Risk-featuring factors,
– V: Management response-featuring factors.

• All factors are supposed to be eventually quantifiable by appropriate
indicators.
– The U-factors are named fast variables or internal indicators and cover
features of the system.
– The V-factors are named slow variables or external indicators and cover
influences that affect the system's functions.

MCDM and QVA (4)

• Assumption 2: These factors or indicators may be aggregated using fuzzy sets
so that two indicators, the U factor and the V factor, may be obtained.

• In consideration of their nature, U and V are membership functions of the fuzzy
set theory approach to impact indicators (Christen et al., 1995).

• Assumption 3: Once U and V are determined, it is assumed that these make up
the aggregated control variables of a two-state, multicomponent system (see
next section). The behavior of such a system is a textbook matter in statistical
physics, where the archetype is known as the Ising Model, covering
macroscopic properties, stability issues and phase transitions in such systems
as e.g. ferromagnets, binary alloys, and other order–disorder
phenomena. Though no exact solution is available, the Bragg–Williams
approximation to the solution is adopted. According to this approach, the
membership fractions in the two-state system can be obtained under certain
assumptions on the probabilities of individual transitions between the two
states.

MCDM and QVA (5)
The interplay of the actual, ‘physical’, and potentially numerous system
indicators will result in variations of the aggregated parameters, U and V,
which in turn will drive the system ‘state’ in and out of a region of instability.
In a conventional sense, an operable system may thereby appear as:
– Stable, and thereby featuring a low vulnerability;
– Critically unstable/vulnerable; or
– Unstable, and thereby featuring a high vulnerability.

Beyond these, the system may only be found inoperable.

• Assumption 4: In consideration of the above, a ‘Vulnerability Scale’ (V scale
on 0–100) may be defined, based on the assessment of the system state
in the (U, V)-space.

• Since no analytic solution for the equation of the cusp line is readily available,
the distance D is actually evaluated up to the Bezier interpolation of a sufficient
number of (U, V) knots on the cusp.
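As an added example (not the QVA tool's own code, and not from the slides), the QVA steps of slides (2) to (5) can be carried through end to end: raw internal and external indicators are mapped to [0, 1] by ramp membership functions and aggregated by weighted mean into U and V; the cusp line is replaced, as the slide says, by Bezier interpolation of (U, V) knots; D is taken as the distance from the (U, V) state to the nearest knot and mapped to a 0–100 scale. The indicators, weights, the quadratic Bezier control points standing in for the cusp, the critical band, the saturation distance and the rule "V above the cusp is stable" are all assumptions made for this example; the slides give no numbers for them.

```python
import math

# Constructed indicators (assumptions for this example), as
# (name, raw value, ramp start, ramp end, weight).  A ramp membership
# function maps the raw value to [0, 1]; this is the fuzzy-set aggregation
# assumed here.  U: internal (fast) risk-featuring indicators, 1 = worst.
U_INDICATORS = [
    ("unpatched_control_hosts_pct", 35.0, 0.0, 100.0, 0.4),
    ("single_points_of_failure", 3.0, 0.0, 10.0, 0.3),
    ("asset_age_years", 28.0, 10.0, 40.0, 0.3),
]
# V: external (slow) management-response indicators, 1 = best response.
V_INDICATORS = [
    ("staff_trained_pct", 60.0, 0.0, 100.0, 0.5),
    ("backup_comms_tests_per_year", 2.0, 0.0, 4.0, 0.3),
    ("restoration_drills_per_year", 1.0, 0.0, 2.0, 0.2),
]

# Assumed control points of a quadratic Bezier curve standing in for the cusp
# line in (U, V)-space: V_crit(U) is the management response needed to keep a
# system with risk level U out of the unstable region.
CUSP_CONTROL = ((0.0, 0.1), (0.7, 0.15), (1.0, 0.9))
CRITICAL_BAND = 0.05   # assumed: D below this counts as critically unstable
D_MAX = 0.5            # assumed: distance at which the 0-100 scale saturates


def membership(x, lo, hi):
    """Ramp membership function: 0 at lo, 1 at hi, linear in between."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def aggregate(indicators):
    """Weighted mean of the indicator memberships: one aggregated factor."""
    total = sum(w for *_, w in indicators)
    return sum(membership(x, lo, hi) * w for _, x, lo, hi, w in indicators) / total


def bezier_knots(n=200):
    """Sample the quadratic Bezier cusp approximation into n+1 (U, V) knots."""
    (x0, y0), (x1, y1), (x2, y2) = CUSP_CONTROL
    knots = []
    for i in range(n + 1):
        t = i / n
        a, b, c = (1 - t) ** 2, 2 * (1 - t) * t, t ** 2
        knots.append((a * x0 + b * x1 + c * x2, a * y0 + b * y1 + c * y2))
    return knots


CUSP_KNOTS = bezier_knots()


def critical_v(u):
    """V on the cusp at abscissa u (U increases monotonically along the knots)."""
    for (xa, ya), (xb, yb) in zip(CUSP_KNOTS, CUSP_KNOTS[1:]):
        if xa <= u <= xb:
            return ya if xb == xa else ya + (yb - ya) * (u - xa) / (xb - xa)
    return CUSP_KNOTS[-1][1]


def distance_to_cusp(state):
    """D: Euclidean distance from the (U, V) state to the nearest cusp knot."""
    u, v = state
    return min(math.hypot(u - ku, v - kv) for ku, kv in CUSP_KNOTS)


def classify(state):
    """Stable / critically unstable / unstable, per the slide's three regions."""
    u, v = state
    if distance_to_cusp(state) < CRITICAL_BAND:
        return "critically unstable"
    return "stable" if v > critical_v(u) else "unstable"


def vulnerability_index(state):
    """V scale on 0-100: 50 on the cusp, towards 0 deep in the stable region,
    towards 100 deep in the unstable region (this mapping is an assumption)."""
    u, v = state
    d = min(distance_to_cusp(state), D_MAX) / D_MAX
    sign = -1.0 if v > critical_v(u) else 1.0
    return 50.0 + 50.0 * sign * d


def assess(u_ind=U_INDICATORS, v_ind=V_INDICATORS):
    """Full pipeline: indicators -> (U, V) -> class -> index."""
    state = (aggregate(u_ind), aggregate(v_ind))
    return state, classify(state), vulnerability_index(state)


if __name__ == "__main__":
    (u, v), label, idx = assess()
    print(f"U={u:.2f} V={v:.2f} -> {label}, vulnerability index {idx:.1f}")
```

Because D is measured to sampled knots rather than to the curve itself, the resolution of the scale is bounded by the knot spacing, which is why the number of knots has to be "sufficient" in the slide's words; re-running assess() with updated indicators gives the time evolution that slide (1) says QVA is meant to monitor.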

Quantitative Risk Analyses (QRA),
Probabilistic Risk Analysis (PRA)
• A QRA may be useful for quantifying the risks that exist in a
factory plant and which threaten people inside or outside the
plant. Risk to both the individual and society can be calculated.

• Inclusion of human factors in quantitative risk analysis is
done by use of human reliability analysis (HRA) techniques.
However, HRA methods experience some drawbacks, which
lead to uncertainties in human error probabilities. These
limitations lead to uncertainty in QRA results.

• In a PRA, one tries more thoroughly to investigate the factors
that cause the event and to concentrate more on analyzing
the event and fault tree analysis. QRA or PRA can be an
adequate method in order to assess parts of the vulnerability.

• It is generally used as a part of vulnerability assessment
studies.
Risk Profiles and Risk Maps

• A risk profile is a document that provides a summary of
relevant information on a specific food safety issue.
Each profile is intended to be a tool that allows risk
managers to make decisions about how to manage the
food safety issue. It is a widely used and increasingly
accepted tool for risk assessment.

• The New Zealand Ministry of Health is using this tool to
assess the risk arising from the food people eat.
Risk profiling is also becoming part of an internationally
accepted approach to risk assessment, under the
auspices of the Codex Alimentarius Commission.

Risk Profiles and Risk Maps
Database (1)
Risk profiles show the risk scenario in a simple way that is easy to
survey in diagram form, with the probability that a certain accident
(often measured as an economic consequence) will or will not
occur. The risk profile informs the overall process and provides
input into ranking the safety issue for risk management. It is
widely used in the United Nations Development Programme (UNDP),
Bureau for Crisis Prevention and Recovery (BCPR) - Disaster
Reduction Unit (DRU) global report "Reducing Disaster Risk: A
Challenge for Development", as shown in the Figure.

Figure: Risk Profile for earthquakes showing people killed by earthquakes
between the years 1980 and 2000.
Risk Profiles and Risk Maps
Database (2)
• Increasing awareness activities of organizations such as Civil
Defense have been undertaken, on risk management as a
multidisciplinary dimension of development that transcends the
aspects of preparedness and emergency response, and that needs
to involve social actors and institutions that go beyond the
first-response agencies. The risk maps developed are used as
orientation tools for making decisions.

Figure: Relative Vulnerability for Earthquakes, 1980–2000

GIS based Vulnerability/Risk
analysis with Modeling and
Simulation (1)
• GIS based vulnerability and risk assessments
are becoming much more popular and in demand.
Since the commercialization and popularization
of easy-to-use computer programs like Google
Earth® are increasing, GIS based modeling and
simulation techniques will be on the front lines.
Previously created simulations now integrate
much more real geographical data.
Especially in emergency situations, tools for
rapid production of response information are
paramount.
• For example, in a study conducted in Nigeria,
Miller and Onwuteaka created a model that
evaluates the potential risk of oil spills from
existing oil facilities (vulnerability is modeled
as a suitability surface) and refined
hydrocarbon shipping lanes. Vulnerability is
thought of as the interaction of the aggregate risk of
oil spills with an Environmental Sensitivity
Index (ESI) surface. It was an attempt at
characterizing the significance of the risk of oil
spill to the landscape. Vulnerability may be
expressed as the following formula:
Vulnerability = Risk Surface x ESI Sensitivity, so
that the Figure can be constructed.

GIS based Vulnerability/Risk
analysis with Modeling and
Simulation (2)

• One of the strengths with GIS is the potential to


combine information in different layers in different
ways, which makes it possible to easily and quickly look
at the vulnerability problem from different angles.
• To address need for simulation, the Critical
Infrastructure Protection Decision Support System
(CIPDSS) project, funded by the Department of
Homeland Security Science and Technology Directorate
(DHS S&T), has developed a decision support tool that
provides insights to help decision makers make risk-
informed decisions.

GIS based Vulnerability/Risk
analysis with Modeling and
Simulation (3)
• With the addition of a disease progression simulation, the CIPDSS
tool has the ability to provide a high-level, integrated analysis of a
pandemic influenza outbreak while representing the impact on
critical infrastructures. Fair et al. developed a simulation model
that shows the time-dependent evolution of a disease. This
model can be calibrated to prior data or to other higher-fidelity
models as appropriate (Fair et al. 2002).

• Games/simulations are a well-developed method used by
a wide number of organizations in order to test an organization's
ability. A central question is how the result of a game is to be
assessed. There is a need for some form of measure and
measurement tool. Measurements could be made up of
well-chosen indicators. The method is presumably most suitable for
testing an organization's ability as well as for comparing different
municipal abilities with each other (Nilsson et al. 2000).

Actor-Based Modeling and
Simulation
Theoretical Background and Capabilities

• Each physical, logical or functional entity in an infrastructure
is modeled by a smart software “actor” whose attributes
simulate the corresponding real-world behavior and
operational characteristics.
• The connections within or between infrastructures are
represented by connections between these relevant actors.
• Every single infrastructure or multiple infrastructures that
can be represented in terms of a dependency graph can be
modeled using this actor-based representation.
• Agents are computer programs (software agents) that
engage in dialogs; they negotiate and coordinate transfer of
information - this requires both sensing and acting, while
dialoging requires communication.
• The outstanding capability of this method is to model the
dynamic and complex behavior and interactions of multiple
different infrastructures from a holistic “system of systems”
perspective.
• Extreme and rare events for which an appropriate experience
is lacking can be simulated realistically. In addition agents
can also model the effects of decision and policy makers
upon infrastructure operations.
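The actor-based representation above, as an added example (not the slides' own code or any project's): each entity is a software actor that senses how many of its suppliers are still up and goes down when too few remain, so an outage propagates along the dependency graph one step at a time. The seven actors, their dependencies and the `needs` thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Actor:
    """One infrastructure entity modelled as a software actor (constructed example)."""
    name: str
    depends_on: List[str]          # suppliers whose service this actor consumes
    needs: int = 1                 # suppliers that must be up for this actor to operate
    up: bool = True
    failed_at: Optional[int] = None

    def sense(self, world: Dict[str, "Actor"]) -> int:
        """Sensing: count suppliers still delivering service."""
        return sum(world[s].up for s in self.depends_on)

    def should_fail(self, world: Dict[str, "Actor"]) -> bool:
        """Acting rule: an operating actor with too few live suppliers goes down."""
        return self.up and bool(self.depends_on) and self.sense(world) < self.needs


def build_world() -> Dict[str, Actor]:
    """Constructed dependency graph spanning power, gas, telecom, SCADA and water."""
    actors = [
        Actor("grid", []),                                  # root supplier
        Actor("gas_compressor", ["grid"]),
        Actor("gas_pipeline", ["gas_compressor"]),
        Actor("backup_power", ["gas_pipeline"]),            # gas-fired backup generation
        Actor("telecom", ["grid", "backup_power"]),         # either source suffices (needs=1)
        Actor("scada", ["telecom"]),
        Actor("water", ["grid", "scada"], needs=2),         # needs both power and control
    ]
    return {a.name: a for a in actors}


def simulate(world: Dict[str, Actor], initial_failures: List[str],
             max_steps: int = 20) -> Dict[str, int]:
    """Fail the given actors at t=0, then propagate outages in synchronous steps.
    Every actor senses the state at the start of a step before any of them acts;
    the result maps each failed actor to the step at which the cascade reached it."""
    for name in initial_failures:
        world[name].up, world[name].failed_at = False, 0
    for t in range(1, max_steps + 1):
        doomed = [a for a in world.values() if a.should_fail(world)]
        if not doomed:
            break                                           # cascade has stopped
        for a in doomed:
            a.up, a.failed_at = False, t
    return {n: a.failed_at for n, a in world.items() if not a.up}


if __name__ == "__main__":
    for name, t in sorted(simulate(build_world(), ["grid"]).items(), key=lambda x: x[1]):
        print(f"t={t}: {name} down")
```

A decision-maker agent would act on the same world by changing an actor's `depends_on` or `needs` (for instance adding a backup supplier) before the cascade is replayed.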

Dynamic Simulations
• The generation, distribution and consumption
of infrastructure commodities and services are
modeled as flows and accumulations.
• The dynamic simulation integrates
infrastructure interdependencies as flows of
commodities among multiple infrastructures.
Effects of policies, regulations, and laws upon
infrastructure operations can be studied.

Physics-Based Models
• Infrastructure systems are described with
standard engineering techniques and
associated models. For example, power flow
and stability analyses can be performed on
electric power grids, and hydraulic analyses
can be used with pipeline systems.
• These models provide highly detailed
information, down to the component level, on
the operational state of the infrastructure.

Leontief Input-Output
Models
• The Leontief input-output model is a framework for
studying the equilibrium behavior of an economy and
provides a forecast of effects on one economic segment
due to changes in another.
• This model can be applied to infrastructure studies,
whereby infrastructure components are subject to
independent risks of failure.
• Infrastructure interdependencies are captured through
Leontief’s production coefficients, which represent the
probability of an interconnected component propagating
inoperability to another component.
• The risk of inoperability in interconnected infrastructures,
as a result of one or more failures subject to risk
management resource constraints, can be assessed and
an understanding of failure propagation among
interdependent infrastructures can be further examined.
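The inoperability calculation described above, as an added example not taken from the slides: the equation q = A q + c, with A holding the propagation coefficients and c the inoperability imposed directly by the initiating failure, is solved by repeated substitution, and a hardening option shows how a resource decision changes the equilibrium. This is the inoperability input-output formulation that Haimes and Jiang derived from Leontief's model; the three-sector coefficients and output figures are constructed.

```python
from typing import List, Tuple

# Constructed interdependency matrix for three infrastructures (power, telecom, water).
# A[i][j] is the fraction of sector j's inoperability that is passed on to sector i,
# i.e. the "production coefficient" read as a propagation probability.
SECTORS = ["power", "telecom", "water"]
A = [
    [0.0, 0.1, 0.0],   # power needs a little telecom (control and market signals)
    [0.6, 0.0, 0.0],   # telecom relies heavily on grid power
    [0.3, 0.5, 0.0],   # water pumping needs power and SCADA communications
]
# Nominal daily output per sector in money units (constructed), used for loss figures.
OUTPUT = [1000.0, 400.0, 250.0]


def inoperability(A: List[List[float]], c: List[float],
                  tol: float = 1e-12, max_rounds: int = 10_000) -> Tuple[List[float], int]:
    """Solve q = A q + c by repeated substitution and return (q, rounds).
    q_i is the fraction of sector i that is inoperable at equilibrium; each round adds
    one more hop of propagation. The iteration converges whenever the spectral radius
    of A is below 1, which holds for the coefficients above."""
    n = len(c)
    q = list(c)
    for rounds in range(1, max_rounds + 1):
        new_q = [c[i] + sum(A[i][j] * q[j] for j in range(n)) for i in range(n)]
        delta = max(abs(new_q[i] - q[i]) for i in range(n))
        q = new_q
        if delta < tol:
            return q, rounds
    raise RuntimeError("no convergence: check that the spectral radius of A is < 1")


def economic_loss(q: List[float], output: List[float]) -> float:
    """Total loss = sum over sectors of inoperability times nominal output."""
    return sum(qi * xi for qi, xi in zip(q, output))


def harden(A: List[List[float]], i: int, j: int, factor: float) -> List[List[float]]:
    """Copy of A with the j->i coupling scaled down, e.g. after adding backup supply."""
    B = [row[:] for row in A]
    B[i][j] *= factor
    return B


if __name__ == "__main__":
    c = [0.4, 0.0, 0.0]                       # 40% of power capacity lost directly
    q, rounds = inoperability(A, c)
    print("equilibrium inoperability:", dict(zip(SECTORS, [round(x, 4) for x in q])))
    print("loss without hardening:", round(economic_loss(q, OUTPUT), 2))
    q2, _ = inoperability(harden(A, 1, 0, 0.5), c)   # telecom backup power halves coupling
    print("loss with telecom backup power:", round(economic_loss(q2, OUTPUT), 2))
```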

Network Topology
Design Models
• In the field of communication network engineering a large number of
theoretical models and techniques have been developed aiming at the
design of robust network topologies.
• For the quantification of network vulnerability and survivability there are
three main approaches: the statistical, the deterministic approach and a
combination of both techniques.
• The statistical approach comprises reliability calculations aiming at the
assessment of quantities as mean time between failures (MTBF) or mean
time to repair (MTTR).
• Deterministic approaches are for instance graph theoretic calculations
offering various measures of network vulnerabilities, which can be found in
an extensive field of literature.
• Some commonly used measures are the cardinality of cutsets (i.e. the
minimum number of links or nodes whose removal disconnects a part of
the network), the minimum number of link disjoint and/or node-disjoint
paths from one node to another, the size and/or number of disconnected
fragments due to link cuts and the minimum connectedness of a network.
• The mentioned techniques primarily assess the vulnerability of network
topologies to random or accidental failures.
• For the quantification of vulnerabilities to malicious and calculated attacks,
new graph-based methodologies are being developed.
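The deterministic graph measures listed above, as an added example on a constructed topology (not code from the slides): the number of disconnected fragments left after a set of node and link removals, and the cardinality of the minimum node or link cutset between two nodes, which for nodes also counts the node-disjoint paths by Menger's theorem.

```python
from collections import deque
from itertools import combinations

# Constructed topology: a six-node ring (0-1-2-3-4-5-0) plus a hub, node 6, linked to 0, 2 and 4.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (6, 0), (6, 2), (6, 4)]

def adjacency(edges, removed_nodes=frozenset(), removed_links=frozenset()):
    """Adjacency lists after deleting the given nodes and (undirected) links."""
    adj = {}
    for u, v in edges:
        if u in removed_nodes or v in removed_nodes or frozenset((u, v)) in removed_links:
            continue
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def fragments(edges, removed_nodes=frozenset(), removed_links=frozenset()):
    """Connected components of the surviving network (the 'disconnected fragments' measure)."""
    adj = adjacency(edges, removed_nodes, removed_links)
    nodes = {n for e in edges for n in e} - set(removed_nodes)
    seen, comps = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        while queue:                                  # breadth-first search
            u = queue.popleft()
            for v in adj.get(u, ()):
                if v not in comp:
                    comp.add(v)
                    queue.append(v)
        seen |= comp
        comps.append(comp)
    return comps

def connected(edges, s, t, removed_nodes=frozenset(), removed_links=frozenset()):
    """True when s and t lie in the same surviving fragment."""
    return any(s in c and t in c for c in fragments(edges, removed_nodes, removed_links))

def min_cut(edges, s, t, kind="node"):
    """Smallest set of nodes (excluding s, t) or links whose removal separates s from t.
    Exhaustive search, so small graphs only; for kind="node" the size equals the number
    of node-disjoint s-t paths (Menger). Returns None if no such cut exists."""
    if kind == "node":
        items = sorted({n for e in edges for n in e} - {s, t})
    else:
        items = [frozenset(e) for e in edges]
    for k in range(len(items) + 1):
        for cut in combinations(items, k):
            kw = {"removed_nodes": set(cut)} if kind == "node" else {"removed_links": set(cut)}
            if not connected(edges, s, t, **kw):
                return set(cut)
    return None
```

With the hub present the ring survives two simultaneous link cuts as one fragment; remove the hub as well and the same cuts split it in two, which is the kind of comparison these measures are meant to support.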

Hybrid Approaches
• The different model and simulation approaches
with their different pros and cons as
simplifications, assumptions and data
requirements could be merged into a hybrid
approach depending on the specific requirements.
• However, simulation tools integrating multiple
models are only beginning to be developed and
will take time to mature.
• Other models are dedicated to Quantitative
Vulnerability Assessment (QVA) for critical
infrastructures, and mainly integrate continuous
and discrete indicators, together with behavioral-type
indicators, into a hybrid approach.

Outlook for Novel Systemic
Approaches (1)
• System of Systems: A new science known
as System of Systems, dealing with
interdependencies among critical
infrastructures, is emerging, and it will have
consequences for how we approach,
model and decide on security, risk and
vulnerability of individual critical
infrastructure technologies or a combination
of any of them, e.g. ICS and electricity
generation, transmission and distribution.

Outlook for Novel Systemic
Approaches (2)
• Multidimensional Indicators: There is a need for a
contemporary vision of using multidimensional
indicators for modeling and monitoring the dynamic
behavior of critical infrastructures.
• Epidemic Models: Evolution of digitalization in time
and space, (with respect to all other vital systems) is
today comparable with the evolution and life of living
systems. Thus epidemic models from biological
systems might have methodological impact and
could be of practical use for the ongoing modeling
efforts of the evolution of ICS and their interactions
with other vital systems for achieving "safe" living
behavior.

Outlook for Novel Systemic
Approaches (3)
• Metric for Digitalization: There is a
need to address the process to build
up a metric for digitalization.
Indicators to understand the risk and
vulnerability of critical infrastructures
in view of digitalization capabilities
must be part of the process of
building up such a metric.

• Chaos Models: Recent attempts to
understand the complex interface
behavior between critical
infrastructures lead to the use of,
inter alia, chaos theory and
strange attractors, and to the need for
the treatment of entities such as
critical infrastructures as “production
systems”, providing services and
exchanging values and information.

Outlook for Novel Systemic
Approaches (4)
• Dynamic Modeling: Infrastructure dynamics span a
vast temporal range. Relevant timescales of interest
vary from milliseconds (e.g., power system operation)
to hours (e.g., gas, water, and transportation system
operations) to years (e.g., infrastructure upgrades and
new capacity). Timescales have substantial
implications for models and simulations, given that
certain time-related infrastructure characteristics and
interdependencies might not be relevant for a specific
analysis.
• Measuring Connectivity: Considering connectivity
as an important concept in critical infrastructure
interactions, there are two possible interpretations of
the meaning of the internal connectivity of a system:
benign and cautious. In the benign interpretation, the more
extensive and multifunctional the exchanges
between a system’s constituents, the better: the
system is “functional”, “active”. In the cautious
interpretation, an inherent defect (e.g. a short circuit in the
control room of a nuclear power plant), initiated at one
specific node in the system, has higher chances to propagate
throughout the system, thus having the potential to impair
larger system segments.
• Resilience and Robustness: Robustness and resilience
concepts are recently introduced and formalized in order to
address issues of system vulnerability in case of complexity,
stability and structural changes or other relevant socio-
engineering indicators which one could attach to the concepts
of risks, vulnerability, and their quantitative assessment.

Issues in Review

Relationship Between Risk
and Vulnerability (1)
• In the book “At Risk” [Wisner, 2004], a pressure and release (PAR) model is introduced to show the
relationship between risk and vulnerability. The basis for the PAR idea is that a disaster is the intersection of two
opposing forces: those processes generating vulnerability on one side, and the hazard event on the other. The
image resembles a nutcracker, with increasing pressure on systems arising from either side ― from their
vulnerability and from the impact (and severity) of the hazards for those systems. A modified version of the original
PAR model can be seen in the figure.

Pressure and Release (PAR) model: the progression of vulnerability
Relationship Between Risk
and Vulnerability (2)
• But the PAR model does not provide a detailed and dynamically
informed analysis of the relationship between risk and
vulnerability. A new framework has been proposed to
depict this. The name of this framework is the HVSR model (hazards
to a vulnerable system result in risks).

HVSR model showing the relationship between risk and vulnerability
Differences Between Risk
and Vulnerability (1)
• Difference in analysis object:
Risk assessment, as an impact assessment, selects a particular stress (or threat, hazard) of concern and
seeks to identify its important consequences for a variety of system properties. Vulnerability analysis and
assessment, in contrast, select a particular system or component of concern, and seek to examine why
specific adverse outcomes come to that system (component) in the face of a variety of stressors (or threats,
hazards) and to identify a range of factors that may affect response capacity and adaptation to stressors (or
threats, hazards). Obviously, risk focuses on hazard analysis, but the main analysis object of vulnerability
is the system per se. Vulnerability describes inherent characteristics of a system that create the potential for
harm but are independent of the risk of occurrence of any particular hazard.

Figure: Risk assessment objective vs. vulnerability assessment objective


Differences Between Risk
and Vulnerability (2)
• Difference in analysis scope:
Traditional risk analysis for man-made systems is mainly limited to accidental events
taking place within the physical boundaries of the system, and the threats are often limited
to technological hazards within these boundaries. In some risk analyses, the environmental
threats are partly covered. In a vulnerability analysis we work with open system models,
where risk factors, both inside and outside the physical boundaries of the system, are
taken into account. The actions to mitigate, restore and restart the activities after an
accident are normally not part of a risk analysis. A vulnerability analysis focuses on the
whole disruption period until a new stable situation is obtained. All activities to restore and
restart are therefore included in the analysis. In contrast to risk analysis, a major part of
the accidental events that are relevant for a vulnerability analysis will be caused by
external threats and by deliberate actions. A detailed causal analysis of these events will
in many cases not be worthwhile, since we often will not be able to influence these
threats, such as cyber attack. The only defense will often be to install barriers and make
the system more robust against the threats.

• Difference in emphasis:
The focal point of vulnerability analysis is the survivability of the system. The goal of risk
analysis is to investigate and understand all concerned risks and provide information for
decision-making about resource allocation. In fact, if the system can survive the hazards there
is not much risk any more. Proper resource allocation can reduce system vulnerability;
correspondingly, reducing system vulnerability can reduce system risk.

Questions & Answers

Q&A
• Question 1: What is the current state of the
schools of thought on critical infrastructures?

– Answer: The most prominent activities are taking place in
the United States of America, particularly within the National
Laboratories (e.g. Sandia, Argonne, Los Alamos, Oak Ridge).
In Europe activities have been recently initiated by the EC under
the coverage of FP 6 and they will be augmented in
FP 7. In Japan such work is under the heading of socio-
technical systems; intensive research activities are
sponsored by the Ministry of Education and Science and
implemented within the University of Tokyo and the University
of Kyoto. In Australia and New Zealand local governments
assisted by consulting companies and universities have initiated
case studies on risk and vulnerability on a regional scale.

Q&A
• Question 2: Should markets alone shape
the security profile for critical infrastructures?

– Answer: Markets can play a role in assuring
security of vital systems in various ways and by
using specific market mechanisms. They have to
be fully harmonized with the technical and system
characteristics of the critical infrastructures under
consideration.

Q&A
• Question 3: Are there control mechanisms to
guarantee higher security for critical
infrastructures?

– Answer: By adopting an open system-of-systems
design platform one could create the framework for
addressing the problems of complexity,
interdependency and economics of socio-technical
systems. The cybernetic approach and way of
thinking could play a significant role in re-engineering
existing critical infrastructures and designing new
generations of technologies. Digitalized systems
are instrumental in assisting feedback mechanisms
and controlling efficient operation and management.

Q&A
• Question 4: Is the public sufficiently aware of the
potential negative problems induced by the ubiquity
of digitalized systems?

– Answer: The public is getting more and more involved in taking
benefit from a large variety of digital technologies. Debates
related to risk and vulnerability of the associated supporting critical
infrastructures are being initiated in the U.S., Europe, Japan and in
Australia and New Zealand. The current opinion among
scientists is divided in respect to digitalization-induced risks on
critical infrastructures. On the other side, managers of single-
type critical infrastructures hope that taking a classical
engineering approach to safety and security will avoid accidents
and blackouts. Trends indicate that new public-private
partnerships should be put in place in order to achieve a high level
of security culture and an understanding beyond words of the
complexity of critical infrastructures.

Q&A
• Question 5: What is the overall aim of risk
governance strategies in relation to critical
infrastructures?

– Answer: Although the general rules of risk governance are
being discussed and established at the international
level (e.g. EC White Paper on Governance), and IRGC has
an active role through its TAXGOV project, special work
should be carried out to translate general principles into risk
and vulnerability management of single-type or
interdependent critical infrastructures. Because, in
practical terms, there is no owner of critical infrastructure
interfaces, new principles of managing interdependencies
should be introduced to avoid cascading accidents.

Q&A
• Question 6: How does the current trend of
increasing size and complexity of critical
infrastructure influence the overall concept of
security?

– Answer: The emerging complex and non-linear
behavior of interdependent critical infrastructures
is forcing us to redefine the concept of security in
relation to operational principles such as safety,
reliability and economics.
