You are on page 1of 3

Reliability Engineering and System Safety 96 (2011) 671–678

Contents lists available at ScienceDirect

Reliability Engineering and System Safety

journal homepage:

A method for risk modeling of interdependencies in critical infrastructures

I.B. Utne a,n, P. Hokstad b, J. Vatn c
Department of Marine Technology, Norwegian University of Science and Technology (NTNU), Trondheim, Norway
SINTEF Technology and Society, Safety Research, Trondheim, Norway
Department of Production and Quality Engineering, Norwegian University of Science and Technology (NTNU), Trondheim, Norway

article info abstract

Available online 29 December 2010 Failures in critical infrastructures may be hazardous to population, economy, and national security.
Keywords: There can be strong interdependencies between various infrastructures, but these interdependencies
Critical infrastructures are seldom accounted for in current risk and vulnerability analyses. To reduce probability and mitigate
Risk analysis consequences of infrastructure failures, these interdependencies have to be assessed. The objective of
Interdependencies this paper is to present a method for assessing interdependencies of critical infrastructures, as part of a
Safety cross-sector risk and vulnerability analysis. The method is based on a relatively simple approach
applicable for practitioners, but may be extended for more detailed analyses by specialists. Examples
from a case study with the Emergency Preparedness Group of the city of Oslo, Norway, are included.
& 2010 Elsevier Ltd. All rights reserved.

1. Introduction The objective of this paper is to present a method for modeling

and assessing interdependencies between critical infrastructures, as
Critical infrastructures are technological networks, such as part of an overall cross-sector extended RVA developed in the
energy supply, transport services, water supply, oil and gas DECRIS project [8]. The paper builds on a simplified approach that
supply, banking and finance, and ICT (information and commu- was presented in Ref. [9], but explains and discusses the method
nication technology) systems [1,2]. These systems are important more thoroughly, and introduces more advanced calculations of risk.
to maintain essential functions of society, and infrastructure The method is illustrated by examples from a case study of the city
failures can cause serious harm to population, economy, and of Oslo, Norway. The case study was carried out in cooperation with
national security. Critical infrastructures interact at different the Emergency Preparedness Group (EPG) in Oslo. The EPG is an
levels, and failure in one infrastructure may impact the function- organization working with safety and cooperation between the
ality of other infrastructures [3]. The significant societal impor- critical infrastructure owners of water supply, electricity supply,
tance of these infrastructures and their entanglements means that ICT, hospital, harbor, transportation, and fire and rescue services in
sufficient safety and security measures should be identified to the municipality. Previous RVA-analyses of Oslo [10,11] were used
reduce the risks of failure [4,5]. as a basis for the case study. The results are now being used as input
In the early 1990s, a simple approach to quantitative risk analysis to the work on societal risk carried out by the EPG of Oslo, and as
was developed in Norway, called Risk and Vulnerability Analysis basis in the planning of future research projects.
(RVA; in Norwegian, ROS—‘‘Risiko- og Sa˚ rbarhetsanalyse’’), [6], The structure of the paper is as follows. Section 2 gives a short
which is rather similar to Preliminary Hazard Analysis (PHA) [7]. overview of terms, characteristics, and some approaches to
Risk analysis methods, like Probabilistic Safety Analysis (PSA) and interdependency analysis suggested in the literature. The purpose
Quantitative Risk Analysis (QRA), comprise detailed probabilistic and is to clarify some important issues related to the proposed
physical models. Such models require more knowledge and resources approach in the present paper, but not to give the reader a total
than normally available in small/medium enterprises and the public overview of all existing methods. Section 3 describes the sug-
sector, and the RVA has become a frequently applied approach. gested approach to analyzing interdependencies as part of an
During the last two decades, the RVA has been applied for various overall risk analysis of critical infrastructures. Section 4 presents
critical infrastructures separately, but not as a unified approach the discussions and conclusions.
across sectors, including interdependencies between the various
2. Types of interdependency analyses

Corresponding author. There are different ways of defining and characterizing inter-
E-mail address: (I.B. Utne). dependencies. Sometimes it may be useful to distinguish between

0951-8320/$ - see front matter & 2010 Elsevier Ltd. All rights reserved.
672 I.B. Utne et al. / Reliability Engineering and System Safety 96 (2011) 671–678

dependencies and interdependencies. Setola et al. [3] use direct a risk screening is carried out to identify the hazardous events
dependencies, which are relatively easy to identify, model, and for which more detailed analyses are carried out.
analyze, and interdependencies, which are mutual dependencies ● Phase 2—detailed analysis of selected hazardous events, e.g. to
that may be dangerous, but hard to understand. Rinaldi et al. [1] analyze interdependencies.
define interdependencies between infrastructures as a bidirec-
tional relationship and dependencies as unidirectional. Bidirec- The focus of this paper is on phase 2. Based on the results from
tional relationships means that the state of one infrastructure phase 1, some hazardous events should be selected for inter-
affects or is correlated according to the state of another infra- dependency analysis. This could be based on decision criteria,
structure. Unless referring to the work of other authors, the term such as high risk, serious consequences, or suspected strong
interdependency is used in this paper, meaning that the depen- interdependencies.
dency can be either unidirectional or bidirectional (so it is not In the case study (involving electricity supply, water supply,
necessary to specify the ‘‘causal direction’’ of the dependency). transport, and ICT) the following four events were selected as a
In other words, dependencies may exist between infrastructures, result of the risk screening in phase 1 (the selection process is
within an infrastructure itself, and may include ‘‘loops’’, for described in Ref. [21]):
example, in terms of one infrastructure causing degradation of
another one, which again causes additional degradation in the 1. loss of electricity supply (main transformer stations/regional
first one. grid);
Johansson and Jö nsson [12] propose to distinguish between 2. loss of main water supply from Maridalsvannet;
direct (first order) or indirect (second order; inter) dependencies. 3. fire/explosion at Sjursøya (major petroleum transportation
If, for example infrastructure i depends on infrastructure j, and terminal); and
infrastructure j depends on infrastructure k, there is a second 4. culvert/joint conduit event
order (indirect) dependency between i and k. Obviously, indirect
dependencies may be more difficult to spot than direct. Zimmer- Event 4, involving short-circuiting in a culvert with electricity
man [13,14] distinguishes between spatial and functional inter- and ICT cables, was used to illustrate the method for modeling
connectedness and dependency. Spatial interconnectedness refers interdependencies and analysis of risks. (For analysis of event 1,
to proximity between infrastructures as the most important see Ref. [22].)
relationship between the systems. Functional interconnectedness The method for analyzing interdependencies includes the
refers to a situation in which an infrastructure is necessary for following steps:
operation of another infrastructure, for example, the pumps in a
water treatment system needing electricity in order to function. 1. Describe the initiating event.
There are also situations with both types of interconnectedness. 2. Identify interdependencies. Perform qualitative analysis.
The types of interdependencies addressed in this paper resemble 3. Perform a semi-quantitative assessment of the risk of the
Zimmerman’s spatial and functional categories. scenario.
In addition to the different definitions of terms and character- 4. Perform a detailed quantitative analysis of interdependencies
istics, several attempts have been made to model infrastructure (optional)
interdependencies. According to Johansson and Jö nsson [12],
5. Evaluate risk and measures to reduce interdependencies.
there are in general two types of approaches for dependency
6. Cost/benefit analysis (optional).
modeling/analysis—the empirical approaches and the predictive
approaches. In empirical approaches, previous events may be
The remaining part of this section is structured according to
studied in order to increase the understanding of infrastructure
these steps.
interdependencies. Often, the purpose is to find patterns that may
be interesting with respect to political decisions. It can, for
3.1. Step 1—describe initiating event
example, be patterns related to the consequences for the society,
or how often failures propagate between the various infrastruc-
tures. Examples of empirical approaches are Refs. [2,15–17]. To be able to identify and analyze the interdependencies, the
The predictive approaches model or simulate the behavior of a selected event(s) have to be described in detail. This means that
group of coupled infrastructures, for example, to assess how physical location, environmental conditions and constraints, spa-
disturbances cascade through the systems. Examples of predictive tial and temporal scales, technical and organizational systems,
approaches are Refs. [12,18–20]. The proposed approach in this operating factors, and physical objects affected immediately
paper belongs to the group of empirical approaches. The main should be described.
focus is on the consequences of cascading failures in critical The next task is to elaborate on the societal critical functions
infrastructures (not on the causes), and calculations of risks. Both (SCF). This is related to the involved physical objects, organiza-
the predictive and empirical methods may be valuable as input to tions, and social structures, including their state before, during,
RVA, but few are explicitly integrated in practice. and after the initiating event. The term societal critical function is
used in this paper to represent the function(s) of the critical
infrastructures. One critical infrastructure may have one or more
SCFs. Possible causes to the initiating event have to be included, in
3. Method for modeling and analysis of infrastructure order to determine how the consequences depend on the causes.
interdependencies In the case study, the culvert event was specified as follows:

An extended cross-sector RVA for critical infrastructure [9,21] ● ‘‘Loss or damage to electricity supply and/or ICT systems close
consists of the following two phases: to a culvert at Oslo Central Station (railway station), with
cascading failures to other SCFs’’.
● Phase 1—a standard RVA, identifying and analyzing hazardous
events. This is rather similar to a preliminary hazard analysis The basis for the initiating event description was a real event
(PHA) [7], and risk is usually assessed using risk matrices. Also that occurred at Oslo Central Station in November 2007, when an
Thank you for using service!

Only two pages are converted. Please Sign Up to convert all pages.