Risk and Vulnerability Management of Complex Interdependent Systems

(ENMA 771/871)

Module 1: Complex Interdependent Systems
Dr. Adrian V. Gheorghe
Department of Engineering Management & Systems Engineering
©2009 A. Gheorghe All Rights Reserved

Dealing with Complex and Interdependent Systems


Critical Infrastructures
Infranomics – A New Dimension of Complex and Interdependent Vital Systems

Module 1 Objectives
1. Introduce and formulate contemporary systems of high interdependency addressing vital societal needs; featuring risks, vulnerability/resiliency, sustainability and governance.
2. Discuss the advent of critical infrastructure systems; the need for a coherent approach to their complexity and inter-dependencies in relationship to systems analysis and systems engineering.
3. What is infranomics; understand the rules of infranomics interactions, dependability, complexity and their implications for complex critical infrastructure systems and their problem solving.

"Good teachers never teach anything. What they do is create the conditions under which learning takes place." S. I. Hayakawa



Complex Interdependent Systems
Critical Infrastructures – a categorization
• Energy
• Transport
• ICT
• Banking
• Health
• Defense Industry
• See later some concrete examples
– There are differences between the USA, Australia and the European Union critical infrastructures taxonomy, but not dramatic ones.

Critical Infrastructures
• A network of large-scale human-made systems* that function synergistically to produce a continuous flow of essential services.
• Highly complex, inter-dependent, both physically and through a host of industrial ICT ("system of systems").
• Subject to multiple threats (technical-human, natural, physical, cyber, contextual, unintended or malicious) and pose risks themselves.
• Designed to satisfy specific social needs but shape social change at a much broader and more complex level.
• No single owner / operator / regulator; based on different goals / logics; subject to rapid changes.
• Disruptions may cascade (recall "blackouts"); even "normal" service interruptions cost industrialized countries a few percent of GDP.
* A system is a group of independent but interrelated elements comprising a unified whole; it reacts in a different way than the sum of its parts.

USA Critical Infrastructures
Agriculture and Food: 1.9M farms; 87,000 food processing plants
Water: 1,800 federal reservoirs; 1,600 treatment plants
Public Health: 5,800 registered hospitals
Chemical Industry: 66,000 chemical plants
Telecomm: 2B miles of cable
Energy: 2,800 power plants; 300K production sites
Transportation: 120,000 miles of railroad; 590,000 highway bridges; 2M miles of pipeline; 300 ports
Banking and Finance: 26,600 FDIC institutions
Postal and Shipping: 137M delivery sites
Key Assets: 5,800 historic buildings; 104 nuclear power plants; 80K dams; 3,000 government facilities; 460 skyscrapers

Gheorghe All Rights Reserved . vision. art.Critical Infrastructures Complex Dynamic Evolutive Living Systems Information as a Common Denominator Information/Knowledge Digitalization Electricity Critical Infrastructures made by People. „ideology“ ©2009 A. They do carry beliefs. values.

A Real Story: The Advent of Cyberthreats for Complex Infrastructures

Australia 2001


Recent Major Blackouts
(columns: blackout; loss of load [GW]; duration [h]; people affected; main causes)
• Aug. 14, 2003 – Great Lakes, NYC: ~60 GW; ~16 h; 50 mio; inadequate right-of-way maintenance, EMS failure, poor coordination among neighboring TSOs
• Aug. 28, 2003 – London: 0.72 GW; 1 h; 500,000; incorrect line protection device setting
• Sept. 23, 2003 – Denmark / Sweden: 6.4 GW; ~7 h; 4.2 mio; two independent component failures (not covered by the N-1 rule)
• Sept. 28, 2003 – Italy: ~30 GW; up to 18 h; 56 mio; high load flow CH-IT, line flashovers, poor coordination among neighboring TSOs
• July 12, 2004 – Athens: ~9 GW; ~3 h; 5 mio; voltage collapse
• May 25, 2005 – Moscow: 2.5 GW; ~4 h; 4 mio; transformer fire, high demand leading to overload conditions
• June 22, 2005 – Switzerland (railway supply): 0.2 GW; ~3 h; 200,000 passengers; non-fulfillment of the N-1 rule, wrong documentation of line protection settings, inadequate alarm processing
• Aug. 14, 2006 – Tokyo: ? GW; ~5 h; 0.8 mio households; damage of a main line due to construction work
• Nov. 4, 2006 – Western Europe (UCTE): ~14 GW; ~2 h; 15 mio households; high load flow DE-NL, violation of the N-1 rule, poor inter-TSO coordination

Interdependent and Complex Systems


Interdependencies

Critical Infrastructures: Understanding Complexity and Interdependencies
(Diagram: the power infrastructure – generation, transmission, distribution, supplier, market; "power + information" – with its business services, technical services, electro-mechanical parts/systems and RCS/ICS; the information infrastructure – energy ICS, telecoms, ISPs; the actors – users, operators/brokers, industry, energy, government, citizens; and the interdependency elements – threats, vulnerabilities, data, other infrastructures.)

"Addiction to Changes" – Trends and Driving Forces
(Diagram of the physical subsystem – generation, generators, transmission network, interconnector, distribution networks, load – and the economic subsystem – producers, power exchange, bilateral market, balancing market, congestion management, system operator / TSO, transmission network managers, distribution network managers, distribution companies, integrated utility company, retail companies, large consumers, small consumers, consumers.)
• The liberalization of the USA and European electricity sectors, respectively
• The internationalization (i.e. interconnection among national grids) of the electricity system
• Evolutionary unsuitability, i.e. that the electricity transmission networks increasingly are being used in ways for which they were not designed initially
• The wide scale application of information and communication technologies in electricity systems, from the level of individual switches up to the operational control of entire electricity networks
• Smart Grids and sustainable energy technologies, e.g. solar, wind
• Earth 3.0 (see later on this concept)

Threats to the Electric Power System (diagram, dated 02.12.2004, v29)
Internal threats: technology-related – component level (failures, ...), system level (topology, structure, ...); human-related – unintended (errors, ...), intended (sabotage, ...), by insiders or outsiders; affecting operation activities and management activities at the strategic, tactical and operational levels (component level and system level).
External threats: environmental – natural hazards (earthquakes, storms, ...), unavailability of resources (wind, sun, water, ...); cyber – unintended, intended (cyber attack), on isolated systems vs. "open accessible" systems; physical; market-related – macro-economic, micro-economic; political, legal and institutional.

Advent of New Threats: Pandemic as Triggering Event on Vulnerability of Critical Infrastructures
(Diagram: a pandemic disaster event acts on the vulnerability of the health system, transportation, communication, energy, banks and public security; the power infrastructure – generation, transmission, distribution, supplier, market, "power + information", business services, technical services, electro-mechanical parts/systems, RCS/ICS – and nuclear power plants, hydro power plants, refineries & petrochemical plants are shown with their users, operators/brokers, industry, energy, government and citizens.)

Interdependencies – A Homeland Security Issue
(Diagram of 1st-, 2nd- and 3rd-order effects)
Trigger: cyber threat → NPP scram operation → power system disruption in electricity distribution (distribution system, power grid) → total or partial black-out.
Higher-order effects: rail system → incapacity of goods delivery; refinery / oil delivery → interruption of oil processing; hospitals → potential deaths → insurance liability, liabilities, LOF; distribution system → incapacity to communicate in time → aviation control → partial lack of air control → potential air collision; power grid → irrigation, water supply → agriculture → crop losses.

Why and how to protect interdependent systems?
• Services, such as electricity, mobility, communication, are common goods. American and European societies cannot afford major disruptions of supply, lack of mobility, etc.
• Traditional approaches to protection, e.g. electricity:
– Separation of physical systems (power plant, grid) from ICT (industrial control, business); dedicated systems / "island solutions" for sensitive parts; off-line operational grid management
– Physical protection of most sensitive parts (e.g. NPP); redundancies / reserves to ensure high reliability; security risk contained – (N – x) security criterion; one-day-in-advance planning; interconnection of grids mainly to allow for mutual assistance
• Increased risk today, therefore new strategies and measures are needed, such as smart grids and resilient infrastructures

New threats to interdependent systems
Inter alia malicious attacks, both physical and cyber, due to hardware and software interactions:
– Terrorists and hackers are sophisticated in the use of ICTs; infrastructures are known targets & capabilities, e.g. the existence of open source instrumentation and software facilitating such situations.
– While attack sophistication goes up, intruder knowledge goes down.

Cyber Examples
 In 1982, CIA exploited software transferred to the Soviet Union that operated pumps, turbines, & valves of a pipeline, causing software to malfunction and reset pump speeds and valve settings. Result was the largest non-nuclear explosion and fire ever seen from space, 3 kilotons TNT equivalent – Hiroshima was 14-20 kilotons TNT.
 In 2000, a disgruntled rejected employee used a radio transmitter on 46 occasions to hack into controls of a sewage treatment plant and released 264 000 gallons of raw sewage into rivers & parks.
 In 2003, the Slammer Worm affected the business network of an Ohio nuclear plant and spread to the operations network. Caused the computerized panel used to monitor crucial safety indicators to fail. Minutes later the plant process computer crashed.
© Jody R. Westby, Global Cyber Risk LLC, February 24, 2006

Asymmetrical Cyber Realities
Expert opinions:
 "The primary [tool terrorists] are using to their advantage is information technology." Lt. Gen. Kellogg, Head of C4I, Joint Chiefs
 President's National Security Telecommunications Advisory Committee (NSTAC): "An organization with sufficient resources, such as a foreign intelligence service or terrorist group could conduct a structured cyber attack on the electrical power grid with a high degree of anonymity and without having to set foot in the U.S."
 Faris Muhammad Al-Masri – UNITY: "It is no longer necessary to have rockets to destroy an electrical facility. Instead, penetrating the enemy's networks and planting your code will get a better result."
© Jody R. Westby, Global Cyber Risk LLC, February 24, 2006

On Resiliency of Interdependent Systems

The Advent of the Resiliency Concept
• Is resilience a new paradigm or a new expression, complementing the use of other terms such as vulnerability or risk?
• Is resilience the opposite of vulnerability?
• How can you define resilience as a desired outcome(s) or as a process leading to a desired outcome(s)?

Definitions of Resiliency (1)
There is no clear consensus on the definition of resilience. Some recent definitions in the hazards area are the following:
• Resilience is the ability of a system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable cost and time (Haimes et al., 2008).
• Resilience is the ability to survive and cope with a disaster with minimum impact and damage (Berke and Campanella, 2006). This definition involves the ability to minimize or eliminate losses, to control the consequences of disasters and to recover from disasters with a minimum social distraction.
• Resilience is the result of preventing, minimizing and recovering quickly from adverse consequences (Westrum, 2006; National Research Council, 2006).

Definitions of Resiliency (2)
• Resilience is the capacity to cope with unanticipated dangers after they have become manifest, learning to bounce back (Wildavsky, 1991).
• Resilience is the ability of an individual or organization to expeditiously design and implement positive adaptive behaviors matched to the immediate situation, while enduring minimal stress (Mallak, 1998).
• Local resiliency with regard to disasters means that a locale is able to withstand an extreme natural event without suffering devastating losses, damage, diminished productivity, or quality of life without a large amount of assistance from outside the community (Miletti, 1999).
• The capacity to adapt existing resources and skills to new systems and operating conditions (Comfort, 1999).
• Resilience is a fundamental quality of individuals, groups and organisations, and systems as a whole to respond productively to significant change that disrupts the expected pattern of events without engaging in an extended period of regressive behavior (Horne and Orr, 1998).
• It is the buffer capacity or the ability of a system to absorb perturbation, or the magnitude of disturbance that can be absorbed before a system changes its structure by changing the variables (Holling et al., 1995).

Definitions of Resiliency (3)
• Resilience describes an active process of self-righting, learned resourcefulness and growth: the ability to function psychologically at a level far greater than expected given the individual's capabilities and previous experiences (Paton, Smith and Violanti, 2000).
• The ability of an actor to cope with or adapt to hazard stress (Pelling, 2003).
• The capacity of a system, community or society potentially exposed to hazards to adapt, by resisting or changing in order to reach and maintain an acceptable level of functioning and structure. This is determined by the degree to which the social system is capable of organising itself to increase this capacity for learning from past disasters for better future protection and to improve risk reduction measures (UNISDR, 2005).
• The capacity of the damaged ecosystem or community to absorb negative impacts and recover from these (Cardona, 2003).
• Ecosystem resilience is the capacity of an ecosystem to tolerate disturbance without collapsing into a qualitatively different state that is controlled by a different set of processes. A resilient ecosystem can withstand shocks and rebuild itself when necessary. Resilience in social systems has the added capacity of humans to anticipate and plan for the future (Resilience Alliance, 2005).
• The ability to respond to singular or unique events (Kendra and Wachtendorf, 2003).

Definitions of Resiliency (4)
• Categorizing definitions either as a desired outcome or as a process leading to a desired outcome is not an easy task, and the distinction may seem unnecessary.
• But, from the definitions, resiliency can gradually shift from more outcome-oriented to more process-oriented.

The Relationship Between Vulnerability and Resiliency
• Resilience and vulnerability are common, related concepts in a number of scientific disciplines.
• A key question that emerges, however, concerns the relationship between them:
– Is resilience the opposite of vulnerability?
– Is resilience a factor of vulnerability? Or
– Is it the other way around?
• It is not easy to provide single answers to these questions.

Definitions of Vulnerability Induced Resiliency (1)
• Vulnerability is the degree to which a system acts adversely to the occurrence of a hazardous event. The degree and quality of the adverse reaction are conditioned by a system's resilience (a measure of the system's capacity to absorb and recover from the event) (Timmerman, 1981).
• Vulnerability is the threat or interaction between risk and preparedness. It is the degree to which hazardous materials threaten a particular population (risk) and the capacity of the community to reduce the risk or adverse consequences of hazardous material releases (Pijawka and Radwan, 1985).
• Vulnerability is the differential capacity of groups and individuals to deal with hazards, based on their positions within physical and social worlds (Dow, 1992).
• Vulnerability is defined in terms of exposure, capacity and potentiality. Accordingly, the prescriptive and normative response to vulnerability is to reduce exposure, enhance coping capacity, strengthen recovery potential and bolster damage control (i.e. minimize destructive consequences) via private and public means (Watts and Bohle, 1993).
• By vulnerability we mean the characteristics of a person or a group in terms of their capacity to anticipate, cope with, resist and recover from the impact of a natural hazard. It involves a combination of factors that determine the degree to which someone's life and livelihood are put at risk by a discrete and identifiable event in nature or in society (Blaikie et al., 1994).

Definitions of Vulnerability Induced Resiliency (2)
• Vulnerability to flood disruption is a product of dependence (the degree to which an activity requires a particular good as an input to function normally), transferability (the ability of an activity to respond to a disruptive threat by overcoming dependence either by deferring the activity in time, or by relocation, or by using substitutes), and susceptibility (the probability and extent to which the physical presence of flood water will affect inputs or outputs of an activity) (Green et al., 1994).
• Vulnerability is a multilayered and multidimensional social space defined by the determinate, political, economic and institutional capabilities of people in specific places at specific times (Bohle, Downing and Watts, 1994).
• Vulnerability is best defined as an aggregate measure of human welfare that integrates environmental, social, economic and political exposure to a range of potential harmful perturbations (Bohle, Downing and Watts, 1994).
• By vulnerability, we mean the condition of a given area with respect to hazard, exposure, preparedness, prevention, and response characteristics to cope with specific natural hazards. It is a measure of the capability of this set of elements to withstand events of a certain physical character (Weichselgartner and Bertens, 2000).

Definitions of Vulnerability Induced Resiliency (3)
• Vulnerability is the threat (to hazardous materials) to which people are exposed (including chemical agents and the ecological situation of the communities and their level of emergency preparedness). Vulnerability is the risk context (Gabor and Griffith, 1980).
• Vulnerability is the degree to which different classes of society are differentially at risk (Susman, O'Keefe and Wisner, 1983).
• Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude (UNDRO, 1982).
• Vulnerability is the potential for loss (Mitchell, 1989).
• Vulnerability has three connotations: it refers to a consequence (e.g. famine) rather than a cause (e.g. drought); it implies an adverse consequence (e.g. maize yields are sensitive to drought, households are vulnerable to hunger); and it is a relative term that differentiates among socioeconomic groups or regions, rather than an absolute measure of deprivation (Downing, 1991).
• The author distinguishes between vulnerability as a biophysical condition and vulnerability as defined by political, social and economic conditions of society. She argues for vulnerability in geographic space (where vulnerable people and places are located) and vulnerability in social space (who in that place is vulnerable) (Liverman, 1990).

Definitions of Vulnerability Induced Resiliency (4)
• Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude and expressed on a scale from 0 (no damage) to 1 (total loss). In lay terms, it means the degree to which the individual, family, community, class or region is at risk of suffering a sudden and serious misfortune following an extreme natural event (UNDRO, 1991).
• Human vulnerability is a function of the costs and benefits of inhabiting areas at risk of natural disaster (Alexander, 1993).
• Vulnerability is the likelihood that an individual or group will be exposed to and adversely affected by a hazard. It is the interaction of the hazard of place (risk and mitigation) with the social profile of communities (Cutter, 1993).
• Vulnerability represents the sensitivity of land use to the hazard phenomenon (Gilard and Givone, 1997).
• Vulnerability is the differential susceptibility of circumstances contributing to vulnerability. Biophysical, demographic, economic, social and technological factors such as population ages, economic dependency, racism and age of infrastructure are some factors which have been examined in association with natural hazard (Dow and Downing, 1995).
• Vulnerability are those circumstances that place people at risk while reducing their means of response or denying them available protection (Comfort et al., 1999).

Differences Between Vulnerability and Resiliency
Vulnerability                 Resiliency
Resistance                    Recovery
Force bound                   Time bound
Safety                        Bounce back
Mitigation                    Adaptation
Institutional                 Community-based
System                        Network
Engineering                   Culture
Risk assessment               Vulnerability and capacity analysis
Outcome                       Process
Standards                     Institution

Vulnerability Analysis Tools
• risk/vulnerability matrices
• Risk Profiles
• Risk Landscape in GIS
• Polar Diagrams
• QVA and HHM-approach with IRAM
• Quantitative Risk Analysis
• Scenario-based Indicator efforts
• MCDM
• Games/Simulating
• Expert Assessment/Delphi-panels
• Interview/questionnaire
• Cluster Analysis
• Factor Analysis

Risk / Vulnerability Matrices (1)
• An intuitive and simple way of showing risk/vulnerability in a certain case is to use risk/vulnerability matrixes. Such a matrix often represents the probability and the consequences of a given scenario. The matrix is filled with risk values based on the probability and consequences of each scenario, so that one can observe their position in a single diagram for every scenario.
(Figure: Risk Map)

Risk / Vulnerability Matrices (2)
• In Switzerland in 1999, a risk matrix of the risks in the country was produced as a result of an extensive project called "Comprehensive risk analysis". Considering present day conditions, possible future scenarios have been constructed of the development with regard to aspects such as demography, the influence of the greenhouse effect, terrorism, etc.
• Both the probability that a scenario will take place and its consequence have been estimated. The consequences are estimated as a result of many factors such as deaths, damage, costs as well as recovery time. The final product is a matrix that shows all the consequences of a specific scenario as well as the probability that it will happen. Risk matrixes according to the Swiss concept should perhaps be most useful in order to show the total risk scenario in a specific area. Please look at Reference 1 for Risk Matrix – A case of chemical risk acceptability assessment (pages 64-66).

Electricity Infrastructures

The Italian Blackout Sept 28, 2003 – Contextual Factors
 Discrepancy between commercial and physical flows: the generation dispatch realized in FR for the energy export to IT led to high loads on the transit lines in CH. The resulting high phase angle differential over the failed Mettlen-Lavorgo line impeded its timely reclosure.
 Insufficient coordination and information exchange among the adjacent TSOs (CH-IT-FR) due to economic, technical and historical reasons.
 Non-compliance of Italian generators with the technical rules of connection to the transmission network: after the disconnection from the UCTE grid, 21 out of 50 large thermal generation units were lost before the nominal 47.5 Hz frequency threshold was reached, impeding the successful island operation of IT.

New Challenges Protecting Vast Systems: Learning from the Italian Blackout Sept 28, 2003
1. Inadequate right-of-way maintenance practices (tree cutting)
2. Highly loaded transit lines used for long distance transmission (operating near to maximum capacity; protective devices that blocked re-closure)
3. Operators lack an overview of the whole system (no-one sees the "big picture" nor has sufficient information about adjacent systems)
4. Human and organizational factors (lacking sense of urgency; ETRANS control room understaffed; inadequate request for import reduction; inadequate joint procedures to return to N-1 secured conditions)
5. System sensitivity against voltage/frequency disturbances (load rejection above the stated threshold of 47.5 Hz); stability problems
6. Insufficient capabilities of power plants to switch on "house-load" or to perform black-starts (impeded restoration)
7. Insufficient reliability of the telecommunication systems (open access system – ceased to work due to power outage)

The Blackout in the United States and Canada
• In the afternoon of August 14, 2003, large portions of the northeastern United States and the Canadian province of Ontario experienced a massive electric power blackout. The outage, which was triggered in Northern Ohio, affected an area with an estimated 50 million people and 61'800 megawatts (MW) of electric load. Power was not restored for up to 2 days in some parts of the affected region.

Work Steps in Case Study Analysis
(Figure: normal and abnormal frequency ranges)

Key Players Involved in the Blackout
• The cascading spread of the blackout was triggered in Northern Ohio involving the following key players:
• FirstEnergy (FE) – control area operator in northern Ohio consisting of seven electric utility operating companies.
• American Electric Power (AEP) – control area operator south of FE.
• Midwest Independent System Operator (MISO) – reliability coordinator for FE (and for 37 other control areas).
• PJM Interconnection (PJM) – reliability coordinator for AEP.

Contingency Analysis
• To predict the impact of potential component outages (e.g. lines, generators) and short-term changes of load, voltage and frequency on the network, some reliability coordinators and control areas perform automated real time contingency analyses on a regular schedule (e.g. every 5 minutes) by using a digital energy management system (EMS). Thereby the raw data about some key components collected by the SCADA system are processed by the state estimator (i.e. a mathematical model of the network configuration) to evaluate the system conditions such as the voltage at each bus and the real and reactive power flow quantities on each line. The results are used in software tools such as real time contingency analysis (RTCA) to simulate various conditions and outages in order to evaluate the reliability of the electric power system.
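As an added example (not from the lecture deck, and not any operator's EMS/RTCA code), the following script shows the core of an N-1 contingency screen on a constructed 3-bus DC power-flow model: each line is removed in turn, flows are re-solved, and overloaded lines or islanding are reported. A second routine trips every overloaded line round by round, which reproduces the cascading behaviour the blackout slides describe. The bus data, susceptances and thermal limits are constructed for illustration.

```python
"""Added example (not from the lecture): N-1 contingency screening and a
cascading-trip simulation on a constructed 3-bus DC power-flow model."""
from collections import deque

# Constructed network: bus 0 is the slack bus (generator), bus 1 carries the load,
# bus 2 is a transit bus. Line: (from_bus, to_bus, susceptance [p.u.], limit [MW]).
LINES = {
    "L01": (0, 1, 1.0, 120.0),
    "L02": (0, 2, 1.0, 60.0),
    "L21": (2, 1, 1.0, 60.0),
}
INJECTION = {0: 100.0, 1: -100.0, 2: 0.0}  # net injection per bus [MW]
SLACK = 0


def connected(lines, n_bus):
    """True if every bus can still reach the slack over the in-service lines."""
    adj = {b: set() for b in range(n_bus)}
    for f, t, _, _ in lines.values():
        adj[f].add(t)
        adj[t].add(f)
    seen, queue = {SLACK}, deque([SLACK])
    while queue:
        for nb in adj[queue.popleft()]:
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return len(seen) == n_bus


def solve(a, rhs):
    """Gaussian elimination with partial pivoting (small dense systems only)."""
    n = len(rhs)
    m = [row[:] + [r] for row, r in zip(a, rhs)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def dc_flows(lines, injection):
    """DC power flow: solve B' theta = P (slack removed), flow = b * (theta_f - theta_t)."""
    non_slack = [b for b in sorted(injection) if b != SLACK]
    idx = {b: i for i, b in enumerate(non_slack)}
    n = len(non_slack)
    B = [[0.0] * n for _ in range(n)]
    for f, t, b, _ in lines.values():
        for u, v in ((f, t), (t, f)):
            if u in idx:
                B[idx[u]][idx[u]] += b
                if v in idx:
                    B[idx[u]][idx[v]] -= b
    theta = dict(zip(non_slack, solve(B, [injection[b] for b in non_slack])))
    theta[SLACK] = 0.0
    return {name: b * (theta[f] - theta[t]) for name, (f, t, b, _) in lines.items()}


def overloads(flows, lines):
    """Names of lines whose flow exceeds their thermal limit."""
    return sorted(name for name, mw in flows.items() if abs(mw) > lines[name][3])


def n_minus_1(lines=LINES, injection=INJECTION):
    """For every single-line outage, report 'island' or the lines it overloads."""
    report = {}
    for out in lines:
        rest = {k: v for k, v in lines.items() if k != out}
        if not connected(rest, len(injection)):
            report[out] = "island"
        else:
            report[out] = overloads(dc_flows(rest, injection), rest)
    return report


def cascade(initial_outage, lines=LINES, injection=INJECTION):
    """Trip all overloaded lines round by round until the grid is secure again or
    splits. Returns (trip sequence, True if part of the grid was islanded)."""
    in_service = {k: v for k, v in lines.items() if k != initial_outage}
    tripped = [initial_outage]
    while True:
        if not connected(in_service, len(injection)):
            return tripped, True
        over = overloads(dc_flows(in_service, injection), in_service)
        if not over:
            return tripped, False
        for name in over:
            del in_service[name]
        tripped.extend(over)


if __name__ == "__main__":
    print("base-case flows [MW]:", dc_flows(LINES, INJECTION))
    print("N-1 screen:", n_minus_1())
    print("cascade after losing L01:", cascade("L01"))
```

In the base case the 100 MW load splits 2:1 between the direct line and the two-line detour, and no limit is exceeded. The N-1 screen shows the system is not N-1 secure: losing L01 pushes all 100 MW through L02 and L21 (limit 60 MW each), and the cascade routine then trips both, islanding the load bus. A real RTCA run does the same screening over thousands of elements with a full AC state estimate; the point of the toy model is that the security criterion is only as good as the data and the re-check interval behind it.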

Identified System Weaknesses Mechanism
(Figure)

Common Features and Differences of the U.S. / Canada and the Italian Blackout (1)
• Deregulation Induced Vulnerability
From a historical point of view the electric power systems in Europe and North America have been designed to fulfill needs and provide services of adequate reliability and quality within a restricted area (i.e. nations in Europe). However, during the last few years the liberalization process has significantly changed the environment in which a reliable and secure electricity supply has to be maintained. Due to low economic incentives generated by the intense competition among the power companies, the transmission systems are more and more pushed to the physical limits of operation. The decentralized control and monitoring structure and the legal framework did not keep pace with this development. In turn, this endangers the secure and reliable operation of the system. This finding is confirmed by different investigations recently carried out by academics and industry experts.
• In both blackout cases these facts have been manifested by different root causes, inter alia:
– Inadequate tree trimming practices
– Weak joint communication and emergency procedures among different transmission system operators
– Inadequate legal framework
– Limited access to overall system operation status information
• As a conclusion, it is not only the liberalization process itself that is to blame for the blackouts. It is rather the omission of the technical, organizational and functional adjustments of the power systems (including the legal framework) which finally resulted in the inadequate and slow response to the emergencies.

Common Features and Differences of the U.S. / Canada and the Italian Blackout (2)
Technical Issues
• Human Factor. In both cases human failures contributed significantly to the sequence of events leading to the irreversible blackout status.
• High system sensitivity against voltage and frequency deviations. In both the U.S.-Canadian and the Italian case the setting of line and generator protection devices responding to voltage and frequency deviations has been too conservative, favoring the spread of the blackout.
• Limited reliability and availability performance of the SCADA systems during the restoration process. Due to insufficient power backup (e.g. diesel-driven generators, batteries) some SCADA systems lost visibility during the blackout phase, leading to certain delays within the restoration process.

Common Features and Differences of the U.S. / Canada and the Italian Blackout (3)
Features of the Italian Blackout
• A few features are distinctive for the Italian blackout, namely:
– Highly loaded transit lines by long distance transmission.
– Insufficient regulation of the reactive power support.
– Weak internal communication procedures.
– Insufficient emergency preparedness.
Features of the U.S. / Canada Blackout
• A number of distinct features have been found relevant only for the case of the U.S. / Canada blackout, namely:
– No specification of the maximum time interval given for interactive corrective measures after an N-1 rule violation.
– Insufficient reliability of the supporting digital energy management system.
– Unavailability of adequate load shedding plans.

Analysis of US Interruption Data
• Cascading failures in the North American electricity grid have been more common than one might expect. Forty-six of the events between 1984 and 2000, or nearly three per year, involved losses of > 1,000 MW. The probability of smaller power losses follows an exponential curve, while for losses > 500 MW it is described by a power law typical for self-organized systems.
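To make the exponential-body / power-law-tail distinction concrete, here is an added example (not from the lecture, and not the analysis behind the figures quoted above) that fits both regimes to a constructed, deterministic sample of blackout sizes and then compares what each model predicts for a very large event. The sample sizes, the 150 MW mean of the small events and the tail exponent 1.5 are assumptions chosen for illustration; only the 500 MW boundary comes from the slide.

```python
"""Added example (not from the lecture): fitting an exponential body and a
power-law tail to a constructed sample of blackout sizes (MW of load lost), then
comparing what each model predicts for a very large event."""
import math

TAIL_START = 500.0  # MW: the lecture's boundary between exponential and power-law regimes


def constructed_sizes(n_small=300, n_large=200, mean_small=150.0, alpha=1.5):
    """Deterministic synthetic sample built by inverse-CDF at midpoint quantiles:
    exponential sizes below TAIL_START, Pareto sizes (exponent alpha) above it."""
    trunc = 1.0 - math.exp(-TAIL_START / mean_small)  # exponential mass below TAIL_START
    small = [-mean_small * math.log(1.0 - ((i + 0.5) / n_small) * trunc)
             for i in range(n_small)]
    large = [TAIL_START * (1.0 - (i + 0.5) / n_large) ** (-1.0 / alpha)
             for i in range(n_large)]
    return small + large


def exponential_rate(sizes, upper=TAIL_START):
    """Maximum-likelihood rate of an exponential fitted to sizes below `upper`."""
    body = [s for s in sizes if s < upper]
    return len(body) / sum(body)


def tail_exponent(sizes, xmin=TAIL_START):
    """Hill (maximum-likelihood) estimate of alpha in P(S > s) = (s/xmin)^(-alpha),
    using only sizes >= xmin."""
    tail = [s for s in sizes if s >= xmin]
    return len(tail) / sum(math.log(s / xmin) for s in tail)


def empirical_exceedance(sizes, s):
    """Empirical P(S > s)."""
    return sum(1 for x in sizes if x > s) / len(sizes)


def model_exceedance(sizes, s):
    """P(S > s) under the two-part model (tail share times the fitted power-law
    survival) versus under a single exponential fitted to all sizes."""
    tail_share = sum(1 for x in sizes if x >= TAIL_START) / len(sizes)
    power_law = tail_share * (s / TAIL_START) ** (-tail_exponent(sizes))
    rate_all = len(sizes) / sum(sizes)
    return {"power_law": power_law, "exponential": math.exp(-rate_all * s)}


if __name__ == "__main__":
    data = constructed_sizes()
    print("exponential rate below 500 MW:", exponential_rate(data))
    print("power-law exponent above 500 MW:", tail_exponent(data))
    for s in (2000, 10000):
        print(s, "MW:", empirical_exceedance(data, s), model_exceedance(data, s))
```

The practical lesson is in `model_exceedance`: a single exponential fitted to the whole record assigns a 10,000 MW event a probability orders of magnitude below what the power-law tail (and the empirical count) gives, which is exactly how a planning model ends up treating a blackout of that size as impossible.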

• The initial design and operation criteria (e.g. N-1) need to be aligned with the current use and practice („evolutionary unsuitability“).
• The political framework, institutions and actor networks became market-focused; security of supply must become a new overarching principle.
• Mandatory rules including contingency procedures and improved coordination (TSOs), etc. needed.
• Compliance with the growing need for real time based data acquisition and management systems (SCADA).
• Digitalized non-dedicated control systems are becoming increasingly ubiquitous; the unsecured public internet should not be used for vital operation and control functions.
• Development of risk / vulnerability awareness and intellectual modeling capabilities to be promoted.

Risk Matrix and Risk Cadaster

Risk Mitigation Strategies
1. Preventive actions: Removing the cause before the risk appears
2. Mitigation actions: Reducing the impact of the risk before, during and after it appears/occurs
3. Recovery actions (“Emergency actions”): Reduction of the impact after the risk occurs
[Figure: risk matrix, Probability (Low / Medium / High) against Impact (Low / Medium / High); Unacceptable Risk Area at high probability and impact, Acceptable Risk Area at low probability and impact]

CHEMICAL AND NUCLEAR RISK CADASTER

Elements of Vulnerability Economics
[Figure: Cost against Level of Security (0 % to 100 %); curves for Cost of Security (rising), Cost of Security Breach (falling) and Total Cost, with the Minimum of Total Cost marked]
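As an added worked example (not from the slides), the Python below puts numbers on the figure: a cost-of-security curve and an expected-breach-cost curve are added into a total cost, the level of security minimising the total is found by grid search and confirmed in closed form, and the marginal balance at the optimum is checked. The two curve shapes and all monetary values are constructed assumptions.

```python
"""Vulnerability economics: total cost = cost of security + cost of security breach,
minimised over the level of security. Constructed, assumed curve shapes and values."""


def cost_of_security(level, scale):
    """Spend needed to reach a security level in [0, 1]; convex, so the last few
    percent cost the most (assumed shape)."""
    return scale * level ** 2


def cost_of_breach(level, loss_if_breached, breach_prob_at_zero):
    """Expected breach cost = loss given breach x breach probability, where the
    probability falls with the security level (assumed shape)."""
    return loss_if_breached * breach_prob_at_zero * (1.0 - level) ** 2


def total_cost(level, scale, loss, p0):
    return cost_of_security(level, scale) + cost_of_breach(level, loss, p0)


def optimum(scale, loss, p0, steps=100):
    """Grid search over the level of security (0 %, 1 %, ..., 100 %).
    Returns (cost-minimising level, total cost at that level)."""
    best = min((total_cost(i / steps, scale, loss, p0), i / steps) for i in range(steps + 1))
    return best[1], best[0]


def closed_form_optimum(scale, loss, p0):
    """For these quadratic curves d(total)/d(level) = 0 gives
    level* = loss*p0 / (scale + loss*p0), i.e. strictly below 100 % security."""
    return loss * p0 / (scale + loss * p0)


def marginal_costs(level, scale, loss, p0, h=1e-6):
    """Central-difference slopes at a level: extra spend per unit of security and
    expected breach cost removed per unit of security. They are equal at the minimum."""
    d_sec = (cost_of_security(level + h, scale) - cost_of_security(level - h, scale)) / (2 * h)
    d_breach = (cost_of_breach(level - h, loss, p0) - cost_of_breach(level + h, loss, p0)) / (2 * h)
    return d_sec, d_breach


if __name__ == "__main__":
    # constructed figures: 1.0 M to reach full security, 6.0 M loss if breached, 50 % breach
    # probability with no security at all
    SCALE, LOSS, P0 = 1e6, 6e6, 0.5
    level, total = optimum(SCALE, LOSS, P0)
    print(f"minimum total cost {total:,.0f} at {level:.0%} security "
          f"(closed form {closed_form_optimum(SCALE, LOSS, P0):.2f})")
    print("total at 100 % security:", total_cost(1.0, SCALE, LOSS, P0))
    print("marginal spend vs. marginal breach cost avoided:", marginal_costs(level, SCALE, LOSS, P0))
```

The grid and closed-form results coincide, and the total at 100 % security exceeds the minimum, which is the figure's point that over-investment in security raises total cost.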

Vulnerability
[Figure: Vulnerability decomposed into Susceptibility and Resilience, with Resilience covering Coping Capacity and Recovery Time, shown on a Service Disruption plot]

Vulnerability Scenarios
[Figure: Service Disruption (Functional / Not Functional) against Time. Low Susceptibility, no cascading effects: system with LOW vulnerability. High Susceptibility, cascading effects: system with HIGH vulnerability (?). Components shown: Vulnerability, Susceptibility, Resilience, Coping Capacity, Recovery Time]

Vulnerability induced Complexity

Complexity induced vulnerability – Decision Support System
Degree of penetrability as a measure of vulnerability

Vulnerability Matrix and Vulnerability Cadastre: GIS Representation

Numerical evaluations


Vulnerability Acceptance Matrix



Framing Guidelines for Risk and Vulnerability Assessment


Framework for Risk and Vulnerability Assessment Models and Tools – Overview
• Vulnerability Assessment Checklists
• Actor-Based Modeling and Simulation
• Aggregate Supply and Demand Tools
• Dynamic Simulations
• Physics Based Models
• Population Mobility Models
• Leontief Input-Output Models
• Network Topology Design Theories
• Critical Infrastructure Interdependencies Integrator (CI3)
• Hybrid Approaches

Criticality and security: a complementary approach
[Figure: Infrastructure “if disrupted will lead to…” CRISIS; Infrastructure “is required in case of…” CRISIS]

A regional system of interdependent CI
A regional system, defined as a “complex distributed spatial system, consisting of all existing critical infrastructures, the socio-economic and political systems and the interactions amongst all these elements”.
[Figure: Regional system containing Subsystem of CI 1 (e.g. Energy), Subsystem of CI 2 (e.g. Transport), Subsystem of CI 3…, together with e.g. the economic system, political system, social system, etc.]

Structure of Guidelines
Definition of the SRVA Process
1. Objectives and scope
2. Involved stakeholders and responsibilities
Criticality assessment
1. Definition of criticality criteria
2. Identification and ranking of CI at regional level
3. Characterization of the MOST critical system and of priority exposed elements
Relevant scenarios definition
4. Definition and ranking of scenario of service disruptions of the most critical system
Vulnerability analysis
5. Direct vulnerability assessment for the relevant scenarios
6. Cascading vulnerability assessment for the relevant scenarios
Define Vulnerability reduction strategies
7. Definition of acceptable level of vulnerability
8. Define actions to be taken

Critical Infrastructures
Issues of Homeland Security – An International Perspective

Expert Opinions
[Figure: a spectrum of security-policy perspectives, from the traditional one-dimensional perspective of security policy (military threats, power politics), through a broadening scope of security policy recognized, to comprehensive risk analysis: interdependency analysis of threats and critical infrastructures, „Maslow Pyramid“ (revised). Countries placed along this spectrum: Armenia, Georgia, Austria, Norway, Sweden (partly analyzed), Switzerland, U.S.A]

Need for Integrative Approach
[Figure: Risk – Vulnerability – Sustainability – Governance]

An Invariant – in „System of Systems Engineering“?
ARASP – As Resilient As Society Permits
ALARA – As Low As Reasonable Acceptable
Sustainability: Multicriteria Indicators and their Integration
Governance: Acceptability, Participation, Trust, Perception


A Short Exercise (1)
What are the implications of variety for interdependent complex and vital systems?

A Short Exercise (2)
What are the issues related to dealing with complex systems based on the concepts of risk, vulnerability, sustainability, and governance?

Four Types of Concepts
[Figure: Risk Assessment, Vulnerability Characterization, Sustainability, Governance & DMP, arranged around Complexity and Vitality]

4 Types of Concepts (1)
Risk and its Constituencies
Probability
Consequences
Scenarios
Risk acceptance and its representation
Example: vital interdependent systems: electricity system and the water infrastructure

4 Types of Concepts (2)
Vulnerability Assessment
Susceptibility assessment and degree of penetration in complex infrastructures
Threat identification and assessment
Resiliency of simple and interdependent infrastructures
Example: attempts to evaluate numerically the vulnerability of given vital systems / infrastructures

4 Types of Concepts (3)
Sustainability Approach for Vital Infrastructures:
Large number of indicators to define sustainability
Categorization of sustainability indicators: Criteria – Attributes – Indicators for sustainable evaluation of critical infrastructures
How sustainable can one get from vital infrastructures?
Degree of Sustainability for infrastructure systems
These concepts exhibit emergence! (Williams (1997), Chaos Theory Tamed)

4 Types of Concepts (4)
Governance
Both quantitative and qualitative assessment
Observer interaction with the ‘system-being-observed’ and governed
Position of a Governance Actor
Risk Governance, what is it?
Governance and Resiliency of Complex and Interdependent Infrastructures
Example: The ‘instrument’ of Risk Governance in view of Resilient Policy Design and System Implementation

Short Exercise
Given the following situations, what type of concepts are adequate and could be applied?
– A blackout scenario for an interconnected electricity system?
– A terrorist cyber attack and the weak states of an information and communication system?
– A mitigation scenario analysis after a natural hazard at regional level?
– A detailed performance evaluation system for smart and resilient infrastructures?

Critical Infrastructures
Ubiquity of Digitalization and Risks/Vulnerability of Interdependent Infrastructures

Ubiquity of Digitalization
• According to authoritative definitions on ubiquity, one can conclude that two of them are relevant to the further work within this Project.
• Definition 1: “The capacity of being everywhere or in all places at the same time” (Oxford English Dictionary)
• Definition 2: “Presence everywhere or in many places especially simultaneously” (Merriam Webster Dictionary)
• Definition 3: By digitalization we mean the process automation related activities, as well as the intensive use of various kinds of computers, associated with the operational, tactical, as well as the strategic phase of a given infrastructure.

Digitalization and Critical Infrastructure
• The ubiquity of digitalization and its influence on vital systems gives new dimensions on how to treat, individually or collectively, in view of the increased contemporary safety needs, events such as sabotage, human negligence, or the lack of security culture.
• Ubiquity of digitalization and its influence on vital systems introduces completely new questions on how to treat, individually or collectively, in view of the increased contemporary safety needs, events such as sabotage, human negligence, or the lack of security culture.
• In respect to the ubiquity of digitalization vs. influence on critical infrastructures, the corporate management of infrastructure systems (e.g. energy, ICS) is more afraid of the changes within the regulation framework and associated market influences, rather than the aggressive technological changes and their penetration.

Digitalization vs. Pervasive Computing
• Pervasive computing refers to the emerging trend toward numerous, easily accessible computing devices connected to an increasingly ubiquitous network infrastructure.
• Pervasive computing devices are not personal computers as we tend to think of them, but very tiny, even invisible devices, either mobile or embedded in almost any type of object imaginable.

Interdependence and Behavior
• Today, infrastructure systems are heavily dependent upon one another. They are invariably large-scale dynamic systems of systems with numerous components, spatially distributed, non-linear in nature; they incorporate divisions with different missions, resources, timetables, and agendas working in different socioeconomic environments and cultures.

Threats (Revisited)
• Risk of extreme and catastrophic events is of paramount importance; they are dominated by multiple conflicting and competing objectives. Failures may not only cause breakdowns of services but may cause harm to society.
• Many of these systems are known to be vulnerable to physical and cyber threats and to single failures with cascading effects in a causal chain. Organizational and human errors/failures are common and, induced by system complexity, disruption in any of the systems could jeopardize the continued operation of the entire infrastructure system.

Risk and Vulnerability (Revisited)
• However, critical infrastructures are not only vulnerable to threats and hazards; they pose a risk themselves, which is not limited to cases of disruption and malfunction.
• One of the major risks of these infrastructures lies in their enormous contribution to social welfare and economic growth which, in turn, add to further development and extension of the infrastructures.
• Because of the large diversity of systems considered as critical infrastructures, the task to identify, at an adequate high level of generality, risk assessment and governance related aspects to this class of systems is still, worldwide, ongoing; only short selected issues will follow next.

Single Type Critical Infrastructures – The Electric Power System
• Energy supply systems are essential to an economy and its security. They are becoming increasingly complex and interconnected, and also comprise a risk factor themselves, since they contribute to pollution or exploitation of resources.
• Energy infrastructures have an impact on agglomeration areas and mega-cities (towns with more than 10 million inhabitants by 2010), which, in turn, are highly vulnerable (e.g. increased risk of infectious diseases when sewage systems fail, high death or disease rates caused by accidents in chemical or nuclear facilities). They could become a target for sabotage, which, in turn, potentially could lead to national disasters, with potentially high economic losses.
• The electric power industry is restructuring, leading to competition in a formerly restricted and regulated environment. This, in turn, will lead to new risks to the grid: the lack of sole responsibility for grid reliability, the tendency for owners and operators to focus on a short-term, least-expensive approach to operations.
• This, and vulnerability to disruptions from natural causes, increased physical threats, and malevolent threats, and industry restructuring could compromise their stability and reliability.
• The new and emerging threats faced by the present engineering design and facility management community demand innovative solutions, based on risk management approaches. A multidisciplinary governance and risk-management based program has to be considered and implemented in order to cope with these risks.

Single Type Critical Infrastructures – The Information and Communication Systems
• The investigation of the vulnerability of information technology, and Internet in particular, shows an enormous rise in recent years in the number of breaches in the availability, confidentiality, or integrity of information (systems). The open nature of the Internet plays an important part. The advent of Internet has caused a blurring of the boundaries between previously independent information systems.
• Because of the large number of interconnections between systems, the risks from these attacks are becoming even greater.
• At present, the current level of the potential damage due to the vulnerability of Internet, and the level of potential damage to be expected into the future cannot be determined exactly. The social and economic consequences of a vulnerable Internet are expected to continue to increase.

Single Type Critical Infrastructures – Transportation Systems and Mobility
• In dealing with transportation risks at local or even regional levels, the public is getting more involved in the governance process (citizens of Chamonix in France voted to stop heavy transportation traffic through their region).
• Mobility of goods is in a fully rising stage. More hazardous substances are transported every day. The increased volume of activities in this industry, high interactions with human operators, computer systems, regulations and governance, at large, lead to a new degree of complexity of the industry.
• Mobility changes business practice and its dimensions (from local to global). It induces openness within the society, and makes the business go round the world (e.g. salmon harvested early in the morning in Scandinavian countries is served in the evening in Madrid or Rome).
• The interdependencies of production systems with the transportation systems were managed within concepts such as "Just in Time" (JIT) and "Intermodal Freight" (ImF). Sophisticated logistics associated with transportation systems allow an efficient and manageable increased flow of products. ImF allows seamless integration of various transportation systems getting across various borders and trading practices. Computerized monitoring systems assist the JIT and ImF processes.

From Single Type Critical Infrastructures to Interdependent Systems
• There is a need to understand interactions and dependencies at the level of single critical infrastructures. In addition, the specific role of digitalization within a given class of critical infrastructure is important to be understood, mainly in the initial design and operation phase, for distinct industries such as power generation, or the transportation systems operators.
• When dealing with interdependent critical infrastructure systems, there is an urgent need to address and assess their complexity, and find new ways of understanding and expressing the vulnerability and risks of coupled infrastructures.
• There is a need to address the issue by looking at the format of what is called in this report, system of systems.
• Understanding the behavior of interdependent, tightly coupled critical infrastructures is not a simple matter.

Relation to Critical Infrastructure
• Many processes, e.g. traffic, health, services, can be executed more effectively by use of pervasive computing, opening up the potential capability for the economical management of resources. However, the pervasive computers lead to a higher degree of systems complexity in relation to critical infrastructures. It is a trend that computer users (actors) are willing to delegate decisions to the so called software agents due to:
– the limited human capabilities to suddenly respond to a variety of tasks or
– finite time resources available at some given instances
• Pervasive computing creates new type infrastructures where it is difficult to assess liabilities to single failures.
• Insurance companies are looking at this era of pervasive computers, on specific new distribution of risks and their own position in insuring potential liabilities.
• There is a degree of belief that mastering a new level of complexity due to pervasive computing has inherent limits. The complexity level of newly developed technologies has to be accepted to the degree of safely managing the real systems of critical infrastructures. We have to live today with what one can call "unmastered complexity".

Rule of Thumb
• As a rule of thumb, one can argue that in the re-education process towards crucial new aspects and capabilities of pervasive computers, circa 90% of the content would be to address the way how to avoid un-mastered complexity, while 10% will be dedicated to the acquisition of formal / classical knowledge and abilities, e.g. programming.
• In handling the complexity due to ubiquity of pervasive computing one has to adopt simple technical solutions and strategies.
• Pervasive computing in relation to a wide variety of critical infrastructures could be prone and open to bring new forms of "digital time bombs". Together with the ubiquity of digitalization, the two trends have to be addressed in relation to the risk and vulnerability of critical infrastructures.
• An awareness policy is necessary; the present situation in relation to pervasive computing and its penetrability within the world of critical infrastructures indicates that this is still in an immature stage.
• New legal initiatives and practical steps should be instrumental in addressing the negative effects of un-controlled pervasive computing and the ubiquity of digitalization.

The Swiss Rail Transportation System

Digitalization – Current Status
• Concerning the selected Swiss rail transportation operator, its control and management functions, as well as ordinary operational activities, are highly assisted by digital technologies. This extensive use of computer assisted devices makes it possible to overcome the challenge of controlling and operating the highly complex railway system. The common digital technologies and their penetration rate is mainly driven by market forces.
• Computer assisted models and tools to optimize the flow of the traffic and to build up sophisticated reliable timetables indicate a penetration of digitalized systems, and prove its ubiquity.
• IT infrastructure and services needed for the company’s management and operation are partially outsourced to private companies.
• Due to excess capacity in its own telecommunication infrastructure capabilities, the corresponding Swiss transportation company is selling its surplus capacity of the telecommunication lines to other private ICS service providers. There are also other initiatives, outside of its competence and authority, such as to rent excess capacities to cable TV companies, or even to internet provider companies.

Degree of Digitalization – Trends
• Within the investigated industry the current trend is to integrate such different core functions as the transmission of voice, train signals or train steering by remote control technology on a single digitalized system by using a single “information pipeline”.
• The driving force for the increased use of the digital technology is the effort to increase the Company’s productivity (e.g. increased traffic capabilities up to ca. 30%). In general, at the present time, when it comes to digitalization and operation related activities, the economics prevails.

Influence on Management Functions
• The continuous technological improvements in the railway system are also driven by the ageing of some present technologies. Reengineering activities will definitely be done via digitalization in various forms and degree of integration.
• Currently, the development of remotely controlled high speed trains is in process; the driver is in this case in a new position in order to interact with the locomotive, and in this case as a complex and almost fully digitalized system.
• Discussions related to the deregulation processes do take into account, to the necessary degree, relevant issues related to safety – security concerning digitalized systems.
• Technological risk related assessment for the digitalization within the Company industry is fully addressed and covered by use of ISO standards.

Digitalization Induced Risks
• As a security principle, redundant information pipelines are in the process of being fully implemented; such redundancy can go up to 500% in some cases, and that depends on the needs required for each specific function which has to be assisted.
• Risk and safety issues related to the digitalization are of high importance for new systems acquired via the integration of different traffic and management functions.
• There are currently no safety standards and implementation guidelines for the so-called open systems; the digitalization in the railway systems does require such standards and a new design philosophy. Therefore, there is an urgent need to have a more scientific way of approaching the security.
• The company has not yet a full picture on risks and vulnerabilities induced by the current digitalization trend, and still the old best practice assumptions are considered when designing and implementing profoundly new design and techn
ologies. This must be changed within the industry; there is not yet a definitive consensus on this issue. Also “Security through obscurity”, as a tactical approach to deal with risks related to train communication, etc. still does not encompass the so called big picture.
• The topic of increased ubiquity of digital technologies and pervasive computing is not treated under a single management department. This might create delays and additional costs when the system will have to accelerate its rate of penetration of digitalized integrated systems, into the company.

Concept of Dependency
• Dependency is defined in the open literature as a linkage or connection between two infrastructures, through which the state of one infrastructure influences or is correlated to the state of the other.
• There are different degrees of dependencies among objects / agents within a given critical infrastructure or among critical infrastructures.
• The advent of digitalization, as a central concept in assessing critical infrastructures performance, implies the need to assess the impact of this vector, e.g. digital information and its hardware support, in connection with various agents and critical infrastructures.


Dependencies (2) – Dependencies and the Focal Position of the Electric Power Sector
• The degree of dependency concept could be extended in order to understand and quantify the impact of digital technologies or of the ubiquity of digitalization on the overall performance of i) a given critical infrastructure or ii) among distinct critical infrastructures.
• If one meaning of the dependency concept involves a potential physical connection between parts or the entire critical infrastructure, in order that this would provide the designed services, with some degree of reliability and risk, the other meaning would take into consideration the degree of ubiquity of digitalization embedded into a given critical infrastructure.

Concept of Interdependency (1)
• Interdependency is defined as a bi-directional relationship between two infrastructures, through which the state of each infrastructure influences or is correlated to the state of the other. More generally, two infrastructures are interdependent when each is dependent on the other.
• Interdependencies vary widely, and each has its own characteristics and effects on infrastructure agents. Among various dimensions which characterize the interdependencies among critical infrastructures are: type of failure, state of operation, environment, coupling and response behavior.
• The degree of digitalization could be in focus of an interdependency assessment by measuring the flow of information which crosses the interface between the considered critical infrastructures.

Concept of Interdependency (2)

Classes of Interdependencies
• Physical Interdependency: Two infrastructures are physically interdependent if the state of each is dependent on the material output(s) of the other.
• Cyber Interdependency: An infrastructure has cyber interdependency if its state depends on information transmitted through the information infrastructure.
• Geographic Interdependency: Infrastructures are geographically interdependent if a local environmental event can create state changes in each of them.
• Logical Interdependency: Two infrastructures are logically interdependent if the state of each depends on the state of the other via a mechanism that is not a physical, cyber, or geographic connection.

There is by now a consensus that concepts like interdependency and interconnection are not similar when dealing with security aspects for critical infrastructures.
– Interdependencies affect services provided by distinct infrastructures, e.g. banking, hospitals, by their quality, degree of extension, up to the system level.
– Interconnection implies mutual influences among distinct components, and indicates the built-in resilience of various distinct systems up to their interface interactions.

Network of Networks

Coupling and Response Behavior
• Tight coupling is characterized by time-dependent processes that have little "give" or slack. Loose coupling, on the other hand, implies that the infrastructures or agents are relatively independent of each other, and the state of one is only weakly correlated to or independent of the state of the other. Slack exists in the system, and the processes are not nearly as time dependent as in a tightly coupled system. In sum, tight and loose coupling refer to the relative degree of dependencies among the infrastructures.
• The concept of tight / loose coupling within and among critical infrastructures does allow additional flexibility via the use of the new paradigm of the ubiquity of digitalization. IRGC should further investigate the degree through which penetration of digital technology would allow implementation of the fail safe concept as a solution of treating interdependencies at the level of high control and flexible / adaptive interactions.
• The coupling order indicates whether two infrastructures are directly connected to one another or indirectly coupled through one or more intervening infrastructures. The interactions among infrastructures can be further classified as either linear or complex.


• Linear interactions are those in familiar production or maintenance sequences, and those that are quite visible even if unplanned.
– Linear interactions are generally those intended by design, with few unintended or unfamiliar feedback loops.

• Complex interactions are those of unfamiliar sequences, or unplanned and unexpected sequences, and either not visible or not immediately comprehensible.
– Complex interactions are likely to exist when agents can interact with other agents outside the normal production or operational sequence, whether by design or inadvertently.
– Such interactions can occur in systems with branching paths, feedback loops, and jumps from one linear sequence of operations to another (possibly due to geographic interdependencies).
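The following added Python example (not from the slides, nor IRGC's own tooling) ties together the classes of interdependencies, the coupling order and the tight/loose coupling just described with the service-disruption and recovery-time indicators of the vulnerability scenarios slide: it builds a small constructed network of infrastructures with typed dependency edges, computes coupling order and bi-directional interdependency, and runs an event-driven cascade in which tight couplings propagate a failure at once while loose couplings absorb short outages. The network, the slack of two steps and the restoration times are assumptions; a geographic interdependency is represented as a common-cause initiating set rather than as an edge.

```python
"""Typed interdependency graph of critical infrastructures: coupling order, bi-directional
interdependency and a simple cascade / recovery timeline. Constructed example."""
import heapq
from collections import defaultdict

# Constructed edges: (supplier, dependent, interdependency class, coupling). The dependent's
# state depends on the supplier. "tight" coupling has no slack (the dependent goes down one
# step after its supplier); "loose" coupling has `slack` extra steps of buffer (stored water,
# batteries, manual fallback) before the dependent goes down.
EDGES = [
    ("electricity", "water",       "physical", "tight"),   # pumping stations on mains power
    ("electricity", "telecom",     "physical", "tight"),   # switching sites on mains power
    ("electricity", "rail",        "physical", "tight"),   # traction power
    ("telecom",     "electricity", "cyber",    "loose"),   # SCADA/EMS links, manual fallback exists
    ("telecom",     "banking",     "cyber",    "tight"),   # payment networks
    ("water",       "hospitals",   "physical", "loose"),   # on-site water storage
    ("rail",        "hospitals",   "logical",  "loose"),   # staff commute: neither physical nor cyber
]


def build(edges):
    """Forward (supplier -> dependents) and reverse (dependent -> suppliers) adjacency."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for s, d, cls, coupling in edges:
        fwd[s].append((d, cls, coupling))
        rev[d].append((s, cls, coupling))
        fwd.setdefault(d, [])
        rev.setdefault(s, [])
    return fwd, rev


def coupling_order(fwd, src, dst):
    """Dependency hops from src to dst: 1 = directly coupled, 2 = one intervening
    infrastructure, ...; None if dst does not depend on src at all (breadth-first search)."""
    dist = {src: 0}
    frontier = [src]
    while frontier:
        nxt = []
        for u in frontier:
            for v, _, _ in fwd[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    nxt.append(v)
        frontier = nxt
    return dist.get(dst)


def interdependent(fwd, a, b):
    """Bi-directional relationship: each depends on the other, directly or indirectly."""
    return a != b and coupling_order(fwd, a, b) is not None and coupling_order(fwd, b, a) is not None


def cascade(edges, initial, restore_at, slack):
    """Event-driven propagation. Returns {infrastructure: (fail_step, recovery_step)}.
    Initiating infrastructures (a set; several for a common-cause / geographic event) fail at
    step 0 and are restored externally at restore_at. A failure reaches a dependent after
    1 step (tight) or 1 + slack steps (loose), but only if the supplier is still down by then;
    a dependent recovers one step after the last supplier that brought it down is back.
    Simplification: each infrastructure is modelled as failing at most once."""
    fwd, rev = build(edges)
    fail = {u: 0 for u in initial}
    rec = {}
    heap = [(0, u) for u in initial]
    heapq.heapify(heap)
    while heap:
        t, u = heapq.heappop(heap)
        if t > fail[u] or u in rec:          # stale heap entry
            continue
        if u in initial:
            rec[u] = restore_at
        else:                                # suppliers that failed earlier are already resolved
            rec[u] = 1 + max(rec[s] for s, _, _ in rev[u] if s in rec and fail[s] < t)
        for v, _, coupling in fwd[u]:
            t_v = t + (1 if coupling == "tight" else 1 + slack)
            if t_v < rec[u] and t_v < fail.get(v, float("inf")):
                fail[v] = t_v
                heapq.heappush(heap, (t_v, v))
    return {u: (fail[u], rec[u]) for u in fail}


def disruption_summary(timeline):
    """Service-disruption indicators: infrastructures hit, infrastructure-steps lost (area under
    the service-disruption curve) and the step at which the last service is back."""
    return {"hit": sorted(timeline),
            "area": sum(r - f for f, r in timeline.values()),
            "full_recovery": max(r for _, r in timeline.values())}


def tighten(edges):
    """Same topology with every coupling made tight: the high-susceptibility scenario."""
    return [(s, d, c, "tight") for s, d, c, _ in edges]


if __name__ == "__main__":
    fwd, _ = build(EDGES)
    print("electricity -> hospitals coupling order:", coupling_order(fwd, "electricity", "hospitals"))
    print("electricity <-> telecom interdependent:", interdependent(fwd, "electricity", "telecom"))
    for label, e in (("mixed coupling", EDGES), ("all tight", tighten(EDGES))):
        print(label, disruption_summary(cascade(e, {"electricity"}, restore_at=3, slack=2)))
```

With a three-step outage the loosely coupled hospitals never lose service, while making every coupling tight takes them down too; lengthening the outage past the slack shows the loose network cascading as well, which is the susceptibility / recovery-time trade-off of the vulnerability scenarios slide.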


Electric Power System Interdependencies (1)
• Electricity Generation: Reliance on Open-Access ICS
In case of the Swiss power system, with high contribution from NPPs, the use of digital systems and the interaction with the open-access ICS is limited only to the management and marketing related activities.
• Trends:
– There is a tendency to discriminate in adopting information and communication systems privately owned by the electricity industry vs. the open-access ICS. The argumentation for such in principio position is related to the fact that the contribution to electricity generation of NPPs is significant, and potential risks and vulnerabilities are to be significant if the operation activities are exposed to cyber-threats and other associated digital hazards.
– A national program of work related to the issue of risks, vulnerability and security related tasks on information systems and electric power sector, is currently ongoing.

• Electricity Generation: Reliance on the Rail Transportation System In Switzerland due to the current electricity generation structure (55.9% hydro, 39.7% nuclear and 4.4% conventional thermal), there is no significant short term reliance by the electricity generation sector on the availability of the rail transportation system (i.e. no use of fossil fuel which should be transported continuously and timely).


Electric Power System Interdependencies (2)
• Electricity Transmission: Reliance on Open-Access ICS
Electricity transmission basic design philosophy aims that, at any time, a black-out should be avoided, keeping the transmission lines under voltage. For technological related aspects on the continuity in service, the electricity transmission grid operates in an island mode, without any need to interact with the open-access domain of ICS, and is designed to use its own IT and specific communication resources.
• When a black-out is becoming imminent, or for some reasons it just happens, the electricity transmission lines should be kept under voltage. As a corollary, the use of any communication and technological means – from battery phones to satellite communication phones – is necessary, practical and acceptable, and must go on even if the open-access communication systems are out of order or not accessible at the time of a contingency.
• Trends:
– The recent liberalization policy of the electricity market is going to be implemented, inter alia, via intensive use of information technology and open-access ICS for commercial transactions as well as for logistic related purposes.
– This process, without proper care and adequate professional knowledge and assistance, could lead to the manifestation of some new and unknown hazard events.

Interdependencies Related to Market Forces

• Due to the new policy of market deregulation and privatization in the electricity generation and transmission industries in Switzerland, a new paradox tends to arise.
• Technical operational constraints require the integration of generation (location and amount of electricity production), transmission and load management under strict centralized or improved control technology for frequency, and subsequently the synchronous system operation (i.e. frequency, voltage limits).
• The new market rules induce the need for the individual interests of distinct old and new actors (e.g. decentralized generation technologies), involved in generation trading and marketing, which have to obey the financial and business rules only.
• Findings:
– Adopting the two remarks/observations from above simultaneously introduces a new management paradox (centralized production and distribution operations vs. decentralized marketing activities).
– The security of supply and the market opening criteria could be just the de minimis condition to re-design systems, up to acceptable levels of risks in operation.

A New Situation - Smart Grids and Renewable Technologies

• The new paradox will be handled and harmonized (if it has to survive technically and politically) by the existence of two distinct IT environments which will operate separately (for how long?) or will probably merge to a large extent (at what price in safety and security?).
• According to the current thinking and adopted trends, the IT control should have an island-type architecture as far as it is affecting the security of supply. In parallel, the market oriented IT-instruments, in case they are not interacting with the technological processes, should be open and fully linked to the Internet.
• The introduction of renewable technologies and other de-centralized power and electricity generation technologies could create some additional flexibility in the process of adopting, more vigorously, the digitalized technologies.
• The new political trends, in view of market deregulation, the type of technology, and the operability of technological systems based indeed on fundamental technical laws will require the adoption and recognition of the need for multi-criteria system design and reengineering in the power sector.

nth Order Effects within Critical Infrastructures

[Figure: cascade diagram with columns 1st Order Effect, 2nd Order Effect, 3rd Order Effect. Nodes shown: Cyber Threat, NPP Scram Operation, Power Grid, Power System Disruption, Disruption in Electricity Distribution, Total or Partial Black-out, Rail System, Refinery Oil Delivery, Interruption of Oil Processing, Incapacity of Goods Delivery, Distribution System, Incapacity to Communicate In Time, Aviation Control, Partial Lack of Air Control, Potential Air Collision, Hospitals, Potential Deaths, Insurance Liability, Liabilities, LOF, Irrigation, Water Supply, Agriculture, Crop Losses.]

Governance and Critical Infrastructure

• The need for viable governance strategies for critical infrastructures is simply demonstrated by the series of spectacular infrastructure failures.
• Each critical infrastructure is different: Financial markets, for instance, are based on a different logic and adhere to different rules and principles than emergency services or electricity grids. Whereas some of the critical infrastructures might be relatively straightforward to understand on a limited national level and when looking only at the system itself without considering its outward relations (e.g. electricity grid), others, such as information and telecommunication systems, are themselves a critical infrastructure to other infrastructures.
• There are further complexities in terms of existing governance patterns; the actors of the transportation system, for instance, pursue different goals.
• There is an increasing degree of (horizontal or lateral) dependencies between individual infrastructures (e.g. between transportation systems, gas networks and the electricity grid) as well as cross-border dependencies within and across particular infrastructures, meaning that "minor disturbances can snowball into major disruptions".
• Governance strategies to address vulnerabilities and risks - whether inherent in such systems or threatening them from the outside - vary widely according to individual infrastructures.

Trends in Complexity and Interdependency Management (1)

1. The ubiquity of digitalization in respect to all critical infrastructures is to be considered as a new and revolutionary paradigm. The adoption of digital technologies has made it possible to operate infrastructures at a larger scale and with a much higher level of service quality and reliability.
2. Digitalization seems to be an irreversible trend within the operation, management, control, logistics, and integration of various critical infrastructures.
3. Under the current development of technology, and within the high degree of integration of critical infrastructures, there is no room for a zero risk concept.
4. The human component plays today a decisive role in harmonizing information, interpretation and making decisions on large and vastly distributed systems, e.g. electricity grids. It is proved by the recent blackouts that misinterpretation and wrong/inadequate decisions are potentially attributed to system operators. The human component is going to be more and more replaced by automated process control making use of digitalized technologies.
5. Insularization of some vital sensitive systems (e.g. NPP) is, in principle, possible. The "oyster" design concept for ICS-vital systems is gaining ground with respect to some vital technologies (e.g. NPPs), while for others this design concept is fully abandoned (e.g. communication systems, rail transportation infrastructures).

Changing from Human Operated Systems to Automated and Computerized Systems

Trends in Complexity and Interdependency Management (2)

6. There is a need for a balanced approach between market intervention and risk management.
7. Organizational considerations are crucial in infrastructure behavior. The organizational aspects can be key factors in determining the operational characteristics of infrastructures, exposed to a diversity of threats in a dynamic, ever-changing operational and cultural environment.
8. There is an observed trend that "common mode technology" leads to "common mode failure", and this complicates, or does not allow, sustainable secure system design of digitalized technologies for critical infrastructures. Digitalization induced common cause failure is to be treated systematically and, if possible, at all levels of manifestation, e.g. hardware, software, knowledge processing.
9. Public awareness on critical infrastructure security involves adopting the precautionary principle in view of the acceptability of societal risk.
10. The trends show that one has to integrate a variety of digitalized approaches, from simulation and modeling to sophisticated architectures of highly resilient systems, which finally aims towards a more secure operational environment for sophisticated critical infrastructures.

Trends in Complexity and Interdependency Management (3)

11. Information and knowledge assets within corporations have to be properly evaluated in order to further induce new mechanisms for risk management and decision making.
12. In analyzing some large scale accidents of critical infrastructures (e.g. power systems), one can conclude that, due to the increased complexity and sophistication in running critical infrastructures, insufficient "digitalization" could be a contributor.
13. Distinct critical infrastructures were not initially designed for the present new market behavior and deregulation requirements.
14. Critical infrastructures incorporate technologies of a large variety, with distinct life cycles and life times (from a decade to almost a century), which perform among themselves dynamic interactions and interdependencies.
15. The penetration of digitalized systems into critical infrastructures induces new aspects to people's privacy, and some people, of different ages, argue that this could have influences on the democratic foundations of our modern society at large. ICS, through its process of being embedded into e.g. electricity and transportation systems, is virtually considered to assist (all) new societal changes and the civil society, up to the level of maximum security and minimal costs.

Trends in Complexity and Interdependency Management (4)

16. There is a co-existence of technologies of various ages, and the trend is to shorten the technology generations when it comes to digital systems. In this process of adopting new age technology or state-of-the-art digital products, some incidents could be foreseen due to the need for fine tuning among technologies.
17. A different ergonomic design is needed, together with the knowledge and human capability to cope with the new situations and changes; finally it has to be implemented within the concept of ubiquity of digitalization, and this in the context of changes in parallel with existing operational technology.
18. Taking the assumption that infrastructure failures (e.g. electric power blackouts) cannot be totally avoided, the survival of critical services (e.g. hospitals, water supply, traffic control devices) during an infrastructure outage should be assured. There is a need to clearly identify such critical social "missions" and to develop strategies to keep them performing during an infrastructure outage.
19. When dealing with single type critical infrastructures operating in environments prone to natural disasters (e.g. earthquakes), one has to take into account, in a life cycle mode, the response capabilities in case of natural hazard occurrence. Advanced sensors and digital monitoring systems could put systems into a fail safe mode.

Trends in Complexity and Interdependency Management (5)

20. There is an on-going technological osmosis between originally separated infrastructure systems, which has to be considered as an established pattern within the technology evolution. Thereby, the penetration of digital technologies plays a crucial role.
21. "Near miss" hazard events would have to be more strongly treated and considered when dealing with security of critical infrastructures.
22. Storage vs. just-in-time concepts have to be integrated into a secure/safe overall design of the ICS, in view of production continuity and providing quality services.
23. There exists no owner of critical infrastructure interfaces.
24. There are no robust and available solutions to protect systems of systems, and mainly ICS-electricity system interactions and other vital systems interactions. In spite of the initial common belief that digitalization plays only a minor role in the surety performance of critical infrastructures, our understanding is that digitalization and/or cyber threats could multiply the negative potential consequences in a large number of combinations.
25. There are emerging needs for comprehensive capabilities to address systems of interdependent critical infrastructures, particularly in the areas of in-time policy analysis, real-time crisis assistance, investment and mitigation planning, education and training.

Trends in Complexity and Interdependency Management (6)

26. Critical infrastructure security has to be approached in a manifold manner. Technical, business, operational, and political issues have to be considered jointly, towards increasing the security level.
27. By adopting individual "ISO" type recommendations for individual critical infrastructures, one will end up with the need to adopt ISO type recommendations for handling mainly their interfaces.
28. Security culture for critical infrastructure design, operation, and management is emerging as a topic which has to be professionally handled, while digitalization is becoming a common denominator.
29. In addressing the overall assessment of risk and vulnerability of interdependent critical infrastructures, one should create an awareness that systems could fail, and make it relevant within the design, operation, and reengineering processes.
30. Additional research is needed to apply uncertainty techniques to better understand the infrastructure component restoration processes and linkages with other infrastructures, in assisting the decision making process.

Dealing with an Engineering Economic Problem (1)

• Security Management: Security should become a primary goal when designing complex systems, while economics should play a second role, if one needs to assist first class security in complex systems and networks. The need to integrate various operational control strategies for reasons of security has to become an important and relevant issue.
• Strategic and Technical Management: In dealing with this category of critical infrastructures, the concept of strategic planning could play a substantial role in assuring security functions. Also one can adopt tactical planning, and operational planning, which deals with the hourly loading of the generators in view of supply-demand evaluations and the optimization of the power flow in the grid.
• Pricing: Pricing processes have to change their structure, mainly due to the load management of the grid.

Dealing with an Engineering Economic Problem (2)

• Reliability: There is a need to refocus and give reliability a second priority in the overall design and reengineering (e.g. electricity as a critical infrastructure). There is today a lack of what one could call integrated operational reliability and security related indicators, and these should be fully considered when implementing new rules and standards for security of critical infrastructures.
• On Cross Fertilization Solutions: One should learn from security related practices within other industries, such as aviation. In the USA there are visions that the control of large scale systems (e.g. power transmission grids) could be assisted by satellite technology; this again could be in line with the overall control capabilities in the aviation industry on various levels, where the control of flights is coordinated via satellite. Adopting such a system might have some positive effects on the operational, tactical, and strategic levels, in both industries.
• Need for an Event Scale: There is a need for an Event Scale to monitor the overall system stability (e.g. by a dashboard) in view of aggregated decisions when dealing with stability and market forces integration.
• Call for a Joint Approach: There is a need for a joint approach to concepts such as "System of Systems", due to the increasing size of systems, their complexity and their ambiguity on the way how things can go wrong. This might require a new paradigm in the process of understanding critical infrastructures and their new systems engineering approach, from a different perspective. Digitalization and its ubiquity could be a solution.

Infranomics: A New Working Concept for Interdependent Complex Systems

Approaching Resilient Critical Infrastructures

[Figure: Socionomics, System of Systems, Infranomics, Economics]

Advancements on R & V Modeling

Cluster Analysis and Factor Analysis

• Cluster analysis is a tool that has the purpose of solving classification problems. The aim is to classify what is being investigated into clusters in such a way that the association is strong between "the objects" in the same cluster but weak to objects in other clusters. The cluster analysis can expose links and structures in data that are not evident on first inspection. The result of the cluster analysis can be a classification system (such as for insects, plants, etc.).
• Each cluster thus represents a class of its own. The cluster analysis ought to be most useful in order to group municipal authorities in accordance with certain vulnerability criteria and compare them with each other.
• Factor analysis is a statistical method used to identify a small number of factors that represent situations between interrelated variables. The correlation pattern is stated as latent variables that are called factors. The aim is to identify diffuse observable factors among the clearly observable variables.

Interview, Questionnaire, Expert Assessment and Delphi-panels

• A simple way of finding out the status of the safety work in a municipality is to circulate a questionnaire or to carry out interviews with key persons. A questionnaire can contain ready answer alternatives that afterwards can be assessed with the help of a points key, or there can be open questions for more semi-structured answers. The questionnaires can be used as a basis for accumulating information in order to say something about the overall municipal risk or the local authority's risk management ability.
• In short, a Delphi-panel can be described as a group of experts who each in turn answer a number of common questions. The answers are put together anonymously and the results are then presented officially. The experts then have the possibility of revising their answers several times. The idea is that, together, the experts should reach a consensus on the matters in question without any specific expert's authority dominating the result. The Delphi-model could be used as a model that concerns municipal vulnerability, but perhaps mainly be used as a component in several of the already listed methods/models.

Polar Diagrams

• A polar diagram can present the value of several parameters. When the values are presented, indicators are created that can be compared to each other. The advantage compared, for example, to an ordinary risk matrix is that several factors can be observed at the same time. Polar diagrams can be used to assess and present risks or organizational ability as well as to compare municipal authorities with each other or with a specified target.
• In Holland the polar diagrams have been used in the AMOEBA model. The purpose of this model has been to describe and analyze ecological systems. The aim is to compare today's ecological system with a reference system that is not influenced at all or only on a very small scale. A number of plant and animal species are chosen which are then compared from a variety of aspects (number, health, etc.) in both systems. By letting the origin in the polar diagram be the reference system, it is possible to simply read the difference between the present system and this one. The greater the distance between the two systems, the less vulnerable is the system of today.

The Hierarchical Holographic Modeling and the Infrastructure Risk Analysis Model

• Hierarchical Holographic Modeling (HHM) is a mathematical model that was presented by Haimes (1981). It is aimed at representing within a single model all aspects of a truly large-scale system, including principles like wholeness and hierarchy. It is proposed that this model represents large-scale systems in a holographic view, compared to the planar view of other mathematical models, by the same analogy as in photography.
• HHM has emerged from Hierarchical Overlapping Coordination, which was the result of a water resource systems study also developed by Haimes in 1978. In 1995 Haimes published another paper on the use of HHM for risk identification in complex systems. HHM has been applied elsewhere to software project development (Chittister and Haimes 1993) and global sustainable development (Haimes 1992). More recent application of HHM to risk and vulnerability can be found in Ezell's works (Ezell 2000).
• The two papers serve to introduce the probabilistic Infrastructure Risk Analysis Model (IRAM) developed for a small community's water supply and treatment system in the United States. The paper adopts a holistic approach to model a water infrastructure system's interconnectedness and interdependencies. Borrowing from the HHM philosophy, the authors take a "system perspective". The IRAM consists of four phases. In phase I, one identifies the risks to the infrastructure by decomposing the system, decomposing the infrastructure with respect to:
– Components
– Hierarchical structure
– Function
– State
– Vulnerability

AvestaRisk Management (ARM) and Balanced Scorecards

• From the industry checklists, AvestaRisk Management (ARM) and Balanced Scorecards may serve as good examples when further developing an audit method.
• The Department of Defense (DoD) (Defense Threat Reduction Agency (DTRA)) prepares and publishes annual performance plans for all mission areas using a Balanced Scorecard approach.
• These Balanced Scorecards further define the objectives of the strategic plan and measure progress using the DoD Risk Management Perspectives given in the table.

DoD's Risk Management Framework using Balanced Scorecard Approach:

Switzerland regional vulnerability assessment based on the Swedish Municipal Vulnerability Assessment (MVA) model

Switzerland regional vulnerability assessment output for cantons

MCDM and QVA (1)

• The methodology to derive an index as a basis for decision making follows the Multiple Attribute Decision Making (MADM) approach.
• Quantitative Vulnerability Analysis (QVA), named as an MCDM tool, is a method to diagnose the current vulnerability of a complex system featuring large numbers of indicators, both internal and external, as well as to dynamically monitor the time-evolution of the vulnerability.

MCDM and QVA (2)

• In order to quantify the vulnerability of critical infrastructures, QVA brings some new concepts, briefly described below.
i. Every multi-component system can be modeled with multi-indicators and can be in two states, either operable or inoperable.
ii. Parameters are divided into two subcategories, internal and external indicators.
iii. A new Vulnerability Scale is introduced in order to create a Vulnerability Index.

MCDM and QVA (3)

• To complete the model description two assumptions were made.
• Assumption 1: An operational definition of vulnerability adopts the emergent, consensual understanding of vulnerability as a system's virtual openness to lose its design functions, and/or structural integrity, and/or identity under the combined interplay of two sets of factors:
– U: Risk-featuring factors. The U-factors are named fast variables or internal indicators and cover features of the system.
– V: Management response-featuring factors. The V-factors are named slow variables or external indicators and cover influences that affect the system's functions.
• All factors are supposed to be eventually quantifiable by appropriate indicators.

MCDM and QVA (4)

• Assumption 2: These factors or indicators may be aggregated using fuzzy sets so that two indicators, the U factor and the V factor, may be obtained. U and V are membership functions of the fuzzy set theory approach to impact indicators (Christen et al. 1995).
• Assumption 3: Once U and V are determined, it is assumed that these make the aggregated control variables of a two-state, multicomponent system (see next section). In consideration of their nature, the membership fractions in the two-state system can be obtained on certain assumptions on the probabilities of individual transitions between the two states. The behavior of such a system is a textbook matter in statistical physics, covering macroscopic properties, stability issues and phase transitions in such systems as e.g. the binary alloys, the ferromagnets, and other order–disorder phenomena, where the archetype is known as the Ising Model. Though no exact solution is available, the Bragg–Williams approximation to the solution is adopted.

MCDM and QVA (5)

• The interplay of the actual, 'physical', and potentially numerous system indicators will result in variations of the aggregated parameters U and V, which in turn will drive the system 'state' in and out of a region of instability. In a conventional sense, an operable system may thereby appear as:
– Stable, and thereby featuring a low vulnerability, or
– Unstable, and thereby featuring a high vulnerability, or
– Critically unstable/vulnerable; beyond these, the system may only be found inoperable.
• Assumption 4: In consideration of the above, a 'Vulnerability Scale' (V scale on 0–100) may be defined, based on the assessment of the system state in the (U, V)-space.
• Since no analytic solution for the equation of the cusp line is readily available, the distance D is actually evaluated up to the Bezier interpolation of a sufficient number of (U, V) knots on the cusp.
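The following is an added worked example (not code from the slides or from QVA's authors) of the Vulnerability Scale described in Assumptions 1 to 4: indicators are aggregated into U and V, the cusp (spinodal) line of the Bragg–Williams two-state model is sampled into knots, and the 0–100 index is derived from the distance D of the system state to that line. The aggregation rule, the reading of U as the field-like and V as the temperature-like control variable (with the cusp point at V = 1), the polyline in place of the Bezier interpolation, and the scale thresholds are all assumptions of this example.

```python
"""QVA Vulnerability Scale on the (U, V)-plane of a Bragg-Williams two-state model.

Assumptions (not given on the slides): indicator grades in [0, 1] are aggregated
by a weighted mean; U (risk, fast variable) plays the role of the external field
and V (management response, slow variable) the role of the reduced temperature,
scaled so the cusp point sits at V = 1; the cusp line is approximated by a
polyline through sampled knots rather than a Bezier curve; the 0-100 scale is
linear in the distance D and saturates at D0 = 0.5.
"""
import math


def fuzzy_aggregate(grades, weights):
    """Aggregate membership grades in [0, 1] into one factor (weighted mean)."""
    if not grades or len(grades) != len(weights):
        raise ValueError("grades and weights must be non-empty and of equal length")
    if any(not 0.0 <= g <= 1.0 for g in grades):
        raise ValueError("membership grades must lie in [0, 1]")
    return sum(g * w for g, w in zip(grades, weights)) / sum(weights)


def spinodal_field(v):
    """|U| at which a metastable state loses stability, for reduced temperature v < 1.

    From the mean-field self-consistency m = tanh((m + U) / v) one gets
    U(m) = v*atanh(m) - m, whose turning point dU/dm = 0 lies at m^2 = 1 - v.
    """
    if v >= 1.0:
        return 0.0            # above the cusp point only a single state exists
    m = math.sqrt(1.0 - v)
    return m - v * math.atanh(m)


def cusp_knots(n=200):
    """Knots (V, +U) along the upper branch of the cusp, ending at the tip (1, 0)."""
    knots = [(i / n, spinodal_field(i / n)) for i in range(1, n)]
    knots.append((1.0, 0.0))
    return knots


def inside_cusp(u, v):
    """True when (U, V) lies in the bistable region, where the system can flip state."""
    return v < 1.0 and abs(u) < spinodal_field(v)


def _point_segment_distance(px, py, ax, ay, bx, by):
    dx, dy = bx - ax, by - ay
    denom = dx * dx + dy * dy
    t = 0.0 if denom == 0 else max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / denom))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


def cusp_distance(u, v, knots=None):
    """Distance D from (U, V) to the cusp line; both the +U and -U branches are used."""
    knots = knots or cusp_knots()
    best = math.inf
    for (v0, u0), (v1, u1) in zip(knots, knots[1:]):
        for sign in (1.0, -1.0):
            best = min(best, _point_segment_distance(v, u, v0, sign * u0, v1, sign * u1))
    return best


def vulnerability_index(u, v, d0=0.5):
    """V-scale on 0-100: 100 inside the cusp (inoperable), falling linearly with D outside."""
    if inside_cusp(u, v):
        return 100
    return round(100 * max(0.0, 1.0 - cusp_distance(u, v) / d0))


def classify(index):
    """Map the index onto the three conditions of the slide (thresholds assumed)."""
    if index >= 100:
        return "critically unstable"
    return "unstable" if index >= 50 else "stable"


if __name__ == "__main__":
    # Constructed indicator grades: three risk (U) and two response (V) indicators.
    u = fuzzy_aggregate([0.2, 0.6, 1.0], [1, 1, 2])   # 0.7
    v = fuzzy_aggregate([0.4, 0.6], [1, 1])           # 0.5
    idx = vulnerability_index(u, v)
    print(f"U={u:.2f} V={v:.2f} D={cusp_distance(u, v):.3f} index={idx} ({classify(idx)})")
```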

Quantitative Risk Analysis (QRA), Probabilistic Risk Analysis (PRA)

• A QRA may be useful for quantifying the risks that exist in a factory plant and which threaten people inside or outside the plant. Measures of risk for both the individual and society can be calculated. QRA or PRA can be an adequate method in order to assess parts of the vulnerability.
• It is generally used as a part of vulnerability assessment studies.
• In a PRA, one tries more thoroughly to investigate the factors that cause the event and to concentrate more on analyzing the event, using event and fault tree analysis.
• Inclusion of human factors in quantitative risk analysis is done by use of human reliability analysis (HRA) techniques. However, HRA methods experience some drawbacks, which lead to uncertainties in human error probabilities. These limitations lead to uncertainty in QRA results.

Risk Profiles and Risk Maps

• A risk profile is a document that provides a summary of relevant information on a specific food safety issue. Each profile is intended to be a tool that allows risk managers to make decisions about how to manage the food safety issue. It is a widely used and increasingly accepted tool for risk assessment.
• The New Zealand Ministry of Health is using this tool to assess the risk coming out of the food people eat. Risk profiling is also becoming part of an internationally accepted approach to risk assessment, under the auspices of the Codex Alimentarius Commission.

Risk Profiles and Risk Maps Database (1)

• Risk profiles show the risk scenario in a simple way that is easy to survey in diagram form, with the probability that a certain accident (often measured as an economic consequence) will or will not occur. The risk profile informs the overall process and provides input into ranking the safety issue for risk management. It is widely used in the United Nations Development Programme (UNDP), Bureau for Crisis Prevention and Recovery (BCPR) - Disaster Reduction Unit (DRU) global report on "Reducing Disaster Risk: A Challenge for Development", as shown in the Figure.

Figure: Risk Profile for earthquakes showing people killed by earthquakes between the years 1980 and 2000.

Risk Profiles and Risk Maps Database (2)

• Increasing awareness activities of organizations such as Civil Defense have been undertaken. The risk maps developed are used as orientation tools to take decisions on risk management as a multidisciplinary dimension of development that transcends the aspects of preparedness and emergency response, and that needs to involve social actors and institutions that go beyond the first-response agencies.

Figure: Relative Vulnerability for Earthquakes, 1980–2000

GIS based Vulnerability/Risk analysis with Modeling and Simulation (1)

• GIS based vulnerability and risk assessments are becoming much more popular and in demand. Especially in emergency situations, tools for rapid production of response information are paramount. Since the commercialization and popularization of easy-to-use computer programs like GoogleEarth® are increasing, GIS based modeling and simulation techniques will be on the front lines. Previously created simulations are now integrating much more real geographical data.
• For example, in a study conducted in Nigeria, Miller and Onwuteaka created a model that evaluates the potential risk of oil spills from existing oil facilities (vulnerability is modeled as a suitability surface) and refined hydrocarbon shipping lanes. It was an attempt at characterizing the significance of the risk of oil spill to the landscape. Vulnerability is thought of as the interaction of the aggregate risk of oil spills with an Environmental Sensitivity Index (ESI) surface. Vulnerability may be expressed by the following formula: Vulnerability = Risk Surface x ESI Sensitivity, so that the Figure can be constructed.

GIS based Vulnerability/Risk analysis with Modeling and Simulation (2)

• One of the strengths of GIS is the potential to combine information in different layers in different ways, which makes it possible to easily and quickly look at the vulnerability problem from different angles.
• To address the need for simulation, the Critical Infrastructure Protection Decision Support System (CIPDSS) project, funded by the Department of Homeland Security Science and Technology Directorate (DHS S&T), has developed a decision support tool that provides insights to help decision makers make risk-informed decisions.

GIS based Vulnerability/Risk analysis with Modeling and Simulation (3)

• With the addition of a disease progression simulation, the CIPDSS tool has the ability to provide a high-level, integrated analysis of a pandemic influenza outbreak while representing the impact on critical infrastructures. Fair et al. developed a simulation model that shows the time-dependent evolution of a disease. This model can be calibrated to prior data or to other higher fidelity models as appropriate (Fair et al. 2002).
• Games/simulations are a well-developed method used by a wide number of organizations in order to test an organization's ability. A central question is how the result of a game is to be assessed. There is a need for some form of measure and measurement tool. Measurements could be made up of well-chosen indicators. The method is presumably most suitable for testing an organization's ability as well as for comparing different municipal abilities with each other (Nilsson et al. 2000).

Actor-Based Modeling and Simulation

Theoretical Background and Capabilities
• Each physical, logical or functional entity in an infrastructure is modeled by a smart software "actor" whose attributes simulate the corresponding real-world behavior and operational characteristics.
• The connections within or between infrastructures are represented by connections between these relevant actors. Every single infrastructure or multiple infrastructures that can be represented in terms of a dependency graph can be modeled using this actor-based representation.
• Agents are computer programs (software agents) that engage in dialogs; they negotiate and coordinate the transfer of information. This requires both sensing and acting, while dialoging requires communication.
• The outstanding capability of this method is to model the dynamic and complex behavior and interactions of multiple different infrastructures from a holistic "system of systems" perspective. Extreme and rare events for which appropriate experience is lacking can be simulated realistically.
• In addition, agents can also model the effects of decision and policy makers upon infrastructure operations.

Dynamic Simulations
• The generation, distribution and consumption of infrastructure commodities and services are modeled as flows and accumulations.
• The dynamic simulation integrates infrastructure interdependencies as flows of commodities among multiple infrastructures.
• Effects of policies, regulations and laws upon infrastructure operations can be studied.

Physics-Based Models
• Infrastructure systems are described with standard engineering techniques and associated models. For example, power flow and stability analyses can be performed on electric power grids, and hydraulic analyses can be used with pipeline systems.
• These models provide highly detailed information, down to the component level, on the operational state of the infrastructure.

Leontief Input-Output Models
• The Leontief input-output model is a framework for studying the equilibrium behavior of an economy and provides a forecast of effects on one economic segment due to changes in another.
• This model can be applied to infrastructure studies, whereby infrastructure components are subject to independent risks of failure.
• Infrastructure interdependencies are captured through Leontief's production coefficients, which represent the probability of an interconnected component propagating inoperability to another component.
• The risk of inoperability in interconnected infrastructures, as a result of one or more failures subject to risk management resource constraints, can be assessed, and an understanding of failure propagation among interdependent infrastructures can be further examined.
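As an added worked example (not from the lecture), the inoperability form of the Leontief model on three constructed sectors: the equilibrium inoperability q solves q = A*q + c*, where A* holds the propagation coefficients described above and c* is the perturbation a hazard imposes directly. Sector names, coefficients and the storm scenario are assumptions for illustration.

```python
"""Inoperability input-output model (IIM) for interdependent infrastructures.

Constructed example: a_star[i][j] is the fraction of sector j's inoperability
that is transmitted to sector i (the propagation coefficient of the slide),
c_star[i] is the inoperability a hazard imposes on sector i directly, and q is
the resulting equilibrium inoperability (0 = fully operational, 1 = fully down).
Sector names and coefficient values are assumptions for illustration.
"""
from typing import List, Sequence

SECTORS = ["power", "water", "telecom"]

# Row i lists how much of each other sector's inoperability spills into sector i.
A_STAR: List[List[float]] = [
    [0.0, 0.0, 0.2],   # power depends on telecom (dispatch, SCADA links)
    [0.4, 0.0, 0.1],   # water pumping depends on power and a little on telecom
    [0.3, 0.0, 0.0],   # telecom sites depend on power
]


def propagate_inoperability(a_star: Sequence[Sequence[float]],
                            c_star: Sequence[float],
                            tol: float = 1e-12,
                            max_iter: int = 100_000) -> List[float]:
    """Solve q = A* q + c* by fixed-point iteration.

    Starting from the direct perturbation c*, each round adds one more hop of
    propagation (q = c* + A*c* + A*A*c* + ...). Components are clipped to 1.0
    because inoperability is a fraction; with a spectral radius of A* below 1
    the result is the linear IIM solution, beyond that sectors saturate at 1.0.
    """
    n = len(c_star)
    q = [min(1.0, max(0.0, c)) for c in c_star]
    for _ in range(max_iter):
        q_next = [min(1.0, c_star[i] + sum(a_star[i][j] * q[j] for j in range(n)))
                  for i in range(n)]
        if max(abs(q_next[i] - q[i]) for i in range(n)) < tol:
            return q_next
        q = q_next
    raise RuntimeError("no equilibrium within max_iter; check A* for negative entries")


def economic_loss(q: Sequence[float], output: Sequence[float]) -> List[float]:
    """Loss per sector = inoperability fraction x nominal output (assumed units)."""
    return [qi * xi for qi, xi in zip(q, output)]


if __name__ == "__main__":
    # Hazard scenario (constructed): a storm takes half of the power sector down.
    c_star = [0.5, 0.0, 0.0]
    q = propagate_inoperability(A_STAR, c_star)
    for name, direct, total in zip(SECTORS, c_star, q):
        print(f"{name:8s} direct={direct:.3f} equilibrium={total:.3f}")
```

The telecom-to-power feedback loop lifts the power sector above its direct 0.5 perturbation, which is exactly the cascading effect the risk-management resource constraints must be weighed against.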

Network Topology Design Models
• In the field of communication network engineering a large number of theoretical models and techniques have been developed aiming at the design of robust network topologies, which can be found in an extensive field of literature.
• For the quantification of network vulnerability and survivability there are three main approaches: the statistical approach, the deterministic approach and a combination of both techniques.
• The statistical approach comprises reliability calculations aiming at the assessment of quantities such as mean time between failures (MTBF) or mean time to repair (MTTR).
• Deterministic approaches are for instance graph theoretic calculations offering various measures of network vulnerabilities.
• Some commonly used measures are the cardinality of cutsets (i.e. the minimum number of links or nodes whose removal disconnects a part of the network), the minimum number of link-disjoint and/or node-disjoint paths from one node to another, the size and/or number of disconnected fragments due to link cuts, and the minimum connectedness of a network.
• The mentioned techniques primarily assess the vulnerability of network topologies to random or accidental failures.
• For the quantification of vulnerabilities to malicious and calculated attacks, new graph based methodologies are being developed.

Hybrid Approaches
• The different model and simulation approaches, with their different pros and cons as to simplifications, assumptions and data requirements, could be merged into a hybrid approach depending on the specific requirements.
• However, simulation tools integrating multiple models are only beginning to be developed and will take time to mature.
• Other models are dedicated to Quantitative Vulnerability Assessment (QVA) for critical infrastructures, and mainly integrate continuous with discrete indicators and behavioral types into a hybrid approach.

Outlook for Novel Systemic Approaches (1)
• System of Systems: A new science known as the System of Systems, to deal with interdependencies among critical infrastructures, is emerging, and it will have consequences on how to approach, model and decide on security, risk and vulnerability of individual critical infrastructure technologies or a combination of any of them, e.g. ICS and electricity generation, transmission and distribution.

Outlook for Novel Systemic Approaches (2)
• Multidimensional Indicators: There is a need for a contemporary vision of using multidimensional indicators for modeling and monitoring the dynamic behavior of critical infrastructures.
• Epidemic Models: The evolution of digitalization in time and space (with respect to all other vital systems) is today comparable with the evolution and life of living systems. Thus epidemic models from biological systems might have methodological impact and could be of practical use for the ongoing modeling efforts of the evolution of ICS and their interactions with other vital systems for achieving "safe" living behavior.

Outlook for Novel Systemic Approaches (3)
• Metric for Digitalization: There is a need to address the process to build up a metric for digitalization. Indicators to understand the risk and vulnerability of critical infrastructures in view of digitalization capabilities must be part of the process of building up such a metric.
• Chaos Models: Recent attempts to understand the complex interface behavior between critical infrastructures lead to the use of, inter alia, chaos theory and strange attractors, and to the need for the treatment of entities such as critical infrastructures as "production systems", providing services and exchanging values and information.

Outlook for Novel Systemic Approaches (4)
• Dynamic Modeling: Infrastructure dynamics span a vast temporal range. Relevant timescales of interest vary from milliseconds (e.g. power system operation) to hours (e.g. gas, water, and transportation system operations) to years (e.g. infrastructure upgrades and new capacity). Timescales have substantial implications for models and simulations, given that certain time related infrastructure characteristics and interdependencies might not be relevant for a specific analysis.
• Measuring Connectivity: Considering connectivity as an important concept in critical infrastructure interactions, there are two possible interpretations of the meaning of the internal connectivity of a system: benign and cautious. Benign interpretation: the more extensive and multifunctional the exchanges between a system's constituents, the better; the system is "functional", "active". Cautious interpretation: an inherent defect (e.g. a short circuit in the control room of a nuclear power plant) initiated at one specific knot in the system has higher chances to propagate throughout the system, thus having the potential to impair larger system segments.
• Resilience and Robustness: Robustness and resilience concepts have recently been introduced and formalized in order to address issues of system vulnerability in case of complexity, stability and structural changes, or other relevant socio-engineering indicators which one could attach to the concepts of risk, vulnerability, and their quantitative assessment.

Issues in Review

Relationship Between Risk and Vulnerability (1)
• In the book named "At Risk" [Wisner, 2004], a pressure and release (PAR) model is introduced to show the relationship between risk and vulnerability. The basis for the PAR idea is that a disaster is the intersection of two opposing forces: those processes generating vulnerability on one side, and the hazard event on the other. The image resembles a nutcracker, with increasing pressure on systems arising from either side, from their vulnerability and from the impact (and severity) of the hazards for those systems. A modified version of the original PAR model can be seen in the Figure.
Figure: Pressure and Release (PAR) model: the progression of vulnerability

Relationship Between Risk and Vulnerability (2)
• But the PAR model does not provide a detailed and dynamically informed analysis of the relationship between risk and vulnerability. A new framework has been proposed to depict this. The name of this framework is the HVSR model (hazards to a vulnerable system result in risks).
Figure: The HVSR model shows the relationship between risk and vulnerability

Differences Between Risk and Vulnerability (1)
• Difference in analysis object: Risk assessment, as an impact assessment, selects a particular stress (or threat, hazard) of concern, and seeks to identify its important consequences for a variety of system properties. Vulnerability analysis and assessment, in contrast, select a particular system or component of concern, and seek to examine why specific adverse outcomes come to that system (component) in the face of a variety of stressors (or threats, hazards) and to identify a range of factors that may affect response capacity and adaptation to stressors (or threats, hazards). It is obvious that the risk focus is on hazard analysis, but the main analysis object of vulnerability is the system per se. Vulnerability describes inherent characteristics of a system that create the potential for harm but are independent of the risk of occurrence of any particular hazard.
Figure: Risk assessment objective / Vulnerability assessment objective

Differences Between Risk and Vulnerability (2)
• Difference in analysis scope: Traditional risk analysis for man-made systems is mainly limited to accidental events taking place within the physical boundaries of the system, and the threats are often limited to technological hazards within these boundaries. In some risk analyses, environmental threats are partly covered. The actions to mitigate, restore and restart the activities after an accident are normally not part of a risk analysis. In a vulnerability analysis we work with open system models, where risk factors both inside and outside the physical boundaries of the system are taken into account. In fact, a major part of the accidental events that are relevant for a vulnerability analysis will be caused by external threats, such as cyber attack. A detailed causal analysis of these events will in many cases not be worthwhile, since we often will not be able to influence these threats. The only defense will often be to install barriers and make the system more robust against the threats. A vulnerability analysis focuses on the whole disruption period until a new stable situation is obtained. All activities to restore and restart are therefore included in the analysis.
• Difference in emphasis: The focal point of vulnerability analysis is the survivability of the system; if the system can survive the hazards, there is not much risk any more. The goal of risk analysis, in contrast, is to investigate and understand all concerned risks and provide information for decision-making about resource allocation. Proper resource allocation can reduce system vulnerability, and by deliberate actions, correspondingly, reducing system vulnerability can reduce system risk.

Questions & Answers

Q&A
• Question 1: What is the current state relating to schools of thought on critical infrastructures?
– Answer: The most prominent activities are taking place in the United States of America, particularly within the National Laboratories (e.g. Argonne, Los Alamos, Sandia, Oak Ridge). In Japan such work is under the heading of socio-technical systems; intensive research activities are sponsored by the Ministry of Education and Science and implemented within the University of Tokyo and University of Kyoto. In Australia and New Zealand local governments, assisted by consulting companies and universities, initiated case studies on risk and vulnerability on a regional scale. In Europe activities have recently been initiated by the EC under the coverage of FP 6 and they will be augmented in FP 7.

Q&A
• Question 2: Should the markets only shape the security profile for critical infrastructures?
– Answer: Markets can play a role in assuring security of vital systems in various ways and by using specific market mechanisms. They have to be fully harmonized with the technical and system characteristics of the critical infrastructures under consideration.

Q&A
• Question 3: Are there control mechanisms to guarantee higher security for critical infrastructures?
– Answer: By adopting an open system of systems design platform one could create the framework for addressing the problematic of complexity, interdependency and economics of socio-technical systems. The cybernetic approach and way of thinking could play a significant role in re-engineering existing critical infrastructures and designing new generations of new technologies. Digitalized systems are instrumental in assisting feedback mechanisms and controlling efficient operation and management.

Q&A
• Question 4: Is the public sufficiently aware of the potential negative problematic induced by the ubiquity of digitalized systems?
– Answer: The public is getting more and more involved in taking benefit from a large variety of digital technologies. Debates related to risk and vulnerability of the associated supporting critical infrastructures are being initiated in the U.S., Europe, Japan and in Australia and New Zealand. The current opinion among scientists is divided in respect to digitalization induced risks on critical infrastructures. On the other side, managers of single type critical infrastructures hope that by taking a classical engineering approach to safety and security they will avoid accidents and blackouts. Trends indicate that new public-private partnerships should be put in place in order to achieve a high level of security culture and an understanding, beyond words, of the complexity of critical infrastructures.

Q&A
• Question 5: What is the overall aim of risk governance strategies in relation to critical infrastructures?
– Answer: Although the general rules of risk governance are being discussed and established at the international level (e.g. the EC White Paper on Governance), and IRGC has an active role through its TAXGOV project, special work should be carried out to translate general principles into risk and vulnerability management of single type or interdependent critical infrastructures. Because, in practical terms, there is no owner of critical infrastructure interfaces, new principles of managing interdependencies should be introduced to avoid cascading accidents.

Q&A
• Question 6: How does the current trend of increasing size and complexity of critical infrastructure influence the overall concept of security?
– Answer: The emerging complex and non-linear behavior of interdependent critical infrastructures is forcing us to redefine the concept of security in relation to operational principles such as safety, reliability and economics.
