A method for risk modeling of interdependencies in critical infrastructures
Introduction
Critical infrastructures are technological networks, such as energy supply, transport services, water supply, oil and gas supply, banking and finance, and ICT (information and communication technology) systems [1], [2]. These systems are important to maintain essential functions of society, and infrastructure failures can cause serious harm to population, economy, and national security. Critical infrastructures interact at different levels, and failure in one infrastructure may impact the functionality of other infrastructures [3]. The significant societal importance of these infrastructures and their entanglements means that sufficient safety and security measures should be identified to reduce the risks of failure [4], [5].
In the early 1990s, a simple approach to quantitative risk analysis was developed in Norway, called Risk and Vulnerability Analysis (RVA; in Norwegian, ROS—“Risiko- og Sårbarhetsanalyse”), [6], which is rather similar to Preliminary Hazard Analysis (PHA) [7]. Risk analysis methods, like Probabilistic Safety Analysis (PSA) and Quantitative Risk Analysis (QRA), comprise detailed probabilistic and physical models. Such models require more knowledge and resources than normally available in small/medium enterprises and the public sector, and the RVA has become a frequently applied approach. During the last two decades, the RVA has been applied for various critical infrastructures separately, but not as a unified approach across sectors, including interdependencies between the various infrastructures.
The objective of this paper is to present a method for modeling and assessing interdependencies between critical infrastructures, as part of an overall cross-sector extended RVA developed in the DECRIS project [8]. The paper builds on a simplified approach that was presented in Ref. [9], but explains and discusses the method more thoroughly, and introduces more advanced calculations of risk. The method is illustrated by examples from a case study of the city of Oslo, Norway. The case study was carried out in cooperation with the Emergency Preparedness Group (EPG) in Oslo. The EPG is an organization working with safety and cooperation between the critical infrastructure owners of water supply, electricity supply, ICT, hospital, harbor, transportation, and fire and rescue services in the municipality. Previous RVA-analyses of Oslo [10], [11] were used as a basis for the case study. The results are now being used as input to the work on societal risk carried out by the EPG of Oslo, and as basis in the planning of future research projects.
The structure of the paper is as follows. Section 2 gives a short overview of terms, characteristics, and some approaches to interdependency analysis suggested in the literature. The purpose is to clarify some important issues related to the proposed approach in the present paper, but not to give the reader a total overview of all existing methods. Section 3 describes the suggested approach to analyzing interdependencies as part of an overall risk analysis of critical infrastructures. Section 4 presents the discussions and conclusions.
Section snippets
Types of interdependency analyses
There are different ways of defining and characterizing interdependencies. Sometimes it may be useful to distinguish between dependencies and interdependencies. Setola et al. [3] use direct dependencies, which are relatively easy to identify, model, and analyze, and interdependencies, which are mutual dependencies that may be dangerous, but hard to understand. Rinaldi et al. [1] define interdependencies between infrastructures as a bidirectional relationship and dependencies as unidirectional.
Method for modeling and analysis of infrastructure interdependencies
An extended cross-sector RVA for critical infrastructure [9], [21] consists of the following two phases:
- •
Phase 1—a standard RVA, identifying and analyzing hazardous events. This is rather similar to a preliminary hazard analysis (PHA) [7], and risk is usually assessed using risk matrices. Also a risk screening is carried out to identify the hazardous events for which more detailed analyses are carried out.
- •
Phase 2—detailed analysis of selected hazardous events, e.g. to analyze interdependencies.
Discussion and conclusions
This paper describes a method to analyze interdependencies as part of a cross-sector RVA of critical infrastructures. A case study of Oslo (the culvert at Oslo Central Station) has been used to exemplify the approach. Analysis of interdependencies must be an integral and essential part of RVA.
With respect to the culvert event, there was redundancy of the electricity cables, but the two cables were put into the same culvert and therefore both affected by the fire. The cascading effects of the
Acknowledgements
We would like to thank the other participating partners of the research project DECRIS (Risk and Decision Systems for Critical Infrastructures). The research project is part of the SAMRISK program funded by the Norwegian Research Council. We would also like to acknowledge the Emergency Preparedness Group, and especially the Emergency Planning Agency of Oslo for their engagement in the case study. Last, but not least, we would like to thank an anonymous reviewer for valuable input to the
References (28)
Critical infrastructures at risk: a need for a new conceptual approach and extended analytical tools
Reliability Engineering and System Safety
(2008)- et al.
Critical infrastructure dependency assessment using the input-output inoperability model
International Journal of Critical Infrastructure Protection
(2009) - et al.
Identification of critical locations across multiple infrastructures for terrorist actions
Reliability Engineering and System Safety
(2007) - et al.
Application of the fault tree analysis for assessment of power system reliability
Reliability Engineering and System Safety
(2009) - et al.
Randomized flow model and centrality measure for electrical power transmission network analysis
Reliability Engineering and System Safety
(2010) - et al.
Identifying, understanding, and analyzing critical infrastructure interdependencies
IEEE Control Systems Magazine
(2001) - et al.
The state of the art in critical infrastructure protection: a framework for convergence
International Journal of Critical Infrastructures
(2008) - et al.
High-level modelling of critical infrastructures’ interdependencies
International Journal of Critical Infrastructures
(2009) - DSB. Guidelines for community risk and vulnerability analyses (Veileder for kommunale risiko- og sårbarhetsanalyser (in...
Hazard analysis techniques for system safety
(2005)