A method for risk modeling of interdependencies in critical infrastructures

https://doi.org/10.1016/j.ress.2010.12.006Get rights and content

Abstract

Failures in critical infrastructures may be hazardous to population, economy, and national security. There can be strong interdependencies between various infrastructures, but these interdependencies are seldom accounted for in current risk and vulnerability analyses. To reduce probability and mitigate consequences of infrastructure failures, these interdependencies have to be assessed. The objective of this paper is to present a method for assessing interdependencies of critical infrastructures, as part of a cross-sector risk and vulnerability analysis. The method is based on a relatively simple approach applicable for practitioners, but may be extended for more detailed analyses by specialists. Examples from a case study with the Emergency Preparedness Group of the city of Oslo, Norway, are included.

Introduction

Critical infrastructures are technological networks, such as energy supply, transport services, water supply, oil and gas supply, banking and finance, and ICT (information and communication technology) systems [1], [2]. These systems are important to maintain essential functions of society, and infrastructure failures can cause serious harm to population, economy, and national security. Critical infrastructures interact at different levels, and failure in one infrastructure may impact the functionality of other infrastructures [3]. The significant societal importance of these infrastructures and their entanglements means that sufficient safety and security measures should be identified to reduce the risks of failure [4], [5].

In the early 1990s, a simple approach to quantitative risk analysis was developed in Norway, called Risk and Vulnerability Analysis (RVA; in Norwegian, ROS—“Risiko- og Sårbarhetsanalyse”), [6], which is rather similar to Preliminary Hazard Analysis (PHA) [7]. Risk analysis methods, like Probabilistic Safety Analysis (PSA) and Quantitative Risk Analysis (QRA), comprise detailed probabilistic and physical models. Such models require more knowledge and resources than normally available in small/medium enterprises and the public sector, and the RVA has become a frequently applied approach. During the last two decades, the RVA has been applied for various critical infrastructures separately, but not as a unified approach across sectors, including interdependencies between the various infrastructures.

The objective of this paper is to present a method for modeling and assessing interdependencies between critical infrastructures, as part of an overall cross-sector extended RVA developed in the DECRIS project [8]. The paper builds on a simplified approach that was presented in Ref. [9], but explains and discusses the method more thoroughly, and introduces more advanced calculations of risk. The method is illustrated by examples from a case study of the city of Oslo, Norway. The case study was carried out in cooperation with the Emergency Preparedness Group (EPG) in Oslo. The EPG is an organization working with safety and cooperation between the critical infrastructure owners of water supply, electricity supply, ICT, hospital, harbor, transportation, and fire and rescue services in the municipality. Previous RVA-analyses of Oslo [10], [11] were used as a basis for the case study. The results are now being used as input to the work on societal risk carried out by the EPG of Oslo, and as basis in the planning of future research projects.

The structure of the paper is as follows. Section 2 gives a short overview of terms, characteristics, and some approaches to interdependency analysis suggested in the literature. The purpose is to clarify some important issues related to the proposed approach in the present paper, but not to give the reader a total overview of all existing methods. Section 3 describes the suggested approach to analyzing interdependencies as part of an overall risk analysis of critical infrastructures. Section 4 presents the discussions and conclusions.

Section snippets

Types of interdependency analyses

There are different ways of defining and characterizing interdependencies. Sometimes it may be useful to distinguish between dependencies and interdependencies. Setola et al. [3] use direct dependencies, which are relatively easy to identify, model, and analyze, and interdependencies, which are mutual dependencies that may be dangerous, but hard to understand. Rinaldi et al. [1] define interdependencies between infrastructures as a bidirectional relationship and dependencies as unidirectional.

Method for modeling and analysis of infrastructure interdependencies

An extended cross-sector RVA for critical infrastructure [9], [21] consists of the following two phases:

  • Phase 1—a standard RVA, identifying and analyzing hazardous events. This is rather similar to a preliminary hazard analysis (PHA) [7], and risk is usually assessed using risk matrices. Also a risk screening is carried out to identify the hazardous events for which more detailed analyses are carried out.

  • Phase 2—detailed analysis of selected hazardous events, e.g. to analyze interdependencies.

Discussion and conclusions

This paper describes a method to analyze interdependencies as part of a cross-sector RVA of critical infrastructures. A case study of Oslo (the culvert at Oslo Central Station) has been used to exemplify the approach. Analysis of interdependencies must be an integral and essential part of RVA.

With respect to the culvert event, there was redundancy of the electricity cables, but the two cables were put into the same culvert and therefore both affected by the fire. The cascading effects of the

Acknowledgements

We would like to thank the other participating partners of the research project DECRIS (Risk and Decision Systems for Critical Infrastructures). The research project is part of the SAMRISK program funded by the Norwegian Research Council. We would also like to acknowledge the Emergency Preparedness Group, and especially the Emergency Planning Agency of Oslo for their engagement in the case study. Last, but not least, we would like to thank an anonymous reviewer for valuable input to the

References (28)

  • 〈http://www.sintef.no/Projectweb/SAMRISK/DECRIS/〉 [accessed...
  • Utne IB, Hokstad P, Vatn J. A method to modeling interdependencies in risk analysis of critical infrastructures. In:...
  • Sklet S, Tinmannsvik RK, Øien K. Safety and emergency preparedness in Oslo municipality (In Norwegian: Sikkerhet og...
  • SAFETEC. Oslo municipality, Emergency Planning Agency, main report, Update of RVA analysis (In Norwegian: Oslo kommune,...
  • Cited by (0)

    View full text