Question

Explain Risk management and risk analysis and their relationship to critical infrastructure protection.

Answer 1

Effective risk assessment methodologies are the cornerstone of a successful Critical Infrastructure

Protection programme. The extensive number of risk assessment methodologies for critical infrastruc-

tures clearly supports this argument. Risk assessment is indispensable in order to identify threats, assess

vulnerabilities and evaluate the impact on assets, infrastructures or systems taking into account the prob-

ability of the occurrence of these threats. This is a critical element that differentiates a risk assessment

from a typical impact assessment methodology.

There is a significant number of risk assessment methodologies for critical infrastructures. In gen-

eral the approach that is used is rather common and linear, consisting of some main elements: Identifica-

tion and classification of threats, identification of vulnerabilities and evaluation of impact. This is a well

known and established approach for evaluating risk and it is the backbone of almost all risk assessment

methodologies.

However, there is a huge differentiation of risk assessment methodologies based on the scope of the

methodology, the audience to which it is addressed (policy makers, decision makers, research institutes)

and their domain of applicability (asset level, infrastructure/system level, system of systems level). These

attributes are not mutually exclusive, in the sense that the domain of applicability defines to a certain

extent the target group of the methodology. For example, a risk assessment methodology that is applicable

to system of systems at national or even supranational level is mostly addressed to policy makers and

relevant authorities and less to operators or to asset managers at local level.

Methodologies developed for certain assets are well defined, tested and validated and the vast ma-

jority follows the linear approach already mentioned. However, methodologies that aim at assessing risksat a higher level e.g. networked systems require further refinement. Detailed risk assessment is not ap-

plicable any more and a certain level of abstraction is necessary. Representing all assets of a networked

system at the highest level of detail (mostly an operator’s approach) leads to unprecedented complexity

that is out of the scope for policy and decision makers. This target group requires simplified solutions

that can provide results even in real time.

The second important parameter that is entering the stage for the risk assessment methodologies of

networked infrastructures is the element of interdependencies. According to the work of Rinaldi et al.

[1] four types of interdependencies are identified for critical infrastructures:

• Physical: The operation of one infrastructure depends on the material output of the other.

• Cyber: Dependency on information transmitted through the information infrastructure.

• Geographic: Dependency on local environmental effects that affects simultaneously several infras-

tructures.

• Logical: Any kind of dependency not characterized as Physical, Cyber or Geographic.

Besides cross-sectoral interdependencies (e.g. ICT and Electricity, Satellite navigation and Trans-

port), at European level one can identify intra-sectoral interdependencies of national infrastructures that

form European infrastructures. As a concrete example we can mention the high voltage electricity grid

that is composed by the interconnected national high-voltage electricity grids.

As mentioned before, the domain of applicability of a risk assessment methodology may be the

most important attribute. According to this attribute, CIP risk assessment methodologies can be divided

in two major categories: Sectoral methodologies, when each sector is treated separately with its own risks

and ranking and systems approach that assess the critical infrastructures as an interconnected network.

Methodologies that have been initially conceptualised to fit in the second category are rather limited.

The vast majority of the existing work has been sectoral and mostly at asset level. These methodologieshave been then extended to cope with networked systems. This reflects the natural evolution of risk as-

sessment methodologies existing already at organizational level to address issues at sectoral level. These

methodologies reveal their limitations when cross-sectoral issues have to be addressed.

PLEASE DO LIKE??