The European Commission’s science and knowledge service
Joint Research Centre
Marianthi [email protected]
Risk Assessment Methodologies for Critical Infrastructures
• Directorate E: Space, Security and Migration
• Technology innovation in Security
The Joint Research Centre at a glance
3000 staff
Almost 75% are scientists and researchers.
Headquarters in Brussels and research facilities located in 5 Member States.
Risk
• effect of uncertainty on objectives (ISO 31000)
• often expressed in terms of a combination of:
  • consequences of an event
  • associated likelihood of occurrence
Likelihood Consequences
Critical Infrastructure Risk Management at EU level
CI Identification
• National assets
• European CI
• Dependencies!
Risk Assessment (all hazards)
• Organizational level
• Sector level
• National level
• European level
Risk Treatment
• Measures of protection
• Measures of Resilience
In the world …
World Economic Forum
Global Risks 2016
11th Edition
NRA guidelines (DG-ECHO)
• Based on ISO 31000
Top Hazards in EU
2016 update: Several countries include scenarios on loss of CI, including power outage.
Natural Hazards
• Floods
• Severe weather
• Wild/Forest fires
• Earthquakes
• Pandemics/epidemics
• Livestock epidemics
Man-made Hazards (Non Malicious)
• Industrial accidents
• Nuclear/radiological accidents
• Transport accidents
• Loss of critical infrastructure
Man-made Hazards (Malicious)
• Cyber attacks
• Terrorist attacks
COMMISSION STAFF WORKING DOCUMENT, Overview of natural and man-made disaster risks in the EU, SWD(2014) 134 final, Brussels, 8.4.2014
Examples of CI-related risks
| Country | Risk Level | Term used |
|---|---|---|
| CZ | High | Critical infrastructure disruption |
| DE | - | Outage of critical infrastructure |
| IE | High | Loss Critical Infrastructure |
| PL | Medium | Disruption of electricity supplies, of fuel supplies, of natural gas supplies |
| SE | Very High | Disruption in food supply due to fuel shortages |
| UK | High | Attacks on Infrastructure |
| NL | Very High | IP Network failure/ Malicious prolonged electricity failure |
| NL | High | National power failure/ malicious power supply failure |
| NL | Medium | Malicious gas supply failure |
Cascading or correlating hazards

| Hazard | Cascade or correlated hazard | Country |
|---|---|---|
| Severe weather phenomena | Flood | DK, NO, RO, HU |
| Severe weather phenomena | Landslides | IT |
| Severe weather phenomena | Forest Fires | HU, IE, LT |
| Severe weather phenomena | Pollution, CI loss, Transport accidents | DK, LT, SE, NO |
| Earthquakes | Landslides | HU, IT |
| Earthquakes | Tsunamis | EL |
| Landslides, Earthquakes or Volcanos | Transport Accidents | NO, IT, EL, UK |
| Nuclear chemical and transport accidents, CI loss | Contamination, Pollution | DK, LT, UK, NO |

Terrorist & Cyber attacks NO, UK
CI lossFlood, Pollution, CI loss or UK, IE
Pandemics DKPollution Pandemics EE, SE
Likelihood
• Semi-quantitative scales:
  o ‘very low/very rare (1)’ to ‘very high/very likely (5)’
  o frequency of one or more incidents in various time scales
  o probability of occurrence within 1 year
  o motive for intentional events: is a threat perceived as likely or not?
• Refers to the initial probability of a risk scenario occurring.
• Likelihood that the event will cause damage (a) to specific CI or (b) to dependent CIs is not usually assessed.
Impact
Human impacts
• Quantitative (in no. of affected people)
• e.g. number of deaths, number of severely injured or ill people, number of permanently displaced people
Economic and Environmental impacts
• Quantitative (Sum of the costs in Euros)
• e.g. costs of cure or healthcare, immediate or longer-term emergency measures, restoration, environmental costs, costs of disruption of economic activity, value of insurance pay-outs, indirect costs on the economy, indirect social costs, etc.
Political/social consequences
• Semi-quantitative (limited/insignificant, minor/substantial, moderate/serious, significant/very serious, catastrophic/disastrous)
• e.g. public outrage and anxiety, encroachment of the territory, infringement of the international position, violation of the democratic system, social psychological impact, impact on public order and safety, political implications, psychological implications, and damage to cultural assets, etc.
Complexity of CI Risk Assessment
Risk assessment methodologies for critical infrastructure protection. Part II: A new approach, Marianthi Theocharidou, Georgios Giannopoulos, EUR 27332 EN, 2015
A holistic approach for RA including CIs
Operators
Operators, Public Authorities
Public Authorities, Civil Protection
Current level of maturity
• Asset level RAs: High level of maturity, operators are doing this on a continuous basis*
• System level RAs: Low level of maturity, more effort is needed both at scientific level as well as governance level
• Models for the assessment of cascading effects still need to be developed – data collection methods are also missing
• Society level RAs: In principle, these do not include CI risks in a systematic way
*Risk Assessment Methodologies for Critical Infrastructure Protection. Part I: A state of the art, EUR 25286
RA vs. Performance-based RA
Focus on the performance of services, not on the physical damage of assets…
[Figure: Performance over Time for Infrastructure 1, Infrastructure 2, Infrastructure …, showing Original State, Disruptive Event, Disrupted State, Recovery Action, Recovered State and Cost]
“Some elements of critical infrastructure are not assets, but are in fact networks or supply chains” (Australia’s Critical Infrastructure Resilience Strategy, 2010)
Risk (& Resilience) Assessment Methodologies for Critical Infrastructures
Common steps
• Risk Scenario Identification
• Threat and Hazard Assessment
• Vulnerability Assessment
• Consequence Assessment
Critical Infrastructure Risk Management Framework
Better Infrastructure Risk and Resilience
• Argonne National Laboratory
• 18 sectors
• Vulnerability Index
• Protective Measures Index
• Resilience Index
• Relies on operators for the asset assessment
CARVER2
CIP Decision Support System
• High level systems of infrastructures
• 1st order of dependencies
• Common metrics for impact
• Alternative risk mitigation options
CIPMA (Australia)
RAMCAP-Plus
1. Asset characterisation
2. Threat characterisation
3. Consequence analysis
4. Vulnerability analysis
5. Threat assessment
6. Risk and Resilience assessment
7. Risk and Resilience Management
• Most critical assets in a facility
• Higher level analysis
• Cross-Sectoral risk comparison
• Resilience is central
SRA tool
Summary
• Large set of methods and tools
• Cover various stages of the risk management process and various needs
• Resilience is not included in several tools explicitly
• Data input is a challenge
• For consequence analysis: Aggregated impact or Scoring
Operator level
Sector level
National level
Cross-border level
Organisations exist within a community/system
Resilience is needed at all levels of this system
CIPedia©
A multi-disciplinary glossary
www.cipedia.eu
•EU Science Hub: ec.europa.eu/jrc
•Twitter: @EU_ScienceHub
•Facebook: EU Science Hub - Joint Research Centre
•LinkedIn: Joint Research Centre
•YouTube: EU Science Hub
Stay in touch