CI-3 Dependency and Interdependency Considerations for Critical Infrastructure
Prepared for:
GovSec West 2011
Critical Infrastructure and Key Assets Protection & Response
November 15, 2011
Lori Eaton
Infrastructure Analyst Associate
Infrastructure Assurance Center
Argonne National Laboratory
Argonne, IL
Argonne National Laboratory
■ Multi-program science and research center managed by The University of Chicago for the U.S. Department of Energy
■ Located 25 miles southwest of Chicago
■ Staff of about 4,000 (1,800 scientists and engineers)
■ Active infrastructure assurance programs for 15 years
■ Infrastructure Assurance Center helps to protect and assure critical infrastructures and key resources
Argonne Infrastructure Assurance Center (IAC)
■ Goal – to provide methodologies, information, analyses, tools, and technologies to inform decisions about infrastructure protection and resilience
■ Capabilities built on 20+ years of critical infrastructure protection support to DOE, DoD, President’s Commission on Critical Infrastructure Protection (PCCIP), EMP Commission, DHS, and other organizations
■ Part of Transition Team to stand up DHS
■ Large interdisciplinary staff to support infrastructure assurance work
[Figure: Information, Tools, Methodologies, Analyses, Technologies; Infrastructure Protection and Resilience]
■ Engineers
■ Computer scientists
■ Information and cyber security specialists
■ Geospatial analysts
■ Economists
■ Social scientists
■ Lawyers
■ Regulatory analysts and public policy experts
■ Risk management professionals
■ Decision analysts
■ Educators
Argonne Staff, Other National Labs, Academia, Research Centers, Private Sector, …
Core Capabilities and Expertise Applied to Infrastructure Protection
■ Risk and resilience methodology development and assessment
■ Metrics development and analysis
■ Infrastructure and interdependencies modeling & analysis
■ GIS/visualization tools
■ Decision support systems
■ Training (e.g., risk analysis)
[Figure: maps at national, regional, and local scales; the local map shows the Naval Submarine Base Kings Bay area (Georgia/Florida). Legend: substation, 230-kV transmission line, 115-kV transmission line.]
Presentation Outline
Definition of Dependencies and Interdependencies
Importance to Risk
Interdependencies are Complex
Types of Interdependencies
Effects of Interdependencies
Illustrative Infrastructure Interdependencies
Interdependencies Lessons Learned
Current Interdependencies Research
GIS demo
Infrastructure Outages Have Caused “Interdependence” Problems
The Interdependencies Concern …
■ Interdependencies lead to the possibility that our infrastructures may be vulnerable in ways they never have been before
■ A series of incidents could interact (cascade) across critical infrastructures to degrade the service upon which all depend
■ Intentional exploitation of these new vulnerabilities could have severe consequences for our economy, security, and way of life
[Figure: Threats, Complexity, Physical, Cyber, Interdependencies]
Infrastructure Interdependencies
■ Dependency and interdependency are related
■ “Dependency” refers to a linkage or connection between two infrastructures through which the state of one influences the state of the other
■ “Interdependency” refers to a bidirectional relationship between infrastructures, each dependent on the other, creating a “system of systems”
■ Infrastructure linkages vary significantly in scale and complexity
■ The “new economy” (Internet, e-commerce) has important interdependence implications
■ Understanding interdependencies requires identifying how each infrastructure depends on, or is supported by, each of the other infrastructures
Definition of Interdependencies
The multi- or bi-directional reliance of an asset, system, network, or collection thereof, within or across sectors, on input, interaction, or other requirement from other sources in order to function properly*
[Figure: Infrastructure j and Infrastructure k, each supplying goods/services to the other]
*United States Department of Homeland Security National Infrastructure Protection Plan
Dependencies vs. Interdependencies
Interdependencies – Bidirectional
Dependencies – Unidirectional
Synergies emerge when large sets of components interact with one another
Complexity makes it difficult to predict what will happen
Interdependencies Are Complex
[Figure: Dimensions of Interdependencies]
■ Types of Interdependencies: Physical, Cyber, Logical, Geographic
■ State of Operation: Normal, Stressed/Disrupted, Repair/Restoration
■ Environment: Economic, Legal/Regulatory, Technical, Social/Political, Business, Public Policy, Security, Health/Safety
■ Coupling and Response Behavior: Loose/Tight, Linear/Complex, Adaptive, Inflexible
■ Type of Failure: Common Cause, Cascading, Escalating
■ Infrastructure Characteristics: Spatial, Temporal, Operational, Organizational
Dimensions of Interdependencies
Types of Infrastructure Interdependencies
■ Physical (e.g., output of one infrastructure used by another)
■ Cyber (e.g., electronic, informational linkages)
■ Geographic (e.g., common corridor)
■ Logical (e.g., dependency through financial markets)
Physical Interdependencies
[Figure: physical linkage between a coal power plant and railroads. Railroads: coal for fuel, delivers repair parts. Coal power plant: electricity for signals, switches, control centers, and locomotives (electrified rail).]
Cyber Interdependency
Computerized Systems
Monitors
Collects Data
Controls
SCADA – Supervisory Control And Data Acquisition system
Geographic Interdependency (Common Corridor)
Close spatial proximity
■ Pipeline & Electric Transmission Lines
■ Pipeline & Highway
■ Rail & Transmission Lines
■ Airport Tank Farms
■ Telecom & Sewer
Logical Interdependency
No direct physical, cyber or geographic connection
■ Seasonal weather conditions
■ Human decisions/habitual behaviors
■ Public Policy (i.e. environmental regulations)
Economic Impacts:
■ Government Regulations
• consumer prices
• utility companies
■ External market prices
■ Lack of investments to meet growing demand (i.e. 2001 California Energy Crisis)
Illustrative Petroleum Dependencies
Three Effects of Interdependency Failures
■ Common cause failure – A disruption of two or more infrastructures at the same time because of a common cause
■ Cascading failure – A disruption in one infrastructure causes a disruption in a second infrastructure
■ Escalating failure – A disruption in one infrastructure exacerbates a disruption of a second infrastructure
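The dependency, interdependency, cascading, and common-cause definitions above, worked through on a small graph. This is an added example, not material from the presentation: the node names echo the slides' illustrations, but every edge, the corridor, and the backup set are constructed, and a "backup" is assumed to cover all of a node's inputs.

```python
# Added illustration: toy dependency graph built from the slides' examples.
# All node names, edges, and the backup set are constructed for this sketch.
from collections import deque

# DEPENDS_ON[x] = set of infrastructures whose output x needs to function.
DEPENDS_ON = {
    "coal_plant":   {"railroad"},               # coal for fuel, repair parts
    "railroad":     {"coal_plant", "telecom"},  # electricity for signals, dispatch
    "telecom":      {"coal_plant"},             # electric power
    "gas_pipeline": {"telecom"},                # SCADA monitoring and control
    "hospital":     {"coal_plant", "water"},
    "water":        {"coal_plant"},
}
# Geographic interdependency: assets sharing a corridor can fail together.
CORRIDORS = {"river_crossing": {"gas_pipeline", "telecom"}}


def interdependent_pairs(depends_on):
    """Pairs with reliance in both directions (interdependency);
    every other edge is a one-way dependency."""
    return {frozenset((a, b)) for a, needs in depends_on.items()
            for b in needs if a in depends_on.get(b, set())}


def cascade(depends_on, initially_failed, has_backup=frozenset()):
    """Propagate a disruption: a node fails when any input it needs has
    failed, unless it has a backup. Returns {node: hop at which it failed}."""
    failed = {n: 0 for n in initially_failed}
    queue = deque(initially_failed)
    while queue:
        down = queue.popleft()
        for node, needs in depends_on.items():
            if down in needs and node not in failed and node not in has_backup:
                failed[node] = failed[down] + 1
                queue.append(node)
    return failed


def common_cause(corridors, corridor):
    """Common-cause failure: one event disables every asset in a corridor."""
    return set(corridors[corridor])
```

Passing the result of `common_cause` as `initially_failed` to `cascade` shows how a single corridor event becomes a multi-infrastructure outage, and how adding a node to `has_backup` stops the spread at that node.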
Disruptions Could CASCADE Through the Electric Infrastructure
[Figure: electric infrastructure diagram with numbered disruption steps 1–3. Components: generating plant, transmission substation, distribution substation, control center, private microwave network, public networks, and commercial, industrial, and transportation loads.]
Disruptions Could ESCALATE (Increase) Repair and Restoration Times
[Figure: the same electric infrastructure diagram with numbered steps 1–3, showing repair crews and a delay.]
Critical Infrastructure Sectors
■ Agriculture/Food
■ Water
■ Public Health
■ Emergency Services
■ Defense Industrial Base
■ Information Technology
■ Telecommunications
■ Energy
■ Transportation Systems
■ Banking and Finance
■ Chemical
■ Postal and Shipping
■ National Monuments and Icons
Key Resources
■ Commercial Nuclear Reactors
■ Dams
■ Government Facilities
■ Commercial Facilities
Multiple Infrastructures Need to be Considered*
*Homeland Security Presidential Directive 7
Significant Electric Power Interdependencies
■ Nuclear Power Plants
– Cooling Water: controlled shutdown within one day
– Transmission: sudden loss of transmission capacity can cause plant shutdown
– Process Control: will shut down (if possible)
■ Fossil-Fuel Power Stations
– Fuel Supply: may reduce or shut down power plant
– Cooling Water, Transmission, Process Control: as above
■ Transmission
– Telecommunication: important for substation and dispatch center operations
■ Distribution
– Similar to Transmission
Significant Commercial Building Interdependencies
Utilities
■ Electric Power – most large commercial buildings have single distribution circuit from single utility substation
■ Potable Water – many buildings have only one source of potable water, typically supplied by municipality, inadequate on-site water storage
■ Sewer – may require building evacuation if shut down
■ Telecommunications – only if no redundant external sources are available
Check for redundancy and emergency backup capability
Interdependencies Can be Considered at Multiple Levels
■ Facilities/Assets
■ End-to-End Systems
■ Regions
■ Networks
■ Communities
A “Systems” Representation is Used to Understand Interdependencies
[Figure: Pre-Event, Trans-Event, and Post-Event panels. Labels: projected storm track; projected impacts (natural gas, oil); refinery impacts; New Orleans flooding; days after landfall; damaged storage facility; natural gas production.]
Interdependencies Change during Events
[Figure: road sign reading “Entering Hillsville: Founded 1802, Altitude 620, Population 3700, Total 6122”]
A Defendable Process is Essential for Making Infrastructure Decisions
Modeling/Visualization Tools Improve Understanding of Interdependencies
CAS Visualization
Service Restoration Is an Important Aspect of Interdependencies Analysis
Tool developed: Restore©*
Purpose: estimate service restoration time (i.e., the amount of time required to restore a system to an operational state)
Motivation:
– Impacts of disruptions vary as a function of the outage duration
– Duration of outages is uncertain
– Estimates of outage duration are important in making decisions about system operations and strategies for mitigating vulnerabilities
Restore Provides a Framework for Examining Interdependencies and Restoration Uncertainty
[Figure: probability density versus total outage time (hr), showing the range and likelihood of outage time and the critical outage time.]
[Figure: repair and restoration of a ruptured natural gas pipeline, with a probability density over the duration of each step (t1, t2, t3, t5, t6, in hrs) combining into a probability distribution over restoration time (hours). Labels include: initiating event occurs; time until area is safe; additional accessibility time for crew (location, whether urban, rural, or remote, affects access time); blowdown of pipe contents; replacement of damaged pipeline with new pipeline segment; hydrostatic testing (repeat repair if test fails); purging of pipeline (inert gas & air); natural gas service restored.]
Restore Example: Repair and Restoration of a Ruptured Natural Gas Pipe
Repair and Restoration of a Ruptured Gas Pipe – A Restore Transition Diagram (portion)
■ Dependence on Transportation (Road)
■ Dependence on Telecommunications
Results for Repair and Restoration of a Damaged NG Pipeline – Telecom Operational
This graph tells us that:
• Outage duration range is about 60–140 hrs
• Most likely value is about 90 hrs
• Probability that duration > 115 hours is ~5%
Results for Repair and Restoration of a Damaged NG Pipeline – Telecom Disrupted
Previous graph said:
• Outage duration range is about 60–140 hrs
• Most likely value is about 90 hrs
• Probability that duration > 115 hours is ~5%
This graph tells us that:
• Outage duration range is about 90–240 hrs
• Most likely value is about 150 hrs
• Probability that duration > 200 hours is ~5%
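The telecom-operational versus telecom-disrupted comparison above, sketched as a Monte Carlo over repair steps. This is an added example, not the Restore tool or its data: step names follow the slides, while every duration, the test-failure probability, and the telecom delay multiplier are constructed assumptions, so the output will not reproduce the slide's figures.

```python
# Added illustration, not the Restore tool: Monte Carlo over repair steps.
# Step names follow the slides; every duration and probability is constructed.
import random
import statistics

# (step, low, mode, high, needs_telecom); durations in hours.
STEPS = [
    ("time until area is safe",    2,  6, 16, True),
    ("crew access",                4, 10, 24, True),
    ("blowdown of pipe contents",  3,  6, 12, False),
    ("replace damaged segment",   20, 36, 60, False),
    ("hydrostatic testing",        8, 12, 20, False),
    ("purging of pipeline",        4,  8, 14, False),
    ("restore service",            6, 12, 24, True),
]
P_TEST_FAILS = 0.10   # constructed: chance the hydrostatic test fails once
TELECOM_DELAY = 2.5   # constructed multiplier on telecom-dependent steps


def one_outage(rng, telecom_up):
    """Total hours for one simulated repair and restoration."""
    total = 0.0
    for name, low, mode, high, needs_telecom in STEPS:
        hours = rng.triangular(low, high, mode)
        if needs_telecom and not telecom_up:
            hours *= TELECOM_DELAY      # escalating failure: slower repair
        total += hours
        if name == "hydrostatic testing" and rng.random() < P_TEST_FAILS:
            # Repeat repair if test fails: redo replacement and test once.
            total += rng.triangular(20, 60, 36) + rng.triangular(8, 20, 12)
    return total


def simulate(telecom_up, runs=5000, seed=1):
    """Sorted outage durations; the same seed gives paired scenarios."""
    rng = random.Random(seed)
    return sorted(one_outage(rng, telecom_up) for _ in range(runs))


def summary(samples, threshold):
    """Median, 5th and 95th percentiles, and P(duration > threshold)."""
    q = statistics.quantiles(samples, n=20)   # 19 cut points: 5%, ..., 95%
    exceed = sum(s > threshold for s in samples) / len(samples)
    return {"median": statistics.median(samples), "p05": q[0],
            "p95": q[-1], "p_exceed": exceed}
```

Comparing `summary(simulate(True), t)` with `summary(simulate(False), t)` gives the same three quantities the slides read off each graph: range, central value, and tail probability beyond a threshold.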
Over the Past Several Years, Argonne Staff Have Developed the Following Restore Models
Natural Gas Pipelines
– Diameters: 12”, 16”, 36”
– Pressures: ≤250 psig, >250 psig
– Variable repair lengths
– Fair & foul weather
– Time of day, day of week
– Type of terrain
– Location: urban, suburban, rural
City Gate
POL Pumping Station
Compressor Station
Propane Air Peaking Station
NG Separator
Underground Storage Facility
Large substation transformer
GIS Demo
Julie Muzzareli’s GIS piece
Benefits of Interdependencies Analysis Tools
■ Facilitate understanding of how disruptions:
- Propagate (cascade) among infrastructures
- Exacerbate repair and restoration problems
■ Identify critical components and vulnerabilities from interdependencies perspective (transcends single infrastructure perspective of asset criticality)
■ Determine consequences of disruptions (e.g., economic impacts)
■ Allow “what if” analyses
■ Support exercises, training, and education
Infrastructure Interdependencies Present Challenges for Security and Reliability
■ Need to identify infrastructure assets that, if lost or degraded, could adversely affect the performance of other infrastructures
– Normal and stressed operations
– Disruptions (including coincident events)
– Repair and restoration
■ Need to identify how interdependencies change as a function of outage duration, frequency, and other factors
■ Need to identify how backup systems or other mitigation mechanisms can reduce interdependence problems
Interdependencies-related Lessons Learned
■ Vulnerabilities resulting from infrastructure interdependencies are generally not as well understood as other vulnerabilities
■ Single-point failures (due to interdependencies) can lead to multiple infrastructure disruptions
■ Interdependencies can exacerbate repair and restoration problems
■ Facilities that have experience with natural disasters typically have a better understanding of infrastructure interdependencies and are more likely to have contingency plans to deal with outages
■ You are only as secure as your suppliers and distributors
Moving Toward Cascading Failure Solutions
■ Identify internal and external infrastructure assets, systems, and networks that, if lost or degraded, could adversely affect performance
■ Study natural disasters and incidents to gain insight into interdependencies problems and solutions
■ Develop contingency plans to deal with cascading outages
■ Identify how backup systems and other mitigation mechanisms can reduce interdependencies problems – implement as appropriate
■ Address security in contractual arrangements
■ Collaborate, cooperate, participate
■ Avoid “failure of imagination”
Interdependencies Influence all Components of Risk
Risk = f(Threat, Vulnerability, Consequence)
■ Threats: Innovative Targeting to Exploit Interdependencies. T = f(Capability, Intent)
■ Vulnerabilities: Expanded Set of Vulnerabilities Due to Interdependencies. V = f(Physical, Cyber, Human)
■ Consequences: Cascading and Escalating Interdependent Consequences. C = f(Deaths, Economic Losses, Strategic Mission Impacts, Psychological Impacts, …)
Interdependencies: “Risk Multiplier”
Summary
■ Interdependencies are complex and multi-dimensional
■ There is no one solution to analyzing interdependencies
■ Infrastructure dependencies and interdependencies should be factored into risk decisions
■ Interdependencies is a growing research area with great need for enhanced capability and innovation