Risk Assessment Methodologies for Critical Infrastructures
Marianthi Theocharidou, [email protected]
The European Commission’s science and knowledge service, Joint Research Centre
Directorate E: Space, Security and Migration, Technology innovation in Security


Page 1: Risk Assessment Methodologies for Critical Infrastructures · 1. Asset characterisation 2. Threat characterisation 3. Consequence analysis 4. Vulnerability analysis 5. Threat assessment

The European Commission’s science and knowledge service

Joint Research Centre

Marianthi Theocharidou, [email protected]

Risk Assessment Methodologies for Critical Infrastructures

• Directorate E: Space, Security and Migration
• Technology innovation in Security

Page 2: The Joint Research Centre at a glance

3000 staff. Almost 75% are scientists and researchers. Headquarters in Brussels and research facilities located in 5 Member States.

Page 3: Risk

• effect of uncertainty on objectives (ISO 31000)

• often expressed in terms of a combination of:
  • consequences of an event
  • associated likelihood of occurrence

[Figure: axes labelled Likelihood and Consequences]

Page 4: Critical Infrastructure Risk Management at EU level

CI Identification
• National assets
• European CI
• Dependencies!

Risk Assessment (all hazards)
• Organizational level
• Sector level
• National level
• European level

Risk Treatment
• Measures of protection
• Measures of resilience

Page 5: In the world …

World Economic Forum, Global Risks 2016, 11th Edition

Page 6: NRA guidelines (DG-ECHO)

• Based on ISO 31000

Page 7: Top Hazards in EU

2016 update: Several countries include scenarios on loss of CI, including power outage.

Natural Hazards
• Floods
• Severe weather
• Wild/Forest fires
• Earthquakes
• Pandemics/epidemics
• Livestock epidemics

Man-made Hazards (Non Malicious)
• Industrial accidents
• Nuclear/radiological accidents
• Transport accidents
• Loss of critical infrastructure

Man-made Hazards (Malicious)
• Cyber attacks
• Terrorist attacks

COMMISSION STAFF WORKING DOCUMENT, Overview of natural and man-made disaster risks in the EU, SWD(2014) 134 final, Brussels, 8.4.2014

Page 8: Examples of CI-related risks

Country | Risk level | Term used
--------|------------|----------------------------------------------------------------------------
CZ      | High       | Critical infrastructure disruption
DE      | -          | Outage of critical infrastructure
IE      | High       | Loss of critical infrastructure
PL      | Medium     | Disruption of electricity supplies, of fuel supplies, of natural gas supplies
SE      | Very High  | Disruption in food supply due to fuel shortages
UK      | High       | Attacks on infrastructure
NL      | Very High  | IP network failure / malicious prolonged electricity failure
NL      | High       | National power failure / malicious power supply failure
NL      | Medium     | Malicious gas supply failure

Page 9: Cascading or correlating hazards

Hazard                                             | Cascade or correlated hazard            | Country
---------------------------------------------------|-----------------------------------------|----------------
Severe weather phenomena                           | Flood                                   | DK, NO, RO, HU
Severe weather phenomena                           | Landslides                              | IT
Severe weather phenomena                           | Forest fires                            | HU, IE, LT
Severe weather phenomena                           | Pollution, CI loss, transport accidents | DK, LT, SE, NO
Earthquakes                                        | Landslides                              | HU, IT
Earthquakes                                        | Tsunamis                                | EL
Landslides, earthquakes or volcanos                | Transport accidents                     | NO, IT, EL, UK
Nuclear, chemical and transport accidents, CI loss | Contamination, pollution                | DK, LT, UK, NO
Terrorist & cyber attacks                          | CI loss                                 | NO, UK
CI loss                                            | Flood, pollution, CI loss or pandemics  | UK, IE, DK
Pollution                                          | Pandemics                               | EE, SE

Page 10: Likelihood

• Semi-quantitative scales:
  o ‘very low/very rare (1)’ to ‘very high/very likely (5)’
  o frequency of one or more incidents in various time scales
  o probability of occurrence within 1 year
  o motive for intentional events: is a threat perceived as likely or not?

• Refers to the initial probability of a risk scenario to occur.

• Likelihood that the event will cause damage (a) to a specific CI or (b) to dependent CIs is not usually assessed.

Page 11: Impact

Human impacts
• Quantitative (in no. of affected people)
• e.g. number of deaths, number of severely injured or ill people, number of permanently displaced people

Economic and Environmental impacts
• Quantitative (sum of the costs in Euros)
• e.g. costs of cure or healthcare, immediate or longer-term emergency measures, restoration, environmental costs, costs of disruption of economic activity, value of insurance pay-outs, indirect costs on the economy, indirect social costs, etc.

Political/social consequences
• Semi-quantitative (limited/insignificant, minor/substantial, moderate/serious, significant/very serious, catastrophic/disastrous)
• e.g. public outrage and anxiety, encroachment of the territory, infringement of the international position, violation of the democratic system, social psychological impact, impact on public order and safety, political implications, psychological implications, and damage to cultural assets, etc.
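The following scoring routine is an added example, not code from the deck or from any JRC tool. It combines the semi-quantitative likelihood scale of page 10 with the three impact categories of page 11 into the likelihood × consequence score that page 3 describes, and it makes the page 10 caveat visible: the assessor can optionally fold in the probability that the event actually damages the CI, which most national assessments leave out. The band thresholds, the likelihood thresholds, the aggregation rule (maximum across impact categories) and the sample register are assumptions of this example.

```python
"""Semi-quantitative CI risk scoring (added example, not from the JRC deck).

Scales follow pages 10 and 11 of the deck: likelihood from 1 (very low/very rare)
to 5 (very high/very likely); human and economic impacts are quantitative and are
banded onto 1..5 here; political/social impacts already come on a five-level scale.
The band thresholds, the 'max over impact categories' aggregation and the split of
likelihood into P(event) x P(damage | event) are assumptions of this example.
"""
from dataclasses import dataclass

LIKELIHOOD_LABELS = {1: "very low/very rare", 2: "low/rare", 3: "medium/possible",
                     4: "high/likely", 5: "very high/very likely"}
IMPACT_LABELS = {1: "limited/insignificant", 2: "minor/substantial",
                 3: "moderate/serious", 4: "significant/very serious",
                 5: "catastrophic/disastrous"}

# Assumed upper bounds for levels 1..4; anything above the last bound is level 5.
HUMAN_BANDS = (10, 50, 200, 1000)                   # affected people
ECONOMIC_BANDS = (1e6, 1e7, 1e8, 1e9)               # euros
ANNUAL_PROBABILITY_BANDS = (0.01, 0.05, 0.2, 0.5)   # probability of occurrence within 1 year


def band(value: float, upper_bounds) -> int:
    """Map a quantitative value onto the 1..5 scale: level = first bound not exceeded."""
    if value < 0:
        raise ValueError("values cannot be negative")
    for level, upper in enumerate(upper_bounds, start=1):
        if value <= upper:
            return level
    return 5


def likelihood_level(p_event: float, p_damage_given_event: float = 1.0) -> int:
    """Likelihood level from annual probabilities.

    p_event is the initial probability of the scenario, which is what NRAs usually
    assess. p_damage_given_event is the conditional probability that the event
    actually damages the CI; leaving it out (as the deck notes is usual) is the
    same as assuming it equals 1.0.
    """
    for p in (p_event, p_damage_given_event):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return band(p_event * p_damage_given_event, ANNUAL_PROBABILITY_BANDS)


@dataclass(frozen=True)
class Scenario:
    name: str
    p_event: float                     # probability of occurrence within 1 year
    p_damage_given_event: float = 1.0  # assumed conditional probability of damage
    affected_people: int = 0           # deaths + severely injured/ill + permanently displaced
    cost_eur: float = 0.0              # direct and indirect costs, euros
    political_social: int = 1          # 1..5 on the semi-quantitative scale


def score(s: Scenario, condition_on_damage: bool = True) -> dict:
    """Score one scenario; risk = likelihood level x consequence level (both 1..5)."""
    if not 1 <= s.political_social <= 5:
        raise ValueError("political/social impact must be a level 1..5")
    human = band(s.affected_people, HUMAN_BANDS)
    economic = band(s.cost_eur, ECONOMIC_BANDS)
    consequence = max(human, economic, s.political_social)  # assumed aggregation rule
    p_damage = s.p_damage_given_event if condition_on_damage else 1.0
    likelihood = likelihood_level(s.p_event, p_damage)
    return {"scenario": s.name, "likelihood": likelihood, "human": human,
            "economic": economic, "political_social": s.political_social,
            "consequence": consequence, "risk": likelihood * consequence}


def rank(scenarios, condition_on_damage: bool = True) -> list:
    """Rank scenarios by risk score, then consequence, then name for a stable order."""
    scored = [score(s, condition_on_damage) for s in scenarios]
    return sorted(scored, key=lambda r: (-r["risk"], -r["consequence"], r["scenario"]))


# Constructed sample register; the figures are illustrative, not from any national assessment.
SAMPLE_REGISTER = [
    Scenario("Malicious national power failure", p_event=0.06, p_damage_given_event=0.3,
             affected_people=5000, cost_eur=2e9, political_social=4),
    Scenario("Flood affecting a transmission substation", p_event=0.3, p_damage_given_event=0.4,
             affected_people=120, cost_eur=3e7, political_social=2),
    Scenario("Regional gas supply disruption", p_event=0.1,
             affected_people=30, cost_eur=5e7, political_social=3),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_REGISTER):
        print(f"{row['scenario']:<45} L={row['likelihood']} ({LIKELIHOOD_LABELS[row['likelihood']]}) "
              f"C={row['consequence']} ({IMPACT_LABELS[row['consequence']]}) risk={row['risk']}")
    # Dropping P(damage | event), as most NRAs do, raises the likelihood level of two of the three.
    for row in rank(SAMPLE_REGISTER, condition_on_damage=False):
        print(f"{row['scenario']:<45} risk without conditioning on damage = {row['risk']}")
```

Run twice, once with and once without the conditional damage probability, the ranking of the constructed register stays the same but the power-failure and flood scores rise from 10 and 9 to 15 and 12: the page 10 observation that initial probability alone is assessed is not a cosmetic detail, it shifts where the cut-off line for treatment falls.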

Page 12: Complexity of CI Risk Assessment

Page 13: A holistic approach for RA including CIs

Risk assessment methodologies for critical infrastructure protection. Part II: A new approach, Marianthi Theocharidou, Georgios Giannopoulos, EUR 27332 EN, 2015

[Figure: levels of the approach and the actors involved at each: Operators; Operators, Public Authorities; Public Authorities, Civil Protection]

Page 14: Current level of maturity

• Asset level RAs: High level of maturity, operators are doing this on a continuous basis*

• System level RAs: Low level of maturity, more effort is needed both at scientific level as well as governance level

• Models for the assessment of cascading effects still need to be developed; data collection methods are also missing

• Society level RAs: In principle do not include CI risks in a systematic way

*Risk Assessment Methodologies for Critical Infrastructure Protection. Part I: A state of the art, EUR 25286

Page 15: RA vs. Performance-based RA

Focus on the performance of services, not on the physical damage of assets…

[Figure: performance of a service over time. Axes: Time (x), Performance (y). Labels: Original State, Disruptive Event, Disrupted State, Recovery Action, Recovered State; Cost; Infrastructure 1, Infrastructure 2, Infrastructure …]

“Some elements of critical infrastructure are not assets, but are in fact networks or supply chains” (Australia’s Critical Infrastructure Resilience Strategy, 2010)
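To make the performance curve on this slide computable, here is an added example (not code from the deck or from any of the tools it surveys). It encodes the curve's states as a piecewise-linear performance function, measures resilience loss as the area between the original service level and the actual curve, and sets the loss each recovery action avoids against its cost, so two infrastructures can be compared on service delivered rather than on physical damage. The linear recovery shape, the cost figures and the two sample profiles are assumptions of the example.

```python
"""Performance-based resilience of a service (added example, not from the deck).

Curve from the deck's page 15: a disruptive event drops a service from its
original performance to a disrupted state; a recovery action starts later and
brings it to a recovered state. 'Resilience loss' is the area between the
original level and the actual performance curve over the assessment window,
so depth and duration of the service disruption both count. The piecewise-
linear shape, the cost model and all sample figures are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceProfile:
    name: str
    original: float          # performance before the event (1.0 = demand fully served)
    disrupted: float         # performance immediately after the disruptive event
    recovered: float         # performance once recovery completes (may differ from original)
    t_event: float           # time of the disruptive event
    t_recovery_start: float  # time the recovery action begins
    t_recovered: float       # time the recovered state is reached
    recovery_cost: float     # cost of the recovery action (assumed currency units)

    def __post_init__(self):
        if not self.t_event <= self.t_recovery_start <= self.t_recovered:
            raise ValueError("expected t_event <= t_recovery_start <= t_recovered")
        if not 0.0 <= self.disrupted <= self.recovered:
            raise ValueError("expected 0 <= disrupted <= recovered")


def performance(p: ServiceProfile, t: float) -> float:
    """Piecewise-linear performance P(t): original, then disrupted, then linear recovery."""
    if t < p.t_event:
        return p.original
    if t < p.t_recovery_start:
        return p.disrupted
    if t < p.t_recovered:
        frac = (t - p.t_recovery_start) / (p.t_recovered - p.t_recovery_start)
        return p.disrupted + frac * (p.recovered - p.disrupted)
    return p.recovered


def resilience_loss(p: ServiceProfile, t_end: float) -> float:
    """Area between the original level and P(t) on [t_event, t_end], computed exactly
    from the three phases of the curve (trapezoid rule is exact for a linear ramp)."""
    if t_end < p.t_recovered:
        raise ValueError("t_end must lie after the recovered state is reached")
    disrupted_phase = (p.original - p.disrupted) * (p.t_recovery_start - p.t_event)
    mean_during_recovery = (p.disrupted + p.recovered) / 2.0
    recovery_phase = (p.original - mean_during_recovery) * (p.t_recovered - p.t_recovery_start)
    residual_phase = (p.original - p.recovered) * (t_end - p.t_recovered)
    return disrupted_phase + recovery_phase + residual_phase


def no_recovery_loss(p: ServiceProfile, t_end: float) -> float:
    """Loss if no recovery action were taken: the service stays in the disrupted state."""
    return (p.original - p.disrupted) * (t_end - p.t_event)


def compare(profiles, t_end: float) -> list:
    """Rank recovery actions by loss avoided per unit cost (the figure a performance-
    based assessment can set against the 'Cost' axis of the slide)."""
    rows = []
    for p in profiles:
        loss = resilience_loss(p, t_end)
        avoided = no_recovery_loss(p, t_end) - loss
        per_cost = avoided / p.recovery_cost if p.recovery_cost else float("inf")
        rows.append({"infrastructure": p.name, "loss": loss, "avoided": avoided,
                     "cost": p.recovery_cost, "avoided_per_cost": per_cost})
    return sorted(rows, key=lambda r: -r["avoided_per_cost"])


# Constructed sample profiles: hours on the time axis, performance as a fraction of demand served.
SAMPLE_PROFILES = [
    ServiceProfile("Infrastructure 1 (power distribution)", original=1.0, disrupted=0.2, recovered=1.0,
                   t_event=0.0, t_recovery_start=2.0, t_recovered=10.0, recovery_cost=500.0),
    ServiceProfile("Infrastructure 2 (water supply)", original=1.0, disrupted=0.5, recovered=0.9,
                   t_event=0.0, t_recovery_start=1.0, t_recovered=5.0, recovery_cost=200.0),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_PROFILES, t_end=24.0):
        print(f"{row['infrastructure']:<40} loss={row['loss']:.2f} avoided={row['avoided']:.2f} "
              f"cost={row['cost']:.0f} avoided/cost={row['avoided_per_cost']:.4f}")
```

Note what the metric rewards: the water profile never returns to its original level, yet over a 24-hour window it loses less service than the power profile because its recovery starts earlier and its disrupted state is shallower, and its cheaper recovery action avoids more loss per unit cost. An asset-damage view would rank them the other way.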

Page 16: Risk (& Resilience) Assessment Methodologies for Critical Infrastructures

Page 17: Common steps

• Risk Scenario Identification
• Threat and Hazard Assessment
• Vulnerability Assessment
• Consequence Assessment

Page 18: Critical Infrastructure Risk Management Framework

Page 19: Better Infrastructure Risk and Resilience

• Argonne National Laboratory
• 18 sectors
• Vulnerability Index
• Protective Measures Index
• Resilience Index
• Relies on operators for the asset assessment

Page 20: CARVER2

Page 21: CIP Decision Support System

• High level systems of infrastructures
• 1st order of dependencies
• Common metrics for impact
• Alternative risk mitigation options
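The following is an added example and is not the CIP Decision Support System or any other tool from the deck. It shows what the bullets above amount to in practice: infrastructures as nodes of a dependency graph, a single common impact metric (people without service), first-order propagation of a disruption, and a comparison of alternative mitigation options on impact avoided per unit cost. It also exposes what "1st order" leaves out by allowing a second propagation step. The graph, weights, served populations, the disruptive event and the options are all constructed.

```python
"""First-order dependency impact across a system of infrastructures
(added example; not the CIP DSS or any tool from the deck).

Nodes are infrastructures; an edge (dependent <- supplier, weight) states what
fraction of the dependent's service is lost when the supplier is fully lost.
The common impact metric is 'people without service'. Everything below is
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed system: people served by each infrastructure (the common impact metric).
POPULATION = {"power": 1_000_000, "water": 800_000, "telecom": 900_000, "hospital": 50_000}

# Constructed dependencies: dependent -> [(supplier, fraction of service lost per unit supplier loss)]
DEPENDENCIES = {
    "water": [("power", 0.8)],
    "telecom": [("power", 0.6)],
    "hospital": [("power", 0.3), ("water", 0.5)],
}

# Constructed disruptive event: full loss of the power system.
INITIAL_LOSS = {"power": 1.0}


def propagate(initial, deps, nodes, order=1):
    """Service loss per node after `order` propagation steps.

    order=1 gives first-order effects only: a node inherits loss from suppliers
    disrupted by the event itself. order=2 repeats the step, so a node also
    inherits loss from suppliers that lost service only through their own
    dependencies (here hospital <- water <- power).
    """
    if order < 1:
        raise ValueError("order must be >= 1")
    losses = {n: initial.get(n, 0.0) for n in nodes}
    for _ in range(order):
        losses = {
            n: min(1.0, initial.get(n, 0.0)
                   + sum(w * losses.get(s, 0.0) for s, w in deps.get(n, ())))
            for n in nodes
        }
    return losses


def impact(losses, population) -> int:
    """Common impact metric: people without service, summed over infrastructures."""
    return round(sum(population[n] * losses.get(n, 0.0) for n in population))


@dataclass(frozen=True)
class Option:
    name: str
    cost: float                                            # assumed cost units
    edge_overrides: dict = field(default_factory=dict)     # (dependent, supplier) -> new weight
    initial_overrides: dict = field(default_factory=dict)  # node -> loss once the option is in place

    def apply(self, initial, deps):
        """Return the (initial losses, dependency graph) pair with this option applied."""
        new_deps = {
            d: [(s, self.edge_overrides.get((d, s), w)) for s, w in edges]
            for d, edges in deps.items()
        }
        new_initial = {**initial, **self.initial_overrides}
        return new_initial, new_deps


def compare_options(options, initial, deps, population, order=1) -> list:
    """Rank options by impact avoided per unit cost against the do-nothing baseline."""
    nodes = list(population)
    baseline = impact(propagate(initial, deps, nodes, order), population)
    rows = []
    for opt in options:
        new_initial, new_deps = opt.apply(initial, deps)
        after = impact(propagate(new_initial, new_deps, nodes, order), population)
        rows.append({"option": opt.name, "impact": after, "avoided": baseline - after,
                     "cost": opt.cost, "avoided_per_cost": (baseline - after) / opt.cost})
    return sorted(rows, key=lambda r: -r["avoided_per_cost"])


# Constructed mitigation options.
OPTIONS = [
    Option("Backup generators at water plants", cost=5.0, edge_overrides={("water", "power"): 0.2}),
    Option("Battery backup for telecom sites", cost=3.0, edge_overrides={("telecom", "power"): 0.3}),
    Option("Grid islanding scheme", cost=10.0, initial_overrides={"power": 0.5}),
]

if __name__ == "__main__":
    nodes = list(POPULATION)
    for order in (1, 2):
        total = impact(propagate(INITIAL_LOSS, DEPENDENCIES, nodes, order), POPULATION)
        print(f"order {order}: {total:,} people without service")
    for row in compare_options(OPTIONS, INITIAL_LOSS, DEPENDENCIES, POPULATION):
        print(f"{row['option']:<36} impact={row['impact']:,} avoided/cost={row['avoided_per_cost']:,.0f}")
```

With first-order propagation the hospital only sees the 30% it draws directly from power; the second step adds the half of its service that hangs on water, which itself is 80% down. The difference is small in this constructed system but it is exactly the cascading effect that page 14 says current models do not yet capture, and a tool restricted to first-order dependencies will under-count it for every option it compares.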

Page 22: CIPMA (Australia)

Page 23: RAMCAP-Plus

1. Asset characterisation
2. Threat characterisation
3. Consequence analysis
4. Vulnerability analysis
5. Threat assessment
6. Risk and Resilience assessment
7. Risk and Resilience Management

• Most critical assets in a facility
• Higher level analysis
• Cross-sectoral risk comparison
• Resilience is central

Page 24: SRA tool

Page 25: Summary

• Large set of methods and tools
• Cover various stages of the risk management process and various needs
• Resilience is not included in several tools explicitly
• Data input is a challenge
• For consequence analysis: Aggregated impact or Scoring

[Figure: levels of analysis: Operator level, Sector level, National level, Cross-border level]

Page 26:

Organisations exist within a community/system

Resilience is needed at all levels of this system

Page 27: CIPedia©, a multi-disciplinary glossary

www.cipedia.eu

Page 28: Stay in touch

• EU Science Hub: ec.europa.eu/jrc
• Twitter: @EU_ScienceHub
• Facebook: EU Science Hub - Joint Research Centre
• LinkedIn: Joint Research Centre
• YouTube: EU Science Hub