Comprehensive Approach to Security Risk Management in Critical Infrastructures and Supply Chains
Related papers
Security Risk Management for Critical Infrastructures
ItAIS 2011, 2011
This paper presents a methodology for risk management developed and used mainly for critical infrastructures, but one that can be generalized to other contexts. It outlines security risk assessment, including the identification of processes, resources/assets, threats and vulnerabilities, impacts and the likelihood of failures. The methodology's primary focus is the analysis of business impacts and the quantification of the different risks, together with the identification of priority intervention areas, in order to eliminate, reduce, transfer or accept calculated risks, finding the right balance between the investment (resources, money, etc.) and the acceptable level or threshold of risk. The paper, based on theoretical background and on practical experience and results achieved in real organizations operating at a global level, presents critical infrastructure characteristics, the risk management process, security goals and standards, and an integrated risk management methodology applied to critical infrastructures. Some application cases and the results obtained are briefly described, anonymized for reasons of confidentiality.
2014
Critical infrastructure protection (CIP) has become a major issue in civil security, emergency management and natural hazard management. The all-hazard approach has gained ground on the international scale, and the "comprehensive approach" in security policies and security research has been advanced in order to meet current and future threats based on better integrated information, assessment, policies and capabilities. This paper aims to showcase this "comprehensive approach", highlighting its character and cross-links to CI and natural hazard and disaster management. The paper also contributes to a broader perspective on CIP by addressing current European political concepts and socio-cultural conditions, as well as possible future EU roles. A focus is put on international critical infrastructure (CI) risks, and results from an Integrated Risk Taxonomy are presented. The paper concludes with proposing socio-cultural aspects for future research topics related to CI risks and security governance.
A Comprehensive Assessment Model for Critical Infrastructure Protection
Management and Production Engineering Review, 2017
International business demands seamless service and IT infrastructure throughout the entire supply chain. However, dependencies between different parts of this vulnerable ecosystem form a fragile web. Assessing the financial effects of an abnormality in any part of the network is required in order to protect the network in a financially viable way. The contractual environment between the actors in a supply chain, spanning different business domains and functions, requires a management model that enables network-wide protection of critical infrastructure. In this paper the authors introduce such a model. It can be used to assess the financial differences between centralized and decentralized protection of critical infrastructure. As an end result of this assessment, business resilience to unknown threats can be improved across the entire supply chain.
2018
The subject matter of the article is the information and communication networks of critical infrastructure systems. The goal of the work is to create an approach for strategically managing the security of critical infrastructure systems that takes into account the risks of the information and communication network. The article addresses the following tasks: defining the procedure for strategically managing the security of critical infrastructure systems, identifying the risks of the information and communication network, and assessing the importance and probability of partial network risks. The following methods are used: a systematic approach, cause-and-effect analysis, and statistical methods. The following results are obtained: a diagram of multi-level risk management for critical infrastructure systems is developed; a diagram of the step-by-step method of information risk management is developed for increasing the safety of the system; a complex index is suggested for determining the category ...
2008
Critical infrastructure is a relatively recent concept. Not only theory but also practice has shown that solving the problems of critical infrastructure protection, especially ensuring its functionality, is a necessary precondition for the operation of public authorities and services and for the viability of a region, area or country. The first step in protecting critical infrastructure must be the identification of the risks endangering the security of individual systems or elements. The contribution deals with the problems of identifying and describing these risks and of looking for their interrelations.
Critical Infrastructure Protection requires the prioritization of critical assets and the evaluation of the criticality of infrastructures. However, criticality analysis is not yet standardized. In this paper we examine the relation between security risk and criticality. We analyze the similarities and differences in terms of scope, aims, impacts, threats and vulnerabilities and we suggest how existing risk analysis can be applied when examining Critical Infrastructures. Based on the identified relation between risk and criticality, we propose a generic risk-based Criticality Analysis methodology. We place key emphasis on the definition of examined impact types, which are social-centric and/or sector-centric, in contrast to traditional risk analysis methodologies that mainly examine organization-centric impacts. We propose a detailed list of impact criteria in order to assess the criticality level of an infrastructure.
Outlining comprehensive security analysis of a critical infrastructure network
International Journal of Safety and Security Engineering, 2016
This paper outlines a security assessment methodology for analysing critical infrastructure networks. The focus is on intentional attacks against critical infrastructure, but otherwise the scope is not delimited much. Comprehensive security analysis of a critical infrastructure network requires an assessment of the probability of an attack, the probability of success of the attack, the propagation of the consequences in the network and the severity of the consequences. In this paper, a critical infrastructure network should be understood as a network including different infrastructures, such as gas, water and electricity. The aim is that the interconnections between different infrastructures are built in the risk model. In the outlined methodology, the analysis starts with the identification of potential attackers and targets, and selection of analysis cases. Then, a network model is utilised to identify attack locations and assess consequences, and in the last steps, attack events and their probabilities are analysed. Although different steps of the methodology can use different risk analysis methods, they are linked so that dependencies between them can be taken into account, and total risk estimates can be determined. It is not specified which particular method should be used in each step, but some potential methods are discussed. The selection of methods can depend on the application target and the size of the problem.
Risk and Vulnerability Analysis of Critical Infrastructures
Springer Series in Reliability Engineering, 2012
A Risk and Vulnerability Analysis (RVA) method for critical infrastructures is being developed in the SAMRISK project DECRIS (Risk and Decision Systems for Critical Infrastructures). The method supports an "all hazards" approach across sectors; i.e., electricity supply, water supply, transport (road/rail), and information and communication systems (ICT). The main focus is on serious events, and the DECRIS approach is an enhanced RVA, focusing on serious events and emphasizing dependencies between the sectors. The end users of the method and decision support systems are local governments, municipalities, and companies responsible for the infrastructures. The objective of this paper is to present main features of the method and discuss some preliminary findings from the project's case study of Oslo municipality.
Combining Security and Safety Risk Management in Critical Infrastructure
Journal of Network and Information Security, 2022
Within the critical infrastructure sector, risk management for safety and risk management for security are often treated as disjoint processes. Separating these processes creates duplication of effort where safety and security concerns align, and it obscures the situations where a trade-off between safety and security needs to be resolved. This paper proposes a risk management process that enables an organisation to carry out safety and security risk assessment within one combined process. The results show that this is possible, but changes need to be made within the organisation and the process for it to succeed; examples of such changes concern the terminology used, the culture, and how threats and hazards are assessed. Combining the risk management processes for safety and security can also support compliance with safety and security standards: organisations often need to comply with both kinds of standard and can use the combined process to do so without maintaining two separate risk management processes.
Critical infrastructures risk management: case study
Theoretical and Applied Informatics
The paper concerns a risk assessment and management methodology for critical infrastructures. The aim of the paper is to present research on risk management using an experimentation tool based on the OSCAD software. The research focuses on interdependent infrastructures, where specific phenomena such as escalating and cascading effects may occur. The objectives are to acquire knowledge about risk issues within interdependent infrastructures, to assess the usefulness of the OSCAD-based risk manager in this application domain, and to identify directions for further R&D work. The paper contains a short introduction to risk management in critical infrastructures and presents the state of the art and the context, plan and scenarios of the validation experiments performed. Next, the validation is carried out step by step. It encompasses two collaborating infrastructures (railway, energy). It is shown how a hazardous event impacts the given infrastructure (primary and secondary effects) and the neighbouring infrastructure. In the conclusions the experiments are summarized, the OSCAD software is assessed and directions for future work are identified.
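Two of the abstracts above describe the same quantitative chain: the 2016 network-analysis outline (probability of an attack, probability of its success, propagation of consequences through an interconnected gas/water/electricity network, severity of consequences, combined into total risk estimates) and the OSCAD case study (a hazardous event in one infrastructure producing primary and secondary effects in a neighbouring one). The following Python script is an added illustration of that chain and is not code from either paper or from the OSCAD tool. The dependency graph, coupling fractions, severity weights, attack probabilities, the max-over-upstream propagation rule and the multiplicative risk formula are all constructed assumptions chosen to make the linkage between the steps concrete; none of them are values or rules taken from the papers.

```python
"""Illustrative interdependent-infrastructure risk model (added example).

Not code from any paper on this page. All numbers, the graph and the
propagation/risk formulas are constructed assumptions for illustration.
"""
from typing import Dict, List, Tuple

# Constructed dependency graph. An edge (src -> dst, coupling) means that a
# total loss of `src` degrades `dst` by `coupling` of src's own loss.
DEPENDENCIES: Dict[str, List[Tuple[str, float]]] = {
    "electricity": [("water", 0.8), ("railway", 0.9), ("ict", 0.7)],
    "gas": [("electricity", 0.5)],
    "water": [],
    "railway": [],
    "ict": [("railway", 0.4), ("water", 0.2)],
}

# Constructed severity weights: relative societal impact of a total loss.
SEVERITY: Dict[str, float] = {
    "electricity": 10.0, "gas": 6.0, "water": 8.0, "railway": 5.0, "ict": 7.0,
}

# Constructed attack-event parameters per candidate target:
# (probability of an attack, probability that the attack succeeds).
ATTACK: Dict[str, Tuple[float, float]] = {
    "electricity": (0.05, 0.3),
    "gas": (0.10, 0.5),
    "ict": (0.20, 0.6),
}


def propagate(initial: str, graph=DEPENDENCIES, max_rounds: int = 10) -> Dict[str, float]:
    """Cascade a total loss of `initial` through the dependency graph.

    Returns the fractional loss (0..1) of every infrastructure. A node's loss
    is the maximum over its upstream dependencies (upstream loss * coupling),
    iterated to a fixed point so multi-hop paths and cycles are handled
    (couplings are <= 1, so the iteration converges).
    """
    loss = {node: 0.0 for node in graph}
    loss[initial] = 1.0
    for _ in range(max_rounds):
        changed = False
        for src, edges in graph.items():
            for dst, coupling in edges:
                candidate = loss[src] * coupling
                if candidate > loss[dst] + 1e-12:
                    loss[dst] = candidate
                    changed = True
        if not changed:
            break
    return loss


def consequence(loss: Dict[str, float], severity=SEVERITY) -> float:
    """Severity-weighted sum of fractional losses across all infrastructures."""
    return sum(severity[node] * frac for node, frac in loss.items())


def attack_risk(target: str, graph=DEPENDENCIES, attack=ATTACK) -> float:
    """Risk of one attack location: P(attack) * P(success) * propagated consequence."""
    p_attack, p_success = attack[target]
    return p_attack * p_success * consequence(propagate(target, graph))


def rank_attack_locations(graph=DEPENDENCIES, attack=ATTACK) -> List[Tuple[str, float]]:
    """Attack locations ordered by risk, highest first (priority intervention areas)."""
    ranked = [(target, attack_risk(target, graph, attack)) for target in attack]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def total_risk(graph=DEPENDENCIES, attack=ATTACK) -> float:
    """Total risk estimate over all analysed attack locations."""
    return sum(risk for _, risk in rank_attack_locations(graph, attack))


def reduce_coupling(graph, src: str, dst: str, new_coupling: float):
    """Copy of `graph` with one dependency weakened (e.g. backup power at a
    railway node), so a mitigation can be compared before/after on total risk."""
    copy = {node: list(edges) for node, edges in graph.items()}
    copy[src] = [(d, new_coupling if d == dst else c) for d, c in copy[src]]
    return copy


if __name__ == "__main__":
    for target, risk in rank_attack_locations():
        print(f"{target:12s} risk={risk:.3f}  cascade={propagate(target)}")
    print(f"total risk (baseline): {total_risk():.3f}")
    mitigated = reduce_coupling(DEPENDENCIES, "electricity", "railway", 0.3)
    print(f"total risk (railway backup power): {total_risk(mitigated):.3f}")
```

With these constructed inputs the electricity network has the largest propagated consequence but the lowest risk, because its attack likelihood is assumed low, while the ICT network ranks first; this is the kind of result the abstracts describe when they speak of prioritising intervention areas by risk rather than by impact alone. The `reduce_coupling` step shows how a single mitigation on one dependency changes the network-wide total, which is the comparison a risk manager needs to decide whether to eliminate, reduce, transfer or accept a given risk.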