CI: We Need a Measuring Stick
TYSON MACAULAY
© 2008 FrontLine Security (Vol 3, No 2)

Novice SCUBA divers first learn to find “up” – where the surface and safety lie, basically the direction of bubbles – knowing “up” enables them to maintain normal orientation and control. While this may seem obvious and intuitive, it is not. When you are 60 feet down (3 atmospheres) and lose visibility and orientation, it is easy to panic and make fatally bad decisions. You might lose orientation in thousands of ways: someone or something around you stirs up a silt cloud, the setting sun suddenly disappears behind a cloud and you can’t see to the bottom anymore, or you accidentally rip your own face mask off because it snags on a piece of gear – and it sinks away. As long as you can figure out where your bubbles are headed (watch them or feel them passing over your body), you can find safety. Like SCUBA diving, assessing the risks around critical infrastructure (CI) interdependency starts by understanding which way is “up” – the normal orientation. In the context of CI interdependency, “up” is interdependency under normal operating conditions.

CI itself is broadly identified by “species” according to the good or service produced and delivered. Any taxonomy of CI species is not absolute and usually reflects an aggregate of professional and/or policy-maker opinion. All national governments seem to group and name the critical goods and services within their economies similarly, but not identically. Furthermore, these groupings evolve and morph regularly depending on the administration in power. For the purposes of this article, sector definitions (see table on page 15) representing Canadian, American and European CI definitions will be applied.

Critical Infrastructure Interdependency is a feature of all societies and economies, modern or not. CI sectors supply each other with goods and services and are dependent upon one another to a greater or lesser extent. The relationship between two CIs is always bi-directional but not usually equal or proportional; for instance, a given sector may have a greater dependence on another.

Understanding CI interdependency is fundamental to understanding how threats and impacts can cascade through CI sectors and amplify initial impacts, making recovery and remediation that much more difficult. A black-out means pumps for fuel and water quickly cease to function. If the black-out persists, food will soon run out as trucks stop running and the health infrastructure will become overloaded as black-water contamination makes the population sick. A data centre fire and a coincidental but unrelated back-hoe cable-cut at a second location result in an overload and subsequent failure in the national telecommunications network at newly emerged choke-points. Since all telecommunication converges onto an “IP backbone,” the financial transaction systems stall and people can’t buy food. Hospitals can’t get timely laboratory results or order new inventory of pharmaceuticals. These are simplistic examples of cascading interdependencies among CI sectors. The reality is that interdependencies are far more complex than we can imagine or intuit.

The normal, natural orientation of CI interdependency, our “up,” is the state of interdependence under normal operating conditions. This is the state from which a CI will be wrenched when a threat materializes, and the state to which the CI will strive to return. Understanding what normal conditions look like allows CIs to gauge and assess their degree of disorientation (impact of the threat and resulting risk) and invoke more appropriate remediation, recovery and response.

Risk assessments on CI interdependencies and cascade risks must start with a thorough understanding of normal conditions of interdependency in order to evaluate the impacts associated with different threats. There are typically thousands of viable, credible threats against any specific CI sector or industry, and probably tens of thousands of viable, credible threats against all the currently defined CI industries. Trying to select the most pertinent threats and then assess them in the context of risk is a daunting process as there are too many threats to consider.

An “all-hazards” approach to the tens of thousands of combined physical and logical (IT or systems) threats facing CI industries is possibly meaningful for specific asset owners and specific assets, but quixotic at the CI sector level and not applicable to managing inter-sector interdependency.

Risk assessments focused on specific assets are possible, because the owners are innately aware of their normal operating conditions – they understand their baseline and can apply the risk assessment results to it. In the case of CI Interdependency risk assessment, the baseline is poorly understood and always incomplete. Additionally, measures used for establishing interdependency will vary from relationship to relationship and are typically one-sided in perspective. (A understands how urgently and why it needs B, but B is scarcely aware of A – it simply assumes A is there.)

The adoption of standard methodologies and metrics for measuring and mapping CI Interdependency under normal operating conditions has advantages for those trying to manage and understand CI cascade risks.

  • Cascading risks, by definition, flow through, and to, all sectors – but with differing degrees of intensity. To compare and model these cascades, a single system or measurement among all sectors must be employed – apples to apples.
  • Cascade risks must be assessed from a full 360° view, with all CI sectors included in the model. Anecdotal or intuitive approaches to CI interdependency only include the cascade risks which are known, remembered or understood. “We don’t know what we don’t know” in the area of CI cascade risks.
  • In approaching the management of cascade risks, a wide and diverse set of industries, interests and objectives must be addressed in unambiguous, empirical terms to facilitate participation and adoption. There is no place for unsubstantiated opinion: just the facts, please.

The challenge associated with establishing a baseline metric for CI interdependency under normal operating conditions is commonality of measurement. How do you measure “interdependency”? What do you measure? How do you compare the strength of interdependency between Telecoms and Energy with Telecoms and Food? Health to Manufacturing? Health to Government? In total, if you have 10 CI sectors defined you will have a total of 90 inter-sector relationships and 10 intra-sector relations. Think of this as a table with 10 rows and 10 columns so that each sector has a cell in the table representing a relationship with every other sector. But what is the common denominator? For SCUBA divers, bubbles present a simple solution to a potentially complex problem; finding a common denominator for CI interdependency requires far more effort.

The development of CI interdependency “common denominators” has begun, to establish the CI “up.”

====
Tyson Macaulay, author of “Critical Infrastructure: Understanding its component parts, Vulnerabilities, Operating Risks and Interdependencies,” is involved with Customer-CISO (C-CISO) at Bell Canada. His assessment proposes normal operating condition metrics for the 100 inter- and intra-sector dependencies. Whitepapers and references can be found at www.tysonmacaulay.com.