CI: Risk Management Approach
WAYNE L. PICKERING and PETER JOHNSTON
© 2008 FrontLine Security (Vol 3, No 2)

Introduction
Critical Infrastructure consists of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of government.


The 1998 ice storm had a major impact on the functioning of critical infrastructure in Central Canada. (Photo: Hydro One)

An event caused by a natural or accidental hazard, or a deliberate threat that disrupts the availability or integrity of a portion of our CI, could degrade the functioning of Canada’s economic and government activities – with cascading effects throughout Canadian society. Recent events that have affected CI in central Canada include the 1998 ice storm and the 2003 power blackout.

The Government of Canada has grouped CI into the 10 Sectors, shown in Figure 1. Stakeholders for the 10 CI Sectors include all levels of government in Canada and the private sector. The private sector and non-government organizations control over 80 percent of Canadian CI. Disruption of CI does not respect organizations, sectors or borders, and a disruption of CI in Canada has the potential to affect CI in the United States and elsewhere.

Critical Infrastructure Protection (CIP) refers to ensuring the availability, integrity and confidentiality of the physical systems, cyber-networks and economic processes supporting our nation’s CI. The primary responsibility for protecting CI rests with its owners and operators. CIP is complicated by the interconnectedness, diversity, complexity and interdependencies of CI. Interconnectedness and interdependence, in particular, make CI sectors vulnerable to disruption or destruction. Because many CI sectors depend on the resilience of systems belonging to other CI sectors to maintain their functionality, a failure in one sector may have a significant impact on the ability of other sectors to perform their functions. For example, a disruption in the energy, communications or finance sectors could rapidly cascade through many other CI sectors, causing unexpected and increasingly serious failures of essential services.

Corporate consolidation, industry rationalization, efficient business practices and the concentration of population in urban areas have exacerbated the immediacy of disruptions to CI. To complicate the challenges to CIP, over the past decade, the nation’s CI has become more dependent on common information technologies, including the Internet.

CIP Model and Risk Management
Because of the complexity of CI and its interdependencies, it is not possible to design a protection system that will completely and always protect all CI assets against every possible threat and hazard. Therefore, a CIP program must prioritize protective measures, so that safeguards are applied where they offer the most benefit for deterring threats, minimizing the effects of hazards, reducing vulnerabilities, and minimizing the consequences of disruptive events. This requires a risk management approach. Risk management involves a continuous, proactive and systematic process to understand, manage and communicate threats, vulnerabilities and risks.

A model has been developed to facilitate the risk management approach (see Figure 2). This model, similar to those used in other risk management domains, covers preparedness, prevention/mitigation, response and recovery, and follows the generally accepted risk management methodologies outlined below:

  • Mission and Business Objectives Analysis. CIP Planning begins with the conduct of an analysis to confirm the mission, objectives and purpose of the CI. The analysis is done under the direction of the facility’s senior management and must consider the actual mission and objectives of the organization.
  • Criticality Assessment. A criticality assessment is performed to identify and prioritize the structure and products of the organization, using a recognized methodology such as Network Analysis or the CARVER tool. In all cases, the criticality of CI is based on its support to mission-critical functions identified by the mission analysis. The criticality assessment must answer two questions: What must be protected? What portions must be protected first? To identify the components of CI, critical paths must be followed, both from a cyber perspective, through its information systems, and through its business lines, to determine nodes where safeguards must be established to protect the overall CI. Although tools exist to determine which assets are the most critical to accomplishing the mission, the final arbiter in defining criticality remains senior management.
  • Threat Assessment. All threats and hazards to CI are considered in the threat assessment. Threats and hazards can be grouped as deliberate, natural, and accidental, and further re-grouped as internal or external to the CI provider. It is very difficult for a CI facility or sector to conduct an assessment of threats external to the facility or sector without the assistance of government security agencies. For this reason, the need to share information between the government and the private sector is critical.
  • Vulnerability Assessment. A vulnerability is an exploitable weakness in an asset. A vulnerability assessment determines the susceptibility of critical assets, so identified and prioritized by the criticality assessment, to disruption by threats and hazards identified by the threat assessment. Vulnerability assessments can be conducted using the facility’s personnel, external expertise, or a combined team.
  • Risk Assessment. The assessment of risk considers the impact (severity) and probability (likelihood) of a threat or hazard exploiting a vulnerability in a critical asset to disrupt the functioning of CI. For CIP, the impact of a threat agent or hazard exploiting a vulnerability takes precedence over its likelihood. There are a number of methodologies and tools available to assist management in assessing and prioritizing risk. Figure 3 is a simplified example of a risk assessment tool.
  • Risk Management. The risk assessment establishes the criteria for risk management decisions. This involves the commitment of resources within the purview of the senior management of the facility. Risk management decisions are made to address the highest risks, and may include establishing redundancy, building in resiliency and selecting safeguards, as well as the assumption of remaining (residual) risks by the authorities responsible for providing the CI. Safeguards are implemented to maintain the safe provision of services from the infrastructure and may include security measures, and emergency and business continuity plans. There is little room for traditional risk management in CIP – such as accepting a known risk that is assessed as unlikely to occur, but where the impact will be critical.
  • Incident Response. It is not possible to prevent all disruptive events to CI. In cases where resiliency, redundancy and safeguards have not been effective in preventing a disruption, effective response capabilities must be planned, coordinated, tested and maintained. In the event of a major disruption, much of the response may come from municipal, provincial and federal agencies. For that reason, the coordination function must be considered and exercised during emergency planning, not developed after a disruptive event has occurred.
  • Consequence Management. For CIP, consequence management includes the recovery and restoration of all critical facilities and services. Not all components of CI can be recovered or restored at once. Consequence management planning determines the priorities for recovery and restoration and ensures timely remediation in order to contribute to mission success and reassure the clients.

The results of risk management must not end with dusty reports and unused plans, and the resulting plans must be tested through exercises, which assess and recommend further improvements to CIP and clarify management roles and responsibility.

Conclusion
Critical Infrastructure Protection refers to ensuring the availability, integrity and confidentiality of physical systems, cyber-networks and economic processes supporting the nation’s CI. It is not possible to protect all CI assets against every possible threat or hazard; therefore, a risk management approach is required. Canada cannot afford to ignore CIP, as Canada’s CI is vital to our economic vitality, way of life and national security.

====
Peter D. Johnston is a retired naval officer and is Vice President of both Lansdowne Technologies Incorporated and the Critical Infrastructure Institute of Canada.

Wayne L. Pickering is a retired army officer and an associate of Lansdowne Technologies.

The authors wish to acknowledge the assistance of Cdr A. Gale of the Canadian Forces in the development of this article.