Critical Infrastructure Interdependency

TYSON MacAULAY
Dec 15, 2010

Metrics-Based Assessment and Policy Indications

Most research into Critical Infrastructure Interdepen­dency (CII) is based upon ad hoc observations, anecdotes and partial incident-accounts which describe some but not all Critical Infrastructure (CI) sectors and their conditions after the incident. ­Metrics-based systems for understanding, mapping and modeling of CII have been evolving slowly.  

Operational risks within and among CI ­sectors are complex issues. Generally, CI sectors include Financial Institutions, Telecoms, Energy, Health, Transportation, Safety (Police, Fire, EMS), Food, Water, Manufacturing and Government (regulation and social services). To the extent that analytical approaches have been applied to CII, they have been addressed through methodologies such as Threats-Risk Assessments (TRAs), which typically focus on discreet assets and ­qualitative conclusions like “high / medium / low.” However, such assessment techniques do not scale, because the resulting data-set is usually incompatible for the purposes of aggregating findings from discreet assets to an organizational and executive level.

Efforts to assess CI interdependency, through “close-up” TRAs, stall and collapse under their own weight. In the absence of ana­ly­tical approaches to managing CII risks, intuition becomes the most common basis for policy and plans. Intuition often tells planners that Energy and Transportation is core to assuring public safety and ­prosperity. Yet, empirical metrics show that other CI sectors also have substantial impact on both security and prosperity, especially from a business perspective. This gap between intuition and empirical metrics represents a fundamental risk that, in some jurisdictions, policy may not support operational reality in times of crisis, and impacts will be amplified rather than dampened.

Modelling CII with Metrics
An approach to modeling CII is to look for lowest common denominator metrics to describe CII relationships quantitatively (in standard units which remain consistant from observer to observer); measures that can be used to describe CI inter-relationships, such as items those sectors consume and produce. For instance, all CI sectors both generate and consume money (value), therefore, flows of money (representing goods and services) among these ­sectors may be a good indication of interdependency. Data (information) is also both consumed and ­generated by all CI sectors; the extent to which one sector consumes information from another sector may thus be a useful indication of interdependency. Since no single criteria can measure CII indepen­dently (the systems are far too complex), correlation of a variety of “indicator” metrics, such as money and data flows, provide insights which go well beyond opinions and intuition – and creating a more solid foundation for policy.

The metrics presented here are representative of CII under ­normal operating conditions. While metric-sets describing CII vulnerabilities and risks under crisis conditions would be most useful, you would need a unique metric-set for each unique crisis or risk. Maintaining such metrics is not scalable. Instead, metrics under normal operating conditions can be applied to expose vulnerabilities which manifest into varying degrees of risk under all-hazards risk management. Risk practitioners can then apply metrics from normal operating conditions (as the baseline) against risks associated with a specific event and organization.

Applying metrics to critical infrastructure protection in this manner is new, and the indications presented are first generation. There is much more work to be done and refinements to be applied. The metrics discussed here are not proposed as definitive, final or flawless: they are indicative and establish a starting point for assessing operational risks associated with CI, using metrics as opposed to intuition and guesswork.

Inbound and Outbound Metrics
CII metrics can be categorized as “Inbound” and “Outbound.” “Inbound” metrics indicate the level of assurance required in the goods and/or services consumed from other ­sector players. “Outbound” metrics indicate the level of assurance placed upon the goods and/or services produced in a sector, by the consuming sectors. “Inbound dependency” therefore, indicates how strongly a CI sector needs the other sectors’ goods and services, and “Outbound dependency” – how strongly other sectors need a given sector’s goods and services. Inbound metrics provide insights into a sector’s possible supply-chain vulnerabilities, while Outbound metrics provide insight into the threats a sector may pose to other players.

CII metrics versus policy focus
It is an evolved convention among CIP policy managers that Energy and Transportation industries have been the subject of the most attention and public investment; while other sectors receive varying degree of attention. Is this appropriate?

Using a risk assessment process supplemented with CII metrics, this convention is shown to posses some gaps. For instance, while Energy and Transportation are indeed shown to be the most fragile infrastructures (validating the convention in part), other infrastructure such as Healthcare are found to be equally fragile. Similarly, when considering the cascading impacts on reliant sectors, Telecoms and Finance are substantially more intertwined with safety and prosperity than either Energy or Transportation. Yet, unlike Energy and Transportation, Telecom and Finance have been the recipients of far smaller, if any, public investment in CIP.

Overlooked and Undesignated Sectors
A useful by-product of econometric analysis is that critical relationships among designated CI sectors and undesignated (not considered CI) sectors become partially visible. In several cases, dependency relationships exist which imply that typical CI sector definitions around the world require further refinement, otherwise, critical supply chain elements and CII relationships lack even basic policy-­support. Policy support is important not only because it can lead to financial support, and it can also determine logistical support under emergency conditions. The table on the previous page ­represents an econometric view of some industries that are apparently critical to CI sectors, but not considered critical themselves under most definitions. In many cases these undesignated industries are more important economically to a specific CI sector than most if not all of the other designated CI sectors.  

Alternate CI support policies – tax credits and vouchers
One conclusion is that policy and public funding based on non-quantitative understanding of CI interdependencies is prone to flaws, even with the benefit of quantitative assessment. Governments generally do not possess enough knowledge of ­complex CI sectors required to understand CII comprehensively. An alternate approach would be to let organizations and their clients decide on their requirements for assurance independently through a market-based system of tax credits or user-vouchers. These incentives could be similar in nature to the ­successful Scientific Research and Experimental Development tax credits employed in many nations, such as Canada.

As an adjunct to tax credits (or independently), CIP vouchers equating to tax credits or subsidies could be provided to CI sectors to “spend” with their most critical suppliers. The suppliers would then claim back the value – not unlike successful instances of school systems and educational vouchers.

By making info-sharing an eligibility criterion for credits or vouchers, this system could add value by providing benefits to public safety entities that promote information sharing about threats and vulnerabilities.  

___
Tyson Macaulay, the Security Liaison Officer at Bell Canada, leads security initiatives addressing complex, technology solutions including IT assets, and regulatory/legal compliance requirements.
© FrontLine Security 2010