Analysis of SCADA Interdependencies

Analysis of Interdependencies and Risk in Oil & Gas Infrastructure Systems
Yacov Y. Haimes, Project Director; Joost R. Santos; Kenneth G. Crowther; Matthew H. Henry; Chenyang Lian; Zhenyu Yan
Center for Risk Management of Engineering Systems, University of Virginia
Research Report No. 11, June 2007

This work was produced under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College, and supported under Award number 2003-TK-TX-0003 from the U.S. Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security, the Science and Technology Directorate, the I3P, or Dartmouth College. Copyright © 2007. Trustees of Dartmouth College.

Description: analysis of SCADA system dependencies

Transcript of Analysis of SCADA Interdependencies

Page 1: Analysis of SCADA Interdependencies

Research Report No. 11, June 2007

Analysis of Interdependencies and Risk in Oil & Gas Infrastructure Systems

Yacov Y. Haimes, Project Director
Joost R. Santos
Kenneth G. Crowther
Matthew H. Henry
Chenyang Lian
Zhenyu Yan

Center for Risk Management of Engineering Systems, University of Virginia

June 8, 2007

This work was supported under grant number 2003-TK-TX-0003 from the U.S. Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security or the Science and Technology Directorate. The I3P is managed by Dartmouth College. Copyright © 2005. Trustees of Dartmouth College.

This work was produced under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College, and supported under Award number 2003-TK-TX-0003 from the U.S. Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security, the Science and Technology Directorate, the I3P, or Dartmouth College.

Copyright © 2007. Trustees of Dartmouth College.

June 2007


TABLE OF CONTENTS

Introduction ... 2
Section 1: Filtering and Prioritizing SCADA Risk Scenarios ... 4
  Stage 1: Develop a Hierarchical Holographic Model (HHM) ... 4
  Stage 2: Partition based on temporal domain and level of decision-making ... 4
    Strategic Risk Scenarios ... 5
    Tactical Risk Scenarios ... 7
  Stage 3: Risk Scenario Filtering and Ranking ... 7
    Strategic Risk Scenarios ... 7
    Tactical Risk Scenarios ... 8
  Stage 4: Evaluation of Effects on System Dependability ... 9
  Insights ... 12
Section 2: Quantifying Risk in Interdependent Infrastructures ... 13
  Modes of Infrastructure Coupling ... 14
    Physical Coupling ... 14
    Information and Logical Coupling ... 15
    Interregional Economic Coupling ... 16
    Inter-sector Economic Coupling ... 16
  Risk Modeling for Analysis ... 17
    Inoperability Input-output Model (IIM) ... 17
    Hierarchical Holographic Model (HHM) ... 18
    Hierarchical Coordinated Bayesian Model (HCBM) ... 19
    Network Security Risk Model (NSRM) ... 20
    Petroleum Infrastructure Response Model (PIRM) ... 20
    Model Integration for Multi-level Risk Assessment ... 21
Section 3: Managing Risk in Interdependent Infrastructures ... 22
Section 4: Illustrative Examples ... 24
  Network Risk Assessment and Management ... 24
  Regional Preparedness and Risk Management ... 26
  Dynamic Recovery Analysis ... 27
Section 5: Conclusions and Future Work ... 31
References ... 32

1 of 34 12/19/2005

est. 1987 Center for Risk Management of Engineering Systems


Analysis of Interdependencies and Risk in Oil & Gas Infrastructure Systems

A Report for the

Institute for Information Infrastructure Protection (I3P)

Prepared by the Center for Risk Management of Engineering Systems

University of Virginia, Charlottesville

June 8, 2007

Introduction

This report documents the analytical contributions of the Center for Risk Management of Engineering Systems at the University of Virginia (UVA Risk Center) to the Process Control Network Security project conducted by the Institute for Information Infrastructure Protection (I3P) from 2005 to 2007. The focus of the UVA Risk Center's effort was to understand, quantify, and develop methodologies for managing the risk of cyber attacks on interdependent infrastructures, particularly infrastructures employed in the production, refining, and distribution of Oil & Gas commodities. The results of the two-year study include (1) an assessment of the various sources of risk to Oil & Gas infrastructures due to cyber and other threats, (2) methodologies for the quantification of cyber and other risk at the facility, infrastructure, and economic levels, (3) several case studies that illustrate the utility of the models developed, and (4) methodologies and recommendations to manage cyber and other risks to interdependent infrastructures.

The motivating problem that precipitated the methodological and analytical developments over the last two years can be stated as follows: given a sufficiently sophisticated and well-executed cyber attack on one or more process control networks embedded in Oil & Gas infrastructure, what is the likelihood and severity of the consequences, as measured at the facility, infrastructure, and economic levels? Furthermore, what can and should be done to manage the risks posed by cyber and other threats at the multiple levels of decision-making?

In this problem, the infrastructure systems of interest are highly interconnected and interdependent, both within the Oil & Gas industry and with external supporting and dependent infrastructure and economic sectors. Moreover, the interdependencies are manifested at many different levels. At the macroeconomic level, interdependencies exist between economic sectors, between geographic regions, and between economic sectors in one region and different sectors in other regions. At the infrastructure level, interdependencies exist between crude oil producers and importation facilities, refinery operations, and pipeline capacity. At the facility level, interdependencies exist between the functionality of process control components and the operation of the controlled processes. Furthermore, during an attack, interdependencies exist between the attacker's tactical decisions in pursuit of infrastructure disruption and the network security system in its role of detecting and managing intrusions.

Untangling these complex interdependencies resulted in a multi-scale approach to modeling, which provides a cost-effective capability to estimate tradeoffs among various risk management options. Assessment of risk must take into account interdependencies at all levels. However, the problem quickly becomes intractable because of the different domains in which interdependencies manifest themselves. The first step in addressing the larger problem is decomposing it into coupled sub-problems that can be more easily digested and addressed with analytical tools. Figure 1 illustrates the problem decomposed into functional domains. Different models and methodologies are used across functional domains to assess the risks associated with disruptions propagating from lower-level domains. In particular, the risk of cyber attack on facility-level process control networks is quantified by resolving the effects of Information Coupling in the Process Control Domain to evaluate the degree of Process Control Disruption, which, when considered in conjunction with Physical Process Coupling in the Production Domain, gives a measure of the likelihood and severity of Product Disruption. In the Infrastructure Domain, Commodity Disruption is a product of local Product Disruption at the facility level and Physical Regional Coupling across the interconnected infrastructures that produce, import, refine, and distribute Oil & Gas commodities. Risk is given as a measure of the likelihood and severity of Commodity Disruption after resolution of infrastructure interdependencies. In the Economic Domain, risk is measured as the likelihood and severity of Sector Disruption, a product of regional Commodity Disruption and Transactional Regional Coupling, which accounts for inter-sector and inter-regional interdependencies.

Figure 1 Problem Domain Decomposition

The remainder of this report is organized as follows. Section 1 discusses risk scenarios generated via four parallel HHM sessions at the initial I3P workshop in Houston, Texas. Section 2 enumerates and describes several analytical models and methodologies employed by the UVA Risk Center throughout this project, including several that were developed during the course of the project. Section 3 develops methodologies and recommendations for risk management. Section 4 presents analytical results based on selected case studies. Finally, Section 5 discusses opportunities for future work in interdependencies analysis, in the Oil & Gas industry and in general.

Section 1: Filtering and Prioritizing SCADA Risk Scenarios

The purpose of this exercise is to identify, filter and prioritize risk scenarios associated with cyber intrusion into Supervisory Control and Data Acquisition (SCADA) process control networks that monitor and control Oil & Gas infrastructure. Risk filtering and ranking comprise the first stages of the Risk Filtering, Ranking and Management (RFRM) methodology discussed in [16]. The purpose of filtering and ranking risk scenarios is to partition the scenarios of interest into different temporal and operational domains and then to prioritize analytical or risk management tasks based on the severity of risk associated with the filtered scenarios. In the case of the SCADA risk scenarios identified at the I3P SCADA Task 1 Workshop (Houston, June 2005), the risk filtering and ranking exercise will help to direct the efforts of the tasks more focused on risk management (Tasks 2, 4 and 5).

SCADA systems in the oil and gas industry involve hundreds or thousands of components and subsystems that are vulnerable to various forms of attack, e.g., cyber attacks on SCADA software systems, or comprehensive cyber-enabled physical or physical-enabled cyber attacks on process control and associated infrastructure. The hierarchical holographic modeling (HHM) method ([7], [9], and [11]) was used to capture the risks to SCADA systems and associated interdependent and interconnected infrastructures [8]. The HHM is a preparatory step for risk filtering and ranking, which winnows the field of risk scenarios to those that should be given highest priority for risk management solution development [16]. Immediate courses of action can then be taken more efficiently to address the components or subsystems affected by the highest-priority risk scenarios, i.e., those most seriously demanding attention because of the likelihood of a successful attack and the severity of the potential consequences, and risk management policies can be recommended to decision-makers for those deemed most critical in the long run.

Stage 1: Develop a Hierarchical Holographic Model (HHM)

HHM was introduced as a methodology for analyzing large-scale, complex systems of systems. The HHM developed at the Task 1 Workshop identified a myriad of risk scenarios corresponding to interactions within the system of systems that constitutes the SCADA operating environment. The results are presented in Figure 2.

Stage 2: Partition based on temporal domain and level of decision-making

This stage partitions the risk scenarios into different temporal and operational domains for more detailed analysis. The partitioning reflects the level of activity or decision-making required on the part of attackers for different risk scenarios to materialize. This generally corresponds to the level of activity and decision-making required on the part of the system defenders to manage the associated risks. For this analysis, the risk scenarios were divided into two groups: strategic and tactical risk scenarios. Strategic scenarios are those for which significant planning and resource collection and allocation are required on the part of attackers and system defenders. Tactical scenarios are those corresponding to "real-time" attacker-system interaction and represent methods that might be combined to form an attack or defense strategy. Note that the partitioning is imperfect. For many of the risk scenarios, a sound case could be made for identifying them with either group. The grouping presented here was expedient for filtering and prioritization.

Strategic Risk Scenarios (long-term goal-setting, system configuration, and resource collection and allocation)

- Investing in inherent security of emerging technologies
- Employee education and security incentives
- Too few IT-skilled employees embedded in SCADA-user teams
- On-site contractors
- Connectivity to business LAN
- Vulnerability of distribution networks
- Social engineering: identification of disgruntled or easily bought employees
- Social engineering: development of insider threat
- Dependence on external infrastructures (e.g. telecom, electric power, water, gas)
- Incorporation of "secure" components or subsystems into "non-secure" legacy systems
- Shared incentives between operators and vendors to develop system-wide security solutions
- Availability of confidential or authentication information in dumpsters
- Publicly available list of key personnel
- Publicly available emergency response plan
- Vulnerability of components or subsystems deemed "non-critical", particularly insofar as they provide a path to critical components or subsystems
- Availability and use of open-source protocols
- Observability of targets by potential attackers

Figure 2 SCADA Risk Scenario HHM


Tactical Risk Scenarios (real-time attack/defense action and reaction)

- Port scanning
- E-mail traffic monitoring
- Keystroke monitoring
- Communication monitoring
- Packet spoofing (via protocol discovery)
- Remote access via protocol discovery
- Remote access via operating system vulnerability or poorly configured firewalls
- Password theft/replication
- Mail-distributed scripts
- Remote access via wireless connection
- Remote access via contractor account
- Remote access via software-implemented backdoor
- Disable key personnel
- Exploit emergency response plan
- Hoard and catastrophically release mechanical, thermal, electrical or chemical energy via controllable mechanisms
- Lack of bandwidth (by design or by DoS/DDoS) in legacy systems to handle network security system overhead

Stage 3: Risk Scenario Filtering and Ranking

This portion of the analysis filters and prioritizes the risks identified and partitioned in Stages 1 and 2. The result is a narrower focus on higher-likelihood, higher-consequence scenarios. The analysis has different implications for the two partitions from Stage 2. The strategic risk sources do not map to specific scenarios; rather, they indicate the degree of risk associated with particular strategic interdependence, resource allocation or system configuration decisions. The tactical risk sources, alternatively, constitute attack or reconnaissance scenarios with estimable likelihood and consequences. In general, this analysis can be updated regularly as new intelligence provides better likelihood or consequence estimates. Figure 3 and Figure 4 illustrate the ranking for the strategic and tactical risk scenarios, respectively. The bracketed expression preceding each tabulated scenario indicates both its scope, strategic [S*] or tactical [T*], and its risk order; e.g., [S1] bears the greatest risk among the identified strategic risk scenarios. The level of risk roughly increases from the lower left corner of each chart to the upper right corner. Equally shaded areas correspond to approximately equivalent levels of risk.

Strategic Risk Scenarios

In the chart provided in Figure 3, the risk scenarios indicate the degree of risk associated with a particular strategic interdependence, resource allocation or system configuration decision. The filtering and ranking is done on the basis of how likely a decision is to succeed in making critical assets vulnerable to planned attacks and how effective those attacks might be. In the case of risk management decisions, e.g. "investing in inherent security of emerging technologies" and "employee education and security incentives," the filtering and ranking is based on the strategic decision being made not to take these risk-managing actions.

Figure 3 Strategic Risk Scenario Ranking

Tactical Risk Scenarios

In Figure 4, each risk scenario consists of a single method of attack or reconnaissance. In the case of attack, the interpretation of likelihood and consequences is clear. In the case of reconnaissance, the filtering and ranking is done on the basis of how likely a reconnaissance method is to succeed in yielding information useful to an attacker, and of the access to or privilege in secured networks that any information gleaned might give the attacker. In terms of the "effect" column levels, the degree of access or privilege maps to the degree to which information gleaned from the reconnaissance method will yield destructive consequences as a result of heightened access or privilege in the secured network.


Figure 4 Tactical Risk Scenario Ranking
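The filtering and ranking step above is, mechanically, a qualitative risk matrix: each scenario receives an ordinal likelihood and an ordinal consequence (for reconnaissance methods, the consequence is the access or privilege the gleaned information would yield), the cell it lands in fixes its risk band, and the scenarios in each partition are then ordered and labelled [S1], [S2], ... and [T1], [T2], ... The Python below is an added example, not code from the report or the UVA Risk Center. The five-level scales, the band matrix, the mapping from attacker access to consequence, and the sample scenario ratings are all assumptions made for illustration; they are not the ratings behind Figures 3 and 4.

```python
"""Qualitative risk filtering and ranking in the style of Stage 3.

Added example, not code from the report. Scales, band matrix and sample
ratings are assumptions for illustration only.
"""
from dataclasses import dataclass

# Ordinal scales, lowest to highest (assumed).
LIKELIHOOD = ("unlikely", "seldom", "occasional", "likely", "frequent")
CONSEQUENCE = ("negligible", "marginal", "moderate", "critical", "catastrophic")

# Risk band for each (likelihood, consequence) cell. Row index = likelihood,
# column index = consequence, so risk rises from the lower-left cell
# ("unlikely", "negligible") to the upper-right cell ("frequent",
# "catastrophic"). Cells sharing a letter are the "equally shaded" areas of
# approximately equivalent risk; A is highest. (Assumed matrix.)
BANDS = (
    "DDDCC",  # unlikely
    "DDCCB",  # seldom
    "DCCBB",  # occasional
    "CCBBA",  # likely
    "CBBAA",  # frequent
)
BAND_RANK = {"A": 0, "B": 1, "C": 2, "D": 3}

# Reconnaissance methods are ranked by the access or privilege the gleaned
# information gives an attacker; this maps that "effect" level onto the
# consequence scale. (Assumed mapping.)
ACCESS_TO_CONSEQUENCE = {
    "no network access": "negligible",
    "business LAN access": "marginal",
    "read-only SCADA view": "moderate",
    "operator privileges": "critical",
    "engineering/admin privileges": "catastrophic",
}


@dataclass(frozen=True)
class RiskScenario:
    name: str
    scope: str          # "S" = strategic, "T" = tactical
    likelihood: str
    consequence: str


def band(likelihood: str, consequence: str) -> str:
    """Look up the qualitative band for one (likelihood, consequence) cell."""
    return BANDS[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def sort_key(s: RiskScenario) -> tuple:
    """Best band first, then the cell's diagonal position, then likelihood,
    then name, so that ties are broken deterministically."""
    li = LIKELIHOOD.index(s.likelihood)
    ci = CONSEQUENCE.index(s.consequence)
    return (BAND_RANK[band(s.likelihood, s.consequence)], -(li + ci), -li, s.name)


def rank(scenarios) -> list:
    """Return [(label, scenario, band)] from highest risk downward. Labels
    follow the report's convention: [S1] is the riskiest strategic scenario,
    [T1] the riskiest tactical one; the two partitions are numbered apart."""
    out = []
    for scope in ("S", "T"):
        group = sorted((s for s in scenarios if s.scope == scope), key=sort_key)
        out.extend((f"[{scope}{i}]", s, band(s.likelihood, s.consequence))
                   for i, s in enumerate(group, start=1))
    return out


def filter_scenarios(scenarios, keep=("A", "B")) -> list:
    """The filtering step: retain only scenarios whose band is in `keep`."""
    return [entry for entry in rank(scenarios) if entry[2] in keep]


def recon_scenario(name: str, likelihood: str, access_gained: str) -> RiskScenario:
    """Tactical reconnaissance scenario whose consequence is derived from the
    access or privilege the method would yield."""
    return RiskScenario(name, "T", likelihood, ACCESS_TO_CONSEQUENCE[access_gained])


# Constructed sample ratings (illustrative only, not the report's).
SAMPLE = [
    RiskScenario("Insider threat (contractor or disgruntled employee)", "S", "frequent", "catastrophic"),
    RiskScenario("Connectivity to business LAN", "S", "frequent", "critical"),
    RiskScenario("Publicly available list of key personnel", "S", "occasional", "marginal"),
    RiskScenario("Exploit emergency response plan", "T", "likely", "catastrophic"),
    recon_scenario("Port scanning", "frequent", "business LAN access"),
    recon_scenario("Password theft/replication", "likely", "operator privileges"),
]

if __name__ == "__main__":
    for label, s, b in rank(SAMPLE):
        print(f"{label} band {b}: {s.name} ({s.likelihood}/{s.consequence})")
    print("retained for risk management:",
          [label for label, _, _ in filter_scenarios(SAMPLE)])
```

The band matrix is what makes two scenarios "equally shaded": ranking by band first and only then by position in the matrix is what keeps a frequent-but-marginal reconnaissance method from outranking a rarer scenario with catastrophic consequences. Re-running `rank` with updated likelihoods is the "update as new intelligence arrives" step.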

Stage 4: Evaluation of Effects on System Dependability

In this stage of the analysis, the objective is to evaluate how the highest-risk scenarios at the strategic and tactical levels can potentially affect system resilience, robustness and redundancy. Resilience is defined in [16] as the ability of a system to recover from a disturbance. Robustness is defined as the ability of a system to withstand a disturbance without loss of capability. Redundancy is the degree to which parallel fault paths inhibit system failure. The highest-risk scenarios are tabulated below in Table 1 and Table 2 in order of risk level, as indicated in Figure 3 and Figure 4 above.


Table 1 Assessment of Effects on System Dependability - Strategic Risk Scenarios

Effects are listed under the table's three columns (effect on resilience, effect on robustness, effect on redundancy); blank cells are omitted.

[S1] On-site contractor or disgruntled employee (insider threat)
  Resilience: Impediment to automated emergency response systems
  Robustness: Expert knowledge of "weak" spots in system; softens target prior to attack
  Redundancy: Disables spares and recoverability systems

[S2] Use of open-source protocols
  Resilience: Impediment to automated emergency response systems; provides a consistent path for attack until the protocol is changed
  Robustness: Public knowledge of "weak" spots in system
  Redundancy: Potentially disables spares and recoverability systems

[S3] Connectivity to business LAN
  Resilience: Impediment to emergency response personnel alerting
  Robustness: Provides consistent path to SCADA network

[S4] (Not) investing in employee education
  Resilience: Impedes the ability of an organization to respond to and recover from an attack
  Robustness: Makes social engineering and access theft more likely to succeed

[S5] Dependence on external infrastructure
  Resilience: Impediment to emergency recovery and external communications
  Robustness: Path for system failure
  Redundancy: Failure of an external infrastructure removes one level of redundancy

[S6] Vulnerable "non-critical" assets provide path to "critical" assets
  Robustness: Creates a weak spot in the system
  Redundancy: Potentially disables redundant components or subsystems

[S7] Lack of system-wide security solutions
  Robustness: Multiple paths for system failure

[S8] (Not) investing in secure emerging technologies
  Resilience: Improved technologies will enable faster and more reliable fault recovery
  Robustness: Improved technologies will enhance security via authentication and other intrusion prevention measures


Table 2 Assessment of Effects on System Dependability - Tactical Risk Scenarios

Effects are listed under the table's three columns (effect on resilience, effect on robustness, effect on redundancy); blank cells are omitted.

[T1] Exploit emergency response plan
  Resilience: Impediment to emergency response procedures
  Robustness: Softens response systems to augment effectiveness of attack
  Redundancy: Disables spares and recoverability systems

[T2] Hoard and release energy
  Robustness: Renders multiple components or subsystems inoperable
  Redundancy: Renders multiple components or subsystems inoperable

[T3] DoS/DDoS
  Resilience: Impediment to automated emergency response systems
  Robustness: Disables system communications
  Redundancy: Disables spares and recoverability systems

[T4] Password theft
  Robustness: Access to confidential data may yield knowledge of "weak" spots in system
  Redundancy: Attacker may disable spares and recoverability systems

[T5] Remote access
  Resilience: Impediment to automated emergency response systems; impediment to external communications
  Robustness: Provides "weak spot" and path for attack
  Redundancy: Attacker may disable spares and recoverability systems

[T6] Mail-distributed scripts
  Resilience: Impediment to automated emergency response systems
  Robustness: Softens target prior to attack
  Redundancy: Disables spares and recoverability systems

[T6] Packet spoofing
  Resilience: Impediment to automated emergency response systems
  Robustness: Enables local process control manipulation
  Redundancy: Disables spares and recoverability systems


Insights

The RFRM analysis in this section describes how identified risk scenarios should be viewed in terms of their likelihood, their consequences and the nature of their effects on the target systems. Moreover, consistent with the RFRM process, the analysis is not exhaustive and should be continually refined by identifying more detailed risk scenarios and adopting some measure of likelihood estimation based on available intelligence data [16]. In spite of these limitations, the analysis yields valuable insight into the risks posed by vulnerable SCADA systems for this interdependency study.

One conclusion that can be drawn from this analysis is that the risk scenarios of greatest severity require risk management solutions of a multi-scale nature. For example, the dominant risk scenarios in the two operational partitions, the insider threat and the exploitation of emergency response plans, pose complex problems that require a comprehensive management policy development effort addressing challenges posed by organizational, technical and operational systems. Another conclusion is the degree to which infrastructure interdependence poses risk to SCADA systems. This is highlighted by the risks associated with accessibility via IP networks, dependence on utility infrastructure, and the vulnerability of critical assets through interdependence with ostensibly non-critical components or subsystems. Finally, the need for comprehensive technological security measures in SCADA systems is clear, particularly the need for better authentication technologies, improved system-wide security measures and more secure communication protocols. This calls for a systematic and systemic life-cycle approach to security implementation processes in which all of the stakeholders participate, from the development of system requirements to the implementation of systems that can securely evolve as requirements change and capability is added in the form of new hardware and software subsystems.

Future work in the area of risk identification and characterization in SCADA systems includes a more comprehensive and detailed identification of risk scenarios, and a process for continual improvement and adaptation. This analysis, for example, would benefit from a more thorough development of the initial HHM. As it currently exists, the HHM was developed in a short period of time and lacks the depth and detail that would ideally come from a more exhaustive modeling effort. While the HHM exercise yielded much-needed insight into potential sources of risk in Oil & Gas SCADA and infrastructure systems, the current HHM entries are largely conceptual, describing dimensions and scales of risk without reference to detailed risk scenarios. The value of having specific scenarios is that the filtering and ranking exercises undertaken in this analysis then yield a more meaningful prioritization of risk management tasks with respect to allocating resources and developing realizable solutions.


Section 2: Quantifying Risk in Interdependent Infrastructures

Interdependent infrastructures can be characterized by different modes of coupling for the purposes of risk modeling, assessment, and management. Similarly, systems can be modeled from different perspectives and levels of abstraction to provide analytical support to decision-makers at various levels within an organization or system of organizations. Consider the interdependent systems graphically represented in Figure 5. At the lowest level, a process control system manages the operations of an extraction, refining, or petrochemical manufacturing plant. This information level connects organizations, protocols, operators, and machines on the basis of defined operations, and it allows the vulnerabilities present in any aspect of the system to affect other parts of the system. The middle layer of the diagram illustrates the larger physical and business interconnections. Plants and buildings are physically connected, and products can flow and be shared between plants. This physical layer is governed by business objectives subject to the physical constraints of purchasing, moving, and utilizing commodities and services. At the highest level, these plant units interoperate with other businesses, economic sectors, and infrastructure sectors. This level is an abstraction of the physical layer, obtained by aggregating businesses and corporations according to similar operation by region. The aggregation brings the equilibrium and momentum of production recipes into play for a large-scale interdependency analysis.

At each level of this hierarchy, risk is experienced and analyzed according to the objectives and requirements of the respective decision-makers. Correspondingly, analyses require hierarchies of connected models and simulations in an effort to understand how changes in micro-level activities affect the behavior of macro-level systems. These interactions are bi-directional in the sense that events in one micro-level system will influence the events and decisions made in other micro-level systems by way of interdependencies, which are observable and experienced at a general level. It is the role of the risk analyst to determine the appropriate hierarchy of questions to ask, systems to model, and information to collect when assessing risk in interdependent systems and providing insights for risk management.

Figure 5. Types and layers of interdependencies.


Risk assessment is the pursuit of understanding how adverse consequences might arise as the result of destructive forces acting upon systems of interest. Furthermore, by understanding how the state of the system contributes to its vulnerability to different sources of risk, risk assessment provides insight into how to manage risk by changing the state of the system in such a way that its vulnerability, and consequently the risk of adverse consequences, is reduced.

Kaplan and Garrick [20] posed the risk assessment triplet:

1. What can go wrong?
2. What is the likelihood?
3. What are the consequences?

Ideally, the process of risk assessment fully develops answers to these questions and thus holistically captures all sources of risk and assesses their associated likelihoods and consequences. Most traditional assessment methodologies decompose systems into isolated subsystems for analysis and recombination to create system-level measures [21]. This approach, however, is inadequate for the analysis of complex and interdependent systems of systems. Rinaldi et al. [27] underscore the need to enhance interdependency analysis. In their words, “it is clearly impossible to adequately analyze or understand the behavior of a given infrastructure in isolation from the environment or other infrastructures; rather, we must consider multiple interconnected infrastructures and their interdependencies in a holistic manner.” Current work seeks to address this gap and improve methods for interdependency assessment.

Modes of Infrastructure Coupling Risk assessment and management in large-scale systems requires an understanding of how and to what degree the systems are interdependent. For any given analysis, a subset of particularly relevant interdependencies will tend to dominate the modeling activity, depending on the questions that have been asked and the decision-maker who will ultimately use the analytical results for developing risk management policies. The role of the modeler is to isolate the relevant interdependencies and build analytical tools to address the questions asked by decision-makers. The remainder of this section reviews several fundamental modes of coupling, each of which is characterized by different functional and structural relationships. In addition, each is subject to risk in different ways. This is due to the variety of vulnerabilities that can be exploited by potential adversaries; the differing degrees of robustness, resilience, and redundancy that provide risk-mitigating mechanisms; and the diverse types and levels of associated consequences.

Physical Coupling Physical coupling between subsystems and components can be described as the means by which energy, information bits, or matter is physically transferred from one component to another. In the case of interdependent infrastructures, physical couplings are manifested in the transmission of (1) electricity from distribution networks to electro-mechanical loads via transformers and transmission wires, (2) water and gas from distribution infrastructures to points of consumption via plumbing, (3) materials from one process to another, or one facility to another, via plumbing, pipeline, or other transport, and (4) information from one network component to another via electrical transmission and reception of physical signals. Physical couplings have the capacity to render multiple systems inoperable if disrupted. For example, refineries cannot ship their products to consumers by way of a pipeline if the valves that enable flow from the holding tanks to the pipeline are immovably shut. Due to their high degree of criticality to most systems, physical couplings tend to be highly robust and are often redundant. However, they are typically neither adaptable nor resilient due to structural and mechanical constraints. Therefore, the risks associated with physical couplings tend to be characterized by significant consequences, yet with relatively low degrees of likelihood.

Information and Logical Coupling Logical couplings provide mechanisms by which coupled systems will conditionally behave based on shared measurements and functional relationships. In distributed control systems, logical couplings are implemented in the payload of information data packets, whereas, by contrast, information coupling is implemented in the routing header. Locally, a logical coupling is characterized by the rules embedded in automation software that govern the functionality of controlled processes in response to other processes with which they are interdependent. Logically coupled systems are by nature prone to risk associated with the propagation of erroneous data or control signals. By understanding the logical coupling in a system, an attacker could potentially disrupt the operation of a critical system by manipulating measurement or other data used to make system control decisions. A well-executed attack of this kind would be difficult to detect if the data appeared to be within normal ranges. For this reason, risk analysis of logically interdependent systems must take into account the propagation of apparently innocuous data manipulation or error.

Information couplings are those mechanisms by which information is physically transferred from one device to another by way of signal transmission. Economic and infrastructure sectors over recent years have become increasingly dependent on networked information systems (NIS) for efficient operations and timely delivery of products and services. The ubiquity of NIS in infrastructure sectors introduces risk associated with the so-called security triad for information systems: availability, integrity, and confidentiality [2]. As a case in point, the 1999 Olympic Pipeline rupture was caused in part by the failure of the supervisory control and data acquisition (SCADA) system to deliver timely and accurate information. Although not due to cyber attack, this incident resulted in a massive leakage of gasoline and total loss of pipeline operation, which demonstrated how information failure can lead to catastrophic results.¹ The National Transportation Safety Board report [26] indicated that the incident was caused by the “slow response” or “nonresponse” of the Olympic SCADA system. From a homeland security perspective, the fact that an event such as this one could have been triggered at will by a malicious agent is of grave concern, especially when considering that a well-placed attack could cause widespread damage due to infrastructure interdependencies. Therefore, in order to ensure the security of critical infrastructure sectors, it is imperative not only to understand their inherent physical and economic linkages, but also the additional information and logical interdependencies associated with NIS.

¹ In June 1999, system failure of a SCADA system was believed to have caused leakage of 277,000 gallons of gasoline from the Olympic Pipeline in Washington State. This incident caused the shutdown of the pipeline for nearly 1.5 years. Tanker trucks and barges were used for petroleum transport during this time, which consequently led to higher retail prices.
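The within-range manipulation described above, as an added example that is not part of the report: a constructed tank-level control loop (the logical coupling is the pump command's dependence on the reported level) whose level sensor is spoofed with a fixed, plausible value, and a mass-balance consistency check run over the same telemetry that flags the reading well before the tank overflows. Tank capacity, flow rates, thresholds, the spoofed value and the monitor's tolerances are all assumptions.

```python
"""In-range sensor spoofing against a logically coupled control loop, and a physics-consistency
check that catches it. Added example on constructed data; not the report's model."""
from dataclasses import dataclass
from typing import Optional

# Constructed tank and pump parameters (m^3 and m^3 per control step).
CAPACITY = 1000.0
PUMP_RATE = 50.0
OUTFLOW = 20.0
LEVEL_LOW, LEVEL_HIGH = 300.0, 800.0  # hysteresis band used by the level controller


@dataclass
class Telemetry:
    """One SCADA poll: the values the control logic actually acts on."""
    level: float    # reported tank level (the spoofed sensor)
    inflow: float   # reported pump flow meter, applied during this step
    outflow: float  # reported pipeline flow meter, applied during this step


def level_controller(pump_on: bool, reported_level: float) -> bool:
    """Logical coupling: the pump command depends only on the reported level."""
    if reported_level < LEVEL_LOW:
        return True
    if reported_level > LEVEL_HIGH:
        return False
    return pump_on


class MassBalanceMonitor:
    """Flags a level reading that stops agreeing with the metered in/out flows.
    Each value alone looks normal; only their relationship reveals the manipulation."""

    def __init__(self, tolerance: float = 5.0, persistence: int = 3):
        self.tolerance = tolerance      # allowed mismatch in m^3 per step (meter noise)
        self.persistence = persistence  # consecutive mismatches before alarming
        self.previous: Optional[Telemetry] = None
        self.strikes = 0

    def check(self, t: Telemetry) -> bool:
        if self.previous is not None:
            expected = self.previous.level + t.inflow - t.outflow
            if abs(t.level - expected) > self.tolerance:
                self.strikes += 1
            else:
                self.strikes = 0
        self.previous = t
        return self.strikes >= self.persistence


def simulate(steps: int = 60, attack_start: Optional[int] = None,
             spoofed_level: float = 450.0) -> dict:
    """Run the loop; from attack_start the level sensor reports a fixed, in-band value."""
    true_level = 200.0
    pump_on = False
    reported = true_level
    monitor = MassBalanceMonitor()
    alarm_step = overflow_step = None
    for step in range(1, steps + 1):
        pump_on = level_controller(pump_on, reported)
        inflow = PUMP_RATE if pump_on else 0.0
        true_level += inflow - OUTFLOW  # the physical process
        attacking = attack_start is not None and step >= attack_start
        reported = spoofed_level if attacking else true_level
        telemetry = Telemetry(level=reported, inflow=inflow, outflow=OUTFLOW)
        if monitor.check(telemetry) and alarm_step is None:
            alarm_step = step
        if true_level > CAPACITY and overflow_step is None:
            overflow_step = step
    return {"alarm_step": alarm_step, "overflow_step": overflow_step,
            "final_true_level": true_level, "final_reported_level": reported}


if __name__ == "__main__":
    print("no attack :", simulate())
    print("spoof @ 5 :", simulate(attack_start=5))
```

With the defaults, the spoof starting at step 5 trips the monitor at step 7 while the physical overflow would occur at step 27, so the consistency check buys the operator time that a range check on the level alone never would. The check works only because the flow meters are independent of the spoofed sensor; an attacker who controls all three values and keeps them mutually consistent defeats it, which is exactly the propagation of plausible-looking data the report says the analysis must account for.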

Interregional Economic Coupling Interregional couplings exist when commodity production, distribution, and consumption are dictated in part by regional interdependencies defined by physical infrastructure, import and export flows, and relative geographic distances. These couplings are often evident in the aftermath of massively disruptive events such as natural disasters, major plant closures, or adversarial geopolitical activity. Typically, interregional couplings act to dampen the propagation of disruption by way of the inherent viscosity in supply chains and consumption patterns provided by competitive markets, excess capacities, and consumer adaptation in the form of substitution and income effects. In the case of oil and gas infrastructure, geographic couplings were evident in the wake of hurricanes Katrina and Rita, where immediately after the storms, the supply of crude oil to refineries increased with distance from the epicenter of the storm damage.² This suggests that supplies of crude from other regions were more available to refineries that were less geographically dependent on Gulf sources. Risk associated with interregional interdependencies is often manifested in economic effects; however, other relationships can create and propagate risk. For example, the water distribution infrastructure poses risk by way of geographic coupling due to the fixed nature of the water assets. Hazardous chemical releases in one region threaten consumers of water in neighboring regions by way of natural hydrology and engineered water distribution infrastructure. Similarly, through geographic coupling, ecological risks associated with oil and gas infrastructures are propagated to regions not directly associated with the infrastructure itself. Therefore, analyses interested in the degree to which communities in the vicinity of accident-prone systems are at risk must take into account geographic interdependencies.

Inter-sector Economic Coupling In a complex economic system, the flow of commodities between economic sectors can yield insight into how disruptions in one sector will affect dependent sectors. Interdependencies are characterized by the production functions used by manufacturers of one commodity and the commodities upon which they are dependent for production. Furthermore, as production is driven by demand, disruptions in the marketplace, where commodities are consumed by households, will propagate back to the producers that supply the end products as well as constituent ingredients and other support commodities. A thorough understanding of these interdependencies enables regional and national preparedness planners to better pre-position materials for rapid rehabilitation of critical sectors in the aftermath of a major disaster.

² This observation was made after compiling and summarizing more than one hundred EIA Hurricane Rita Situation Reports.

Risk Modeling for Analysis In order to provide answers to the triplets of risk assessment and risk management questions, we construct models of the systems being considered, potential sources of risk, and appropriate coupling to other systems that might provide linkages to risk. The models provide insight into the state of the system and how changing the state of the system can reduce the likelihood of adverse consequences, thereby providing a means of evaluating the efficacy of different risk management options. Several modeling methodologies have been developed at the UVa Risk Center to gain insight into systems and associated risk. This section will describe several of the most useful for interdependent systems analysis, namely, (1) the Inoperability Input-output Model (IIM) ([1], [4], [15], [22], [24], [28]) and its derivatives, the Multi-Regional IIM (MR-IIM) developed by Crowther and Haimes [3],[5] and the Dynamic IIM (DIIM) developed by Lian and Haimes [23]; (2) the Hierarchical Holographic Model (HHM) developed by Haimes [9] and its derivatives, the Adaptive Multi-Player HHM (AMP-HHM) developed by Haimes and Horowitz [12] and the Risk Filtering and Ranking Method (RFRM) developed by Haimes, Kaplan, and Lambert [16]; (3) the Hierarchical Coordinated Bayesian Model (HCBM) developed by Yan, Haimes, and Waller [31]; (4) the Network Security Risk Model (NSRM) developed by Henry [17] and Haimes [18]; and (5) the Petroleum Infrastructure Response Model (PIRM) developed by Jurko [19] and Henry [17].

Inoperability Input-output Model (IIM) Several models have been proposed to address and study economic couplings. Input-output analysis, based upon the Nobel Prize-winning work by Wassily Leontief, is a useful tool for determining the economic ripple effects associated with a disruption in a particular sector of the economy. Extending this model, the UVa Risk Center has developed the Inoperability Input-output Model (IIM). This is an industry-level interdependency analysis tool to model the interconnectedness and interactions of various sectors of the economy. Given a perturbation from one or multiple sectors of the economy, the IIM estimates the ripple effects measured in industry inoperability or dollar loss. For example, a disruption to the oil and gas sector will show impacts to these dependent sectors: petroleum and coal products, manufacturing, pipeline transportation, utilities, air transportation, chemical manufacturing, and mining. Figure 6 illustrates the IIM as a snapshot of sector interdependencies, where $s_i$, $i = 1, 2, \ldots, 6$, notionally represents a sector with financial, physical, and commercial linkages to other sectors, as depicted by the interconnecting dotted lines. These linkages are mapped to a series of linear equations, as illustrated in the figure, where the parameters $a_{ij}$ quantify the linkage between sectors $i$ and $j$ based on inter-sector transaction data collected and processed by the U.S. Bureau of Economic Analysis (BEA).

The IIM is an inexpensive, holistic method for estimating economic impacts and sector interdependencies. It models the nation or some region of contiguous states or counties as an interdependent set of linear causal relationships, with perfect communication between all economic sectors. Thus, the resulting effects of a perturbation are estimated uniformly across the entire region and without temporal recovery details. This lack of spatial and temporal explicitness in IIM risk analysis results in only average estimates across geography and time. Such estimates may lead to overlooking geographically concentrated risks or significant cross-regional interdependencies and dynamic effects associated with post-event recovery.

Extensions to the IIM have been developed to address these problems. The Dynamic IIM (DIIM) describes the temporally interdependent recovery of sectors after an attack or natural disaster. The concept of resilience is incorporated so that the improvement of various sectors can be quantified and managed over time. Like the IIM, the DIIM shows economic loss and the number of sectors affected when considering different policy options, which directly or indirectly change the recovery dynamics of different sectors, as quantified by resilience coefficients in the dynamic model. The MR-IIM surveys available, relevant geo-spatial databases and integrates them to derive estimated impacts to multiregional systems for risk analysis. This model generates multiple scenarios, which serve the purpose of estimating higher-order impact propagations across multiple regions and industry sectors.

Figure 6. The modeling principle of the IIM as a snapshot of interdependencies.
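A worked version of the IIM equations, added here as an example and not the Risk Center's own code or data. The static model solves q = A* q + c* for the sector inoperability vector q given a demand-side perturbation c*; the dynamic extension iterates q(t+1) = q(t) + K [A* q(t) + c*(t) - q(t)], with the resilience coefficients k_i on the diagonal of K derived from an assumed recovery period in the manner of the DIIM of Lian and Haimes [23]. The four-sector matrix A*, the sector outputs and the recovery periods are constructed values, not BEA data.

```python
"""Static IIM solve and a DIIM recovery trajectory on constructed data. Added example."""
import math
from typing import List, Optional

Matrix = List[List[float]]
Vector = List[float]

# Constructed sector list; the real IIM uses BEA sector codes.
SECTORS = ["oil_gas_extraction", "petroleum_refining", "pipeline_transport", "utilities"]

# Constructed interdependency matrix A*. Entry (i, j) is the inoperability induced in sector i
# per unit of inoperability in sector j. Real values come from BEA transaction data.
A_STAR: Matrix = [
    [0.00, 0.10, 0.05, 0.10],
    [0.40, 0.00, 0.10, 0.15],
    [0.10, 0.30, 0.00, 0.10],
    [0.10, 0.05, 0.05, 0.00],
]

# Constructed as-planned annual output per sector, in billions of dollars.
OUTPUT: Vector = [120.0, 200.0, 30.0, 90.0]


def solve_linear(m: Matrix, b: Vector) -> Vector:
    """Gauss-Jordan elimination with partial pivoting; adequate for small dense systems."""
    n = len(b)
    a = [row[:] + [b[i]] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col] / a[col][col]
                for c in range(col, n + 1):
                    a[r][c] -= f * a[col][c]
    return [a[i][n] / a[i][i] for i in range(n)]


def static_iim(a_star: Matrix, c_star: Vector) -> Vector:
    """Solve q = A* q + c*, i.e. q = (I - A*)^-1 c*, for the equilibrium inoperability vector."""
    n = len(c_star)
    i_minus_a = [[(1.0 if i == j else 0.0) - a_star[i][j] for j in range(n)] for i in range(n)]
    return solve_linear(i_minus_a, c_star)


def economic_loss(q: Vector, output: Vector) -> Vector:
    """Dollar loss per sector: inoperability times as-planned output."""
    return [qi * xi for qi, xi in zip(q, output)]


def resilience_coefficient(q0: float, q_target: float, recovery_period: float, a_ii: float) -> float:
    """Exponential decay factor k_i implied by an assumed recovery period: q_i falls from q0 to
    q_target in recovery_period steps, discounted by the sector's self-dependence a*_ii."""
    return math.log(q0 / q_target) / (recovery_period * (1.0 - a_ii))


def diim_trajectory(a_star: Matrix, q0: Vector, k: Vector, steps: int,
                    c_star: Optional[Vector] = None) -> List[Vector]:
    """Iterate q(t+1) = q(t) + K [A* q(t) + c*(t) - q(t)] with a constant c* (zero after the event)."""
    n = len(q0)
    c = c_star or [0.0] * n
    q = q0[:]
    path = [q[:]]
    for _ in range(steps):
        q = [q[i] + k[i] * (sum(a_star[i][j] * q[j] for j in range(n)) + c[i] - q[i])
             for i in range(n)]
        path.append(q)
    return path


def recovery_period(path: List[Vector], sector: int, threshold: float) -> Optional[int]:
    """First step at which the sector's inoperability is at or below the threshold."""
    for t, q in enumerate(path):
        if q[sector] <= threshold:
            return t
    return None


def run_example() -> dict:
    # Event: a 50% perturbation on oil and gas extraction only; everything else is ripple.
    c_star = [0.5, 0.0, 0.0, 0.0]
    q_eq = static_iim(A_STAR, c_star)
    loss = economic_loss(q_eq, OUTPUT)
    # Assumed recovery periods (steps) per sector, from which the resilience coefficients follow.
    assumed_periods = [30.0, 45.0, 20.0, 15.0]
    k = [resilience_coefficient(q_eq[i], 0.01 * q_eq[i], assumed_periods[i], A_STAR[i][i])
         for i in range(len(SECTORS))]
    path = diim_trajectory(A_STAR, q_eq, k, steps=120)
    periods = [recovery_period(path, i, 0.01 * q_eq[i]) for i in range(len(SECTORS))]
    return {"q_eq": q_eq, "loss": loss, "k": k, "recovery_steps": periods}


if __name__ == "__main__":
    result = run_example()
    for i, name in enumerate(SECTORS):
        print(f"{name:20s} q={result['q_eq'][i]:.3f} loss=${result['loss'][i]:.1f}B "
              f"k={result['k'][i]:.3f} recovered_by_step={result['recovery_steps'][i]}")
```

The static solve is the Figure 6 snapshot in miniature. The trajectory shows why the report treats the recovery period and the resilience metric as separate risk metrics: in the coupled system a sector's observed recovery is slower than the period its own k_i was derived from, because it keeps being re-perturbed by slower-recovering suppliers, so hardening one sector shortens the recovery of its customers as well.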

Hierarchical Holographic Model (HHM) The HHM ([9], [11], [16], [21]) provides a construct for capturing the multifarious nature of a complex system of interest in order to drive subsequent detailed analysis. For example, the HHM in Figure 7 represents a simplified taxonomy of interdependency analysis. The major topics, displayed in the second row of double-lined blocks, describe considerations for interdependency models, and resulting subtopics cover ranges that may be included in the modeling effort. The value in approaching complex modeling in this way is that questions and analytical activities can be more narrowly and appropriately defined by way of careful system decomposition. Moreover, the reconstruction of the model and analysis follow the reverse process and yield a much more comprehensive and useful product for policy analysis and formulation.


Figure 7. Introductory taxonomy for interdependency analysis. (Hierarchy recovered from the figure: head topic Interdependencies; major topics Types of Couplings (Physical, Cyber, Economic, Geographic, Logical), Response Times (Real-time, Time-lag, Days, Months, Equilibrium), Failure Propagation (Cascading, Amplifying, Dampening, Distributed), Model Descriptions of Couplings (Linear/Non-linear, Adaptive/Fixed, Deterministic/Random, String/Mesh), and Critical Connecting Infrastructure (Pipeline Transportation, Electric Power Distribution, Telecom., Air/Road/Rail Transportation, Financial Sector, Other).)

Derivatives of the HHM, the AMP-HHM [12] and the RFRM ([11], [16]) provide more extensive frameworks for collaborative and resource allocation analyses, respectively. In particular, the AMP-HHM is a framework for making more structured use of experts from different points of view when analyzing risk in specific assets or classes of systems. In conducting an AMP-HHM exercise, each of several teams of experts is charged with constructing an HHM from its specified point of view, after which the HHMs are combined to build a richer model of the system of interest. For example, two teams, one representing asset owners and the second representing potential adversaries, would build two separate HHMs to capture, from each perspective, the possible paths of attack, methods of defense, and so forth. The combined HHM, then, serves as a seed for future HHM adaptation on the part of each team. The RFRM makes use of HHM development to construct risk scenarios, which are then filtered and ranked according to assessed likelihood and consequence in order to make reasoned judgments for risk management.

Hierarchical Coordinated Bayesian Model (HCBM) It is well known that when estimating the distributions of parameters with traditional statistical methods, such as maximum likelihood estimation, larger data sets give more accurate estimates, with smaller confidence intervals and standard errors. However, when the traditional statistical methods are applied to very small data sets, they produce large confidence intervals, with standard errors so large that the estimates are described as unstable. Because problems in risk analysis often involve extreme events, which rarely happen or are even hypothetical at the time of the assessment, directly related empirical data for these problems are almost always lacking. Thus, how best to analyze sparse data is an important issue for risk analysts. The HCBM ([31], [32]) is a statistical data analysis tool developed by the UVa Risk Center for analyzing the sparse data gathered from extreme events. By decomposing the database into multiple perspectives, HCBM can integrate both direct data and indirect data from multiple sources and make inferences on extreme event likelihoods and consequences using hierarchical coordination. Thus, HCBM can largely reduce the estimation variance and enhance estimation accuracy relative to direct estimation methods for extreme event data analysis.

Network Security Risk Model (NSRM) At the facility level, interdependencies exist between system components within the facility, between system components and facility objectives, and between system components and adversary objectives. The role of new facility-level models currently under development is to capture these interdependencies in useful models that can provide a means of assessing risk and of evaluating the efficacy of risk management by estimating the difference in assessed risk as a result of candidate risk management measures. Several modeling paradigms have been employed, including scenario development, stochastic shortest path models, and dynamic risk management. The NSRM ([17], [18]) was developed for assessing the risk of cyber attacks on process control networks in facilities that produce or distribute commodities over large infrastructures. The methodology develops scenario-based state machine models for risk assessment. Scenarios permit models to be developed to explore different sources of risk and conditions under which risk may emerge as a result of facility operation, intelligent adversary interaction, and evolution of system vulnerability with respect to adversary adaptation. Stochastic shortest path modeling provides a state machine analysis that yields insight into how an attack on an asset might proceed as a result of the interdependencies between adversary objectives and facility system response. Furthermore, these interactions provide insight into how attacks might disrupt or disable facility operability as a result of the interdependencies between facility objectives and system components, all or some of which may be disabled by an attack on the facility.

Petroleum Infrastructure Response Model (PIRM) At the industry level, interdependencies exist between producers, distributors, and consumers of petroleum products. In particular, refineries consume crude oil produced domestically or imported at tanker terminals. In turn, they produce refined products such as fuels, lubricants, and specialty chemicals that are then distributed to downstream consumers, including chemical manufacturers and the public. All of these processes are interconnected by distribution networks, of which pipelines comprise the highest capacity components. The PIRM ([19], [17]) was developed to assess the propagation of disruptions to commodity production or distribution processes. It is formulated as a series of input-output relationships parameterized by equilibrium values estimated from Department of Energy (DOE) databases. Finding the new equilibria of the model, given a perturbation to one or more components related to production, importation, refining, or distribution, yields an estimate of commodity shortages in each of the five Petroleum Administration for Defense Districts (PADDs), as shown in Figure 8.


Figure 8. PIRM and PADDs. (Block diagram recovered from the figure: the five Petroleum Administration for Defense Districts, PADD 1 through PADD 5; within each, Crude Distribution feeds Refining, which feeds Finished Distribution. Crude inputs are Domestic Crude, Imported Crude and Crude from Other PADDs, with Crude to Other PADDs as an output; finished-product inputs are Imported Finished and Finished from Other PADDs, with Finished to Other PADDs and Finished to Export as outputs.)

Note that the PIRM complements the more sophisticated system dynamics model developed by the National Infrastructure Simulation and Analysis Center (NISAC) at the Sandia National Laboratory. If used in conjunction with NISAC, the PIRM can be used to quickly identify scenarios of high consequence for more detailed and dynamic analysis by NISAC.

Model Integration for Multi-level Risk Assessment Recalling the functional decomposition illustrated in Figure 1, we note that the models and methodologies have been developed to address different components of the broader risk assessment. Moreover, interfaces have been developed to integrate them for multi-level analysis. In particular, the NSRM provides facility-level risk assessments for specific networks and infrastructure systems. Risk assessed at this local level is propagated over the physical infrastructure by way of the PIRM, where regional estimates of commodity disruption provide a basis for constructing MR-IIM perturbations to assess economic impacts. Details of this integration are provided by Henry [17].


Section 3: Managing Risk in Interdependent Infrastructures Risk management is the set of decisions that place decision-makers in a position where they understand and accept the range of possible consequences and trade-offs for decisive action in an uncertain environment. The intertwined processes of risk assessment and management provide an analysis and decision structure for policy formulation in interdependent systems that accounts for uncertainty and extreme events. Developing risk management policy can be effectively framed as the process of answering the risk management questions posed by Haimes [10]: 1. What can be done and what options are available? 2. What are the trade-offs in terms of costs, benefits, and risks? 3. What are the impacts of current decisions on future options? The previous section reviewed several methodologies that permit answers to the first two questions. Specifically, the identification of candidate risk management policies can be accomplished through HHM and AMP-HHM, where measures are elicited to mitigate either the likelihood or consequence of disruptive events. Furthermore, RFRM can assist in allocating priority to addressing specific risk scenarios. Evaluating tradeoffs requires the quantitative assessment of risk for comparison with the costs of risk management. For large-scale economic systems, IIM and its extensions DIIM and MR-IIM provide quantitative estimates of the economic impact stemming from the disruption of commodity production or distribution. The NSRM and HCBM provide tools for assessing the risk of cyber attacks on process control networks at a facility level. These risk models provide a means of evaluating the efficacy of candidate risk management policies by producing a measure of risk with and without the policy in place. These assessments, when compared against the estimated cost of risk management policies, permit an evaluation of cost-benefit-risk tradeoffs.

For example, Figure 9 plots the results of an analysis conducted using the MR-IIM to assess the losses due to Hurricane Katrina (2005) to different sectors of the economy. Figure 10 illustrates an assessment of what the benefits of proactive risk management might have been to Gulf Coast residents prior to Hurricane Katrina in 2005, based on a hypothetical capability of reducing the hurricane consequences across specific sectors [6]. The analysis illustrates, furthermore, how cost and benefit could be distributed amongst different interest groups to evaluate the efficacy of different risk management policies with respect to disruption of specific economic sectors. Addressing the third question requires a new approach to employ the risk models in a dynamic decision framework that evaluates the cost-benefit-risk tradeoffs in the context of constrained future options due to past and present decisions. Henry [17] and Haimes [18] developed an envelope-based methodology for evaluating the efficacy of risk management policies based on the envelope approach to multiobjective optimization problems [25]. For facility-level analysis, the NSRM is used as a risk assessment engine to provide measures of risk for evaluation of candidate policies over the course of several decision periods, which correspond to corporate resource allocation cycles. Finally, minimax envelopes provide an analysis that is robust to the uncertainty associated with the cyber attack scenario. At a macroeconomic level, the MR-IIM is embedded in the minimax envelope framework to evaluate preparedness and emergency response policies at a regional level.

Figure 9. Approximate distribution of direct and indirect impacts across Louisiana economic sectors during the month after Katrina [6]. (Plot: x-axis, thousands of employees, 0 to 600; y-axis, economic loss per employee in dollars on a log scale, 1.E+02 to 1.E+05; sectors plotted: Petro. Refining, Utilities, Oil & Gas Extraction, Trans., Resources, Recreation, Banks & Info., Wholesale & Retail, Mfg., Services; regions of the plot labeled Mostly Direct Effects and Mostly Indirect Effects.)

Figure 10. Hypothetical redistribution of impacts from preparedness activity [6]. (Plot with the same axes and sectors as Figure 9: thousands of employees, 0 to 600, on the x-axis; economic loss per employee in dollars on a log scale, 1.E+02 to 1.E+05, on the y-axis; regions labeled Mostly Direct Effects and Mostly Indirect Effects.)

Section 4: Illustrative Examples This section reviews two examples that illustrate risk assessment and management at the network and regional preparedness levels. Both are illustrative and are used to demonstrate how the models can support resource allocation decisions for managing risk. This section outlines the concepts of how the tools are used; details can be found in [17].

Network Risk Assessment and Management Consider the pipeline pump station and its process control network illustrated in Figure 11. The HHM and NSRM methodologies can be used to assess the risk of cyber attack on the facility for different attack scenarios, where scenarios are defined by different points of access on the network and different assumed attacker objectives. To assess risk for each scenario, the process control network is decomposed into representative components according to its security structure, and the infrastructure is decomposed according to different failure modes and effects. The decomposition induces a state space for an attack model, where the attacker solves a shortest path problem to find optimal attack trajectories. The solution to the shortest path problem yields a state transition matrix which, when applied in conjunction with failure mode and effects analysis, provides a measure of risk for the network in its present configuration.

Figure 11 Example Pump Station and Process Control Network

To evaluate the efficacy of different risk management options, then, the localized effects of each option are mapped to the attack model parameter space for each of the attack scenarios, inducing new measures of risk due to the implemented risk management policy. Minimax envelopes are found as the solution to a multiobjective optimization problem, providing a Pareto frontier for the set of risk management options in the objective space, where the objectives are to minimize risk and minimize the cost of risk management. Consider, for example, that five options are being considered: (1) implement two-factor authentication for all machines, (2) encrypt all communication channels, (3) upgrade the intrusion detection system, (4) implement fail-safe control logic in all devices, and (5) implement redundant controls for all processes. Each of these options has an assumed cost of implementation and an estimated effect on some characteristic of the security configuration. By mapping these local effects to the NSRM parameter space, the value of each option is ascertained from a system perspective and, when compared to the cost of implementation, provides a basis for making informed decisions with respect to resource allocation. Figure 12 illustrates the Pareto frontier that results from assessing the tradeoffs for multiple attack scenarios, where the minimax envelope is robust to the scenario uncertainty. Each point on the frontier represents the multiobjective value of the combination of three options, where each option is denoted by A (authentication), I (intrusion detection), E (encryption), F (fail-safe logic), R (redundant controls), or N (do nothing). The decision-maker then assesses the tradeoffs between risk and the cost of managing risk in order to choose the best combination from the efficient set.

Figure 12 Efficient Frontier for Pump Station Example
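The scenario, attack-path and frontier steps described above, rendered as an added example that is a simplified stand-in for the NSRM rather than the model itself: a constructed pump-station network is a graph of attacker moves with success probabilities, the attacker's best trajectory is the shortest path under -log p edge weights, risk is path probability times consequence, each option is mapped onto the parameters it affects, and the minimax envelope takes the worst case over scenarios before the Pareto frontier of cost against risk is extracted. Hosts, probabilities, option costs and option effects are assumptions; the option letters follow the page's own A, E, I, F, R and N labels.

```python
"""Scenario-based attack-path risk model with a minimax cost/risk frontier. Added example;
a toy stand-in for the NSRM on constructed data, not the model described in [17], [18]."""
import heapq
from itertools import combinations
from typing import Dict, List, Tuple

Edge = Tuple[str, str, float, str]

# Constructed process-control network for the pump station: each edge is an attacker move
# (source host, destination host, success probability, technique tag).
EDGES: List[Edge] = [
    ("internet", "vpn", 0.5, "cred"),        # stolen or guessed VPN credentials
    ("internet", "corp_lan", 0.3, "phish"),  # phishing foothold on the business network
    ("vpn", "corp_lan", 0.9, "lateral"),     # lateral movement from the VPN segment
    ("corp_lan", "hmi", 0.6, "cred"),        # reused operator credentials on the HMI
    ("corp_lan", "plc", 0.2, "proto"),       # direct unauthenticated control-protocol write
    ("hmi", "plc", 0.8, "proto"),            # control-protocol write from the HMI
]

# Constructed risk management options: implementation cost (arbitrary units), multiplier on the
# success probability of edges carrying a given tag, and multiplier on the consequence.
OPTIONS: Dict[str, dict] = {
    "A": {"cost": 3.0, "edges": {"cred": 0.2}, "consequence": 1.0},   # two-factor authentication
    "E": {"cost": 4.0, "edges": {"proto": 0.5}, "consequence": 1.0},  # authenticated/encrypted channels
    "I": {"cost": 2.0, "edges": {"cred": 0.8, "phish": 0.8, "lateral": 0.8, "proto": 0.8},
          "consequence": 1.0},                                        # IDS upgrade: every move riskier
    "F": {"cost": 5.0, "edges": {}, "consequence": 0.5},              # fail-safe control logic
    "R": {"cost": 6.0, "edges": {}, "consequence": 0.6},              # redundant controls
}

# Constructed attack scenarios: (entry point, attacker objective, consequence if reached).
SCENARIOS: List[Tuple[str, str, float]] = [
    ("internet", "plc", 100.0),   # remote attacker seeking control of the PLC
    ("corp_lan", "plc", 100.0),   # insider or compromised contractor already on the business LAN
    ("internet", "hmi", 40.0),    # remote attacker seeking to blind the operator view
]


def apply_options(chosen: Tuple[str, ...]):
    """Map the local effect of each option onto the model parameters (edge probabilities, consequence)."""
    edges = []
    for src, dst, p, tag in EDGES:
        for opt in chosen:
            p *= OPTIONS[opt]["edges"].get(tag, 1.0)
        edges.append((src, dst, p))
    consequence_factor = 1.0
    for opt in chosen:
        consequence_factor *= OPTIONS[opt]["consequence"]
    cost = sum(OPTIONS[opt]["cost"] for opt in chosen)
    return edges, consequence_factor, cost


def most_likely_path(edges, entry: str, target: str) -> float:
    """Probability of the attacker's best path: the shortest path under -log(p) weights,
    computed as a max-product Dijkstra so no logarithms are needed."""
    adjacency: Dict[str, List[Tuple[str, float]]] = {}
    for src, dst, p in edges:
        adjacency.setdefault(src, []).append((dst, p))
    best = {entry: 1.0}
    heap = [(-1.0, entry)]
    while heap:
        neg_p, node = heapq.heappop(heap)
        p = -neg_p
        if p < best.get(node, 0.0):
            continue  # stale queue entry
        if node == target:
            return p
        for dst, q in adjacency.get(node, []):
            if p * q > best.get(dst, 0.0):
                best[dst] = p * q
                heapq.heappush(heap, (-(p * q), dst))
    return 0.0  # target unreachable from this entry point


def scenario_risks(chosen: Tuple[str, ...]):
    """Cost of the option set and the risk (path probability x consequence) under each scenario."""
    edges, consequence_factor, cost = apply_options(chosen)
    risks = [most_likely_path(edges, entry, target) * consequence * consequence_factor
             for entry, target, consequence in SCENARIOS]
    return cost, risks


def minimax_frontier() -> List[Tuple[float, float, str]]:
    """Pareto frontier of (cost, worst-case risk over scenarios, option label) over all option sets."""
    points = []
    for size in range(len(OPTIONS) + 1):
        for chosen in combinations(sorted(OPTIONS), size):
            cost, risks = scenario_risks(chosen)
            points.append((cost, max(risks), "".join(chosen) or "N"))
    frontier = []
    for cost, risk, label in sorted(points):
        dominated = any(c <= cost and r <= risk and (c < cost or r < risk) for c, r, _ in points)
        if not dominated:
            frontier.append((cost, risk, label))
    return frontier


if __name__ == "__main__":
    for cost, risk, label in minimax_frontier():
        print(f"{label:6s} cost={cost:5.1f} worst-case risk={risk:7.3f}")
```

Running the script lists the efficient set. The "do nothing" point sits at zero cost and the highest worst-case risk, and with these numbers the worst case comes from the insider scenario rather than the remote one, which is the point of the minimax step: an option ranking computed against a single favourite scenario can look quite different once the envelope over scenarios is taken. The same frontier extraction applies unchanged at the regional level once the per-scenario risk comes from the PIRM and MR-IIM instead of the attack graph.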


Regional Preparedness and Risk Management

This example calls attention to the problem of allocating resources at a regional level, where the sources of risk include cyber and physical attacks on critical infrastructure, natural disasters, and others. In making decisions, policy makers must weigh the relative costs and benefits of policy options when the sources of risk are unknown until an event takes place. In other words, policy makers must account for multiple risk scenarios and will in general have no a priori knowledge of relative event likelihood, particularly in the case of extreme events.

To illustrate how the suite of tools can be used to address this problem, consider three scenarios: the first corresponds to a cyber-enabled physical attack on a major tanker terminal, the second to a distributed cyber attack on the finished products pipeline infrastructure, and the third to a massive hurricane and its effects on refining capacity in particular. Each of these scenarios, if materialized, has the potential to disrupt portions of the petroleum infrastructure, whether in the upstream processes, refining activities, or distribution systems. The PIRM provides a useful tool for estimating the effects of local disruptions in terms of regional commodity shortages across the country. Mapping these shortages to the MR-IIM then gives an estimate of the economic damage associated with each scenario. In considering risk management policy options, the effect of each option is mapped to the disruption parameter, where the difference may be provided by NSRM analysis (as in the case of a cyber attack on a facility) or by another consequence model. The propagated effects and economic consequences associated with the new disruption then provide a measure of the value of each policy option. Combined with the cost of implementing each option, this provides the basis for a multiobjective optimization analysis that yields insight for resource allocation.

For this example, consider three policy options: (1) requiring two-factor authentication (A) in all petroleum infrastructure control systems, (2) mandating fail-safe devices (F) that can withstand extreme conditions induced by malicious control, and (3) constructing a strategic reserve of finished products (R). Option 1 addresses the cyber security portions of the first two scenarios, Option 2 addresses the second scenario, and Option 3 addresses the third scenario. The Pareto frontier is illustrated in Figure 13. Here again, each point on the frontier corresponds to the multiobjective value of a combination of policy options. In deciding how to allocate resources, the policymaker must first assess tradeoffs with respect to the objectives of minimizing the economic impact of extreme events and minimizing the cost of managing risk.
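The tradeoff just described, as an added example that is not part of the report: every combination of the options A, F and R is scored on implementation cost and on the residual loss summed over the three scenarios (no likelihood weighting, since none is known a priori), and the non-dominated combinations that form the frontier are kept. All dollar figures and reduction fractions are assumed for illustration.

```python
from itertools import combinations

# Constructed figures (assumed for illustration, not the report's numbers):
# implementation cost of each option in $M, baseline economic loss of each
# scenario in $M, and the fraction of a scenario's loss an option removes.
# A (two-factor authentication) addresses the cyber portions of scenarios 1
# and 2, F (fail-safe devices) scenario 2, R (strategic reserve) scenario 3.
OPTION_COST = {"A": 120.0, "F": 300.0, "R": 900.0}
BASELINE_LOSS = {"tanker_terminal": 4000.0, "pipeline_cyber": 2500.0, "hurricane": 8000.0}
REDUCTION = {
    "A": {"tanker_terminal": 0.50, "pipeline_cyber": 0.40},
    "F": {"pipeline_cyber": 0.60},
    "R": {"hurricane": 0.45},
}


def residual_loss(options, scenario):
    """Loss remaining in one scenario once the chosen options are in place;
    reductions from several options on the same scenario compound."""
    loss = BASELINE_LOSS[scenario]
    for opt in options:
        loss *= 1.0 - REDUCTION[opt].get(scenario, 0.0)
    return loss


def evaluate(options):
    """(cost, impact) for a set of options. Event likelihoods are unknown a
    priori, so scenario losses are summed rather than probability-weighted."""
    cost = sum(OPTION_COST[o] for o in options)
    impact = sum(residual_loss(options, s) for s in BASELINE_LOSS)
    return cost, impact


def all_portfolios():
    """Every subset of the options, from doing nothing to all three."""
    names = sorted(OPTION_COST)
    return [frozenset(c) for r in range(len(names) + 1) for c in combinations(names, r)]


def pareto_frontier(portfolios):
    """Non-dominated portfolios on (cost, impact): keep p unless some other
    portfolio is no worse on both objectives and strictly better on one."""
    scored = {p: evaluate(p) for p in portfolios}
    frontier = [p for p, (c, i) in scored.items()
                if not any(c2 <= c and i2 <= i and (c2 < c or i2 < i)
                           for q, (c2, i2) in scored.items() if q != p)]
    return sorted(frontier, key=lambda p: scored[p][0])


if __name__ == "__main__":
    for p in pareto_frontier(all_portfolios()):
        cost, impact = evaluate(p)
        print(f"{''.join(sorted(p)) or '-':4s} cost ${cost:7,.0f}M  impact ${impact:8,.0f}M")
```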


Figure 13 Efficient Frontier for Regional Policy Example

Dynamic Recovery Analysis

The Dynamic Inoperability Input-Output Model (DIIM) is an extension of the IIM that provides supplementary risk metrics for assessing the consequences of disasters ([13], [14]). The purpose of implementing a dynamic model is to analyze the recovery processes of various industry sectors in the aftermath of a disaster [29]. Given the initial inoperabilities caused by the disaster, recovery analysis gives the trajectory of recovery based on the interdependency and resilience characteristics of the industry sectors. In addition to the inoperability and economic loss metrics, the recovery period and resilience metrics generated from the dynamic analysis provide insight into the recovery process for the affected sectors. The recovery period is the length of time required for a sector to recover to normalcy. (Note that normalcy may be defined as 99% recovery, since full recovery may take substantially long or be impossible to achieve.) The resilience metric is a unique feature of our dynamic analysis: it represents an “exponential decay factor” calculated directly from an assumed value of the recovery period. The resilience metric describes a system’s path of recovery from a given disaster and can pinpoint a specific state of the system within the recovery process. A higher value of the resilience metric for a particular economic sector corresponds to a faster pace of recovery. Implementing risk management to harden a particular system increases its assumed resilience metric, hence shortens its recovery time and reduces its economic losses. Recovery analysis therefore extends the risk management framework originally developed from static analysis of interdependencies. The effectiveness of available risk management alternatives can be compared in terms of their capabilities to improve the system’s performance relative to the integrated risk metrics developed from the IIM (inoperability and economic loss) and its dynamic extension (recovery period and resilience).

To demonstrate the dynamic recovery analysis framework for assessing the security of an oil and gas SCADA system, a cyber-enabled attack scenario is considered that causes Gulf of Mexico crude oil terminals to be inaccessible to tankers for five weeks. Suppose further that this scenario results in an 80% reduction in crude availability for Gulf-area refineries and a 40% reduction of overall US crude availability for the affected time period. The impact analysis for this scenario is decomposed into several regions according to the Petroleum Administration for Defense Districts (PADD) as defined by the Department of Energy (see Figure 14). We assumed that the disruption periods for PADDs I, II, and III are roughly 10 days, and that the recovery periods for these three PADD regions are about 12 weeks. Applying the disruption scenario as inputs to the recovery analysis, the ripple effects can be estimated for the several regions and sectors of the economy. Figure 3 gives a summary of the economic loss impact for each PADD region. Note that a limitation of this case study is the use of non-current data in our analysis [30]; hence, regions that were relatively less interdependent, such as PADD regions IV and V, suffered negligible effects. The recovery and economic impact analysis of ripple effects to various sectors is therefore performed only for PADD regions I-III.
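A worked version of the recovery computation described above (an added example, not the report's code or data): each sector's resilience k_i is derived from the assumed 12-week recovery period and a 99% normalcy threshold, a discrete-time DIIM step q(t+1) = q(t) + K[A* q(t) + c*(t) - q(t)] (the form assumed here, following [23]) is run through a 10-day disruption and the recovery that follows, and the recovery periods and the disruption/recovery loss split used in Table 3 are reported. The three-sector interdependency matrix, daily outputs and initial inoperabilities are constructed for illustration.

```python
import math

# Constructed three-sector illustration (assumed values, not the report's
# data) using the PADD I sectors the text ranks highest. A_STAR[i][j] is the
# fraction of sector j's inoperability transmitted to sector i, OUTPUT_PER_DAY
# is each sector's daily output in $M, and Q0 is the inoperability forced on
# each sector while the terminals are inaccessible.
SECTORS = ["PIPE", "PETR", "OILG"]
A_STAR = [[0.00, 0.30, 0.20],
          [0.25, 0.00, 0.35],
          [0.10, 0.20, 0.00]]
OUTPUT_PER_DAY = [20.0, 150.0, 80.0]
Q0 = [0.40, 0.35, 0.30]
DISRUPTION_DAYS = 10   # inoperability is held at Q0 during the disruption
RECOVERY_DAYS = 84     # assumed recovery period (12 weeks) used to derive k
NORMALCY = 0.01        # "normalcy" = 99% of the initial inoperability removed


def resilience_from_recovery_period(a_star, T=RECOVERY_DAYS, q_ratio=NORMALCY):
    """Exponential-decay resilience k_i from an assumed recovery period T:
    an isolated sector follows q_i(t) = q_i(0) exp(-k_i (1 - a*_ii) t), so
    k_i = -ln(q_ratio) / ((1 - a*_ii) T) brings it to q_ratio * q_i(0) at t = T."""
    return [-math.log(q_ratio) / ((1.0 - a_star[i][i]) * T) for i in range(len(a_star))]


def simulate(a_star, k, q0, disruption_days, horizon):
    """Discrete-time DIIM step q(t+1) = q(t) + K[A* q(t) + c*(t) - q(t)] (form
    assumed here after [23]); the perturbation c*(t) is represented by holding
    q at q0 for the disruption window and is zero afterwards."""
    n = len(q0)
    q = list(q0)
    path = [list(q)]
    for t in range(1, horizon + 1):
        if t > disruption_days:
            coupled = [sum(a_star[i][j] * q[j] for j in range(n)) for i in range(n)]
            q = [q[i] + k[i] * (coupled[i] - q[i]) for i in range(n)]
        path.append(list(q))
    return path


def recovery_periods(path, q0, disruption_days, q_ratio=NORMALCY):
    """Days after the disruption ends until each sector first reaches
    q_ratio * q0 (normalcy); -1 if it never does within the horizon."""
    after = path[disruption_days:]
    return [next((d for d, q in enumerate(after) if q[i] <= q_ratio * q0[i]), -1)
            for i in range(len(q0))]


def economic_losses(path, output_per_day, disruption_days):
    """Cumulative loss sum_t x_i q_i(t) in $M, split into the disruption
    window (t = 1..disruption_days) and the recovery phase (t > disruption_days)."""
    daily = [sum(x * qi for x, qi in zip(output_per_day, q)) for q in path[1:]]
    return sum(daily[:disruption_days]), sum(daily[disruption_days:])


if __name__ == "__main__":
    k = resilience_from_recovery_period(A_STAR)
    path = simulate(A_STAR, k, Q0, DISRUPTION_DAYS, horizon=365)
    for name, days in zip(SECTORS, recovery_periods(path, Q0, DISRUPTION_DAYS)):
        print(f"{name}: reaches normalcy {days} days after the disruption ends")
    disruption, recovery = economic_losses(path, OUTPUT_PER_DAY, DISRUPTION_DAYS)
    print(f"Disruption loss ${disruption:,.0f}M  Recovery loss ${recovery:,.0f}M"
          f"  Total ${disruption + recovery:,.0f}M")
```

Because the interdependency terms feed inoperability back into each sector, the coupled recovery periods come out longer than the 12 weeks assumed for an isolated sector; raising k_i (hardening) shortens them.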

Figure 14 Map of PADD regions (see footnote 3)

In the interest of space, only the detailed results for PADD I are shown here. Figure 15 shows that for PADD I, the sectors with the highest inoperabilities are as follows: (1) PIPE; (2) PETR; (3) OILG; (4) MING; and (5) RENT. On the other hand, Figure 16 shows the PADD I sectors that are expected to suffer the highest economic losses, as follows: (1) PETR; (2) PIPE; (3) OILG; (4) OTHR; and (5) REAL.

3 http://www.eia.doe.gov/pub/oil_gas/petroleum/analysis_publications/oil_market_basics/paddmap.htm

Table 3 Economic Losses of PADDs I-V

Region      Disruption Loss ($M)   Recovery Loss ($M)   Total Loss ($M)
PADD I            $170                   $980               $1,150
PADD II           $386                 $2,459               $2,845
PADD III          $445                 $3,561               $4,006
PADD IV             $0                     $0                   $0
PADD V              $0                     $0                   $0
Total           $1,001                 $7,000               $8,001

Although the first three sectors in both the inoperability and economic loss rankings are virtually the same (PIPE, PETR, OILG), the resulting rankings differ in general. For example, MING (mining except oil and gas) and RENT (rental and leasing services and lessors of intangible assets) are in the top-5 most inoperable sectors, but not in the top-5 sectors with the highest economic losses. Also, OTHR (other services) and REAL (real estate) are in the top-5 sectors with the highest economic loss but not in the set of top-5 most inoperable sectors. The inoperability and economic loss results can provide complementary insights when developing risk management options. Economic loss describes the monetary impact, while inoperability refers to the physical functionality. The rankings generated from these two metrics typically vary because different sectors have varied levels of economic significance (i.e., economic loss represents the financial value of the impact to a sector; inoperability captures the relative impact, normalized according to the sector’s economic value).

[Figure 15: line plot of Inoperability (%) from 0% to 40% against Time (Days) from 0 to 100 for PIPE, PETR, OILG, MING and RENT. Legend: PIPE Pipeline transportation; PETR Petroleum and coal products manufacturing; OILG Oil and gas extraction; MING Mining, except oil and gas; RENT Rental and leasing services and lessors of intangible assets.]

Figure 15 Recovery of Top-5 Inoperable Sectors (PADD I).


[Figure 16: line plot of Economic Losses ($M) from $0 to $800 against Time (Days) from 0 to 100 for PETR, PIPE, OILG, OTHR and REAL. Legend: PETR Petroleum and coal products manufacturing; PIPE Pipeline transportation; OILG Oil and gas extraction; OTHR Other services; REAL Real estate.]

Figure 16 Dynamics of Top-5 Sectors with Highest Economic Losses (PADD I).

The economic analysis of dynamic recovery can be linked to a physical domain analysis of an oil and gas infrastructure (see Figure 1). For example, taking the results from analyses of plant-level incident scenarios (such as the results from an agent-based simulation), interdependency analysis can be implemented for modeling and assessing the ripple effects to other sectors of the regional economy. Given the magnitude of direct disruptions to a given sector, the dynamic recovery analysis generates two types of risk metrics to assess the consequences: inoperability and economic loss. Risk management options for reducing the impacts of the disaster on the economy can be considered by decision-makers at various levels—such as corporate executives, local officials, and federal agencies. A cost-benefit-risk analytical framework will be applied to evaluate the efficacy of each potential option identified in the case study. As a baseline, risk assessment is conducted for a particular scenario (e.g., a cyber risk scenario), assuming that no risk management actions are taken. Next, the assessment process is repeated for the scenario, implementing one or multiple risk management option(s) to counter the associated risks. Comparing the response and recovery times (and associated costs) and the impacts of the attacks with and without risk management, the net benefit of the risk management option(s) can be quantified. In addition, the underlying cost of each risk management option will be estimated and presented to the decision-makers, together with its net benefit derived from the baseline scenario. Because risk management options are grounded on explicit cost-benefit-risk tradeoff analysis, the decision-makers will have a holistic understanding of their potential costs and benefits. They can choose to take one or more of these options that are recommended for specific critical infrastructure risk scenarios.


Section 5: Conclusions and Future Work

Interdependency modeling is useful for assessing sector vulnerabilities to a given attack scenario, which ultimately aids in generating sector prioritizations based on metrics such as inoperability, economic loss, resilience, and recovery time. To secure the system components within the infrastructure, it is imperative to quantify all categories of risks and implement risk management policy options accordingly. Nevertheless, it is important to recognize and deal with the “curse of dimensionality” that is often encountered in the modeling and optimization of large-scale systems. Due to resource constraints (budget, available personnel, time), attention should be devoted to scenarios that have larger risk repercussions (both in terms of their likelihoods and consequences). Hence, the report recognizes the need for a preliminary risk identification phase that allows for a structured process of prioritizing critical risk scenarios. This report has presented a comprehensive view of risk in the interdependent system of systems that is the Oil & Gas infrastructure. Several tools have been applied to the problem of assessing and managing risk under uncertainty and in the context of multiple objectives. The case studies featured analyses of systems as viewed from different hierarchies and modeling perspectives. The framework ultimately aims to link the analyses associated with information, plant, and economic domains for modeling how cyber risk can cascade given the interdependencies across different infrastructure systems, economic sectors, and regions. A key attribute of this activity has been the development and integration of several models and methodologies that are descriptive at multiple specific scales and resolutions in response to initial risk assessments. The example case studies describe the feasibility of deploying this suite of tools for a holistic risk analysis across a complicated sector of our economy.
Nevertheless, cyber security and the compounding effects of interdependencies remain an area of active research at UVA, the I3P, and other organizations. More extensive deployment and verification of the results and development of technologies for broader utilization of the existing tools are areas of active research. Due to the high level of complexity associated with critical infrastructure systems, the risk environment, and the potential impacts of infrastructure attacks with respect to the public welfare and national security, further opportunities exist to expand and build on existing models and analyses.


References

[1] C.W. Anderson, J.R. Santos, and Y.Y. Haimes, A Risk-Based Input-Output Methodology for Measuring the Effects of the August 2003 Northeast Blackout, Economic Systems Research, 19(2): 183–204, 2007.

[2] R.G. Bace, Intrusion Detection, Macmillan Technical Publishing, 2000.

[3] K.G. Crowther, Development of a Multiregional Framework and Demonstration of its Feasibility for Strategic Preparedness of Interdependent Regions, Ph.D. Dissertation, Department of Systems and Information Engineering, University of Virginia, 2006.

[4] K.G. Crowther and Y.Y. Haimes, Applications of the Inoperability Input-Output Model (IIM) for Systemic Risk Assessment and Management of Interdependent Infrastructures. Systems Engineering. 8(4): 323-341, 2005.

[5] K.G. Crowther and Y.Y. Haimes, Development and Deployment of the Multiregional Inoperability Input-Output Model for Strategic Preparedness of Interdependent Regions. Submitted to the Journal of Systems Engineering 2007.

[6] K.G. Crowther, Y.Y. Haimes, and G.E. Taub, Systemic Valuation of Strategic Preparedness through Application of the Inoperability Input-Output Model with Lessons Learned from Hurricane Katrina. To be published in Journal of Risk Analysis, 2007.

[7] M.J. Dombroski, Y.Y. Haimes, J.H. Lambert, K. Schlussel, and M. Sulcoski, Risk-based methodology for support of operations other than war, Military Operations Research Science, 7(1):19-38, 2002.

[8] B.C. Ezell, Y.Y. Haimes, and J.H. Lambert, Cyber attack to water utility supervisory control and data acquisition (SCADA) systems, Military Operations Research, 6(2):23-33, 2001.

[9] Y.Y. Haimes, Hierarchical holographic modeling, IEEE Transactions on Systems, Man, and Cybernetics, 11(9): 606–617, 1981.

[10] Y.Y. Haimes, Total risk management, Risk Analysis, 11(2): 169–171, 1991.

[11] Y.Y. Haimes, Risk Modeling, Assessment, and Management, 2nd ed., Wiley, New York, 2004.

[12] Y.Y. Haimes and B.M. Horowitz, Adaptive two-player hierarchical holographic modeling game for counterterrorism intelligence analysis, Journal of Homeland Security and Emergency Management, 1(3), 2004.

[13] Y.Y. Haimes, B.M. Horowitz, J.H. Lambert, J.R. Santos, C.Lian, and K.G. Crowther, Inoperability input-output model (IIM) for interdependent infrastructure sectors. I: theory and methodology, ASCE Journal of Infrastructure Systems, 11(2): 67–79, 2005a.

[14] Y.Y. Haimes, B.M. Horowitz, J.H. Lambert, J.R. Santos, K.G. Crowther, and C. Lian, Inoperability input-output model (IIM) for interdependent infrastructure sectors. II: case studies, ASCE Journal of Infrastructure Systems, 11(2): 80–92, 2005b.

[15] Y.Y. Haimes and P. Jiang, Leontief-based model of risk in complex interconnected infrastructures, Journal of Infrastructure Systems, 7(1): 1–12, 2001.

[16] Y.Y. Haimes, S. Kaplan, and J.H. Lambert, Risk filtering, ranking, and management framework using hierarchical holographic modeling, Risk Analysis, 22(2): 383–398, 2002.

[17] M.H. Henry, Minimax Envelopes for Total Cyber Risk Management in Process Control Networks, Ph.D. Dissertation, Department of Systems and Information Engineering, University of Virginia, 2007.

[18] M.H. Henry and Y.Y. Haimes, A new dynamic risk assessment and management model for supervisory control and data acquisition networks, Presented at the Society of Risk Analysis Annual Meeting, December 5, 2006.

[19] R.C. Jurko and M.H. Henry. Input-output analysis of the oil and gas industry with respect to: Oil and gas extraction, petroleum and coal products manufacturing, and pipeline transportation, in preparation, 2007.

[20] S. Kaplan, and B.J. Garrick, On the quantitative definition of risk, Risk Analysis, 1(1): 11–27, 1981.

[21] S. Kaplan, Y.Y. Haimes, and B.J. Garrick, Fitting hierarchical holographic modeling into the theory of scenario structuring and a resulting refinement to the quantitative definition of risk, Risk Analysis, 21(5): 807–819, 2001.


[22] M.F. Leung, Y.Y. Haimes, and J.R. Santos, Supply- and Output-side Extensions to Inoperability Input-Output Model for Interdependent Infrastructures, to appear in Journal of Infrastructure Systems, 2007.

[23] C. Lian and Y.Y. Haimes, Managing the risk of terrorism to interdependent systems through the dynamic inoperability input-output model, Systems Engineering, 9(3): 241–258, 2006.

[24] C. Lian, J.R. Santos, and Y.Y. Haimes, Extreme Risk Analysis of Interdependent Economic and Infrastructure Sectors: Theory and Application, to appear in Risk Analysis, an International Journal, 2007.

[25] D. Li and Y.Y. Haimes, The envelope approach for multiobjective optimization problems, IEEE Transactions on Systems, Man, and Cybernetics, 17(6): 1026–1038, 1987.

[26] Pipeline Accident Report: Pipeline Rupture and Subsequent Fire in Bellingham, Washington, June 10, 1999, National Transportation Safety Board, Washington, DC, 2002.

[27] S.M. Rinaldi, J.P. Peerenboom, and T.K. Kelly, Identifying, understanding, and analyzing critical infrastructure interdependencies, IEEE Control System Magazine, 21(6): 11–25, 2001.

[28] J.R. Santos and Y.Y. Haimes, Modeling the demand reduction input-output inoperability due to Terrorism of interconnected infrastructures, Risk Analysis, 24(6): 1437–1451, 2004.

[29] J.R. Santos, Y.Y. Haimes, and C. Lian, A Framework for Linking Cyber Security Metrics to the Modeling of Macroeconomic Interdependencies, to appear in Risk Analysis, an International Journal, 2007.

[30] A. Turk, R. Raynor, T. Corbet, S. Conrad, W. Beyeler, and T. Brown, Simulated nation-wide consequences of disruptions to the petroleum industry in the western US gulf coast, Petroleum Storage & Transportation, National Petroleum Council, 1989.

[31] Z. Yan, Y.Y. Haimes, and M.G. Waller, Modeling Sparse Data in Risk Analysis of Complex Systems with Coordinated Hierarchical Bayesian Models, submitted to International Journal of Systems and Statistics, 2006.

[32] Z. Yan, Y.Y. Haimes, and M.G. Waller, Hierarchical coordinated Bayesian model for risk analysis with sparse data, Presented at the Society of Risk Analysis Annual Meeting, December 5, 2006.
