**Abstract**

Resilience and risk are fundamental concepts for critical infrastructure protection, but they are complex to assess. Modelling critical infrastructure interdependency helps in evaluating the resilience and risk metrics. We propose the MHR approach as a road-map to model infrastructures; it is implemented using CISIApro 2.0. MHR suggests considering three different layers in each infrastructure: holistic, service and reductionist agents. In this chapter, this framework has been tested in a scenario made of a modern telecommunication network, a hospital ward and a smart factory. The scenario takes into account cyber attacks and their consequences on the components, services and holistic nodes. The proposed framework is under validation within the EU H2020 RESISTO project with good results and in various test-beds.

**Keywords:** resilience metric, risk management, critical infrastructure modelling, simulation

## **1. Introduction**

Critical Infrastructure is an evolving concept. Critical infrastructure was linked to aging public works in the 1980s: the National Council on Public Works Improvement in 1988 focused on public sector infrastructure. In the 1990s, infrastructure was redefined in terms of national security as a consequence of increased international terrorism. The number of critical infrastructure sectors in the National Infrastructure Protection Plan [1] has been enlarged to 17 since 9/11: it includes agriculture and food systems, the defense-industrial base, electricity systems, public health and health care facilities, national monuments, banking and financial systems, drinking water systems, chemical services, commercial buildings, dams, emergency services, nuclear power plants, information technology networks, telecommunications systems, postal and shipping services, transportation systems, and government facilities. Critical infrastructure is identified in Europe under the term "essential services" [2].

Shifting the concept of critical infrastructures has led to more flexibility and adaptability. The sophistication of an already complicated field, on the other hand, is increased, creating more confusion and more doubts. The definition of "lifeline system" [3] was then established by some researchers to assess the efficiency of large, geographically distributed networks during crises caused by adverse events, such as natural disasters or cyber-attacks. Lifelines are classified into six major systems: electricity, gas and liquid fuels, telecommunications, transportation, waste management, and water provision. The economic well-being, security, and protection of our lives are closely related to those systems. Thinking of critical infrastructure across the sub-set of lifelines helps to simplify features common to important support structures and to enhance the performance of large networks, offering visibility into the technical challenges.

Lifeline systems are interdependent, mostly on the basis of physical proximity and operational interaction. Cables and pipes are placed alongside each other in crowded areas, resulting in an elevated risk due to proximity. Damage to one infrastructure component, such as an electrical cable, will easily ripple into damage to adjacent components, such as telecommunications cables and gas mains, with system-wide implications.

Lifeline systems are dependent on each other. Electric power networks, for example, supply electricity for pumping stations, storage facilities, and equipment control for transmission and distribution systems for oil and natural gas. Oil provides fuel and lubricants for generators, and natural gas provides energy for generating stations, compressors, and storage, all of which are required for the operation of electric power networks.


*Resilience in Critical Infrastructures: The Role of Modelling and Simulation*

*DOI: http://dx.doi.org/10.5772/intechopen.94506*


**Figure 1.**

*The resilience profile.*


In the Merriam-Webster Dictionary, resilience is defined as "the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress" [4]. Definitions vary slightly, but all of them relate the principle of resilience to physical stress recovery.

A notable change from securing critical infrastructures to ensuring that communities are resilient has taken place following Hurricane Katrina. Furthermore, the concept of resilience is evolving, as is the idea of critical infrastructures. In its present form, a society's resilience is an overarching attribute that reflects the degree of community preparedness and the ability to respond to a crisis and rebound from it. Since lifelines are intimately linked to the economic well-being, security, and social fabric of a community, community resilience is closely related to the initial strength and gradual recovery of lifelines.

Debate over the concept of resilience is likely to persist, and refinements and elaborations of the term are to be expected. A framework for defining resilience has been suggested by the Multidisciplinary Center for Earthquake Engineering Research (MCEER) [5]. Resilience for both physical and social systems can be conceptualized as having four infrastructural qualities:


As shown in **Figure 1**, an infrastructural performance, such as robustness, $Q(t)$, can be visualized as a percentage that varies with time. For buildings, $Q(t)$ may be the percentage of structural or functional integrity. For lifelines, $Q(t)$ may be the percentage of customers that successfully receive power or drinking water. Prior to a natural hazard, severe accident, terrorist act, or a general disruption, $Q(t)$ is at 100 percent; in the figure this is defined as normal performance. If the system is fully robust, it remains at 100 percent even during disruptions. Total loss of service results in 0 percent of $Q(t)$. If system disturbance occurs at time $t_0$, in response to, for example, an earthquake or hurricane, damage to the infrastructure may reduce the performance to less than 100 percent, the emergency threshold. Level of service, as reflected by the robustness of the system, is a function of the probability and consequences of damage. Robustness is restored over time; at time $t_1$, the system is returned to its original capacity. We call "duration of degradation" the time for the system to bounce back to an acceptable performance.

For a community or an infrastructure, the loss of resilience, $R$, can be measured as the expected loss in quality (probability of failure) over the time to recovery, $t_1 - t_0$. Thus, mathematically, $R$ is defined as:

$$R = \int_{t_0}^{t_1} Q(t)\,dt \tag{1}$$

The resilience indicator, *R*, is a simple measure for quantifying resilience. In [5], additional mathematical developments of this notion cover the probabilistic and multidimensional aspects of resilience.
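The resilience profile and Eq. (1) can be evaluated directly on sampled performance data, for instance the share of customers served that a SCADA historian records during an outage. The Python code below is an added example, not code from the chapter or from CISIApro 2.0; besides the integral of Eq. (1) it also reports the area between 100 percent and $Q(t)$, which is the lost quality the prose refers to. The sample outage, the 80 percent acceptable level and all function and field names are assumptions made here.

```python
from dataclasses import dataclass

FULL = 100.0  # normal performance, in percent

@dataclass
class ResilienceProfile:
    t0: float            # last sample at normal performance before the drop
    t1: float            # first sample where Q(t) is back at 100 percent
    r_eq1: float         # Eq. (1): integral of Q(t) over [t0, t1]
    quality_loss: float  # area between 100 percent and Q(t) over [t0, t1]
    degradation: float   # time from t0 until Q(t) is acceptable again

def _trapezoid(points):
    """Trapezoidal integral of Q over consecutive (t, Q) points."""
    return sum((tb - ta) * (qa + qb) / 2.0
               for (ta, qa), (tb, qb) in zip(points, points[1:]))

def resilience_profile(samples, acceptable=80.0):
    """samples: (t, Q) pairs sorted by t, Q in percent. None if never disrupted."""
    drop = next((i for i, (_, q) in enumerate(samples) if q < FULL), None)
    if drop is None:
        return None  # fully robust: Q(t) stayed at 100 percent
    start = max(drop - 1, 0)
    end = next((j for j in range(drop + 1, len(samples))
                if samples[j][1] >= FULL), None)
    if end is None:
        raise ValueError("Q(t) never returns to 100 percent; t1 is unknown")
    t0, t1 = samples[start][0], samples[end][0]
    r_eq1 = _trapezoid(samples[start:end + 1])
    # Duration of degradation: time until Q(t) climbs back to the acceptable
    # level, located by linear interpolation between the two bracketing samples.
    degradation = 0.0
    low = next((i for i in range(drop, end) if samples[i][1] < acceptable), None)
    if low is not None:
        up = next(j for j in range(low + 1, end + 1)
                  if samples[j][1] >= acceptable)
        (ta, qa), (tb, qb) = samples[up - 1], samples[up]
        degradation = ta + (acceptable - qa) * (tb - ta) / (qb - qa) - t0
    return ResilienceProfile(t0, t1, r_eq1, FULL * (t1 - t0) - r_eq1, degradation)

# Constructed sample: hours since start, percent of customers served.
OUTAGE = [(0, 100.0), (1, 100.0), (2, 40.0), (3, 40.0),
          (4, 60.0), (5, 80.0), (6, 100.0), (7, 100.0)]

if __name__ == "__main__":
    print(resilience_profile(OUTAGE))
```

The two areas always sum to $100 \cdot (t_1 - t_0)$, so a slow recovery with a shallow drop and a fast recovery with a deep drop can be compared on the same scale.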

#### **1.1 Contributions**

The modeling method used in this chapter is based on the methodology of Mixed Holistic Reductionist (MHR), where each infrastructure is divided into components (reductionist layer), services (service layer) and holistic nodes (holistic layer). The MHR approach is a guideline on how we can decompose each infrastructure and how we can define the interconnection among the different components. It also allows the identification of the right abstraction level due to the available information.

The agent-based simulator, called CISIApro 2.0, is then used to implement this approach. This simulator presents the consequences of adverse and positive events in an interdependent scenario. In real time, this simulator runs connected to a SCADA (Supervisory Control And Data Acquisition) control center to receive current information on faults, and is linked to an Intrusion Detection System (IDS) to acquire actual threats and on-going cyber-attacks. CISIApro 2.0 integrates heterogeneous data to improve the situational awareness of operators and their decision-making process. This version of the simulator has been improved considering the telecommunication features. Specifically they are:

#### **1.2 Organizations**

This chapter is composed of the following sections: Section 2 analyses the idea of risk and resilience; Section 3 reviews the literature on critical infrastructure simulators; Section 4 presents the MHR approach while the simulator CISIApro 2.0 is described in Section 5; a telecommunication case study is summarised in Section 6; conclusions and future work are in Section 7.

### **2. The concepts of risk and resilience**

The concepts of risk and resilience are similar and generally closely linked: improving the system's resilience requires reducing risk. Risk is commonly structured in terms of preparedness, mitigation measures, reaction capabilities, and recovery processes; anticipation, absorption, adaptation and recovery are the typical components of resilience.

Owners and operators can improve the resilience of critical infrastructures by specific operations: withstanding specific threats, reducing or mitigating potential impacts, and returning to normal operations if such degradation occurs. A resilience methodology includes increasing preparedness for an incident, implementing redundancy to mitigate the effects of an incident, and strengthening the coordination and execution of response and recovery procedures, for emergency action and business continuity.

There are five main steps in the resilience cycle: prepare, prevent, protect, respond and recover. The resilience cycle must consider the consequences of interdependencies among critical infrastructures. The tool we present in this chapter, called CISIApro 2.0, aims to assess the consequences of adverse events on critical infrastructures in terms of components, services and also holistic agents. CISIApro 2.0 usually helps operators in the recovery phase by indicating the possible consequences of actual adverse events.

The Department of Homeland Security (DHS) defines risk as "the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences" [6]. Thus, risk is historically characterized as a function of three elements: the threats to which an asset is susceptible, the vulnerabilities of the asset to the threat, and the consequences potentially generated by the asset's deterioration.

Threat is a "natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property" [6]. Sometimes the term hazard, which can be defined as a "natural or man-made source or cause of harm or difficulty" [6], is used instead of threat. However, a "hazard differs from a threat in that a threat is directed at an entity, asset, system, network, or geographic area, while a hazard is not directed" [6]. Vulnerability is a "physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard" [6]. Consequences are the "effects of an event, incident, or occurrence" [6].

The challenge is to determine where and how resilience integrates into risk assessment, as risk is a function of threats and hazards, vulnerabilities, and consequences. Resilience, as defined by DHS, is the "ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions" [6]. The DHS lexicon also states that "Resilience can be factored into vulnerability and consequence estimates when measuring risk" [6]. Therefore, the resilience will have an effect on both vulnerability and consequences.

On the basis of these characteristics, it is possible to develop specific indicators and metrics to assess the risk to an organization or an infrastructure. Considering a threat or hazard (man-made or natural), the vulnerability and resilience of an organization will impact the potential consequences of an event. The interaction between the elements of risk is complex and made more so when one considers the transfer of risk between assets in the case of a threat by an intelligent adversary.

### **3. Literature review on modelling interdependency**

In the literature, three main approaches to critical infrastructure modelling are presented: agent-based simulation, input–output analysis and network modelling. Please refer to [7] for heterogeneous and/or unclassified approaches.

Each infrastructure is considered by agent-based simulations to be a complex adaptive structure, consisting of agents representing single aspects of the infrastructure itself. Different agents can be modelled at different degrees of abstraction based on the proposed level of resolution modelling. The primary benefit of agent-based simulation is the ability to establish synergistic behaviors as agents begin to work together [8]. The second method is based on the economic theory of Input–Output proposed by Leontief in the early 1930s, but later adapted to modelling infrastructures. Haimes and Jiang developed the linear input–output inoperability model (IIM) to research the impact of interdependencies on the inoperability of interconnected networked systems [9]. The key benefit of the IIM and its improvements is that the suggested solution is simple and flexible. IIM is usually confined to the financial costs of interdependencies.

In recent years, researchers have investigated new approaches to interdependency modelling of infrastructures. The most promising technique is based on graph and network theory. This approach uses abstract graphs made of nodes and arcs to describe infrastructures, representing links between components within infrastructures. The key benefit is to leverage closed form expressions and numerical simulations to characterise their topology, performance and uncertainty.

### **4. Mixed Holistic Reductionist (MHR) approach**

In this chapter, we propose an already applied approach, for helping during the modelling phase. To maximize the benefits of holistic and reductionist approaches,
