**Author details**

*ph* ∈*CAk* (0≤ *h*≤*g*). In other words, each census area is colored according to the maximum risk value of a subchain that includes some nodes *v <sup>j</sup>* that are located in

Results depicted in **Figure 4** indicate cascading events between infrastructures. Each one of the four scenarios was validated to be true against real world data and historical analysis of such infrastructures. Following this, results indicate that the presented methodology is able to both (i) effectively project adverse effects from cascading events and accurately predict potential impact over time periods, and also (ii) highlight direct and indirect dependency vulnerabilities between highly

On the latter, results delineate the criticality behind dependencies of Telecommunications and the Electrical sector. The sharp increase in impact over a very short time period (purple line, scenario 1) clearly shows that potential unavailability of the Electrical sector quickly and critically affects the Telecommunications. We followed up on this finding and results are proven true both from empirical analysis

Another potential use of the presented methodology includes capturing the effect of applying security controls and how these controls affect the resilience of systems over time. By analyzing the impact escalation and trajectory in analyzed attack paths, we see that the level of risk reduction for each of the presented scenarios is directly related with the time of deployment. Early application of security controls (scenario CD1, ES1, BTS1, GO1, ES2) seems to reduce the overall risk by 25% in less than two hours after the initiation of the attack path, while controls implemented later during the exposure to the adverse event show relatively

Red areas shown in **Figure 5** are highly populated areas containing electric nodes thus producing possible high impact in case of failure. This explains why several nodes of the subchains with high cumulative dependency risk are concentrated in this area.

By extending previous time-based dependency analysis models and by integrating the effect of resilience-related security controls, in this paper we have examined the effect of possible mitigation strategies in dynamically reducing the consequences of cascading effects. The model was applied to a real case study involving an urban area of Rome where a number of critical infrastructures deliver services to inhabitants and businesses. The model was set up by considering a precomputed dependency graph that exhibits the cyber dependencies of a set of infrastructures. The results highlight the most critical dependency chains and the areas with high concentration of critical nodes. The model was integrated into CIPCast Decision Support System allowing all actors involved in securing critical infrastructures to plan mitigation strategies aiming at reducing the overall risk of service degradation

Authors wish to acknowledge the funding of project RAFAEL (MIUR ARS01\_ 00305) which has partly funded the research activities carried out for this work.

and also from historical data on locations analyzed by the tool.

*Issues on Risk Analysis for Critical Infrastructure Protection*

smaller mitigation percentages of the overall risk (around 18%).

that area (i.e. *v <sup>j</sup>* ∈*CAk*).

dependent CIs.

**5. Conclusions**

in the considered area.

**Acknowledgements**

**106**

Vittorio Rosato<sup>1</sup> \*, Antonio Di Pietro<sup>1</sup> , Panayiotis Kotzanikolaou<sup>2</sup> , George Stergiopoulos<sup>3</sup> and Giulio Smedile<sup>4</sup>

1 Laboratory for Analysis and Protection of Critical Infrastructures, Enea, Casaccia Research Centre, Rome, Italy

2 Department of Informatics, University of Piraeus, Greece

3 Department of Information and Communication Systems Engineering, University of Aegean, Samos, Greece

4 Degree in Informatics Engineering, Rome Tre University, Rome, Italy

\*Address all correspondence to: vittorio.rosato@enea.it

© 2021 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/ by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
