
*Issues on Risk Analysis for Critical Infrastructure Protection*


**Chapter 9**

Analyzing the Cyber Risk in Critical Infrastructures

*Marieke Klaver and Eric Luiijf*

**Abstract**

Information and communication technology (ICT) plays an important role in critical infrastructures (CIs). Some ICT-based services are in themselves critical for the functioning of society, while other ICT elements are essential for the functioning of critical processes within CIs. Moreover, many critical processes within CIs are monitored and controlled by industrial control systems (ICS), also referred to as operational technology (OT). In line with the CI concept, the concept of critical information infrastructure (CII) is introduced, comprising both ICT and OT. It is shown that CIIs extend beyond the classical set of CIs. The risk to society due to inadvertent and deliberate CI/CII disruptions has increased due to the interrelation, complexity, and dependencies of CIs and CIIs. The cyber risk due to threats to and vulnerabilities of ICT and OT is outlined. Methods to analyze the cyber risk to CI and CII are discussed at the organization, national, and service chain levels. Cyber threats, threat actors, and the organizational, personnel, and technological cyber security challenges are outlined. An outlook is given to near future cyber security risk challenges, and therefore upcoming risk, stemming from (industrial) internet of things and other new cyber-embedded technologies.

**Keywords:** critical information infrastructure, cyber, risk, critical infrastructure, operational technology, industrial control systems, SCADA, internet of things, industrial internet of things, security, mitigation

**1. Introduction**

This chapter, 'Analyzing the Cyber Risk in Critical Infrastructures', discusses the concepts of critical infrastructure (CI) and critical information infrastructure (CII), highlights the need for addressing the cyber risk to CI/CII, discusses methods and challenges in assessing the cybersecurity risk for CI/CII, and highlights upcoming cyber risk. This chapter brings together views on what comprises CII in the light of technological and societal developments, and how to analyze the cyber risk of CI and CII given the complexity of CI sector structures, dependencies, and service chains.

Following this introduction section, Section 2 introduces the concept of CII, its relation to the classical CI, and discusses the importance of analyzing the cyber risk to CI/CII. Section 3 discusses methods and challenges in analyzing the cyber risk to CI/CII both from the perspective of a single organization and across organizations, e.g. across a CI sector or along a CI/CII service chain. Section 4 analyses the vulnerabilities and cyber risk of operational technology (OT) in CI. Section 5 discusses methods to analyze the cyber security risk across multiple organizations including
