*Issues on Risk Analysis for Critical Infrastructure Protection*

metrics to quantify the level of each dependency in the smart grid. A different approach for simulating common-cause and cascading effects was also introduced by the authors in [16]. Similarly, the authors in [17] proposed using access graph models to analyze trust between systems and the security exposure of large-scale smart grid environments. In [18], the authors developed a graph-based workflow model for assessing the security risks from cybersecurity incidents on electric grids and build relevant scenarios.

**3. Time-based and resilience-aware dependency analysis**

The presented approach is mostly based on the methodologies presented in [15]. We aggregate data into dependency matrices and utilize models from real-world urban systems to map them into dependency graphs. The presented approach is based on network modeling and path analysis. It depicts dependencies of the connected urban infrastructures as a graph and identifies high-risk, critical paths that are modeled as flows of information, power or another related type of dependency. Similar techniques have been used in uniform [19, 20] or flow models [12, 21].

**3.1 Definitions and set up**

We consider a directed graph $G = (V, E)$ where $V = \{v_i\}$, $i = 1, \dots, m$, is the set of nodes (infrastructures, components or Points of Interest; POIs hereafter), $E = \{e_{ij}\}$ is the set of edges (or dependencies) and $deg(v_i)$ is the degree of node $v_i$.

An edge $e_{ij}$ from node $v_i$ to $v_j$ denotes a dependency (and consequently a risk relation) denoted with $v_i \to v_j$ that is derived from the dependence of node $v_j$ on a service provided by node $v_i$. A dependency is defined as a "one-directional reliance of an asset, system, network or collection thereof – within or across sectors – on an input, interaction or other requirement from other sources in order to function properly" [22]. A node could thus represent a *consumer* or a *producer* of a service provided by another node (or both), depending on its role in the system.

Our model extends the cumulative dependency risk model of [23, 24]. Without loss of generality, let $v_0 \to v_1 \to \dots \to v_n$ be a dependency chain, involving $n + 1$ nodes and their corresponding $n$ dependencies. Let $L_{v_{j-1},v_j}$ be the likelihood that a disruptive event (threat) that happened in node $v_{j-1}$ will also affect (cascade to) node $v_j$ due to their dependency and let $I_{v_{j-1},v_j}$ be the relevant impact (damage) caused to $v_j$. We should note here that $L$ is not the likelihood of threat manifestation, but rather the likelihood of an already manifested threat to cascade to (i.e. affect) different nodes.

Based on the definitions of [23], the risk exhibited by a node due to its $n$-th order dependency is defined as:

$$R_{v_0,\dots,v_n} = L_{v_0,\dots,v_n} \cdot I_{v_{n-1},v_n} \equiv \prod_{i=0}^{n-1} L_{v_i,v_{i+1}} \cdot I_{v_{n-1},v_n}. \tag{1}$$

Then the *cumulative dependency risk* which includes the *overall* risk exhibited by all the nodes within the sub-chains of an $n$-order dependency is defined as:

$$DR_{v_0,\dots,v_n} = \sum_{i=1}^n R_{v_0,\dots,v_i} \equiv \sum_{i=1}^n \left( \prod_{j=1}^i L_{v_{j-1},v_j} \right) \cdot I_{v_{i-1},v_i}. \tag{2}$$

**3.2 Extending the model for resilience**

Let = {*threat*} be the set of $k$ natural or human-related threats that may affect the quality of service provided by the generic node $v_i$. The damage $D_i(t)$ associated with the perturbation *<sup>t</sup>* is usually an s-shaped function. Let $\mathbb{C}_{v_i} = \{c_1^{v_i}, \dots, c_l^{v_i}\}$ be the set of $l_{v_i}$ security controls that may be implemented in a system/infrastructure $v_i$ to improve its resilience against threats (e.g. restoration security controls, redundancy security controls etc.).

By combining Resilience and Threat variables with the directed graph model of interdependent POIs, we can perform a granular analysis of the risk imposed by POI interdependencies based on their risk and resilience levels. We opt to use the multi-risk dependency analysis method as proposed in [23–25] and implemented later in [15].

#### **3.3 Resilience mapping**

A many-to-many mapping may exist between the threats and the security controls, i.e. a security control may mitigate, to some extent, one or more threats, while a security threat may require one or more security controls. For each security control, different weights can be used to define the effectiveness of the control against different threats and also for its application to specific infrastructures. This is a realistic modeling of resilience, since many controls do not have the same effect against all threats and some infrastructures benefit more than others from specific security controls, given the nature of the infrastructure and the intrinsic characteristics of each threat.

For example, if infrastructure (node) $v_1$ is affected by a power outage (i.e. the initiating threat event), then a node $v_2$ which is dependent on $v_1$ might suffer a partial unavailability (modeled as impact $I_{v_1,v_2}$) to a certain extent, quantified as the likelihood $L_{v_1,v_2}$. $L_{v_1,v_2}$ depicts the possibility that a power outage would affect node $v_2$ and $I_{v_1,v_2}$ depicts the amount of damage done to $v_2$ due to its partial unavailability incident.

In the aforementioned example, node $v_1$ could have implemented a redundant power generator as a security control $c$, with quantified measurements (i) $\overline{L}_{v_1,v_2}$ and (ii) $\overline{I}_{v_1,v_2}$ depicting (i) the resilience influence of control $c$ on node $v_2$ for the given threat (in our case, the power outage), and (ii) the extent of reduction to the initial estimated damage $I_{v_1,v_2}$, respectively. The existence of the control $c$ will reduce the possibility of a power outage affecting $v_2$ by $\overline{L}_{v_1,v_2}$ percent, and/or the corresponding impact from the same threat on $v_2$ by $\overline{I}_{v_1,v_2}$.

Generalising this to $n$ nodes gives us a Resilience series calculation that can be depicted as follows:

$$\text{Res}_{v_0,\dots,v_n} = \sum_{i=1}^n \left( \prod_{j=1}^i \overline{L}_{v_{j-1},v_j} \right) \cdot \overline{I}_{v_{i-1},v_i} \tag{3}$$

where *Res* depicts the overall resilience of a network against a specific *threat* ∈ when the security control $c$ is implemented in all nodes. It should be noted that the resilience expressed by Eq. (3) depicts the resilience of a network due to the existence and the efficacy of security control $c$. However, the Resilience of a network also depends on the vulnerability of the node $v_j$ to specific threats that may produce a disservice of the network.

For example, if we consider an electric substation, in order to increase its resilience against a seismic threat, there might be several options aiming to reduce the likelihood of the threat that produces a failure and/or to reduce the magnitude of the impact, e.g. to enhance the structural properties of the building or increment the number of technical crews so that in case of a failure the duration of outage can be reduced.

In a complex study of a large CI system, such as the city of Rome, the interplay among network topology, the size, quality and distribution of technical systems along the network, and emergency management ability has an impact on the evolution and duration of a crisis and thus influences the system resilience. These properties have therefore been studied in order to establish the "sensitivity" of the resilience score with respect to each of them [3].

Conveniently, the Resilience introduced by a security control against a specific threat on the entire network of interdependent nodes can be algorithmically modeled as a matrix multiplication. For the first matrix, columns represent existing nodes, while rows represent different security controls. Cell values depict the possibility of a security control to mitigate some part of the impact of a specific threat for each node present in the graph. The second matrix depicts the impact reduction that can be achieved by security controls on the existing interdependent nodes. Similarly, columns represent existing nodes, while rows represent different security controls, but here cell values depict the maximum potential impact reduction achieved at each node by the implementation of each security control. Thus, in this matrix, cells have negative values. Resilience is then modeled as the matrix multiplication of the two matrices (threat reduction and impact reduction matrices), as depicted in **Figure 1**.

**Figure 1.** *Resilience security control calculation for the entire network against a single threat* ∈*.*

### **3.4 Calculating cumulative dependency risk in the presence of resilience controls**

By combining Eq. 1 and Eq. 2 with Eq. 3, the cumulative dependency risk in the presence of resilience controls can be defined as follows:

$$DR^{Res}_{v_1,\dots,v_n} = \sum_{i=1}^n \left[ \left( \prod_{j=1}^i L_{v_{j-1},v_j} \right) \cdot I_{v_{i-1},v_i} - \left( \prod_{j=1}^i \overline{L}_{v_{j-1},v_j} \right) \cdot \overline{I}_{v_{i-1},v_i} \right] \tag{4}$$

As discussed above, $\overline{L}_{v_{j-1},v_j}$ introduces a likelihood for the security controls (actions). Specifically, it quantifies the possibility of one security control to mitigate some part of the impact of a threat.

Impact $I$ in Eqs. 1 through 4 is assigned values that reflect the maximum expected impact for each modeled dependency. This implies, first, that the equations will always produce the worst-case cascading risk $DR^{Res}_{v_1,\dots,v_n}$, and also that all modeled dependencies exhibit the same impact growth rate; something that is not true in real-world situations, where different infrastructure resilience allows for different impact growth rates over time. Thus, we use the same modeling approach as in [15] and incorporate a dynamic time-based analysis model where $T_{i,j}$ denotes the time period over which a dependency between two infrastructures exhibits its maximum expected impact $I_{i,j}$, and $G_{i,j}$ denotes the expected growth of the failure. The growth rates used in this model are split into three types, namely: slow, linear or fast. Finally, let $t$ denote an examined time period after a failure.

*Integrating Resilience in Time-based Dependency Analysis: A Large-Scale Case Study… DOI: http://dx.doi.org/10.5772/intechopen.97809*

Growth rates $G_{i,j}$ are defined based on the maximum potential Impact $I_{i,j}$ and a growth relation between time step $t$ and $T_{i,j}$. Specifically, "slow" growth rates follow an exponential evolution of type

$$I(t) = I^{\frac{t}{T}} \tag{5}$$

which begins at a slow pace and gradually increases in speed. "Linear" growth rates follow a typical approach

$$I(t) = I \cdot \frac{t}{T} \tag{6}$$

whereas "fast" impact growth rates are calculated using a logarithmic approach

$$I(t) = I \cdot \log_{T} t \tag{7}$$

in which incidents impose a very fast impact growth rate that gradually decreases in speed. For any $t \geq T$, impact growth caps at $I(t) = I$.

In real-world implementations of the methodology, all aforementioned values for $T_{i,j}$ and $G_{i,j}$, along with $I_{i,j}$ and $L_{i,j}$, are obtained through on-site assessment, expert knowledge and quantification of infrastructure characteristics.

#### **3.5 Qualitative ranking scales**

The above equations need some sort of value ranges in order to quantify results. To support calculation of these equations, we opted to use the same scales as in [15]. All the values are assigned from the following Likert scales:

- $I \in [1..9]$, where 1 is the lowest impact and 9 is the highest impact.
- $T, t \in [1..10]$, which is a granular time scale that uses the unavailability time periods: 1 = 15 min, 2 = 1 h, 3 = 3 h, 4 = 12 h, 5 = 24 h, 6 = 48 h, 7 = 1w, 8 = 2w, 9 = 4w and 10 = more than 4w.
- $G \in [1..3]$, where the value of 1 represents the slow growth rate, and values (2) and (3) represent the linear and fast evolution rates for impact respectively.

Each Impact value reflects a different qualitative criterion, based on the needs and threats of any given infrastructure. Nevertheless, quantification is uniform amongst all possible implementations, where a value of 1 reflects minimum to no Impact, while a value of 9 reflects catastrophic impact of an incident.
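The chain calculation of Eqs. 2 and 4 combined with the time-dependent impact of Eqs. 5 to 7 and the scales above, written out as an added Python example (it is not code from the chapter or from [15]). It assumes that $L$ and $\overline{L}$ are fractions in [0, 1] and $\overline{I}$ is a non-negative magnitude, reads the slow-growth curve as $I^{t/T}$, and floors each term at zero; the sample chain and control values are constructed.

```python
import math

# Time scale of Section 3.5: the formulas use the index, the label is for reports.
TIME_SCALE = {1: "15 min", 2: "1 h", 3: "3 h", 4: "12 h", 5: "24 h",
              6: "48 h", 7: "1 w", 8: "2 w", 9: "4 w", 10: "> 4 w"}
SLOW, LINEAR, FAST = 1, 2, 3  # growth rate G


def impact_at(I, T, G, t):
    """Impact of one dependency at time step t (Eqs. 5-7), capped at I once t >= T."""
    if not (1 <= I <= 9 and T in TIME_SCALE and t in TIME_SCALE
            and G in (SLOW, LINEAR, FAST)):
        raise ValueError("value outside the scales of Section 3.5")
    if t >= T:
        return float(I)
    if G == SLOW:
        return float(I) ** (t / T)   # Eq. 5, read here as I^(t/T)
    if G == LINEAR:
        return I * t / T             # Eq. 6
    return I * math.log(t, T)        # Eq. 7: logarithm of t in base T


def chain_risk(chain, t=None, controls=None):
    """Cumulative dependency risk of the chain v0 -> v1 -> ... -> vn.

    chain    -- one dict per dependency, keys L, I, T, G
    t        -- time step 1..10; None means the worst case (maximum impact I)
    controls -- optional (L_bar, I_bar) per dependency; turns Eq. 2 into Eq. 4
    """
    if controls is not None and len(controls) != len(chain):
        raise ValueError("need exactly one control entry per dependency")
    total, prod_l, prod_l_bar = 0.0, 1.0, 1.0
    for idx, dep in enumerate(chain):
        if not 0.0 <= dep["L"] <= 1.0:   # assumption: L is a probability
            raise ValueError("L must lie in [0, 1]")
        prod_l *= dep["L"]
        impact = dep["I"] if t is None else impact_at(dep["I"], dep["T"], dep["G"], t)
        term = prod_l * impact
        if controls is not None:
            l_bar, i_bar = controls[idx]  # assumption: both given as magnitudes >= 0
            prod_l_bar *= l_bar
            # Assumption of this example: a control cannot push a term below zero.
            term = max(0.0, term - prod_l_bar * i_bar)
        total += term
    return total


def risk_timeline(chain, controls=None):
    """Risk at every time step of the scale, keyed by the human-readable period."""
    return {label: round(chain_risk(chain, t, controls), 3)
            for t, label in TIME_SCALE.items()}


# Constructed sample chain: substation -> base station -> hospital.
CHAIN = [{"L": 0.8, "I": 6, "T": 4, "G": LINEAR},
         {"L": 0.5, "I": 9, "T": 6, "G": FAST}]
CONTROLS = [(0.5, 2), (0.5, 4)]  # constructed (L_bar, I_bar) values

if __name__ == "__main__":
    print("worst case DR     :", round(chain_risk(CHAIN), 3))
    print("worst case DR^Res :", round(chain_risk(CHAIN, controls=CONTROLS), 3))
    for period, risk in risk_timeline(CHAIN, CONTROLS).items():
        print(f"{period:>7}: {risk}")
```

At $t = 1$ the logarithmic curve of Eq. 7 evaluates to 0 because $\log_T 1 = 0$, so on this scale a fast-growing dependency contributes no risk in the first 15 minutes.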

#### **4. Case study: City of Rome**

The city center of Rome was chosen as a case study due to the high concentration of various commercial activities and power centres both local and international as well as the presence of CIs which are essential to maintain vital societal functions (**Figures 2** and **3**). In particular, the area of interest holds the major Italian government offices, *San Giovanni Calibita Fatebenefratelli Hospital* located in the Tiber Island and *Termini Railway Station*, one of the most important railway stations of Italy as it connects Northern and Southern Italy.

**Figure 2.** *The area of interest: an urban district of Rome. The map was anonymized and MV Electric substations and Base Transceiver Stations were removed to hide sensitive information.*

**Figure 3.** *The dependency graph used in the case study.*

As reported in **Table 1**, we considered 8 categories including CI and Point of Interests and selected a set of specific components (nodes, hereafter) for each category that are located in the area of interest. In particular, we considered the following categories:

i. the Electric Distribution Network (EDN) of Rome consisting of 40 Medium Voltage (15 kV) substations;

ii. the Mobile Telecommunication System consisting of 31 Base Transceiver Stations (BTS);

iii. the Water Supply Network (WSN) consisting of 1 water pumping station;

iv. the Railway system including 12 stations;

v. a set of hospitals, medical offices and pharmacies;

vi. a set of government offices and embassies;

vii. a set of cash dispensers;

viii. a set of restaurants.

| Category | Subcategory | Acronym | Nr. |
|---|---|---|---|
| Energy | MV Electric substation | ES | 40 |
| Telecommunications | Base Transceiver Station | BTS | 31 |
| Finance | Cash Dispenser | CD | 20 |
| Government | Government Office | GO | 15 |
| | Embassy | EM | 20 |
| Transport | Railway Station | RS | 12 |
| Health | Medical Office | DO | 15 |
| | Pharmacy | PH | 12 |
| | Hospital | HP | 5 |
| Food | Restaurant | RE | 10 |
| Water | Water Pumping station | WP | 1 |
| **Total:** | | | 182 |

**Table 1.** *CI categories and components modeled in the case study.*

**4.1 Dependency graph**

In order to model the interdependencies among the different nodes, we assumed a cyber risk assessment as the case scenario. In particular, we considered a *dependency matrix* [26] that allows to reveal the potential vulnerability of a given node to the unavailability, corruption or disclosure of data from an interdependent node regardless of the current state of the shared data infrastructure. In other words, we assume a cyber threat *threat* ∈ affecting the considered nodes and we use a *precomputed* dependency matrix as a means to assign a cyber vulnerability to each node w.r.t. the data disruption from all interdependent nodes.