**1. Introduction**

Critical infrastructures consist of physical and cyber assets, systems, and networks, that are essential for the functioning of a society and economy. The damage to a critical infrastructure, caused by natural (e.g., earthquakes, fire) or anthropic (e.g., hacking, sabotage, vandalism) events may produce a significant negative impact for other systems and thus amplify the effects and reducing the system capability to return to an equilibrium state.

categorised dependencies in critical infrastructures as Physical, Cyber/informational, Geographic, Logical and Social dependencies, and later in where authors created taxonomies for disruptions or outages and marked them as cascading, escalating, or common-cause [5]). Critical infrastructure modeling events where first defined as cascade initiating (i.e., an event that causes an event in another CI) and cascade resulting (i.e., an event that results from an event in another CI) by the

*Integrating Resilience in Time-based Dependency Analysis: A Large-Scale Case Study…*

Basic modeling approaches usually fall within one of the following six categories

1.Aggregate supply and demand tools, which evaluate the total demand for infrastructure services in a region and the ability to supply those services

2.Dynamic simulations, which analyze the effects of disruptions, and their

3.Agent-based models, which model operational attributes and states of

4.Physics-based models, which utilize standard engineering techniques such as

6.Leontief input–output models, which utilize linear, time-independent analysis

Our approach can be classified as both dynamic simulation and agent-based model. It utilizes operational attributes to model interdependencies in urban environments as a graph, while still allowing for dynamic input of data in order to analyze the effects of disruptions in the urban web along with quantifying their

Each critical infrastructures sector has its own group of research publications that utilize some of the aforementioned techniques to model and analyse risk. For example, in the water sector, OpenMI [8] supports federated modeling and simulation for water systems, while multiple publications exist that analyze interdependencies at the transportation sector using traffic flow simulation models [9], Bayesian networks to model the correlation structure of highway networks [10] etc. The Energy sector is also a highly researched area. Wide Area Measurement Systems (WAMS) have been extensively researched, especially for the detection of optimal locations for metering device placement, in order to achieve increased robustness of the WAMS infrastructure. Modeling and quantifying dependencies between the electrical and information infrastructures of WAMS in smart grids has been recently studied in [11]. Topological observability of power systems has been fully described in [12]. Still, cross-sector approaches do exist that opt to combine combine models from multiple sectors and enable integrated or federated

infrastructure operation; usually on a graph model.

of commodities among infrastructure sectors.

simulations. Some examples include DIESIS [13] and EPIC [14].

The North American Electric Reliability Corporation (NERC) has recently developed Critical Infrastructure Protection (CIP) standards which introduce cyber security compliance requirements for power systems [15]. Various research has developed methodologies that aim to quantify these requirements. In [15], authors proposed a risk-based dependency analysis for modeling and quantifying dependencies over time, which was also later used in [11] along with electrical centrality

power flow and stability analyses for electric power grids.

5.Population mobility models that focus on geospatial movement.

empirical study of Van Eeten et al. [6].

*DOI: http://dx.doi.org/10.5772/intechopen.97809*

associated consequences.

associated consequences.

**93**

categories [5, 7]:

In a scenario consisting of multiple infrastructures with several dependencies among them, the implementation of mitigation controls that may affect the resilience level of the systems, is valuable to preserve and restore the essential societal services. Since resilience-related controls will positively affect the capability of a system to resist, absorb, adapt and/or recover from the effects of a hazard in a timely and efficient manner, it is important to analyse the effect of such controls, in order to support decision making related to the selection and prioritization of alternative mitigation controls. For example, when electric transmission or distribution networks are affected by disturbances such as floods, in general, mitigation and restoration actions are performed through protection and automation devices and manual interventions to reduce the duration of the outage and preserve the power supply to critical systems such as hospitals [1–3].

In the US, in order to support the different players involved in modeling, simulation, and analysis of the nation's critical infrastructures, the National Infrastructure Simulation and Analysis Center (NISAC) was established. NISAC analysts assess critical infrastructure risk, vulnerability, interdependencies, and event consequences. In Europe, in order to support the different players involved in the resilience enhancement, emergency and response management of critical infrastructures to natural and man-made hazards, the Infrastructure Simulation and Analysis Centre (EISAC) is aiming at establishing a collaborative, European-wide network of national centres empowered by core technologies.

This paper extends a recent work on critical infrastructure dependency analysis and introduces time-based analysis models to study the evolution of restoration actions in a scenario of dependent systems. This model was integrated into CIPCast Decision Support System, named CIPCast hereafter, that is part of the on-going products and activities developed in the context of the Italian node of EISAC, called I-EISAC, aiming to support infrastructure and civil protection operators operators in the risk assessment of critical infrastructures.

CIPCast can provide an operational (24/7) forecast and risk analysis for different infrastructures in a specific area showing risk maps of infrastructure elements which could be damaged by different events e.g. earthquakes. In particular, CIPCast allows: (i) Assessing the seismic vulnerability of different EDNs components; (ii) estimating possible earthquake-induced physical damage; (iii) estimating the impact on service(s) functionality in terms of outage duration associated with the predicted physical damage and considering the known inter-dependencies; (iv) estimating the consequences of the predicted outages, according to several metrics accounting for economic losses and reduction of citizens well-being.

The remainder of the paper is organized as follows. Section 2 presents related works in the area. In Section 3, we introduce notions of time-based and resilienceaware dependency analysis. In Section 4, we apply the analysis to a case study related to the area of Rome. Finally, in Section 5, some conclusions and ideas for future works are drawn.

## **2. Related work**

Modeling critical infrastructures and urban systems for risk assessment purposes is a well-known and established research field. Preliminary work that laid the foundation in this area is often attributed to Rinaldi et al., first in [4] where authors *Integrating Resilience in Time-based Dependency Analysis: A Large-Scale Case Study… DOI: http://dx.doi.org/10.5772/intechopen.97809*

categorised dependencies in critical infrastructures as Physical, Cyber/informational, Geographic, Logical and Social dependencies, and later in where authors created taxonomies for disruptions or outages and marked them as cascading, escalating, or common-cause [5]). Critical infrastructure modeling events where first defined as cascade initiating (i.e., an event that causes an event in another CI) and cascade resulting (i.e., an event that results from an event in another CI) by the empirical study of Van Eeten et al. [6].

Basic modeling approaches usually fall within one of the following six categories categories [5, 7]:


Our approach can be classified as both dynamic simulation and agent-based model. It utilizes operational attributes to model interdependencies in urban environments as a graph, while still allowing for dynamic input of data in order to analyze the effects of disruptions in the urban web along with quantifying their associated consequences.

Each critical infrastructures sector has its own group of research publications that utilize some of the aforementioned techniques to model and analyse risk. For example, in the water sector, OpenMI [8] supports federated modeling and simulation for water systems, while multiple publications exist that analyze interdependencies at the transportation sector using traffic flow simulation models [9], Bayesian networks to model the correlation structure of highway networks [10] etc. The Energy sector is also a highly researched area. Wide Area Measurement Systems (WAMS) have been extensively researched, especially for the detection of optimal locations for metering device placement, in order to achieve increased robustness of the WAMS infrastructure. Modeling and quantifying dependencies between the electrical and information infrastructures of WAMS in smart grids has been recently studied in [11]. Topological observability of power systems has been fully described in [12]. Still, cross-sector approaches do exist that opt to combine combine models from multiple sectors and enable integrated or federated simulations. Some examples include DIESIS [13] and EPIC [14].

The North American Electric Reliability Corporation (NERC) has recently developed Critical Infrastructure Protection (CIP) standards which introduce cyber security compliance requirements for power systems [15]. Various research has developed methodologies that aim to quantify these requirements. In [15], authors proposed a risk-based dependency analysis for modeling and quantifying dependencies over time, which was also later used in [11] along with electrical centrality

to a critical infrastructure, caused by natural (e.g., earthquakes, fire) or anthropic (e.g., hacking, sabotage, vandalism) events may produce a significant negative impact for other systems and thus amplify the effects and reducing the system

In a scenario consisting of multiple infrastructures with several dependencies among them, the implementation of mitigation controls that may affect the resilience level of the systems, is valuable to preserve and restore the essential societal services. Since resilience-related controls will positively affect the capability of a system to resist, absorb, adapt and/or recover from the effects of a hazard in a timely and efficient manner, it is important to analyse the effect of such controls, in order to support decision making related to the selection and prioritization of alternative mitigation controls. For example, when electric transmission or distribution networks are affected by disturbances such as floods, in general, mitigation and restoration actions are performed through protection and automation devices and manual interventions to reduce the duration of the outage and preserve the

In the US, in order to support the different players involved in modeling, simulation, and analysis of the nation's critical infrastructures, the National Infrastructure Simulation and Analysis Center (NISAC) was established. NISAC analysts assess critical infrastructure risk, vulnerability, interdependencies, and event consequences. In Europe, in order to support the different players involved in the resilience enhancement, emergency and response management of critical infrastructures to natural and man-made hazards, the Infrastructure Simulation and Analysis Centre (EISAC) is aiming at establishing a collaborative, European-wide

This paper extends a recent work on critical infrastructure dependency analysis and introduces time-based analysis models to study the evolution of restoration actions in a scenario of dependent systems. This model was integrated into CIPCast Decision Support System, named CIPCast hereafter, that is part of the on-going products and activities developed in the context of the Italian node of EISAC, called I-EISAC, aiming to support infrastructure and civil protection operators operators

CIPCast can provide an operational (24/7) forecast and risk analysis for different

The remainder of the paper is organized as follows. Section 2 presents related works in the area. In Section 3, we introduce notions of time-based and resilienceaware dependency analysis. In Section 4, we apply the analysis to a case study related to the area of Rome. Finally, in Section 5, some conclusions and ideas for

Modeling critical infrastructures and urban systems for risk assessment purposes

is a well-known and established research field. Preliminary work that laid the foundation in this area is often attributed to Rinaldi et al., first in [4] where authors

infrastructures in a specific area showing risk maps of infrastructure elements which could be damaged by different events e.g. earthquakes. In particular, CIPCast allows: (i) Assessing the seismic vulnerability of different EDNs components; (ii) estimating possible earthquake-induced physical damage; (iii) estimating the impact on service(s) functionality in terms of outage duration associated with the predicted physical damage and considering the known inter-dependencies; (iv) estimating the consequences of the predicted outages, according to several metrics

accounting for economic losses and reduction of citizens well-being.

capability to return to an equilibrium state.

*Issues on Risk Analysis for Critical Infrastructure Protection*

power supply to critical systems such as hospitals [1–3].

network of national centres empowered by core technologies.

in the risk assessment of critical infrastructures.

future works are drawn.

**2. Related work**

**92**

metrics to quantify the level of each dependencies in the smart grid. A different approach for simulating common-cause and cascading effects was also introduced by the authors in [16]. Similarly, authors in [17] proposed to use access graph models to analyze trust between systems and the security exposure of a large scale smart grid environments. In [18], authors developed a graph-based workflow model for assessing the security risks from cybersecurity incidents on electric grids and build relevant scenarios.

**3.2 Extending the model for resilience**

*DOI: http://dx.doi.org/10.5772/intechopen.97809*

dancy security controls etc).

**3.3 Resilience mapping**

istics of each threat.

can be depicted as follows:

produce a disservice of the network.

incident.

**95**

set of *l*

Let ¼ f g *threat* be the set of *k* natural or human-related threats that may affect the quality of service provided by the generic node *vi*. The damage *Di*ð Þ*t* associated

*vi* security controls that may be implemented in a system/infrastructure *vi* to

improve their resilience against threats (e.g. restoration security controls, redun-

By combining Resilience and Threat variables with the directed graph model of interdependent POIs, we can perform a granular analysis of the risk imposed by POI interdependencies based on their risk and resilience levels. We opt to use the multi-risk dependency analysis method as proposed in [23–25] and implemented later in [15].

A many-to-many mapping may exist between the threats and the security controls, i.e. a security control may mitigate, at some extent, one or more threats, while a security threat may require one or security controls. For each security control, different weights can be used to define the effectiveness of a control against different threats and also for their application to specific infrastructures. This is a realistic modeling of resilience, since many controls do not have the same effect against all threats and different infrastructures are benefited more than others from specific security controls, given the nature of the infrastructure and the intrinsic character-

For example, if infrastructure (node) *v*<sup>1</sup> is affected by a power outage (i.e. the initiating threat event), then a node *v*<sup>2</sup> which is depended on *v*<sup>1</sup> might suffer a partial unavailability (modeled as impact *Iv*1,*v*<sup>2</sup> ) at a certain extend quantified as the likelihood *Lv*1,*v*<sup>2</sup> . *Lv*1,*v*<sup>2</sup> depicts the possibility that a power outage would affect node *v*<sup>2</sup> and *Iv*1,*v*<sup>2</sup> depicts the amount of damage done to *v*<sup>2</sup> due to its partial unavailability

In the aforementioned example, node *v*<sup>1</sup> could have implemented the use of a redundant power generator as a security control with quantified measurements (i) *Lv*1,*v*<sup>2</sup> and (ii) *Iv*1,*v*<sup>2</sup> depicting (i) the resilience influence of control *c* on node *v*<sup>2</sup> for the given threat (in our case, the power outage), and (ii) the extent of reduction to the initial estimated damage *Iv*1,*v*<sup>2</sup> , respectively. The existence of the control *c* will reduce the possibility of a power outage to affect *v*<sup>2</sup> by *Lv*1,*v*<sup>2</sup> percent, and/or the

Generalising this to *n* nodes, this gives us with a Resilience series calculation that

Y *i*

*j*¼1

where *Res* depicts the overall resilience of a network against a specific *threat*∈ when the security control *c* is implemented in all nodes. It should be noted, that the resilience expressed by Eq. (3) depicts the resilience of a network due to the existence and the efficacy of security control *c*. However, the Resilience of a

network depends also on the vulnerability of the node *v <sup>j</sup>* to specific threats that may

For example, if we consider an electric substation, in order to increase its resilience against a seismic threat, there might be several options aiming to reduce the likelihood of the threat that produces a failure and/or to reduce the magnitude of

*Lv <sup>j</sup>*�1,*<sup>v</sup> <sup>j</sup>* !

� *Ivi*�1,*vi* (3)

corresponding impact from the same threat on *v*<sup>2</sup> by *Iv*1,*v*<sup>2</sup> .

*Resv*0, … ,*vn* <sup>¼</sup> <sup>X</sup>*<sup>n</sup>*

*i*¼1

*vi* <sup>1</sup> , … ,*c vi l* � � be the

with the perturbation *<sup>t</sup>* is usually an s-shaped function. Let <sup>ℂ</sup>*vi* <sup>¼</sup> *<sup>c</sup>*

*Integrating Resilience in Time-based Dependency Analysis: A Large-Scale Case Study…*

The presented approach is mostly based on the methodologies presented in [15]. We aggregate data into dependency matrices and utilize models from real-world urban systems to map them into dependency graphs. The presented approach is based on network modeling and path analysis. It depicts dependencies of the connected urban infrastructures as a graph and identifies high risk, critical paths that are either modeled as flows of information, power or other related type of dependency. Similar techniques have been used in uniform [19, 20] or flow models [12, 21].

### **3. Time-based and resilience-aware dependency analysis**

#### **3.1 Definitions and set up**

We consider a directed graph *G* ¼ ð Þ *V*, *E* where *V* ¼ f g *vi* , *i* ¼ 1, … *m*, is the set of nodes (infrastructures, components or Point of Interest–POIs hereafter) and *<sup>E</sup>* <sup>¼</sup> *eij* � � is the set of edges (or dependencies) and *deg v*ð Þ*<sup>i</sup>* is the degree of node *vi*. An edge *eij* from node *vi* to *v <sup>j</sup>* denotes a dependency (and consequently a risk relation) denoted with *vi* ! *v <sup>j</sup>* that is derived from the dependence of node *v <sup>j</sup>* on a service provided by node *vi*. A dependency is defined as a "one-directional reliance of an asset, system, network or collection thereof – within or across sectors – on an input, interaction or other requirement from other sources in order to function properly" [22]. A node could thus represent a *consumer* or a *producer* of a service provided by another node (or both), depending on its role in the system.

Our model extends the cumulative dependency risk model of [23, 24]. Without loss of generality, let *v*<sup>0</sup> ! *v*<sup>1</sup> ! … ! *vn* be a dependency chain, involving *n* þ 1 nodes and their corresponding *n* dependencies. Let *Lv <sup>j</sup>*�1,*<sup>v</sup> <sup>j</sup>* be the likelihood that a disruptive event (threat) that happened in node *v <sup>j</sup>*�<sup>1</sup> will also affect (cascade) to node *v <sup>j</sup>* due to their dependency and let *Iv <sup>j</sup>*�1,*<sup>v</sup> <sup>j</sup>* be the relevant impact (damage) caused to *v <sup>j</sup>*. We should note here that *L* is not the likelihood of threat manifestation, but rather the likelihood of an already manifested threat to cascade (i.e. affect) different nodes.

Based on the definitions of [23], the risk exhibited by a node due to its *n*-th order dependency is defined as:

$$R\_{\nu\_0,\ldots,\nu\_n} = L\_{\nu\_0,\ldots,\nu\_n} \cdot I\_{\nu\_{n-1},\nu\_n} \equiv \prod\_{i=0}^{n-1} L\_{\nu\_i,\nu\_{i+1}} \cdot I\_{\nu\_{n-1},\nu\_n}.\tag{1}$$

Then the *cumulative dependency risk* which includes the *overall* risk exhibited by all the nodes within the sub-chains of an *n*-order dependency is defined as:

$$DR\_{\nu\_0,\ldots,\nu\_n} = \sum\_{i=1}^n R\_{\nu\_0,\ldots,\nu\_i} \equiv \sum\_{i=1}^n \left(\prod\_{j=1}^i L\_{\nu\_{-1},\nu\_j}\right) \cdot I\_{\nu\_{i-1},\nu\_i}.\tag{2}$$
