**1. Introduction**

One of the main goals of the European Union is to reduce the vulnerability of Critical Infrastructures (CIs) to all possible hazards (in many cases unpredictable) by improving their level of protection and increasing their resilience. The objective is to limit as much as possible the probability of widespread negative effects on the EU's citizens and economy by ensuring services even in the case of significant disruptive events, consistent with the objectives of the Stockholm Programme [1] and of the EU Internal Security Strategy [2].

The United Nations International Strategy for Disaster Reduction (UNISDR) defined resilience as "the ability of a system, community or society exposed to hazards to resist, absorb, accommodate to and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions" [3]. This general statement also applies to CIs.


*Resilience of Critical Infrastructures: A Risk Assessment Methodology for Energy Corridors*


*DOI: http://dx.doi.org/10.5772/intechopen.94755*


According to the definition first given by the European Community in the 2004 Communication on "Critical Infrastructure Protection in the fight against terrorism" [4], Critical Infrastructures are crucial systems, facilities, networks or assets whose disruption would lead to relevant impacts on the socio-economic condition and development of a Member State (MS). To enhance their protection not only against terrorism but also against all other hazards (thus including natural disasters), the European Programme for Critical Infrastructure Protection (EPCIP) was set up [5, 6]. The aim of this programme was to define a general framework based on several principles including subsidiarity, sector-by-sector approach, complementarity, confidentiality, proportionality and stakeholder cooperation. It focused on the identification of the European Critical Infrastructures (ECI), defined as CIs located in EU MS whose disruption would significantly affect at least two MS [5]. It also addressed their possible interdependencies, the assessment of their risk by means of common approaches, the measures that could be set to improve their protection, the impacts that hazards and accidents external to the EU's borders could have on the EU, and the contingency plans to reduce or mitigate the negative effects of CI disruptions [5].

One of the most relevant documents for the implementation of the EPCIP is the 2008 Directive on "the identification and designation of European critical infrastructures and the assessment of the need to improve their protection" [7]. It represents the first approach to identify ECI and to evaluate the need for increasing their protection level, and it refers to only two specific sectors (energy and transport), pointing out the necessity of future reviews meant to include other sectors, like the information and communication technology (ICT) one. It also requires owners/operators of the identified ECI to produce Operator Security Plans (OSP), which define the options existing or being implemented for the ECI protection.

In 2013, a revision of the EPCIP was introduced [8], aiming at organising the implementation of the activities along three work streams (prevention, preparedness and response), at deepening the analysis of the interdependencies (both cross-sector and cross-border) and at taking into account critical ICT infrastructures and their relationship with other CIs (especially electricity generation and transmission infrastructures).

In 2017, the European Commission launched an evaluation aiming at assessing the implementation of the 2008 Directive and focusing on its relevance, coherence, effectiveness, efficiency, EU added value and sustainability. The assessment process ended in 2019. It points out the need to revise the Directive, including further sectors besides the energy and transport ones and taking into account the interdependencies among sectors. Furthermore, it highlights the relevance that new threats – including those related to artificial intelligence, the introduction of advanced ICT solutions that can create new vulnerabilities and the involvement of third countries in the ownership and operation of CIs – can assume [9, 10].

In order to effectively enhance the protection of CIs, quantitative methodologies are needed that can evaluate their resilience and assess, in a holistic way, the different dimensions involved. In particular, the approaches proposed in the scientific literature focus on some key aspects related to the concept of infrastructure resilience, namely: ad hoc risk assessment methodologies for quantifying the resilience of CIs, interlinks and interdependencies among CIs, and analysis of the infrastructure vulnerability with respect to different kinds of threats. Some of these approaches also try to assess the multi-dimensional (energy, social, environmental and economic) impacts due to disruptive events involving CIs.


With respect to these aspects, different reviews of the proposed studies are available in the literature, such as those carried out by Ouyang [11], Griot [12], Wang et al. [13] and Liu et al. [14].

Considering the quantitative methodologies for evaluating the resilience of CIs, two studies prepared by the JRC can be mentioned first. In particular, Galbusera et al. [15] proposed a feasibility study for the application of stress tests (like those adopted in the nuclear and economic sectors) to the evaluation of CI resilience against several hazards. Giannopoulos et al. [16] carried out an analysis of the state of the art related to the risk assessment methodologies that could be useful for the protection of CIs. A general approach to risk analysis and management of system-of-systems can be found in the studies performed by Haimes et al. [17] and by Ariel Pinto et al. [18]. Eusgeld et al. [19] analysed instead the alternative modelling options (integrated and coupled models) for system-of-systems and proposed a specific High Level Architecture (HLA) for modelling Supervisory Control and Data Acquisition (SCADA) and "System under Control" (SuC, like gas supply system or power supply system). Labaka et al. [20, 21] suggested a holistic framework (based on the identification of resilience policies, on their influence and on the methodology for their implementation) aiming at increasing the resilience of CIs by identifying their resilience level, their weaknesses and the possible improvements to be implemented. Mao et al. [22] highlighted that different measures aiming at increasing the resilience of CIs can be coherent or conflicting among each other, due to a missing systemic approach. Consequently, they proposed a framework based on a quality function deployment (QFD) that takes into account the correlations between resilience improvement actions at different stages of the CI lifecycle. Nan et al. [23] proposed a method for resilience estimation, which combines a hybrid multi-layer model (for capturing the interaction between different subsystems) and an integrated metric (for the quantification of the resilience, considering the different resilience capabilities). Ouyang et al. [24] focused on CI protection, starting from the actions that can be adopted to protect weak system components before a disruptive event happens and comparing the robustness-based approach (mainly related to the remaining functionality level of the system after the event and before the restoration) and the resilience-based approach (which includes the possible restoration path and the related rapidity).

The opportunity to model infrastructure networks as interconnected system-of-systems in order to properly describe the cascade effects due to their strong interdependencies has been underlined by several authors. Theocharidou et al. [25] suggested a new methodology – called CRitical Infrastructures & Systems Risk and Resilience Assessment Methodology (CRISRRAM) – developed in an all-hazard perspective and based on a system-of-systems approach (a definition of system-of-systems can be found in [26]), which introduces three layers (society, asset and system) and evaluates the direct or indirect effects on economy, environment and citizens caused by the hazards considered in each scenario. Another approach based on the system-of-systems concept, a Monte Carlo simulation and a Hierarchical Graph representation of the interdependent CIs is the one described by Ferrario et al. [27], which was applied to two case studies – concerning respectively small electric and gas grids (plus a SCADA system) and a large electrical distribution network – for the evaluation of their robustness. Kröger et al. [28] and Zio [29, 30] further suggested an approach – helpful in CI protection – based on the risk and vulnerability concepts and able to allow the identification of possible vulnerabilities (both evident and hidden), thus avoiding the failures that could originate when the CIs are subject to hazards of multiple nature. Johansson et al. also focused on the opportunity to use vulnerability analyses to complete reliability studies of CIs [31] and demonstrated it by applying a Monte Carlo approach for reliability analyses and a vulnerability analysis to an electric power system. Moreover, Johansson et al. [32] proposed a model that could be useful in the framework of vulnerability analyses of interdependent infrastructures that are described by both a network model (based on the graph theory) and a functional model. Stergiopoulos et al. [33] explored the interdependencies among CIs that cause cascading effects in the case of failure. For this purpose, the authors started from the dependency risk methodology proposed by Kotzanikolaou et al. [34, 35] and introduced graph centrality metrics in order to identify the nodes that mainly affect the risk paths and that can thus be controlled in order to improve risk mitigation. Furthermore, Stergiopoulos et al. [36] extended the studies performed by Kotzanikolaou et al. [34, 35, 37] by considering the time evolution of each dependency (using fuzzy models) and the concurrent common-cause cascading failures, developing a supporting tool for decision making (named CIDA, i.e. Critical Infrastructure Dependency Analysis). This tool can be useful in assessing the CI's resilience under different scenarios and the effectiveness of possible mitigation actions. Fu et al. [38] also focused on the opportunity of treating infrastructure networks as interdependent system-of-systems, while Utne et al. [39] proposed a methodological approach to model the interdependencies among CIs built starting from the use of relatively simple cascade diagrams. Furthermore, the JRC developed the Geospatial Risk and Resilience Assessment Platform (GRRASP), a graphical tool for analysing network systems that can be adopted to identify the critical elements of the network and to evaluate the cascading effects of CI disruptions, taking into account cross-sectoral and cross-border interdependencies [40].

*Issues on Risk Analysis for Critical Infrastructure Protection*

Finally, with reference to the impact analysis of different threats on CIs, specific models have been developed in order to assess the physical security and the resilience of CIs themselves against single kinds of hazards. In particular, Khalil et al. [41] focused on the modelling of physical security of CIs under attack scenarios by using a Monte Carlo-based probabilistic dynamic approach. Urlainis et al. [42] implemented instead a supporting tool for decision making suitable to evaluate the risk related to oil & gas critical infrastructures after the occurrence of a seismic event. This tool adopts fault-trees, decision trees and fragility curves and allows the identification of the most critical sections of the analysed system based on the damage state of its components. Shakou et al. [43] proposed a framework for increasing the resilience of CIs with respect to climate change phenomena, based on different timescales and promoting flexibility, modularisation and diversification.

In comparison with the mentioned studies available in the scientific literature, the new methodological approach proposed in this paper mainly focuses on single large infrastructures (like energy corridors for oil and gas supply) and aims at taking into account their geographical dimension, allowing analyses characterised by a high spatial granularity. Furthermore, the proposed procedure is able to consider the most relevant interdependencies among the parameters that could impact on the criticality of an infrastructure with a simple mathematical formulation. Therefore, this work aims at being a supporting tool not only for infrastructures management companies and for the civil protection but also for public administrations.

The paper considers the energy CIs: according to the 2008 EU Directive, this category includes facilities and infrastructures for power generation and transmission, for oil and gas production, treatment, storage and transmission and LNG terminals [7]. In particular, it focuses on the energy corridors (oil and gas pipelines, power lines).

Its goal is to define a methodology for the evaluation of a criticality index, related to the failure of an energy infrastructure due to extreme natural hazards like earthquakes, floods, storms, landslides and wildfires. This criticality index is useful to assess the criticality level of each section of the infrastructure itself (taking into account its spatial dimension) with respect to the socio-economic damage (measured in economic units) caused by the failure. Furthermore, the possibility to estimate the distance from the criticality status even in case of non-critical scenarios and to compare the criticality condition with a risk acceptability criterion (identifying – for the most critical sections – the need for undergoing structural tests) could give a valuable support in prioritising investments and in defining suitable countermeasures and protective actions.

The proposed approach starts from the concept of energy corridor. A corridor can be defined as an extensive infrastructure (like natural gas and oil pipelines and large power lines), characterised by a start point and an end point, that links production/refining facilities with distribution hubs. Energy corridors are usually strategic elements for the economy of the countries that are connected to them, and their influence spreads over a large area not limited to the geographical neighbourhood of the infrastructure. In a future world that is expected to be increasingly interconnected with large scale energy markets, the role of energy corridors could become crucial: the diversification of the sources and the possibility to ensure the functionality of the infrastructures could significantly impact on the security of energy supply and on the economic systems of several countries, especially those characterised by a high level of energy import dependency.

For these reasons, the quantitative evaluation of the resilience of the energy corridors against possible adverse events through the numerical estimation of their criticality level and the simultaneous identification of suitable criteria for risk acceptability are essential in order to identify the sections that require attention and investments for preventing potentially severe failures which could impact on the GDP (Gross Domestic Product) with losses at different scales.

**2. Methodology**

According to the methodology described in the following sections, a set of parameters influencing the criticality status of the corridor and their interdependencies have first been defined (Section 2.1). A relationship linking these parameters has then been built to define a new Criticality Index (Section 2.2). A criterion for the risk acceptability (Section 2.3) and the application of the whole procedure to a simplified case study have finally been discussed (Section 3).

**2.1 Identification of the parameters and their interdependencies**

The proposed methodology focuses on the quantitative assessment of the criticality of a single section of an energy corridor under an all-hazard perspective, i.e. with respect to all the possible extreme natural events.

For this purpose, the first step has been represented by the definition of a set of parameters that could affect the criticality level of an energy infrastructure, by their clustering into different groups and by the analysis of their interdependencies. Moreover, in order to take into account the spatial dimension of the energy corridors, the possible dependency of each parameter on the geographical position $z_c$ (ranging between 0 and the corridor length $l_c$ and measured in km) along the corridor itself has been explored. In fact, an infrastructure like a pipeline can typically run over long lengths and the natural environment surrounding it could significantly change along the route: consequently, certain natural hazards could be considered only for a limited set of branches and not for the overall length of the corridor. Finally, the effects of a variation in the value of each parameter on the damage have been estimated. In particular, in this study 15 parameters and 4 groups
