1 Introduction

Critical infrastructure is a broad term that is still evolving. Generally speaking, critical infrastructure provides the most important services to society, such as water, food, financial, ICT, energy, transportation and health services. Any dysfunction of critical infrastructure poses a threat to the continuity of functioning of the country and the well-being of citizens [1]. Therefore, effective protection of critical infrastructure is crucial, but it also poses a great challenge, as recent events exemplify. Namely, the Covid-19 pandemic proved that the security of critical infrastructure has long been taken for granted. The pandemic changed the demand for critical services, which found many critical infrastructure operators unprepared to respond effectively [2]. It also revealed the importance of vulnerability identification, which has been marginalized or not included in risk assessment methodologies [3]. In the case of future threats that are unexpected or difficult to estimate, the identification of the root causes of vulnerability of critical infrastructure plays a vital role. However, to comprehend the applicability of the concept of vulnerability of critical infrastructure, it is first necessary to understand the meaning of this term. This would contribute to enhancing the resilience of critical infrastructure by eliminating or reducing the vulnerabilities that might contribute to a crisis situation or any kind of incapacitation. The situation caused by Covid-19 can be used as a lesson learnt, which might in future contribute to more effective protection of critical infrastructure based on resilience, with identification of vulnerabilities and application of appropriate countermeasures.

2 Limitations of the Current Understanding of Vulnerability of Critical Infrastructure

The concept of vulnerability of critical infrastructure is relatively new and is still evolving [4]. Broadly speaking, vulnerability of critical infrastructure is a term that has no single, common definition. It can be defined as a flaw or weakness in the design, implementation, operation or management of the critical infrastructure which makes it more susceptible to incapacitation when exposed to a threat [5]. ISO 27001 describes vulnerability as “a weakness of an asset or control that could potentially be exploited by one or more threats” [6]. The perception of vulnerability in this case is evaluative, identifying vulnerability with some kind of error made at different stages. This, however, is not always the case. According to other definitions, vulnerability of critical infrastructure can be described as an operational attribute or physical feature that makes critical infrastructure more susceptible to exploitation by a threat, or as a system property focusing on the degree of consequences in relation to the impact of a threat, the degree of exposure to threats and the degree of resilience [5, 7]. These definitions do not treat vulnerability as necessarily negative, but rather define it as a feature of the system. This approach seems to be more accurate, especially in the case of vulnerabilities resulting from interdependencies between different critical infrastructures or from the environmental contexts within which the system is embedded [8]. In that event, vulnerability should not be understood as a flaw, but rather as an attribute of the system.

It should also be noted that the presented definitions suggest the dual nature of vulnerability, namely its physical, technical dimension relating to the vulnerabilities of the hard components, and its operational, social character referring to established procedures and management capabilities. However, because many European Union countries have adopted an understanding of critical infrastructure in terms of assets or hard technologies, the physical as well as the operational dimension of vulnerability would relate to vulnerabilities affecting only those critical objects and facilities [9, 10]. Recent events linked to the Covid-19 pandemic proved that critical infrastructure has grown not only in scope, to include the network of people who are essential to operating critical infrastructure, but also in scale. Namely, the crisis spawned by the outbreak of Covid-19 exposed the importance of frontline health care workers as well as the dependency of the healthcare system on other systems, including the transport of necessary equipment such as personal protective equipment or ventilators to hospitals [11]. This demonstrates that critical infrastructure should rather be perceived as an interconnected process, aiming to deliver an essential service, which involves various stakeholders. Such an understanding of critical infrastructure is in line with the recently proposed European Union Directive on the resilience of critical entities, which defines critical infrastructure as critical entities providing essential services [12]. This shift towards defining critical infrastructure as a complex system composed of technological and social components implies the necessity to rethink the notion of vulnerability, which should also be more elaborate and applicable to other domains [10, 13].

Moreover, it should be emphasized that the previously mentioned definitions of vulnerability have one crucial aspect in common, namely the threat-centric perception of vulnerability. This means that vulnerability identification is driven by the set of identified threats to critical infrastructure. The spectrum of threats that could affect critical infrastructure is usually broad, including physical attacks, cyber-attacks, natural disasters or accidents occurring on a daily basis [14]. They are, however, mostly physically or cyber-oriented, which also results from the aforementioned understanding of critical infrastructure through the prism of objects and assets. Accordingly, risk management methods focus mostly on asset hardening, that is, the physical resistance of critical infrastructure, to endure the identified threats and to prevent critical infrastructure from failing [15]. Due to the fast-changing threat landscape, including the unpredictability of future impacts of climate change on critical infrastructure, state-sponsored hybrid actions, biological threats or new technologies, the traditional approach to protection of critical infrastructure based on prevention seems to be ineffective. In the case of black swan events such as the Covid-19 pandemic, which are difficult to foresee, precisely estimate and prepare for, overreliance on protection plans prepared in advance, with risk assessment based on identification of vulnerabilities to selected threats, might endanger the undisturbed continuity of functioning of critical infrastructure [16, 17, 18].

In addition, due to the concentration on identification and assessment of threats, the risk management cycle refers to vulnerability only in the context of pre-event actions such as prevention, protection and pre-event mitigation. This implies that the drivers of vulnerability would be considered only before the occurrence of the threat and the damage. Vulnerability would then be identified solely in terms of capabilities to detect possible threats and to determine the scale of potential consequences. This means that the vulnerabilities relating to post-event actions such as mitigation, response and recovery would not be considered [19, 20]. It should be emphasized that the reduction of vulnerabilities before they manifest as failures is crucial. Nevertheless, due to the increasing level of interdependencies and interconnectivity of critical infrastructure, the capability of the critical infrastructure operator to react and respond to future unanticipated threats, as well as to adapt to changes rather than only overcome them, is becoming more and more important [21]. Furthermore, the growing complexity of critical infrastructure creates additional vulnerabilities in the system, which might also result in indirect, cascading consequences not limited to one domain. Therefore, it is becoming very difficult to precisely analyze all of the components of critical infrastructure and estimate their vulnerabilities prior to the adverse event [15]. This suggests the need to focus on vulnerabilities that might negatively influence the response actions and the degree of loss after the adverse event [19]. It requires taking into consideration not only current vulnerabilities to specific, identified threats, but also the system’s potential vulnerabilities to future, unknown events, combined with the expectation of an inability to prevent all threats from occurring and the capability to respond to them [8].

3 The Multidimensional Nature of Vulnerability of Critical Infrastructure

To make critical infrastructure more secure, especially in the case of future unknown unknowns, the designed and applied countermeasures should focus on enhancing critical infrastructure resilience. The term resilience can be understood as “the ability of an infrastructure to prepare to cope with changing conditions and adapt to them, and to resist and recover rapidly from disruption, including deliberate attacks, accidents or natural events” [22]. The level of resilience of critical infrastructure is largely determined by the process of identification of vulnerabilities. However, the implementation of a resilient approach to critical infrastructure protection requires a paradigm shift from the focus on threats towards the identification, assessment and management of vulnerabilities [21]. The identification of root causes of vulnerability should consider a broader scope of critical infrastructure domains where vulnerabilities might be embedded at different stages of operation, namely before as well as after the occurrence of the adverse event.

Considering critical infrastructure as a complex system, composed of various interacting components, the root causes of vulnerability can be divided into the following factors:

• capacity, which would include mission identification, supporting system identification, dependencies and interdependencies, system reconstitution and the infrastructure, equipment and staff related to them;

• competence relating to knowledge and skills of personnel including operation and management attributes such as responsibilities, communication, organization, logistics, knowledge about the environment in which critical infrastructure operates and critical infrastructure endurability;

• performance understood as capability of critical infrastructure to function under all circumstances and public-private cooperation in protection of critical infrastructure [4, 14].

The first factor, referring to the capacity of critical infrastructure, aims to identify vulnerabilities related to the identification of the most important functions of critical infrastructure needed to fulfil the mission of delivering an essential service. It requires thorough analysis of the processes and sub-processes and of the key assets, systems, networks, hardware and software supporting them, as well as essential staff. This also involves identification of internal and external dependencies and interdependencies between infrastructures. As a result of in-depth analysis of the system, through the conduct of Business Process Analysis (BPA) and Business Impact Analysis (BIA), the critical infrastructure operator will be able to identify existing vulnerabilities and apply proper countermeasures, or prepare for potential vulnerabilities resulting from identified relationships between infrastructures, such as cascading failures [23, 24]. The conduct of BIA, defined as “a process of analyzing operational functions and the effect that a disruption might have upon them”, would also make it possible to gather the information required to prepare a business continuity plan [25, 26]. The analysis of the capacity of critical infrastructure would also involve understanding and estimating the reconstitution time in case of the occurrence of an adverse event, including acceptable time delays, repair parts requisitions and fix implementation. Moreover, this would make it possible to prioritize the most important parts of the critical infrastructure system, crucial for the delivery of essential services to the country and society under all circumstances. It should also be noted that critical infrastructure as an entity is not static and therefore requires constant technology upgrades. The recognition of critical infrastructure capacity is crucial not only in order to understand the system better and eliminate the vulnerabilities, but also to be able to react more effectively in case of a crisis caused by vulnerabilities that are impossible to mitigate [14].

The second factor, namely competence, relates to the importance of organizational resilience. According to ISO 22301, competence is described as an “ability to apply knowledge and skills to achieve intended results” [25]. It involves issues such as the internal organization of critical infrastructure, the management skills of the personnel and knowledge about internal and external factors which might affect critical infrastructure operations. The PESTLE framework can be used to monitor and analyze the environment within which critical infrastructure functions, and to notice any changing conditions. The PESTLE acronym stands for Political, Economic, Social, Technological, Legal and Environmental factors which might create vulnerabilities that can affect critical infrastructure [27]. A clear division of roles and responsibilities, as well as the implementation of procedures and policies, are crucial; however, they should not be overestimated. Competence is directly linked to the ability to adapt to an unexpected crisis situation for which procedures and rules have not been prepared. To mitigate the possible vulnerabilities caused by this factor, training and exercises are required to test the existing strategies, communication within the organization and with other stakeholders, as well as the ability of the staff to be creative and innovative when faced with unanticipated problems. These exogenous and endogenous factors need to be addressed in order to facilitate the adaptation of critical infrastructure to changing conditions. Moreover, in the case of endurability, the development and constant updating of prepared contingency plans, back-up systems and spares are necessary in order to reduce the effects of adverse events and to maintain the critical functions of critical infrastructure [8, 27].

The performance factor relates to the capabilities of critical infrastructure and to public-private partnership. The term capability refers to capacity combined with competence. It relates to the comprehensive implementation and management of all resources required for critical infrastructure to operate. It highlights the need for a holistic approach to the identification of vulnerabilities at different stages, namely before, during and after the adverse event. It directly relates to the required capabilities of critical infrastructure to anticipate, absorb, adapt to and recover from a disruptive event. It includes the onsite and offsite capabilities relating to crisis management. The onsite capabilities include measures undertaken by the critical infrastructure operator aiming to implement the following properties which characterize a resilient system, namely: robustness, redundancy, resourcefulness and rapidity [17, 28]. The offsite capabilities involve the interactions and information exchange between the critical infrastructure operator and the public sector, such as law enforcement, emergency medical response, fire response or intelligence services. These actions would help to raise awareness of the complexity of the system, including dependencies and interdependencies between critical infrastructures, and thereby to prepare suitable strategies, protection plans and programs [29]. Effective cooperation between emergency responders and the critical infrastructure operator, based on agreed procedures, joint exercises and training, would help to eliminate the vulnerabilities which might hinder the coordination and response actions to all disruptive events [20]. In addition, cross-sectoral partnerships between critical infrastructure operators, involving civil society, should be established in the process of building resilient critical infrastructure [30].

4 Conclusions

For a long time the identification of vulnerability of critical infrastructure has been underestimated and has mostly referred to physical flaws of critical infrastructure. Due to the fast-changing threat landscape and the growing complexity and interconnectedness of critical infrastructures, the protection of critical infrastructure requires a shift from a prevention-based approach to a resilience-based one [9]. It should be highlighted that the resilience of critical infrastructure is largely determined by the process of identification of vulnerabilities. In this case, vulnerability should rather be understood in terms of features or attributes of the system. The identification of root causes of vulnerability of critical infrastructure should include the wider scope of domains where vulnerabilities might be embedded, also taking into account the post-event stage. This would require the analysis of the following factors, namely capacity, competence and performance. These factors reflect the complex nature of critical infrastructure, which consists of various interacting technical and social components. Managing these components requires adequate skills and knowledge, onsite and offsite capabilities to identify vulnerabilities which might hamper crisis management actions, and well-functioning public-private cooperation [4, 14]. The proper identification of vulnerabilities would make it possible to understand the system better and to notice any warning signs which might result in a crisis situation. Consequently, these actions would contribute greatly to more secure and resilient critical infrastructure.