Complex approach to assessing resilience of critical infrastructure elements

(1)

Availableonlineatwww.sciencedirect.com

journalhomepage:www.elsevier.com/locate/IJCIP

Complex

approach

to

assessing

resilience

of

critical

infrastructure

elements

David

Rehak

a,∗

_,

_Pavel

_Senovsky

a

_,

_Martin

_Hromada

b

_,

_Tomas

_Lovecek

c

a_Faculty_of_Safety_Engineering,_VSB_{– Technical}_University_of_Ostrava,_Lumirova_13,₇₀₀₃₀_Ostrava,_Czech_Republic b_Faculty_of_Applied_Informatics,_Tomas_Bata_University_in_Zlin,_Czech_Republic

c_Faculty_of_Security_Engineering,_University_of_Zilina,_Slovak_Republic

a

r

t

i

c

l

e

i

n

f

o

Articlehistory:

Received29November2018 Revised9January2019 Accepted25March2019 Availableonline29March2019

Keywords: Criticalinfrastructure Resilienceassessment Robustness Recoverability Adaptability Elements

a

b

s

t

r

a

c

t

Theresilienceofelementsinacriticalinfrastructuresystemisamajorfactordetermining thereliabilityofservicesandcommoditiesprovidedbythecriticalinfrastructuresystemto society.Resiliencecanbeviewedasaqualitywhichreducesthevulnerabilityofanelement, absorbstheeffectsofdisruptiveevents,enhancestheelement’sabilitytorespondand re-cover,andfacilitatesitsadaptationtodisruptiveeventssimilartothoseencounteredinthe past.Inthisrespect,resilienceassessmentplaysanimportantroleinensuringthe secu-rityandreliabilityofnotonlytheseelementsalone,butalsoofthesystemasawhole.The paperintroducestheCIERAmethodologydesignedforCriticalInfrastructureElements Re-silienceAssessment.Theprincipleofthismethodisthestatisticalassessmentofthelevel ofresilienceofcriticalinfrastructureelements,involvingacomplexevaluationoftheir ro-bustness,theirabilitytorecoverfunctionalityaftertheoccurrenceofadisruptiveeventand theircapacitytoadapttopreviousdisruptiveevents.Thecomplexapproachthusincludes boththeassessmentoftechnicalandorganizationalresilience,aswellastheidentification ofweakpointsinordertostrengthenresilience.AnexampleoftheapplicationoftheCIERA methodispresentedintheformofacasestudyfocusedonassessingtheresilienceofa selectedelementofelectricalenergyinfrastructure.

1. Introduction

Thefunctioningofamodernsocietyisbasedonthe exten-siveuse ofinfrastructurewhich ensuresthebasicfunction ofthestatefromtheperspectivesofbothgovernance(state andterritorial)andtheinfrastructureprovidinggoodsand ser-vices(supply,transport,electricpower,communications,etc.). Althoughthe significanceoftheseinfrastructureshas long beenknown,theybegantoberesearchedinamorecomplex

∗_{Corresponding}_author.

E-mailaddress:[email protected](D.Rehak).

wayrelativelyrecently.Theterm“criticalinfrastructure” (CI), whichtheseinfrastructureshavecometobeidentifiedwith, didnotcomeintomoreextensiveuseuntilthepublicationof theCriticalFoundationsstudy[1].

Eachstatedetermineswhichinfrastructureelements (sec-tors)areincludedfromthecompletelistofinfrastructure el-ements(sectors) initscritical list.A comparisonofcritical infrastructuresectorsoftheEuropeanUnionMemberStates waspublished,forexample,inthe ENISAstudy[2].In indi-vidualsectorsandsub-sectors,thestatesthendeterminethe nationalcriticalinfrastructureelements,whoseoperationis governedbytherelevantlegislation– intheCzechRepublic, forexample,theCrisisManagementAct[3].Inthiscontext,

https://doi.org/10.1016/j.ijcip.2019.03.003

(2)

criticalinfrastructurecanbeunderstoodasacomprehensive systemandindividualsectorsandsub-sectorsasits subsys-tems,whicharemadeupofindividualelements.These ele-mentsmaybeofastructuralorequipmentnature.

Itisimperativethattheseinfrastructuresmaintainahigh levelofreliabilityandsecurity.Consequently,suchsystem in-frastructuresshouldbehighlyresilienttotheeffectsofboth internalandexternalthreats.Resilienceinthecontextof crit-icalinfrastructurewasfirstdefinedin2009as“theabilityto ab-sorb,adaptto,and/orrapidlyrecoverfromapotentiallydisruptive event“[4].However,in developing CIresilience,emphasis was increasinglyplacedontheadaptationofcriticalinfrastructure tochangingconditionsovertime[5].

Intheinterveningperiod,thesystemofcritical infrastruc-tureunderwentextensiveresearchwithrespecttothe assess-ment ofitsresilience.Thefirstcomprehensivestudy defin-ing thecomponentsofcriticalinfrastructureresiliencewas theResilienceMeasurementIndex[6].Itclassifiesthese com-ponentsinfourbasicgroups:Preparedness,Mitigation Mea-sures,ResponseCapabilitiesandRecoveryMechanisms. How-ever,thisclassificationisnotcompleteinthatitfailsto ad-dressadaptabilityastheabilityofacriticalinfrastructure sub-systemtoadapt todisruptiveeventssimilartothoseithad encounteredinthepast.

The Measuring Critical Infrastructure Resilience study

[7]presentspossibleindicatorsofresiliencebutdoesnot pro-videanyprocedureforitsevaluation.Thefirstevaluation con-ceptwasintroducedaspartoftheGuidelinesforCritical In-frastructureResilienceEvaluation[8].Evaluationinlinewith these guidelines is framed infour dimensions: logical and physical(technical),personal,organizationalandcooperative. Inrecentyears,anumberofstudieshavebeenpublished presentingvariousmethodicalapproachestoevaluating crit-icalinfrastructureresilience(e.g.,[9–11]).Whilethese publi-cationsbroughtnumerousnewfindingsasregardsresilience quantification,theirapproachtotheissuewasmostly system-based[12].Evaluationthusfocusedprimarilyonthesystemor sectorlevelofcriticalinfrastructure[13],altogetheromitting theelementarylevel.Infact,thislevelofcriticalinfrastructure shouldnotbeignoredbecauseitisatthelevelofelementsthat protectivemeasures,ormeasuresaimedatstrengthening re-silience,areoftenimplemented.Acomplexevaluationof in-frastructureelementscanprovidevaluablefeedbacktohelp identifyweakpoints.Suchinformationcanthenactas sup-portindecidingtheallocationofresourcestoinitiate activi-tiesforthepurposeofstrengtheningresilience.Forexample, Labakaet al.[14]arguesforthe needtomodifycrisis man-agementasthetoolforrespondingtounexpectedevents,as distinctfromtheGovernmentofCanada[15],whichbasesits actionplanonriskmanagement.Bothapproaches,however, employresilienceasthemeansbywhichtoachievethese ob-jectives.Therefore,managementinitsvariousformscanbe saidtoperformanintegralroleinensuringthefunctionsand protectionofcriticalinfrastructure.

Thetechnicalaspectsofresiliencehavebeenstudied,for example, by Dueñas-Osorio et al. [16], who examined the fragility ofnetworkinfrastructure interms ofits ability to withstandseismicactivity.Severalstudiesalsofocusonthe interdependence of elements in critical infrastructure net-works and their fragility (e.g.,[17–19]).However, these

ap-proaches focus on the critical infrastructure network as a whole.Suchinformationisusefulforstrategicnetwork man-agementbutdoesnotprovidetheinformationneededto im-plementsafeguardsattheelementlevel.

Inthecontextoftheabove,waslaunchedin2015the re-searchprojectoftheMinistryoftheInterioroftheCzech Re-public,entitled“RESILIENCE2015:DynamicResilience Evalua-tionofInterrelatedCriticalInfrastructureSubsystems”,which focusesonthedynamicevaluationofcriticalinfrastructure sectors,namelytheelectricity,transportandICTsectors.One ofthemaingoalsoftheprojectwastodevelopeffective meth-odsforevaluatingtheresilienceofindividualelementsof crit-icalinfrastructure.

Element resilience is the factor determining the re-silienceofhighercriticalinfrastructuresubsystemsformed bytheseelements.ThisledtheauthorstodeveloptheCIERA method(Critical InfrastructureElements Resilience Assess-ment),whichprimarilyfocusesonequipmentevaluation,as part of the above-mentioned project. The method and its components,proceduresandmethodologiesarepresentedin moredetailbelow.Itsbasicpremiseshavealreadybeen pub-lishedrecentlyinthepaperentitledResilienceofCritical In-frastructureElementsanditsMainFactors[20].

2. Basic premises of resilience assessment in

a critical infrastructure system

Thetermresiliencewasfirstdefinedin1973byHolling[21]as theabilityofasystemtoabsorborresisttheeffectsoffailures andotherstressfactorswithoutanychangestothe function-ingofthesystem.Althoughthiswordingwasfirstappliedto ecologicalsystems,overtimethetermresiliencebeganto ap-pearinotherscientificfields,includingsociology,psychology andeconomics.Therelativelyyoungestfield,withrespectto systemresilienceresearch,isengineering.

However,eachofthesefieldsviewsresilience somewhat differently.Whileecologyemploysresilienceasatooltolearn moreaboutthedynamicsofanecologicalsystem’sresponse toexternalor internalimpulses thatdisruptits functional-ity,inanthropogenicsystems(suchascriticalinfrastructure systemsorcommunities)resilienceisregardedmoreasthe desirabletarget status[20].Societyingeneralexpectsthese systemstobehighlyresilient.

Whereas ecosystem resilience is, to a certain extent, formedautonomously,the resilience ofanthropogenic sys-tems,asthedesirabletargetstatus,mustbedevelopedand strengthenedartificially.Thatiswhytheexistingrisk man-agementsystemsarenotsufficienttostrengthenresilience, as theyfail to cover the entire spectrumof resilience. Re-silienceessentiallyprovidesamuchbroaderviewofthe is-sue of safety – it contains both processing and technical components.

2.1. Cycle of critical infrastructure resilience

Resilienceisoneofthekeyfactorscontributingtothe preser-vationofthe functionalityofcriticalinfrastructure subsys-tems,i.e.sectors,subsectorsandelements[13].Itrepresents

(3)

Fig. 1 – Critical infrastructure resilience cycle [23].

the abilityofthesesubsystems tomitigatetheintensity of impactscausedbyadisruptiveeventandtoreducethe du-ration oftheirfailure ordisruption[22].Fromthis perspec-tive,resilience is amajorfactor determining the reliability ofcriticalinfrastructuresubsystemsandmaybeunderstood asacyclicprocessbasedonthecontinualenhancementof systemprevention,absorption,recoveryandadaptation[23].

Fig.1showsonecyclewithinwhichresilienceisstrengthened fromitsoriginallevel(i.e.theblackdashedline)toanewone (i.e.thereddashedline).Thedifferencebetweenthesetwo levelsisunderstoodasthedegreetowhichresiliencehas beenstrengthened.

The initial phase of the resilience cycle is prevention, wherebysubsystemsarecontinuallypreparedforfuture dis-ruptiveevents.Absorption,thesecondphaseoftheresilience cycle,isdeterminedbytherobustnessofcriticalinfrastructure subsystemsandinvolvestheabilityofsubsystemstoabsorb theeffectsoftheseeventswithoutthemcausingfluctuations intheprovisionofservices.Therecoveryphasestartsafter theeffectsofadisruptiveeventhavewornoffandis charac-terizedbyrecoverability,whichisthecapacityofasubsystem torecoverits functiontotherequiredlevelofperformance. Thefinalphaseoftheresiliencecycleisadaptation,whichis essentiallytheabilityofanorganizationtoadaptutilized sub-systemstothepotentialrecurrenceofdisruptiveevents.

2.2. Framework for assessing the resilience of critical infrastructure elements

Theassessmentoftheresilienceofcriticalinfrastructure el-ementsisaspecificandprofessionallydemandingprocess. Somebasicprinciples,includingtheprinciplesofcomplexity, specificity,adequacy,impartialityandexpertise,should there-forebeappliedinitsimplementation[24].Moreover,the as-sessmentprocessshouldbebasedonclearlydefined proce-duresandquantitativesupportingdata.

For thepurposesofassessingCI resilience,theresearch team focusedprimarilyon the basicstructuraland perfor-mance parameters of the element concerned,the existing safety measuresoftheelementbeingassessed,the organi-zationalprocessessupportingthestrengthening ofelement resilience and,last but notleast, specificdisruptive events againstwhichtheelement’sresilienceistobeassessed(see

Fig.2).

Theassessmentinvolveselementswhichtheorganization identifiedasofinterest.Thestructuralandperformance pa-rametersmainlyrepresenttheinternalarrangementofthese elementswithinthecriticalinfrastructuresystemasawhole. Fromastructuralpointofview,theycanhavethecharacterof pointelements,lineelementsorarealelements(i.e.apoint el-ementincludingtwoormorekeytechnologies).Performance parametersthenreferespeciallytothequantityand perfor-manceofkeytechnologies.

Thecurrentlevelofresilienceisdeterminedbythe exist-ing(alreadyadopted)safetymeasureswithinthecontextof assessmentsfocusedprimarilyonelementrobustnessand re-coverability.Thisrequirescurrentknowledgeofthelevelof crisispreparedness,redundancy,detectioncapability, respon-siveness,physicalresistance(i.e.technicalmeansand orga-nizationalorsystemmeasures),aswellasmaterial,financial andhumanresourcesorprocessesrequiredforelement re-coveryfollowingadisruptiveevent.

Organizationalprocessesareanotherimportantsourceof supportingdatawhichhelpsformtheresilienceassessment framework.Goodknowledgethereofallowsassessmentofthe level of adaptability of the element to previous disruptive events.Theprocessesofriskmanagement,innovation, edu-cationanddevelopmentareofparticularinterestinthis con-text.

Sinceresilienceassessmentcanonlybecarriedoutwith regard tospecific disruptive event scenarios,it is essential that we proceed based on threats which the element be-ingassessedmaybeexposedto.Themethodincludeseight basicthreat groups tofacilitate the process ofassessment (seeTable1).Inselectingindividualgroups,theteamrelied onthePERILdisasterevent classificationusedindatabases oflarge-scale event consequences [25]. From these events, theteamselectedgroupswhereinthreatsprimarilyconcern infrastructure.

Forthepurposesofassessment,thethreatshavebeen clas-sifiedasinternalandexternal.Thefurtherdivisioninto natur-ogenic,technogenicandanthropogeniccausesisbasedonthe generalnatureofeachthreat.However,thePERILframework

[25]takes into account only technological threats.In order to carryouttheassessmentofcriticalinfrastructureresilience itwasnecessarytodifferentiatebetweenthreatsarisingfrom meretechnologicalfailuresandthosecauseddirectlyby hu-mans(e.g.sabotageorterroristattacks).Thegroupof cascad-ingeffectswasaddedtoallowforthecapturingoffailure prop-agationacrossthecriticalinfrastructuresystemviacascading effects[26].

Theclassificationofthreatsgivenaboveisonlygeneralin natureandtheoperatorsofcriticalinfrastructureelements canmodifyittobetterreflectthecharacterofthreatstowhich theirparticularelementsareexposed.

2.3. Components and variables determining the resilience of critical infrastructure elements

The initial stage in preparing the CIERA method involved a comparative analysis of the relevant papers published to date. The results were used to propose the structural componentsandsomevariables.Thisstructureisprimarily basedonthecriticalinfrastructureresiliencefinalreportand

(4)

Fig. 2 – Framework for assessing the resilience of critical infrastructure elements.

Table1– Classificationofthreatsforassessingtheresilienceofcriticalinfrastructureelements.

Naturogenic Technogenic Anthropogenic

Internalthreats – Process-technologicalthreats Personnelthreats

Externalthreats Geologicalthreats Cascadingthreats Cyberthreats

Meteorologicalthreats Physicalthreats

recommendationsdocument[4];however,italsopartially re-flectstwootherimportantstudiespublishedin2012[27,28]. Thesubsequentphaseconsistedofdefininganypotentially measurableitems.Thedefinitionoftheseitemswasbasedon publicationsaddressingissuesrelatedtoresilience measure-mentindicators[6–8].

Basedon the availabledata, theauthors of themethod proceededtoformulateindividualdeterminingfactorsof re-silience.Thispreparationstagehingedontheimplementation ofallvariablesdeterminingallphasesofresilience,i.e. pre-vention,absorption,recoverabilityandadaptability.The defi-nitionofthesedeterminantswaslimitedbysomefactorsthat stemfromthefocusoftheproject.Therefore,theassessment components areprimarilyfocusedonindividualcritical in-frastructureelements,asopposedtothesectororsubsector asawhole.Theselectionwasalsoinfluencedbytheplanned utilizationoftheresultsasthebasisforthelong-term man-agementofelementresilience.Accordingly,theassessmentis principallyfocusedontheissueofmanagement.

Thisstageresultedinthespecificationof12variablesand 167measurableitemsbeingdiscussedwithselectedoperators andownersofcriticalinfrastructureelementsattheproject workshopheldatthe beginningof2017.Thevariables and measurableitemsweresubsequentlyclassifiedintotwo ba-sicareas,namely(1)technologicalandphysicalprotectionof elementsand(2)organizationmanagement.

Resilience in the first area,referred to as technical re-silience,isdeterminedbytherobustnessandrecoverability ofinfrastructureelements.Theenhancementoftechnical re-silienceisinvariablyachievedexclusivelyinrelationtoa par-ticularelementorgroupofidenticalorverysimilarelements. Agoodexampleistheelectricitysector,whererobustnessand recoverabilitywillbesecuredindifferentwaysandby differ-entmeansdependingonwhetherwearedealingwithsystems fortheproductionofelectricityorsystemsemployedforits transmissionanddistribution.

The second area constituting element resilience is or-ganization management. This type of resilience, known

(5)

Table2– Areas,componentsandvariablesdeterminingtheresilienceofcriticalinfrastructureelements.

Areas Technicalresilience Organizationalresilience

Components Robustness Recoverability Adaptability

Variables Crisispreparedness Materialresources Riskmanagement Redundancy Financialresources Innovationprocesses

Detectioncapability Humanresources Educationanddevelopmentprocesses Responsiveness Recoveryprocesses

Physicalresistance

as organizational resilience, is determined by the level of an organization’s selected internal processes focused on the creation of optimum conditions for the adaptation of criticalinfrastructureelementstodisruptiveevents. Organi-zational resilience isformed simultaneously for all critical infrastructureelementsoperatedbyanorganization.

For variables determiningthe individual components of theresilienceofcriticalinfrastructureelementsseeTable2.

Robustnessistheabilityofanelementtoabsorbthe im-pactsofadisruptiveevent.Theseimpactsmaybeabsorbedvia thestructuralqualitiesofbuildingsorthetechnologiesused (i.e.structuralrobustness)and/orviasecuritymeasures(i.e. securityrobustness).Thelevelofrobustnesscanonlybe as-sessedrelativetoaparticulardisruptiveeventor,rather,the intensitythereof.Wherethislevelreaches100%,theelement concernedbecomesresistanttotheimpactsofthegiven dis-ruptiveevent.Thismeansthatitisabletofullyresistits ef-fectswithoutperceptiblenegativeimpactsontheelementof theserviceprovided.

Recoverabilityisthecapacityofanelementtorecoverits functiontotheoriginal(required)levelofperformanceafter theeffectsofadisruptiveeventhaveended.Withrespectto criticalinfrastructure,recoverabilityisunderstoodas repara-bility,inwhichcaseonlythedamagedordestroyed compo-nentsofanelementarerepairedorreplaced.Providedthe re-coverability(seethevariableslistedinTable2)resourcesare adequate,resiliencecanalreadybestrengthenedatthisstage. Theimplementationofmoremoderntechnologies,meeting highersecuritystandardsand ensuringgreaterelement ro-bustness,canbeusedasanexample.

Adaptabilityistheabilityofacriticalinfrastructure oper-ator(i.e.anorganization)toprepareanelementforthe po-tential effectsofdisruptiveevents similartothosethat oc-curred inthe past. Furthermore,it represents thedynamic (long-term)abilityofanorganizationtoadapttochangesin circumstances.

In the context given above,individual components and variablesdeterminingresiliencecanbesaidtoaffectthe dy-namicsoftheperformanceoftheservicesprovidedbyan el-ementinresponsetoadisruptiveevent(seeFig.3).This dy-namiccanvarydependingonthetypeofinfrastructureand thedisruptiveeventandthemannerofitsmanagement.

Assoonasanelementbeginstobeaffectedbyadisruptive event,theabsorptioncapacityoftheelementcanbebroken downintotwophases.Inthefirstphase,thesystemisable toabsorbtheimpactsofadisruptiveeventwithouttheneed toemployredundantcapacities,uptotheboundaryofthe el-ement’sabilitytoabsorbfullytheimpactsoftherespective

disruptiveevent(seepointAinFig.3).Inthesecondphaseof absorption,theredundantcapacitiesavailabletotheelement areemployedandtheelementisstillcapableofdeliveringits fullperformanceasrequired.Atthispoint,thereisstillan op-portunitytodetectadverseeventsandinitiateasuitable re-sponse[20].

Onlyaftertheredundantcapacitiesoftheelementhave beenexhausted,i.e.thelimitofitsabilitytoabsorbthe im-pactsofadisruptiveeventhasbeenreached(seepointBin

Fig.3),dothe negativeconsequencesoftheevent beginto manifestinadeclineoffunctionsperformedbytheelement. Thenatureofthisdeclineisdeterminedbythecapabilitiesof theelementtodefendagainsttheeffectsoftheevent.Where suchcapabilitiesexist,thedeclineinperformanceofthe ele-mentmaybegradual;however,ifthesecapabilitiesare over-comebytheintensityofthedisruptiveevent,thedeclineis likelytobeabruptorevenimmediate[20].

3. Assessing the resilience of critical

infrastructure elements

TheCIERA methodwas created to assess the resilience of criticalinfrastructureelements.Thismethodwasdeveloped aspartofthegrantprojectoftheMinistryoftheInteriorof theCzechRepublicentitled“RESILIENCE2015:Dynamic Re-silienceEvaluationofInterrelatedCriticalInfrastructure Sub-systems”.Itwasdesignedfortheassessmentofelement re-silienceintechnically oriented sectorssuchasenergy, wa-termanagement,transportandcommunication/information systems.However,the mannerofassessmentand someof themetrics,whenmodified,canalsobeappliedtoother sec-tors;forexample,toevaluatetheresilienceofelementsinthe emergencyservicesorhealthsectors.

AstheproposedCIERAmethodfocusesonassessingthe resilienceofelementswithoutthepossibilityoffactoringin thenetworkcharacteristicsofcriticalinfrastructure,the fol-lowinglimitingconditionshavebeensetforitsapplication:

– Theassessmentfocuses onindividual/specificelements ofcriticalinfrastructure.Thesubjectoftheassessmentis the internalabilityofcritical infrastructureelements to countertheeffectsofbothinternalandexternaldisruptive events.

– Theassessmentmustalwaysbeaimedataparticular dis-ruptiveevent.

– Thecreated resilience modelis static – theassessment takesplaceinthephaseofzerointensitywithrespectto

(6)

Fig. 3 – Graphical representation of components and variables determining the resilience of critical infrastructure elements [20].

thedisruptiveevent,i.e.atapointwheretheeventisnot affectingthecriticalinfrastructureelement.

3.1. Resilience assessment procedure

ThecrucialphaseoftheCIERAmethodcreationinvolvedthe establishmentofthe resilienceassessmentprocedure. This procedureisbasednotonlyongeneralmethods(e.g.[29]),but italsoincorporatesfeaturesfromspecificmethodologies(e.g.

[9–11]).

Theprocedure forassessingthe resilienceofcritical in-frastructure elements includes nine consecutive activities. These activitiesconsistofselecting anddescribingthe ele-mentbeingassessed,identifyinganddescribingthethreats againstwhich theelement istobeassessed,assessingthe levelofindividualcomponentsthatdeterminetheelement’s resilience,calculatingtheelement’sresilience,evaluatingthe weakpointsandproposingmeasuresaimedatstrengthening theelement’sresilience.Thesequenceofindividualactivities isshowninFig.4below.

There are no restrictions as to the selection of an el-ement (Activity 1). In developing the method, the research teamfocusedprimarilyontechnicalsectors.Themethodwas testedondesignatedelementsoftheelectricity(seeSection4

herein),transportandhealthsectors.However,theteam pre-sumesthepossibilityofawiderapplicationofthemethod’s principles.

Subsequentlytheselectedelementisdescribed(Activity2) astoitsstructuralandperformanceparametersand catego-rizedwithin thestructureofthecriticalinfrastructure. Ele-mentcategorizationisbasedonthesector,subsectororany other structuralspecification (e.g. production,transmission or distribution withregard to the electricity sector) within whichitwasfirstdeterminedonthebasisofsectoral crite-ria.Conversely,theperformanceparametersspecifythe ele-ment’stechnologicalstructure,whichhighlightsthenumber andcapacityofkeytechnologies.

Forthepurposesoftheassessment,itisnecessaryto iden-tify(Activity 3),classify and describe all threats (Activity 4) whichhavethe potentialtoinitiatedisruptive events lead-ingtoamajordeclineoreveninterruptionintheprovision ofservices.Theassessmentshouldbeconductedseparately foreach identifiedthreat.Scenariosdescribingtheprogress ofsucheventscouldbeutilizedasanappropriatesupporting tool.Inaddition,thesescenarioscouldalsobeviewedasa by-productoftheproposedmethod;applicable,forexample,to thedynamicmodelingofresilience,reflectingthecourseof thedisruptiveevent’sintensity;ortothemodelingof cascad-ingandsynergisticeffectswithinacriticalinfrastructure sys-tem(forexample[13,30,31]).Activities1and2mustbedone sequentially.Similarapproachshouldbedonewithactivities 3and4.However,bothsequences(i.e.,1,2and3,4)couldbe solvedatthesametime.

Theassessmentofrobustness(Activity5)hingeson assess-ingtheelement’sabilitytoabsorbtheimpactsofdisruptive

(7)

Fig. 4 – Procedure for assessing the resilience of critical infrastructure elements.

events.Thelevelofallmeasurableitemswhichdeterminea variablemustbeassessedforeachofthevariables.The as-sessmentisbasedonascalefrom1(worst)to5(best).For ex-ample,themeasurableitem“Activationspeedofsubstitution linkages” isassessedonthefollowingscale:

5:Immediateactivation(noreductioninperformance). 4:Delayedactivationcausingashort-termreductionin

per-formanceoftheassessedelement.

3:Delayedactivationcausingashort-termlossof perfor-manceoftheassessedelement.

2:Delayedactivationcausingamedium-termlossof per-formanceoftheassessedelement.

1:Delayedactivation causingalong-termlossof perfor-manceoftheassessedelement.

Elementrobustnessistobeassessedwithrespecttoa se-lectedparticularthreat.Basedonthis,oneoftheassessment formsisusedfortheassessment.Assessmentsof recoverabil-ity(Activity6)andadaptability(Activity7)arecarriedout sim-ilarly.Eachassessmentactivityhasitsownmeasurableitems withaspecificassessmentscale.

The core activity of the procedure isthe calculation of theelement’sresilience(Activity8).Forthepurposesofthis method,wehaveoptedforaquantitativeassessmentmodel. Thismodelisbasedonthepercentageexpressionofthe de-greeoffulfillmentofindividualcomponentsdeterminingthe

element’sresilience.Thistypeofexpressionalreadyincludes comparativevaluesandcanbereadilyusedinother appli-cations;forexample,inthemodelingofcascadingand syn-ergistic effects within a critical infrastructure system (see

[13,30,31]).

Theresiliencelevelofthecriticalinfrastructureelementis calculatedasthearithmeticmeanofthecomponentvalues thatdetermineit(Formula(1)):

R= 1 n n i =1 K_i (1)

whereR= theresilienceofthecriticalinfrastructureelement [%];K=theresiliencecomponentsofthecritical infrastruc-ture element, i.e. robustness, recoverability and adaptabil-ity[%];n=thetotalnumberofcomponentsdetermining re-silience.Forapossiblegraphicalrepresentationofthecritical infrastructureelement’slevelofresilience,seeFig.5.

ThelevelsofindividualcomponentsoftheCIelement’s re-siliencearedetermined bytheweightedaverageofits vari-ables(Formula(2)): Ki = m j=1 P_jv_j (2)

(8)

Fig. 5 – The resilience level of the critical infrastructure element.

whereK_i= theithcomponentofthecriticalinfrastructure el-ement’sresilience[%];P_j=thejthvariable ofthecritical in-frastructureelement’sresilience[%];v_j=thejthnormalized weight ofthe jthvariable ofthe critical infrastructure ele-ment’sresilience[0;1];m=thetotalnumberofvariablesin theithcomponent.Thenormalizedweightsofthevariableare presentedinthefollowingpartofthepaper.

Forapossiblegraphicalrepresentationofthelevelofthe selectedresiliencecomponentofthecriticalinfrastructure el-ementanditsvariables,seeFig.6.

Thelevelsoftheresiliencevariablesofthecritical infras-tructureelementaredeterminedbytheweightedaverageof individualmeasurableitems(Formula(3)).Sincethelevelof measurableitemsisexpressedonapointscaleinintervalsof 1–5,itisnecessarytomultiplytheexpressioninFormula(3) by20,wherebytheresultisexpressedinpercentagepoints.

Pj = 20

l k =1

MP_kw_k (3)

whereP_j=thejthvariable ofthe critical infrastructure ele-ment’sresilience [%];MP_k= the kthmeasurableitemofthe criticalinfrastructureelement’sresilience[numberofpoints];

w_k=thekthnormalizedweightofthekthmeasurableitemof thecriticalinfrastructureelement’sresilienceatinterval0;1;

l=thetotalnumberofmeasurableitemsinthejthvariable. Calculationofformulas(1)–(3)useslinearaggregation of weightedvalues.Thismethodofcalculationmaybesubject toanumber ofproblems.Particularlysignificantisthe im-plicitpossibilityofsubstitution,i.e.,thepossibilityof offset-tingalowervalueofonevariablebyahighervalueofthe sec-ondvariable.Thispresentsaproblem,especiallyiftheresult shouldbecompared,forexample,todifferentelements. How-ever,thecurrentversionofthemethodologydoesnotallow forthis use.Theendeavor to“game” thesystemis techni-callypossiblebutmakespracticallynosense,becausenothing compelstheoperatortousethisparticularsystemof evalua-tion.

Theadvantageoflinearaggregationistheeaseof under-standing and relative simplicity ofinterpreting the results, whichwerethemainreasonsforchoosingthismethodof cal-culationbytheauthoringteamofthemethodology.However,

Table3– Comparativetableforassessingtheresilienceof theelementanditscomponentsandvariables.

TheresilienceleveloftheelementR ,componentsK andvariablesP

Highlevelofresilience 85–100% Acceptablelevelofresilience 69–84%

Lowlevelofresilience 53–68%

Unsatisfactorylevelofresilience 37–52% Criticallevelofresilience ≤36%

ifinthefuture,theproblemofcomparabilityacrosselements weresolved,thenformulas(1)–(3)wouldneedtoberevised usingnon-compensatorymethods(e.g.,[32,33]).

Inview ofthe above-mentionedrelationships(Formulas (1)–(3)),theaggregateformulaforcalculatingthelevelofthe criticalinfrastructureelement’sresiliencecanbedefinedas follows(Formula(4)): R=1 n n i =1 m j=1 20v_j l k =1 MP_kw_k (4)

Thevaluesofindividualvariablesandcomponentsare cal-culatedusingthe assessmentformsofrobustness, recover-abilityand adaptability.Theresultingleveloftheelement’s resilienceisdeterminedandthefinalassessmentcompleted inthelastassessmentform.

Thefinal activity ofthe procedureto assess the critical infrastructureelement’sresilience consistsofassessingthe resilience level,identifying any weakpointsand proposing measurestostrengthenthe element’sresilience (Activity9). Thelevelofresiliencemaybeassessedatthelevelofthe el-ement(i.e.complexassessment),thecomponent(i.e.partial assessment) orthe variable (i.e.elementaryassessment).A comparativetableisusedtoassessthelevelofresilience(see

Table3).

The division of the resilience acceptability levels in

Table3isbasedon thefailuremode, effectsandcriticality analysis[34]method,whichusesmultiplevariablesto deter-minetherisklevel,andisbasedonvariationsintheirextreme values.Similarly,individualresiliencelevelshavebeen deter-mined,whichtakeintoaccountvariationsinextremevalues (i.e.,1and5)forfivevariables:

– Criticallevel:1,1,1,1,5= >∅ 1.8= >36% – Insufficientlevel:1,1,1,5,5=>∅2.6=>52% – Lowlevel:1,1,5,5,5=>∅3.4=>68% – Acceptablelevel:1,5,5,5,5=>∅4.2=>84% – Highlevel:5,5,5,5,5=>∅5.0=>100%

Thedivisionofresilienceacceptabilityintofivegradesof assessmentisguidedbyanefforttomotivateuserstoexplore inmoredetailthecompositionofresilience,i.e.,the retrospec-tivedecompositionofcomponentresilienceandvariable rat-ings.Inviewofthefactthatthemethodologyisnotintended toserveformutualcomparisonacrosselements,theauthors considertherequirementforaweakconsistencyof assess-ment[35]tobesufficient.

(9)

Fig. 6 – The robustness level of the critical infrastructure element.

ThelevelofresilienceRindicatestheoverallconditionof theelement(i.e.itsabilitytoabsorbtheimpactsofdisruptive eventsandtorecoveritsfunctiontotheoriginal/requiredlevel ofperformanceafterthe effectsofadisruptive eventhave ended)andtheconditionoftheorganization(i.e.theability ofacriticalinfrastructureoperatortoprepareanelementfor therecurringeffectsofapreviousdisruptiveevent).Thelevel ofresilienceKindicates theconditionofindividual compo-nents,whilethelevelofresiliencePindicatestheconditionof individualvariables.

Wheretheresiliencelevelreaches≤68%,itwillbe neces-sarytoidentifytheweakpointsthroughthedecompositionof theresilienceassessmentresults,whichistobedoneatthe leveloftheaffectedmeasurableitems.Incaseswhere mea-surableitemsshowaresiliencepointvalueof3andless,the affectedareasoftheassessedelementwillneedtoberevised andtheprocessoftheiradjustmentandrecoveryinitiated.

The decomposition ofthe resilience assessmentresults willmakeitpossibletoproposemeasuresaimedat strength-ening the element’s resilience. Resilience must always be strengthenedatthelowestlevel,i.e.atthelevelofmeasurable items,asfollows:

– Highlevelofresilience(5):asthemeasurableitemsinthis categoryshowexcellentparameters,thereisnoneedto adoptanyfurthermeasures.

– Highlevelofresilience(4):the measurableitemsinthis categoryshowverygoodparameterswhichcanstillbe im-provedupon,butsuchimprovementsarenotnecessaryfor theoverallleveloftheelement’sresilience.

– Lowlevelofresilience(3):themeasurableitemsinthis cat-egoryshowsufficientparameters,althoughtheir improve-mentwouldleadtosubstantialstrengtheningofthe ele-ment’sresilience.

– Unsatisfactorylevelofresilience(2):themeasurableitems inthiscategoryshowverypoorparameterswhichgreatly reducetheresilienceofthevariabletowhichtheybelong.

Table4 – Normalizedweightsofvariablesdetermining therobustnessofcriticalinfrastructure elementsbased ontheelement’stopology.

Variables Point element weights Areal element weights Line element weights Crisispreparedness 0.15 0.15 0.25 Redundancy 0.15 0.20 0.25 Detectioncapability 0.25 0.25 0.20 Responsiveness 0.20 0.25 0.15 Physicalresistance 0.25 0.15 0.15 1.00 1.00 1.00

– Criticallevelofresilience(1):themeasurableitemsinthis categoryareeitherabsentorshowcriticallylow parame-ters.Itisimperativethattheseitemsarefullyrevisedand theprocessoftheiradjustmentandrestorationisinitiated assoonaspossible.

3.2. Establishing the weights of variables and measurable items

Thev_jaw_kweightsconstituteanimportantpartofthe as-sessment(seeFormulas(2)and(3)),astheweightvaluesallow differentiationofthesignificanceofindividual components oftheassessment.Followingconsultationsheldwiththe in-tendedusersofthemethod,theresearchteamarrivedatthe conclusionthattheweightsshouldbederivedseparatelyfor differenttypesofcriticalinfrastructureelements.SeeTable4

foranexampleofnormalizedweightsofvariables determin-ingtheelement’srobustness.

The values were estimated based on the expert evalu-ation of assumedfuture users and by applyingthe paired comparisonmethod.Thevaluesofthederivedweightswere

(10)

Table5– Descriptionoftheelectricitycritical infrastruc-tureelementbeingassessed.

Nameofelement Controlroomofthedistribution systemoperator

Sector/subsector: Energy/electricity/distribution system Topological

structure:

Areal element: Keytechnologies: 1.SCADA systems

(a)Controlsystemforoperatingthe distributionsystemelements

(b)Communicationcontrolsystem (c)Commandsystem

2.Geographicinformationsystem Numberof

distribution nodes:

740,000

Table6– Descriptionofthethreatagainstwhichthe ele-mentwasassessed.

Nameofthreat: Cyberattack Categoryofthreat Anthropogenic Groupofthreats: Cyber

Specificationofthreat: SCADAsystemdisruption

normalizedsothattheirsuminthevariable(w_k)andinthe component(v_j)equalled1(Formula(5)).

m j=1 v_j= l k =1 w_k= 1 (5)

Byitsverynature,theexpertevaluationandscalesderived fromitwillalwaysbesubjectivetoacertainextent.Giventhat intenseresearchisstillongoinginthisarea,thereisnowidely acceptedhierarchyofitems,andsotheassessmentmustbe somewhatsubjective.Theuseofsuchapproachesin manage-mentisnotunusual[36].Specificationsofweighting coeffi-cientsallowthissubjectivitytobetransparentlycollectedin oneplaceandadmitted.Ifnecessary,theweightingsystem canberevisedinthefuture.

4. CIERA method case study

Theinitialverificationofthemethodwasdonebyanalyzing theresultsoftherealizedcasestudiesthatwereprocessed forthesectorsofelectricity(controlroomofthedistribution systemoperator),transport(arailwaystationonan interna-tionaltrack)andpublichealth(auniversityhospital).The re-sultsweresubsequentlydiscussedwiththeoperatorsofthe elementsbeingassessedandappliedtoadjustingthemethod further.Theanonymousresultsofoneoftheassessmentsare presentedbelowwithaviewtofacilitatingtheinterpretation oftheuseoftheCIERAmethod.

Forthepurposesoftheassessment,thecontrolroomofan undisclosedpowerdistributioncompanywasselected( Activ-ity1).Thiscompanyoperatesinthreeregions,whereit dis-tributeselectricity to nearly740,000 customers (businesses andhouseholds).

Subsequently,theselectedelementwasdescribed(Activity 2)astoitsstructuralandperformanceparametersand cat-egorizedwithin the structureofcritical infrastructure.The element’sstructuralparametersspecifyitstopological struc-tureand,inthecaseofarealelements,keytechnologies.The element’sperformanceparameterwithregardtothecontrol roomisthenumberofdistributionnodes.Thesedataare pre-sentedinTable5.

Theassessmentoftheresilienceofthisparticularelement wascarriedoutwithrespecttosevenselectedthreats(Activity 3).However,duetoitsextent,thissubchapterincludesonly theassessmentresultsconcerningtheelement’sresiliencein connectionwithcyber-attacks.SeeTable6foradescriptionof thisthreat(Activity4).

Thefollowingpartofthecasestudypresentsthe assess-mentresultswithrespecttotheelement’srobustness, recov-erabilityandadaptability.Thefirststepwastoassessthe ro-bustnessoftheelement(Activity5),whichconsistedof assess-ingthecurrentcondition(level)ofitsindividualvariables,i.e. theelement’scrisispreparedness,redundancy,detection ca-pability,responsivenessand physicalresistance.For the as-sessmentresults,seeFig.7.

Thenextstepwastoassesstherecoverabilityofthe ele-ment(Activity6),whichconsistedofassessingthecurrent con-dition(level)ofindividualvariables,i.e.materialresources, fi-nancialresources,humanresourcesandrecoveryprocesses. Fortheassessmentresults,seeFig.8.

Theelement’sadaptabilitywasthelastresilience compo-nenttobeassessed(Activity7).Theassessmentofthe

ele-Table7– Identificationofweakpointsintheresilienceoftheassessedelement.

Measurableitemswithanunsatisfactorylevelofresilience Measurableitemswithacriticallevelofresilience Robustness 1.1.1CSIRT/Organization’ssecurityteam 1.3.4Incidentreporting

Recoverability – –

Adaptability 3.1.1Riskmanagementlevel 3.1.2Riskassessmentmethodology 3.1.4Disruptivescenariospecification 3.1.3Safetystandardimplementation 3.2.4Managementprocessesinnovation 3.2.1Organizationalstructure

3.2.3Managementoforganizationalprocesses 3.2.7Researchanddevelopment

(11)

Fig. 7 – Assessment of the element’s robustness with respect to cyber-attacks. Legend: P =point element, A =areal element, L =line element.

ment’sadaptabilityconsistedofassessingthecurrent condi-tion(level)ofindividualvariables,i.e.riskmanagementand innovation,educationanddevelopmentprocesses.Forthe as-sessmentresults,seeFig.9.

Thecore activityofthe assessmentwas thecalculation oftheelement’sresilience(Activity8).Theresiliencelevelof thecriticalinfrastructureelementwascalculatedasthe arith-meticmeanofthecomponentvaluesthatdetermineit(see Formula(1)).Fortheassessmentresults,seeFig.10.

Thefinal activity ofthe procedure toassess the critical infrastructureelement’sresilienceconsistedofassessingthe resilience level, identifyingany weakpoints and proposing measures to strengthen the element’s resilience (Activity 9).Thelevel ofresilience wasassessedgradually basedon comparativevalues(seeTable3)atthreelevels.

Thelowestlevelatwhichresilienceisassessedisthe el-ementlevel.Inthisregard,theelement’sresilienceto cyber-attackscanbesaidtobe76.8%,whichisconsideredan accept-ablelevelofresilience.

Thiswasfollowedbyresilienceassessmentatthe compo-nentlevel.Theresilienceoftheelement’srobustnessand re-coverabilityis83.5%and88.3%respectively,whichcanbe re-gardedasahighornear-highlevelofresilience.However,in termsoftheelement’sadaptability,thevalueis58.6%,which isalow,nearlyunsatisfactorylevel.Sincesomevariablesof thiscomponentshowverypoorparameters,substantially

re-ducingtheelement’sresilience,itisessentialthattherelevant areasoftheassessedelementberevised.

Thefinallevelisthelevelofvariables.Inthiscase,the re-silienceofmostofthevariablesis69%ormore,whichis con-sideredtobeanacceptablelevelorresilience.Crisis Prepared-ness(60%)andInnovationProcesses(60%)canberegardedas theweakestvariables,whileRiskManagementisatacritical levelofresiliencewithamere34%(seeTable3).Itis impor-tantthattheweakpointsintheelement’sresilienceare sub-sequentlyidentifiedwithrespecttothesevariables.Thistask involvesidentifyingthemeasurableitemsthatareat unsatis-factoryorcriticallevelsintheassessment(seeTable7).

Followingtheidentificationofweakpoints,itwillbe nec-essary to formulate a proposal for measures designed to strengthentheelement’sresilience.Withrespectto measur-ableitemsatanunsatisfactorylevelofresilience(pointscore 2),werecommendfocusingespeciallyonriskmanagement, wherethescenariosofindividualdisruptiveeventsneedto beelaboratedfurther.Conversely,measurableitemsassessed tobeatacriticallylowlevelofresilience(pointscore1)are ei-therentirelymissingorshowcriticallylowparameters.This concernsparticularlytheareaofincident reportingand ac-tivitiesrelated tothe element’sorganizationalresilience.It isimperativethattheseitemsarefullyrevisedandthe pro-cessoftheiradjustmentandrestorationisinitiatedassoonas possible.

(12)

Fig. 8 – Assessment of the element’s recoverability with respect to cyber-attacks. Legend: P =point element, A =areal element, L =line element.

5. Conclusion

TheCIERAquantitativemethodpresentedinthispaperhas beendesignedforCriticalInfrastructureElementsResilience Assessment.Themethodprimarilyreliesonthecomplex as-sessmentoftherobustness,recoverabilityandadaptabilityof elementsintechnicallyorientedsectorswithrespectto dis-ruptiveeventsofnaturogenic,technogenicandanthropogenic origin.Ittakesintoaccountthefunctional,structuraland per-formanceparametersoftheelementsbeingassessed,while facilitating the identification of the element’sweakpoints. When incorporated into the riskmanagement system,this typeofinformationwillproveusefulinproposing appropri-atemeasuresaimedatstrengtheningtheelement’sresilience. Thebenefitofthismethodisthatitallowsfortheassessment tobecarriedout atthelevelofthe particularelements,for elementresilienceisthefactordeterminingtheresilienceof highercriticalinfrastructuresubsystemsformedbythese el-ements.

TheCIERAmethodhasbeendesignedtoassessseparate elementsinacriticalinfrastructuresystem.Intermsof as-sessing criticalinfrastructureasa whole,itconstitutes the firststepinassessingtheresilienceofindividualsubsystems,

withdueconsiderationgiventothedeterminedlimiting con-ditions.Thisstepcanthereforebefollowedbyacomparative evaluation(orranking)ofelementswithintheoperator’s in-frastructure.Whilethemethodcanaidthisstepintheprocess byprovidingsomeusefuldata,itwillnotsolveitbyitself.For directcomparison,itwillbenecessarytoresolvetheissueof overcomingthedifferencesbetweenthevarioustypesof el-ementsintheoperatedinfrastructures(i.e.point,areal,line infrastructures),ortoaggregatetheassessmentsintodirectly comparableunits.

Thecasestudypresentedinthefinalpartofthepaper pro-videsanexample ofthe practicalapplication oftheCIERA method.Thecriticalinfrastructureelementbeingassessedis thecontrolroomofanundisclosedpowerdistribution com-pany.Astheassessmentresultsshow,theweakestareaisthe element’sorganizationalresilience,especiallywithregardto its staticorganizationalstructure,insufficientmanagement oforganizationalprocessesand verylowinvestmentin re-searchand developmentofprotectionmechanismsagainst cyber-attacks.Concerningtheelement’stechnicalresilience, theassessmentrevealedtheabsenceofanincidentreporting process,aninadequateriskmanagementpolicyand insuffi-cientspecificationofdisruptiveeventscenarios.

(13)

Fig. 9 – Assessment of the element’s adaptability with respect to cyber-attacks.

Fig. 10 – The resilience level of the assessed element.

Funding

ThearticlewassupportedbytheMinistryoftheInteriorofthe CzechRepublic[grantnumberVI20152019049].

references

[1] President’sCommissiononCriticalInfrastructureProtection. CriticalFoundations:ProtectingAmerica’sInfrastructures, TheWhiteHouse,Washington,DC,1997.

[2] A.Sarri,K.Moulinos,Stocktaking,Analysisand RecommendationsontheProtectionofCIIs,ENISA, Heraklion,2015.doi:10.2824/534303.

[3] ActNo.240/2000Coll.onCrisisManagementandon amendmentsofcertainacts(CrisisAct)asamended. [4] NationalInfrastructureAdvisoryCouncil.Critical

InfrastructureResilienceFinalReportand

Recommendations,U.S.DepartmentofHomelandSecurity, Washington,DC,2009.

[5] PresidentialPolicyDirective(PPD-21).CriticalInfrastructure SecurityandResilience,TheWhiteHouse,Washington,DC, 2013.

[6] F.Petit,G.Bassett,R.Black,W.Buehring,M.Collins,D. Dickinson,R.Fisher,R.Haffenden,A.Huttenga,M.Klett,J. Phillips,M.Thomas,S.Veselka,K.Wallace,R.Whitfield,J. Peerenboom,ResilienceMeasurementIndex:AnIndicatorof CriticalInfrastructureResilience,ArgonneNational

Laboratory,Chicago,IL,2013.

[7] T.Prior,MeasuringCriticalInfrastructureResilience:Possible Indicators(RiskandResilienceReport9),Eidgenössische TechnischeHochschule,Zurich,2015.

[8] G.Bertocchi,S.Bologna,G.Carducci,L.Carrozzi,S.Cavallini, A.Lazari,G.Oliva,A.Traballesi,GuidelinesforCritical InfrastructureResilienceEvaluation,ItalianAssociationof CriticalInfrastructures’Experts,Roma,2016.

[9] C.Nan,G.Sansavini,Aquantitativemethodforassessing resilienceofinterdependentinfrastructures,Reliability EngineeringandSystemSafety157(2017)35-53. doi:10.1016/j.ress.2016.08.013.

[10]A.Jovanovi´c,P.Klimek,A.Choudhary,N.Schmid,I.Linkov,K. Øien,M.Vollmer,AnalysisofExistingAssessmentResilience Approaches,IndicatorsandDataSources,Stuttgart,2018.

(14)

[11]B.Cai,M.Xie,Y.Liu,Y.Liu,Q.Feng,Availability-based engineeringresiliencemetricanditscorresponding evaluationmethodology,ReliabilityEngineering&System Safety172(2018)216-224.doi:10.1016/j.ress.2017.12.021. [12]I.Eusgeld,C.Nan,S.Dietz,“System-of-systems” approachfor

interdependentcriticalinfrastructures,Reliability EngineeringandSystemSafety96:6(2011)679-686. doi:10.1016/j.ress.2010.12.010.

[13]D.Rehak,J.Markuci,M.Hromada,K.Barcova,Quantitative EvaluationoftheSynergisticEffectsofFailuresinaCritical InfrastructureSystem,InternationalJournalofCritical InfrastructureProtection14(2016)3-17.

doi:10.1016/j.ijcip.2016.06.002.

[14]L.Labaka,J.Hernantes,J.M.Sarriegi,Aframeworktoimprove theresilienceofcriticalinfrastructures,InternationalJournal ofDisasterResilienceintheBuiltEnvironment6:4(2015) 409-423.

[15]GovernmentofCanada.ActionPlanforCritical

Infrastructure(2014-2017),PublicSafetyCanada,Ottawa, 2014.

[16]L.Dueñas-Osorio,J.I.Craig,B.J.Goodno,Seismicresponseof criticalinterdependentnetworks,EarthquakeEngineering& StructuralDynamics36:2(2007)285-306.doi:10.1002/eqe.626. [17]R.Guidotti,H.Chmielewski,V.Unnikrishnan,P.Gardoni,T.

McAllister,J.vandeLindt,Modelingtheresilienceofcritical infrastructure:Theroleofnetworkdependencies,

SustainableandResilientInfrastructure1:3–4(2016)153-168. doi:10.1080/23789689.2016.1254999.

[18]X.He,E.J.Cha,Modelingthedamageandrecoveryof interdependentcriticalinfrastructuresystemsfromnatural hazards,ReliabilityEngineering&SystemSafety177(2018) 162-175.doi:10.1016/j.ress.2018.04.029.

[19]X.He,E.J.Cha,Modelingthedamageandrecoveryof interdependentcivilinfrastructurenetworkusingDynamic IntegratedNetworkmodel,SustainableandResilient Infrastructure(2018)1-16.

doi:10.1080/23789689.2018.1448662.

[20]D.Rehak,P.Senovsky,S.Slivkova,ResilienceofCritical InfrastructureElementsanditsMainFactors,Systems6:2 (2018)21.doi:10.3390/systems6020021.

[21]C.S.Holling,ResilienceandStabilityofEcologicalSystems, AnnualReviewofEcologyandSystematics4(1973)1-23. doi:10.1146/annurev.es.04.110173.000245.

[22]D.Rehak,S.Slivkova,V.Brabcova,Evaluationtheresilienceof criticalinfrastructuresubsystems,in:M.Cepin,R.Bris(Eds.), SafetyandReliability– TheoryandApplication,CRCPress, BocaRaton,FL,2017,pp.955-962.

[23]D.Rehak,M.Hromada,FailuresinaCriticalInfrastructure System,in:T.Nakamura(Ed.),SystemofSystemFailures, IntechOpen,London,2018,pp.75-93.

doi:10.5772/intechopen.70446.

[24]M.Hromada,L.Lukas,M.Matejdes,J.Valouch,L.Necesal,R. Richter,F.Kovarik,SystemandMethodofAssessingCritical InfrastructureResilience,AssociationofFireandSafety Engineering,Ostrava,2013.(inCzech).

[25]IRDRDATAProjectWorkingGroup,PerilClassificationand HazardGlossary,IntegratedResearchonDisasterRiskIPO, Beijing,2014.

[26]S.M.Rinaldi,J.P.Peerenboom,T.K.Kelly,Identifying, UnderstandingandAnalyzingCriticalInfrastructure Interdependencies,IEEEControlSystemsMagazine21:6 (2001)11-25.doi:10.1109/37.969131.

[27]J.L.Carlson,R.A.Haffenden,G.W.Bassett,W.A.Buehring,M.J. CollinsIII,S.M.Folga,F.D.Petit,J.A.Phillips,D.R.Verner,R.G. Whitfield,Resilience:TheoryandApplication,Argonne NationalLaboratory,Lemont,IL,2012.doi:10.2172/1044521. [28]C.Béné,R.G.Wood,A.Newsham,M.Davies,Resilience:New

UtopiaorNewTyranny?ReflectionaboutthePotentialsand LimitsoftheConceptofResilienceinRelationto

VulnerabilityReductionProgrammes,IDSWorkingPapers 405(2012)1-61.doi:10.1111/j.2040-0209.2012.00405.x. [29]IEC31010,RiskManagement–RiskAssessmentTechniques,

InternationalElectrotechnicalCommission,Geneva, 2009.

[30]M.Hromada,Cascadeandsynergyeffectmodellingof interrelatedcriticalinfrastructuresub-sectors,VSB– TechnicalUniversityofOstrava,Ostrava,2016.(in Czech).

[31]V.Brabcova,S.Slivkova,D.Rehak,F.Toseroni,J.Havko, AssessingtheCascadingEffectofEnergyandTransport CriticalInfrastructureElements:CaseStudy,

Communications– ScientificLettersoftheUniversityof Žilina20:2(2018)8-15.

[32]Handbookonconstructingcompositeindicators: Methodologyanduserguide,OrganisationforEconomic Co-operationandDevelopment,Paris,2008.

[33]G.Munda,M.Nardo,Non-Compensatory/NonLinearIndexes forRankingCountries:ADefensibleSetting,Applied Economics41:12(2009)1513-1523.

doi:10.1080/00036840601019364.

[34]IEC60812,Analysistechniquesforsystemreliability– Procedureforfailuremodeandeffectsanalysis(FMEA), InternationalElectrotechnicalCommission,Geneva,2006. [35]L.A.Cox,What’sWrongwithRiskMatrices?RiskAnalysis 28:2(2008)497-512.doi:10.1111/j.1539-6924.2008.01030.x. [36]M.Grabinski,ManagementMethodsandTools,Gabler,