The development of civilization means that a single person cannot function in his own domain (as an individual or as a group) by undertaking supervision over his/her security, understood as an access to all goods – products and services that can guarantee basic human needs, for example, physiological or safety needs indicated in the Maslow’s Pyramid. It leads to the explanation why the society is more and more dependent on the condition of infrastructure, particularly critical infrastructure (CI).
CI has been widely described in the literature. In Poland, it is referred to systems and their functionally interconnected objects, equipment, installations, and services essential for the security of the state and its citizens to ensure the efficient functioning of the public administration, institutions, and businesses (Dz.U. 2019, Item 209, Article 3).
The law of the European Union defines CI as an asset, system, or part located in a member state, which is essential for the maintenance of vital societal functions, health, safety, security, or economy. Any destruction or disruption may have a significant negative impact on the security and the well-being of citizens (Council Directive 2008/114/WE, Article 2b). The US (United States) law defines CI as those systems and assets, whether physical or virtual, which are so vital to the USA that the incapacitation or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters (Presidential Policy Directive, 2013).
Regardless of the definition, CI entities are exposed to various types of threats related to human activities, natural disasters, and military, terrorist, or cyberspace attacks. Therefore, the ability to identify and predict threats toward CI entities and the capability to indicate how to proceed when they occur is nowadays a common subject of many research initiatives.
In the management of CI security, the following are currently observed:
lack of a common conceptual system that allows to determine the characteristics of CI and the exchange of information between the entities responsible for CI security, lack of a dedicated methodology for the management of CI security that allows to take actions to eliminate or mitigate the effects of adverse events Adverse event – an event resulting from the fulfillment of the threat, having negative effects on the organization, natural environment, or population. entities responsible for CI security do not include the risk of loss of CI functionality in protection activity planning process.
Hence, the goal of my work was to develop an integral model of CI security Integral model of CI security (IMCIS) – a set of concepts enabling model mapping of the CI situation, such as CI entities, recognition of adverse events, estimation of risk resulting from threats to which CI is vulnerable, and determination of the decision problem regarding CI security against the identified threats. Methodology of situational management of CI safety (MSMCIS) – a set of stages allowing for specifying the CI situation, estimating the risk value depending on the CI situation, and determining a decision problem aimed at identifying safeguards that maintain the availability of functionality above the safety threshold, where the results obtained from the recent stage constitute input data for the next stage.
Literature survey indicates a strong relationship between national security and the efficiency of CI, for which protective activities were planned as a part of the civil planning process (Fig. 1).
The civil planning process Civil planning – activities aimed at preparing public administration for crisis management and planning to support the Armed Forces of the Republic of Poland in the event of their use, and planning the use of the Armed Forces of the Republic of Poland to implement tasks in the field of crisis management (Dz.U., 2019, Item 209).
The civil planning process is supplemented by the crisis management process when the adverse event or crisis situation Crisis situation – a situation that has a negative effect on the level of people safety, property of significant size, or the environment, which causes significant limitation of the ability of the relevant public administration authorities to act due to inadequacy of the forces and measures in their possession (Dz.U., 2019, Item 1566, Article 3, Point 1).
The crisis management process consists of two periods and four phases:
Period of stabilization – includes the prevention and preparation phases. The stabilization period refers to entirety of organizational activities undertaken at all levels of public administration, including the preparation and implementation of measures to prevent threats, as well as the development and implementation of operational procedures:
prevention phase – focuses on eliminating or limiting the risk by implementation of safeguards against identified threats, preparation phase – includes activities to ensure protection against identified threats that cannot be avoided. Implementation period – includes the response and reconstruction phases. The implementation period covers all actions taken as a result of materialization of the threat that led to the emergence of a crisis situation and actions aimed at restoring the state from before materialization of the threat:
response phase – includes projects undertaken at the time of crisis, reconstruction phase – conducting activities that regulate living conditions in terms of returning to the desired state of functioning of the object under consideration.
Therefore, CI operators as well as entities involved in both processes at various administrative levels, and the Government Centre for Security (GCS), coordinating all activities related to CI protection, constitute a set of entities responsible for CI security (Table 1).
Entities responsible for CI security (
Local government level | State | Government Security Center (State level) | ||
Governmental Crisis Management Team (GCMT) | ||||
Province | ||||
Provincial Crisis Management Team (PCMT) | Provincial Center for Crisis Management | |||
District | ||||
District Crisis Management Team (DCMT) | District Center for Crisis Management | |||
Community | ||||
Commune Crisis Management Team (CCMT) | Commune Center for Crisis Management | |||
The level of the CI operator | Systems of CI | CI entities |
In addition, GCS is a point of information exchange between the CI of Poland and the European CI European CI – constitutes those designated critical infrastructures which are of the highest importance for the community and which, if disrupted or destroyed, would affect two or more MS, or a single member state if the critical infrastructure is located in another member state (Dz.U., 2019, Item 209, Article 3). differences in CI definitions, differences in the definition of CI protection, various lists of CI systems (Table 2), and lack of a dedicated methodology of CI security management.
List of CI systems in the EU and Poland (
European CI systems | Polish CI systems |
---|---|
Electricity Oil Gas Road transport Rail transport Air transport Inland waterways transport Ocean and short-sea shipping and ports | Energy, fuel and energy supply systems Communication systems Tele-information network systems Financial systems Food supply systems Water supply systems Health protection systems Transportation systems Rescue systems Systems ensuring the continuity of public administration activities Systems of production, storing and use of chemical and radioactive substances, including pipelines for hazardous substances |
The lack of this methodology, in the author’s opinion, is due to the lack of a well-defined pattern of CI characteristic, which refers to the Model of CI Situation.
In order to determine this pattern, the legal requirements of the civil planning and the crisis management processes were analyzed. It allowed indicating the canon of CI characterization (Fig. 3), which consists of data-describing resources, functionalities, threats, and security.
The CI characteristic canon is the major element of both IMCIS and MSMCIS. The analysis of national risk assessment methodologies for crisis management has been already implemented in Poland, German, Sweden, the Netherlands, Ireland, Canada, USA, and Australia.
Legal requirements of EUCPM (European Civil Protection Mechanism), the civilian planning, and crisis management processes allowed to indicate (Fig. 4):
stages of the MSMCIS – rectangles, elements of the IMCIS, which are the vital utilities for the methodology – circles.
The IMCIS is divided into four parts: Model of CI Situation, Method of Adverse Events Scenario Generation, Method of Risk Estimation, and Method of Decision Problem Determination.
The Model of CI Situation (Fig. 5), based on Kłykov’s Model of Situation (Kłykow and Jurek, 1988, pp.71–73), was implemented into the canon of CI characterization (Fig. 3) and made up for CI set and threat dependencies (Eq. 1):
V – is considered CI, Ф – is a set of CI functionalities, Z – a set of threats, H – a set of excitation of threats, M – a set of security, G – a set of CI dependencies between CI entities, and T – is the moment of determining CI characteristic.
All elements included in this model are connected to each other, as depicted in a relational database (Fig. 6). Each element has been written up with a set of attributes that are required to perform the model’s methods. Moreover, elements of the CI situation model can be described with additional attributes required by applicable national or international law.
The Model of CI Situation provides data, which allows determining the level of the risk resulting from threats. The Method of Risk Estimation, which has been developed (Eq. 2), is based on the classic risk pattern, which was implemented to the canon of CI characteristics.
α - is the CI index, β - the index of threat, γ - the index of functionality of the considered CI, Rα,β - the level of risk [0..100]%, Pα,β - the probability of β threat on the scale [0..1], Uα,β - the CI vulnerability to β threat on the scale [0..1], ΔΦα,γ - the effect of β threat occurrence [0..100]%, and Mα,β - is the impact of security on vulnerability of CI to β threat on a scale [0..1].
This allows us to describe the risk of losing functionality depending on:
the probability of a threat occurring; losing functionality, which is caused by threat occurrence; CI vulnerability; and
the impact of applied securities for CI resistance.
Computing the risk of losing functionality allows determining the future level of functionality after threat occurrence. This can be done by subtraction of the risk of losing functionality from the current level of functionality value (Eq. 3):
Φα,γ(tn+1) - is the expected level of functionality at the moment tn+1, Φα,γ(tn) - the measured/estimated functional level at the moment tn resulting from the Model of CI Situation, and RΦα,γ(tn) - is the level of risk of losing functionality at the considered moment tn.
In consequence, it is possible to determinate the threshold of CI security (Eq. 4). The security threshold has to be greater than the level of functionality, which assumes threat occurrence.
If the threshold of CI security is not achieved, the CI operator is required to formulate a decision problem, whose solution will allow identification of the safeguards limiting the risk value to an acceptable level.
The Method of Adverse Event Scenario Generation allows to create a model of dependence between CIs and the considered threats (Fig. 7).
It enables:
to examine whether the Model of CI Situation contains all threats to which the CI is exposed, and to generate adverse event scenario which may occur in the considered CI.
Determination of The method of Problem Decision is the last method of the IMCIS. It allows to determine decision areas resulting from threats to which CI is exposed. Then, it is possible to establish the relation between contradictions and elementary decisions. Those elements connected to the edge (Fig. 8) cannot be together in one solution to the decision problem.
The decision problem can be solved by indicating all combinations of elementary decisions, one from each decision area (Eq. 5) (Wiśniewski, 2019, p.75).
α - is the CI index, β - the index of threat, i - the number of all available security, and j - is the number of threats to which the CI is vulnerable.
Subsequently, the cost assessment of all combinations can be estimated, and it makes a base for determining which decision is desired by the CI operator (Fig. 9).
Making a decision allows to calculate the risk of losing functionality which is included into account new security. Consequently, the new level of functionality can be estimated. It shows whether the required safety threshold has been reached.
Development of the integral CI security model allowed to specify the stages of the Methodology of Situational Management of CI Security (Fig. 4).
Each of the seven stages is described in Table 3, which contains:
goal of the stage, utilities supporting execution of the stage, input data for the stage, output data for the stage, and procedure of stage execution.
An example of synthetic characteristics of the stage of MSMCIS (
The name of the stage | Establishment of a team | ||
---|---|---|---|
The goal of the stage | Used utilities | Input data | Output data |
Establishment of the list of members in the analytical team responsible for CI security | Model of CI situation | Characteristics of CI | List of analytical team members |
Procedure | analysis of stakeholders considered IK and selection of team members evaluation of matrix of analytical team competence |
MSMCIS was supplemented by two procedures of its execution, for the case of flat and hierarchical decision problems (Fig. 10).
A flat decision problem assumes that the choice of using additional security is made only on one decision level, for example, by the CI operator. The hierarchical decision problem assumes that the decision on additional security involves at least two decision levels, for example, the CI operator has to consult his decision with the commune authorities.
The case of a hierarchical decision problem requires executive iteration computing, which is illustrated in Fig. 10 by grey.
The MSMCIS has been evaluated on the basis of two computational experiments. The first experiment was built on a flat decision problem and the second one using a hierarchical decision problem.
The object taken under investigation in this study was the Refinery PKN ORLEN Inc. in Płock. Data were obtained from the Crisis Management Plan of Płock (Plan Zarządzania Kryzysowego Powiatu Płockiego, 2015) district and the ORLEN Group Integrated Report (Raport Zintegrowany Grupy ORLEN, 2106). A list of CI entities, their functionality, threats, and safeguards was established by the Crisis Management Plan. The ORLEN Group Integrated Report allowed to determine the level of functionality performed by the analyzed object. Based on the available data, the author was able to evaluate the following:
stage of CI characteristics determination, stage of risk estimation, stage of adverse event scenario generation, and stage of decision problem determination.
It is also worth to clarify that as a refinery in Płock, we understand actually three different entities:
Refinery Orglan Inc., Basell Orlen Poliolefins Ltd, and Production Facility Orlen Oil Ltd.
These enterprises are managed by three CI operators, and their characteristic according to the Model of CI Situation is presented in Table 4.
Synthetic record of the situation of the Refinery ORLEN inc., the Basell Orlen Polyolefins ltd. and the Production Facility Orlen Oil ltd (
CI | Functionalities | Threats | Vulnerability | |||||||
---|---|---|---|---|---|---|---|---|---|---|
Mark | Value of functionality | Mark | Type | Excited threat | Probability | Effect | Mark | Degree of reduction of vulnerability | ||
V1 | Φ1,1 | 93% | Z1,1 | IN | explosion, environmental contamination | 0.7 | −47% (Φ1,1) | M1,1,1 | 0.46 | 0.88 |
−37% (Φ1,2) | ||||||||||
−13% (Φ1,3) | M1,1,2 | 0.31 | ||||||||
Φ1,2 | 93% | Z1,2 | IN | fire | 0.56 | −42% (Φ1,1) | M1,2,1 | 0.16 | 0.31 | |
−36% (Φ1,2) | ||||||||||
−46% (Φ1,3) | ||||||||||
Φ1,3 | 93% | Z1,3 | IN | - | 0.81 | −9% (Φ1,1) | M1,3,1 | 0.16 | 0.31 | |
−9% (Φ1,3) | ||||||||||
V2 | Φ2,1 | 93% | Z2,1 | IN | explosion, environmental contamination | 0.42 | –94% (Φ2,1) | M2,1,1 | 0.27 | 0.56 |
M2,1,2 | 0.18 | |||||||||
Z2,2 | IN | fire | 0.35 | −48% (Φ2,1) | M2,2,1 | 0.17 | 0.94 | |||
Z2,3 | IN | - | 0.61 | −5% (Φ2,1) | M2,3,1 | 0.52 | 0.82 | |||
V3 | Φ3,1 | 93% | Z3,1 | IN | explosion, environmental contamination | 0.58 | −55% (Φ3,1) | M3,1,1 | 0.05 | 0.92 |
−34% (Φ3,2) | ||||||||||
−65% (Φ3,3) | M3,1,2 | 0.75 | ||||||||
Φ3,2 | 93% | Z3,2 | IN | fire | 0.52 | −41% (Φ3,1) | M3,2,1 | 0.14 | 0.83 | |
−27% (Φ3,2) | ||||||||||
−38% (Φ3,3) | ||||||||||
Φ3,3 | 93% | Z3,3 | IN | - | 0.49 | −18% (Φ3,1) | M3,3,1 | 0.26 | 0.36 | |
−19% (Φ3,2) | ||||||||||
−15% (Φ3,3) |
Based on the situation of the entities of CI under consideration, the risk of losing functionality was computed (Table 5) for all functionalities of the entities.
Synthetic record of the risk of functionality loss for considered CI entities (
CI | Threat | Probability | Effect | Vulnerability | Safeguard | Inherent risk | Residual risk | |
---|---|---|---|---|---|---|---|---|
Vα | Zα,β | P | Φα,γ | ΔΦα,γ | Uα,β | Mα,β | Ri | Rr |
V1 | Z1,1 | 0.7 | Φ1,1 | 47% | 0.88 | 0.77 | 28.95% | 3.62% |
Φ1,2 | 37% | 22.79% | 2.85% | |||||
Φ1,3 | 13% | 8.01% | 1.00% | |||||
Z1,2 | 0.56 | Φ1,1 | 42% | 0.81 | 0.16 | 19.05% | 15.29% | |
Φ1,2 | 39% | 17.69% | 14.20% | |||||
Φ1,3 | 46% | 20.87% | 16.74% | |||||
Z1,3 | 0.81 | Φ1,1 | 9% | 0.31 | 0.16 | 2.26% | 1.09% | |
Φ1,3 | 9% | 2.26% | 1.09% | |||||
Sum of risk for | Φ1,1 | 50.26% | 20.00% | |||||
Φ1,2 | 40.48% | 17.05% | ||||||
Φ1,3 | 31.13% | 18.84% | ||||||
V2 | Z2,1 | 0.42 | Φ2,1 | 94% | 0.56 | 0.45 | 22.11% | 4.34% |
Z2,2 | 0.35 | Φ2,1 | 48% | 0.91 | 0.17 | 15.29% | 12.43% | |
Z2,3 | 0.61 | Φ2,1 | 5% | 0.82 | 0.52 | 2.50% | 0.92% | |
Sum of risk for | Φ2,2 | 39.90% | 17.69% | |||||
V3 | Z3,1 | 0.58 | Φ3,1 | 55% | 0.92 | 0.8 | 29.35% | 3.83% |
Φ3,2 | 34% | 18.14% | 2.37% | |||||
Φ3,3 | 65% | 34.68% | 4.52% | |||||
Z3,2 | 0.52 | Φ3,1 | 41% | 0.83 | 0.14 | 17.70% | 14.71% | |
Φ3,2 | 27% | 11.65% | 9.69% | |||||
Φ3,3 | 38% | 16.40% | 13.63% | |||||
Z3,3 | 0.49 | Φ3,1 | 18% | 0.36 | 0.26 | 3.18% | 0.88% | |
Φ3,2 | 19% | 3.35% | 0.93% | |||||
Φ3,3 | 15% | 2.65% | 0.74% | |||||
Sum of risk for | Φ3,1 | 50.22% | 19.42% | |||||
Φ3,2 | 33.15% | 12.99% | ||||||
Φ3,3 | 53.73% | 18.89% |
Next, a model of CI entities’ dependence was developed (Fig. 11) and calculations for a 1000 random cases of threats excitation were performed.
Based on available data, 93 adverse event scenarios were obtained, of which 61 scenarios had a negative impact on at least one CI under consideration and 32 scenarios did not have a negative impact on CI entities. To conclude, in terms of the analyzed cases, the security used has been sufficient.
A flat decision problem was indicated for a 20% risk of losing oil-processing functionality (Table 5). The functionality was exposed to three threats: fire, explosion, and environmental contamination. Hence, the decision problem includes three decision areas (Fig. 12). Additional security for these threats comes from the Lotos refinery where they are used (Informacja dotycząca sposobu ostrzegania i postępowania społeczeństwa w przypadku wystapienia poważnnej awarii przemysłowej dla grupy Lotos S.A., access 04.04.2018).
The solution of the decision problem allowed indicating a set of three additional securities, which were used for achieving the assumed security threshold.
Indicated safeguards reduce the level of the risk for the considered functionality from 20% to slightly over 2%. Furthermore, the indicated security has also reduced the risk of losing other functionalities of the considered CI (Table 6). Implementation of additional securities determines the new situation of the Orlen refinery.
Synthetic record of the risk of functionality loss for considered CI entities after adding new safeguards (
CI | Threat | Probability | Effect | Vulnerability | Safeguard | Inherent risk | Residual risk | |
---|---|---|---|---|---|---|---|---|
Vα | Zα,β | P | Φα,γ | ΔΦα,γ | Uα,β | ΣMα,β,λ | Ri | Rr |
V1 | Z1,1 | 0.7 | Φ1,1 | 47% | 0.88 | 0.88 | 28.95% | 0.00% |
Φ1,2 | 37% | 22.79% | 0.00% | |||||
Φ1,3 | 13% | 8.01% | 0.00% | |||||
Z1,2 | 0.56 | Φ1,1 | 42% | 0.81 | 0.72 | 19.05% | 2.12% | |
Φ1,2 | 39% | 17.69% | 1.97% | |||||
Φ1,3 | 46% | 20.87% | 2.32% | |||||
Z1,3 | 0.81 | Φ1,1 | 9% | 0.31 | 0.29 | 2.26% | 0.15% | |
Φ1,3 | 9% | 2.26% | 0.15% | |||||
Sum of risk for | Φ1,1 | 50.26% | 2.26% | |||||
Φ1,2 | 40.48% | 1.97% | ||||||
Φ1,3 | 31.13% | 2.46% |
For the following case, a hierarchical decision problem, the decision problem was followed by one of the adverse event scenarios, which may occur at the ORLEN refinery. The scenario assumes that the Refinery ORLEN Inc. and the Production Facility Orlen Oil Ltd are affected by fire, environmental contamination, and explosion.
Additionally, an assumption was made – the authorities of Płock city will co-finance a set of security, what can minimize the risk of losing functionality of the considered CI entities.
CI operators may use three alternative securities for each threat. Therefore, the operator of the Production Facility Orlen Oil Ltd has three alternative securities to choose and the ORLEN refinery operator has nine alternative scenarios. The authorities of Płock City have 27 opportunities to choose (Fig. 13).
Decision problem’s solution at successive decision levels, starting from the CI level, allowed for computing of the cost assessment at the level of city authorities (Fig. 14).
DC10 decision has the highest assessment cost, and therefore is desirable for implementation by all the city authorities. Decision at the level of city authorities indicates elementary decisions at the level of the CI operator and CI level – elements of the decision taken Fig. 13.
Results of presented experiments were used to confirm the utility of the methodology of the situational management CI security for the entities responsible for CI security in the areas of:
determination of the CI characteristics, risk estimation, adverse event scenario generation, and decision problem determination.
It was proved that the MSMCIS should be used for civil planning and crisis management processes in Poland.
The most important theoretical conclusions of the study are:
indication of the CI characteristic canon, which is based on a risk assessment method for the crisis management (utilized in Poland, USA, Canada, Australia, and selected EU countries), development of the CI Situation Model (based on the CI canon), which allows determining the CI characteristics, and development of methods based on data collected in the CI Situation Model: Method of Adverse Events Scenario Generation, Method of Risk Estimation, and Method of Decision Problem Determination.
The most important practical conclusions are:
development and evaluation of the MSMCIS, which may be used in civil planning process and crisis management in Poland, and development of two procedures of this methodology for the cases of flat and hierarchical decision problems.