Open Access

Methodology of Situational Management of Critical Infrastructure Security



Introduction

The development of civilization means that a single person (as an individual or as a group) can no longer oversee his or her own security alone, where security is understood as access to all goods (products and services) that meet basic human needs, for example, the physiological or safety needs indicated in Maslow’s pyramid. This explains why society is increasingly dependent on the condition of infrastructure, particularly critical infrastructure (CI).

CI has been widely described in the literature. In Poland, it refers to systems and their functionally interconnected objects, equipment, installations, and services essential for the security of the state and its citizens and for ensuring the efficient functioning of the public administration, institutions, and businesses (Dz.U. 2019, Item 209, Article 3).

The law of the European Union defines CI as an asset, system, or part thereof located in a member state, which is essential for the maintenance of vital societal functions, health, safety, security, or economy. Any destruction or disruption may have a significant negative impact on the security and the well-being of citizens (Council Directive 2008/114/EC, Article 2b). US (United States) law defines CI as those systems and assets, whether physical or virtual, which are so vital to the USA that the incapacitation or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters (Presidential Policy Directive, 2013).

Regardless of the definition, CI entities are exposed to various types of threats related to human activities, natural disasters, and military, terrorist, or cyberspace attacks. Therefore, the ability to identify and predict threats toward CI entities and the capability to indicate how to proceed when they occur is nowadays a common subject of many research initiatives.

In the management of CI security, the following are currently observed:

lack of a common conceptual system that makes it possible to determine the characteristics of CI and to exchange information between the entities responsible for CI security,

lack of a dedicated methodology for the management of CI security that makes it possible to take actions to eliminate or mitigate the effects of adverse events (adverse event – an event resulting from the fulfillment of the threat, having negative effects on the organization, natural environment, or population), and

entities responsible for CI security do not include the risk of loss of CI functionality in the protection activity planning process.

Hence, the goal of my work was to develop an integral model of CI security (IMCIS), which is vital to the methodology of situational management of CI security (MSMCIS), which makes it possible to determine the characteristics of CI and make decisions regarding CI protection at the level of CI operators and local and central administration.

Integral model of CI security (IMCIS) – a set of concepts enabling model mapping of the CI situation, such as CI entities, recognition of adverse events, estimation of risk resulting from threats to which CI is vulnerable, and determination of the decision problem regarding CI security against the identified threats.

Methodology of situational management of CI safety (MSMCIS) – a set of stages allowing for specifying the CI situation, estimating the risk value depending on the CI situation, and determining a decision problem aimed at identifying safeguards that maintain the availability of functionality above the safety threshold, where the results obtained from the preceding stage constitute input data for the next stage.

Conditions for managing the CI security in Poland and the European Union

Literature survey indicates a strong relationship between national security and the efficiency of CI, for which protective activities were planned as a part of the civil planning process (Fig. 1).

Figure 1

Dependence between national security, civil planning, and critical infrastructure (Source: Wiśniewski, 2019, p.14)

The civil planning process is implemented as a part of the civil planning cycle, which involves six stages, at least once in every 2 years (Fig. 2).

Civil planning – activities aimed at preparing public administration for crisis management and planning to support the Armed Forces of the Republic of Poland in the event of their use, and planning the use of the Armed Forces of the Republic of Poland to implement tasks in the field of crisis management (Dz.U., 2019, Item 209).

Figure 2

The civil planning cycle (Source: Dz.U., 2019, Item 209)

The civil planning process is supplemented by the crisis management process when the adverse event or crisis situation occurs.

Crisis situation – a situation that has a negative effect on the level of people safety, property of significant size, or the environment, which causes significant limitation of the ability of the relevant public administration authorities to act due to inadequacy of the forces and measures in their possession (Dz.U., 2019, Item 1566, Article 3, Point 1).

The crisis management process consists of two periods and four phases:

Period of stabilization – includes the prevention and preparation phases. The stabilization period refers to the entirety of organizational activities undertaken at all levels of public administration, including the preparation and implementation of measures to prevent threats, as well as the development and implementation of operational procedures:

prevention phase – focuses on eliminating or limiting the risk by implementation of safeguards against identified threats,

preparation phase – includes activities to ensure protection against identified threats that cannot be avoided.

Implementation period – includes the response and reconstruction phases. The implementation period covers all actions taken as a result of materialization of the threat that led to the emergence of a crisis situation and actions aimed at restoring the state from before materialization of the threat:

response phase – includes projects undertaken at the time of crisis,

reconstruction phase – conducting activities that regulate living conditions in terms of returning to the desired state of functioning of the object under consideration.

Therefore, CI operators as well as entities involved in both processes at various administrative levels, and the Government Centre for Security (GCS), coordinating all activities related to CI protection, constitute a set of entities responsible for CI security (Table 1).

Table 1

Entities responsible for CI security (Source: Wiśniewski, 2019, p.19)

Local government level:

State – The Council of Ministers; Government Security Center (State level); Governmental Crisis Management Team (GCMT)

Province – Voivod; Provincial Crisis Management Team (PCMT); Provincial Center for Crisis Management

District – District officer; District Crisis Management Team (DCMT); District Center for Crisis Management

Community – Mayor / Mayor of the city; Commune Crisis Management Team (CCMT); Commune Center for Crisis Management

The level of the CI operator:

Systems of CI; CI entities

In addition, GCS is a point of information exchange between the CI of Poland and the European CI.

European CI – constitutes those designated critical infrastructures which are of the highest importance for the community and which, if disrupted or destroyed, would affect two or more member states, or a single member state if the critical infrastructure is located in another member state (Dz.U., 2019, Item 209, Article 3).

These entities have to agree on CI protection plans including:

differences in CI definitions,

differences in the definition of CI protection,

various lists of CI systems (Table 2), and

lack of a dedicated methodology of CI security management.

Table 2

List of CI systems in the EU and Poland (Source: Dz.U.UE., 2008, No. 345, Item 75, Article 2b; Dz.U., 2019, Item 209, Article 3, Point 2)

| European CI systems | Polish CI systems |
| --- | --- |
| Electricity | Energy, fuel and energy supply systems |
| Oil | Communication systems |
| Gas | Tele-information network systems |
| Road transport | Financial systems |
| Rail transport | Food supply systems |
| Air transport | Water supply systems |
| Inland waterways transport | Health protection systems |
| Ocean and short-sea shipping and ports | Transportation systems |
|  | Rescue systems |
|  | Systems ensuring the continuity of public administration activities |
|  | Systems of production, storing and use of chemical and radioactive substances, including pipelines for hazardous substances |

The lack of this methodology, in the author’s opinion, is due to the lack of a well-defined pattern of CI characteristic, which refers to the Model of CI Situation.

In order to determine this pattern, the legal requirements of the civil planning and the crisis management processes were analyzed. This made it possible to indicate the canon of CI characterization (Fig. 3), which consists of data describing resources, functionalities, threats, and security.

Figure 3

The canon of CI characterization (Source: Wiśniewski and Ostrowska, 2016, pp.118–119)

The CI characteristic canon is the major element of both IMCIS and MSMCIS. The analysis of national risk assessment methodologies for crisis management has already been implemented in Poland, Germany, Sweden, the Netherlands, Ireland, Canada, USA, and Australia.

Legal requirements of EUCPM (European Civil Protection Mechanism), the civilian planning, and crisis management processes allowed to indicate (Fig. 4):

stages of the MSMCIS – rectangles,

elements of the IMCIS, which are the vital utilities for the methodology – circles.

Figure 4

Dependence of the MSMCIS steps on IMCIS elements (Source: Wiśniewski, 2019, p.24)

The Integral Model of CI Safety

The IMCIS is divided into four parts: Model of CI Situation, Method of Adverse Events Scenario Generation, Method of Risk Estimation, and Method of Decision Problem Determination.

The Model of CI Situation (Fig. 5), based on Kłykov’s Model of Situation (Kłykow and Jurek, 1988, pp.71–73), was adapted to the canon of CI characterization (Fig. 3) and supplemented with CI and threat dependencies (Eq. 1):

$$\langle V,\ \Phi,\ Z,\ H,\ M,\ G,\ T \rangle \qquad (1)$$

where:

$V$ – is the considered CI,

$\Phi$ – is a set of CI functionalities,

$Z$ – a set of threats,

$H$ – a set of excitation of threats,

$M$ – a set of security,

$G$ – a set of CI dependencies between CI entities, and

$T$ – is the moment of determining CI characteristic.

Figure 5

An example of a graphic illustration of the dependence of CI entities (Source: Wiśniewski, 2019, p.52)

All elements included in this model are connected to each other, as depicted in a relational database (Fig. 6). Each element has been written up with a set of attributes that are required to perform the model’s methods. Moreover, elements of the CI situation model can be described with additional attributes required by applicable national or international law.

Figure 6

Dependencies of elements of the CI situation model (Source: Wiśniewski, 2019, pp.53–55)

The Model of CI Situation provides data, which allows determining the level of the risk resulting from threats. The Method of Risk Estimation, which has been developed (Eq. 2), is based on the classic risk pattern, which was implemented to the canon of CI characteristics:

$$R_{\alpha,\beta} = P_{\alpha,\beta} \cdot |\Delta\Phi_{\alpha,\gamma}| \cdot (U_{\alpha,\beta} - M_{\alpha,\beta}) \qquad (2)$$

where:

$\alpha$ - is the CI index,

$\beta$ - the index of threat,

$\gamma$ - the index of functionality of the considered CI,

$R_{\alpha,\beta}$ - the level of risk [0..100]%,

$P_{\alpha,\beta}$ - the probability of $\beta$ threat on the scale [0..1],

$U_{\alpha,\beta}$ - the CI vulnerability to $\beta$ threat on the scale [0..1],

$\Delta\Phi_{\alpha,\gamma}$ - the effect of $\beta$ threat occurrence [0..100]%, and

$M_{\alpha,\beta}$ - is the impact of security on vulnerability of CI to $\beta$ threat on a scale [0..1].

This allows us to describe the risk of losing functionality depending on:

the probability of a threat occurring;

losing functionality, which is caused by threat occurrence;

CI vulnerability; and

the impact of applied securities for CI resistance.

Computing the risk of losing functionality allows determining the future level of functionality after threat occurrence. This can be done by subtracting the risk of losing functionality from the current level of functionality (Eq. 3):

$$\Phi_{\alpha,\gamma}(t_{n+1}) = \Phi_{\alpha,\gamma}(t_n) - R_{\Phi_{\alpha,\gamma}}(t_n) \qquad (3)$$

where:

$\Phi_{\alpha,\gamma}(t_{n+1})$ - is the expected level of functionality at the moment $t_{n+1}$,

$\Phi_{\alpha,\gamma}(t_n)$ - the measured/estimated functional level at the moment $t_n$ resulting from the Model of CI Situation, and

$R_{\Phi_{\alpha,\gamma}}(t_n)$ - is the level of risk of losing functionality at the considered moment $t_n$.

In consequence, it is possible to determine the threshold of CI security (Eq. 4). The level of functionality expected after threat occurrence has to stay at or above the security threshold:

$$\Phi^{PB} \le \Phi_{\alpha,\gamma}(t_n) - R_{\Phi_{\alpha,\gamma}}(t_n) \qquad (4)$$

If the threshold of CI security is not achieved, the CI operator is required to formulate a decision problem, whose solution will allow identification of the safeguards limiting the risk value to an acceptable level.

The Method of Adverse Event Scenario Generation allows to create a model of dependence between CIs and the considered threats (Fig. 7).

Figure 7

Example of identification of CI dependencies in the considered model

Note: Ellipses are CIs (Vα), rectangles are threats (Zα,β), full arrows mean the dependencies of the considered CI (Gn), and dashed arrows mean threats’ excitation (Hn).

(Source: Wiśniewski, 2019, p.63)

It makes it possible:

to examine whether the Model of CI Situation contains all threats to which the CI is exposed, and

to generate adverse event scenarios which may occur in the considered CI.

The Method of Decision Problem Determination is the last method of the IMCIS. It makes it possible to determine decision areas resulting from threats to which CI is exposed. Then, it is possible to establish the relation between contradictions and elementary decisions. Elements connected by an edge (Fig. 8) cannot appear together in one solution to the decision problem.

Figure 8

An example of decision problem (Source: Own elaboration)

The decision problem can be solved by indicating all combinations of elementary decisions, one from each decision area (Eq. 5) (Wiśniewski, 2019, p.75):

$$\begin{matrix}
Z_{\alpha,\beta} & \{M_{\alpha,\beta,1}, & M_{\alpha,\beta,\lambda+1}, & \ldots, & M_{\alpha,\beta,i}\} \\
Z_{\alpha,\beta+1} & \{M_{\alpha,\beta+1,1}, & M_{\alpha,\beta+1,\lambda+1}, & \ldots, & M_{\alpha,\beta+1,i}\} \\
\ldots & \{\ldots, & \ldots, & \ldots, & \ldots\} \\
Z_{\alpha,j} & \{M_{\alpha,j,1}, & M_{\alpha,j,\lambda+1}, & \ldots, & M_{\alpha,j,i}\}
\end{matrix} \qquad (5)$$

where:

$\alpha$ - is the CI index,

$\beta$ - the index of threat,

$i$ - the number of all available security, and

$j$ - is the number of threats to which the CI is vulnerable.

Subsequently, the cost assessment of all combinations can be estimated, and it makes a base for determining which decision is desired by the CI operator (Fig. 9).

Figure 9

An example of calculating the value of solution cost for a decision problem (Source: Own elaboration)

Making a decision makes it possible to calculate the risk of losing functionality that takes the new security into account. Consequently, the new level of functionality can be estimated. It shows whether the required safety threshold has been reached.

The Methodology of Situational Management of CI Security

Development of the integral CI security model allowed to specify the stages of the Methodology of Situational Management of CI Security (Fig. 4).

Each of the seven stages is described in Table 3, which contains:

goal of the stage,

utilities supporting execution of the stage,

input data for the stage,

output data for the stage, and

procedure of stage execution.

Table 3

An example of synthetic characteristics of the stage of MSMCIS (Source: Wiśniewski, 2019, p.86)

The name of the stage: Establishment of a team

| The goal of the stage | Used utilities | Input data | Output data |
| --- | --- | --- | --- |
| Establishment of the list of members in the analytical team responsible for CI security | Model of CI situation; Matrix of competence | Characteristics of CI; List of CI stakeholders | List of analytical team members |

Procedure:

analysis of stakeholders of the considered CI and selection of team members

evaluation of matrix of analytical team competence

MSMCIS was supplemented by two procedures of its execution, for the case of flat and hierarchical decision problems (Fig. 10).

Figure 10

Procedures for implementing the MSMCIS (Source: Wiśniewski, 2019, p.92 and p.94)

A flat decision problem assumes that the choice of using additional security is made only on one decision level, for example, by the CI operator. The hierarchical decision problem assumes that the decision on additional security involves at least two decision levels, for example, the CI operator has to consult his decision with the commune authorities.

The case of a hierarchical decision problem requires iterative computation, which is marked in grey in Fig. 10.

The MSMCIS has been evaluated on the basis of two computational experiments. The first experiment was built on a flat decision problem and the second one using a hierarchical decision problem.

The object taken under investigation in this study was the Refinery PKN ORLEN Inc. in Płock. Data were obtained from the Crisis Management Plan of Płock (Plan Zarządzania Kryzysowego Powiatu Płockiego, 2015) district and the ORLEN Group Integrated Report (Raport Zintegrowany Grupy ORLEN, 2106). A list of CI entities, their functionality, threats, and safeguards was established by the Crisis Management Plan. The ORLEN Group Integrated Report allowed to determine the level of functionality performed by the analyzed object. Based on the available data, the author was able to evaluate the following:

stage of CI characteristics determination,

stage of risk estimation,

stage of adverse event scenario generation, and

stage of decision problem determination.

It is also worth clarifying that the refinery in Płock actually comprises three different entities:

Refinery ORLEN Inc.,

Basell Orlen Polyolefins Ltd, and

Production Facility Orlen Oil Ltd.

These enterprises are managed by three CI operators, and their characteristic according to the Model of CI Situation is presented in Table 4.

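Table 4

Synthetic record of the situation of the Refinery ORLEN Inc., the Basell Orlen Polyolefins Ltd, and the Production Facility Orlen Oil Ltd (Source: Wiśniewski, 2019, p.104)

| CI | Functionality: mark | Functionality: value | Threat: mark | Threat: type | Threat: excited threat | Threat: probability | Threat: effect | Vulnerability: mark | Vulnerability: degree of reduction of vulnerability | Vulnerability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| V1 | Φ1,1 | 93% | Z1,1 | IN | explosion, environmental contamination | 0.7 | −47% (Φ1,1) | M1,1,1 | 0.46 | 0.88 |
|  |  |  |  |  |  |  | −37% (Φ1,2) |  |  |  |
|  |  |  |  |  |  |  | −13% (Φ1,3) | M1,1,2 | 0.31 |  |
|  | Φ1,2 | 93% | Z1,2 | IN | fire | 0.56 | −42% (Φ1,1) | M1,2,1 | 0.16 | 0.31 |
|  |  |  |  |  |  |  | −36% (Φ1,2) |  |  |  |
|  |  |  |  |  |  |  | −46% (Φ1,3) |  |  |  |
|  | Φ1,3 | 93% | Z1,3 | IN | - | 0.81 | −9% (Φ1,1) | M1,3,1 | 0.16 | 0.31 |
|  |  |  |  |  |  |  | −9% (Φ1,3) |  |  |  |
| V2 | Φ2,1 | 93% | Z2,1 | IN | explosion, environmental contamination | 0.42 | −94% (Φ2,1) | M2,1,1 | 0.27 | 0.56 |
|  |  |  |  |  |  |  |  | M2,1,2 | 0.18 |  |
|  |  |  | Z2,2 | IN | fire | 0.35 | −48% (Φ2,1) | M2,2,1 | 0.17 | 0.94 |
|  |  |  | Z2,3 | IN | - | 0.61 | −5% (Φ2,1) | M2,3,1 | 0.52 | 0.82 |
| V3 | Φ3,1 | 93% | Z3,1 | IN | explosion, environmental contamination | 0.58 | −55% (Φ3,1) | M3,1,1 | 0.05 | 0.92 |
|  |  |  |  |  |  |  | −34% (Φ3,2) |  |  |  |
|  |  |  |  |  |  |  | −65% (Φ3,3) | M3,1,2 | 0.75 |  |
|  | Φ3,2 | 93% | Z3,2 | IN | fire | 0.52 | −41% (Φ3,1) | M3,2,1 | 0.14 | 0.83 |
|  |  |  |  |  |  |  | −27% (Φ3,2) |  |  |  |
|  |  |  |  |  |  |  | −38% (Φ3,3) |  |  |  |
|  | Φ3,3 | 93% | Z3,3 | IN | - | 0.49 | −18% (Φ3,1) | M3,3,1 | 0.26 | 0.36 |
|  |  |  |  |  |  |  | −19% (Φ3,2) |  |  |  |
|  |  |  |  |  |  |  | −15% (Φ3,3) |  |  |  |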

Based on the situation of the entities of CI under consideration, the risk of losing functionality was computed (Table 5) for all functionalities of the entities.

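Table 5

Synthetic record of the risk of functionality loss for considered CI entities (Source: Wiśniewski, 2019, p.105)

| CI (Vα) | Threat (Zα,β) | Probability (P) | Effect (Φα,γ) | Effect (ΔΦα,γ) | Vulnerability (Uα,β) | Safeguard (Mα,β) | Inherent risk (Ri) | Residual risk (Rr) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| V1 | Z1,1 | 0.7 | Φ1,1 | 47% | 0.88 | 0.77 | 28.95% | 3.62% |
|  |  |  | Φ1,2 | 37% |  |  | 22.79% | 2.85% |
|  |  |  | Φ1,3 | 13% |  |  | 8.01% | 1.00% |
|  | Z1,2 | 0.56 | Φ1,1 | 42% | 0.81 | 0.16 | 19.05% | 15.29% |
|  |  |  | Φ1,2 | 39% |  |  | 17.69% | 14.20% |
|  |  |  | Φ1,3 | 46% |  |  | 20.87% | 16.74% |
|  | Z1,3 | 0.81 | Φ1,1 | 9% | 0.31 | 0.16 | 2.26% | 1.09% |
|  |  |  | Φ1,3 | 9% |  |  | 2.26% | 1.09% |
|  | Sum of risk for |  | Φ1,1 |  |  |  | 50.26% | 20.00% |
|  |  |  | Φ1,2 |  |  |  | 40.48% | 17.05% |
|  |  |  | Φ1,3 |  |  |  | 31.13% | 18.84% |
| V2 | Z2,1 | 0.42 | Φ2,1 | 94% | 0.56 | 0.45 | 22.11% | 4.34% |
|  | Z2,2 | 0.35 | Φ2,1 | 48% | 0.91 | 0.17 | 15.29% | 12.43% |
|  | Z2,3 | 0.61 | Φ2,1 | 5% | 0.82 | 0.52 | 2.50% | 0.92% |
|  | Sum of risk for |  | Φ2,2 |  |  |  | 39.90% | 17.69% |
| V3 | Z3,1 | 0.58 | Φ3,1 | 55% | 0.92 | 0.8 | 29.35% | 3.83% |
|  |  |  | Φ3,2 | 34% |  |  | 18.14% | 2.37% |
|  |  |  | Φ3,3 | 65% |  |  | 34.68% | 4.52% |
|  | Z3,2 | 0.52 | Φ3,1 | 41% | 0.83 | 0.14 | 17.70% | 14.71% |
|  |  |  | Φ3,2 | 27% |  |  | 11.65% | 9.69% |
|  |  |  | Φ3,3 | 38% |  |  | 16.40% | 13.63% |
|  | Z3,3 | 0.49 | Φ3,1 | 18% | 0.36 | 0.26 | 3.18% | 0.88% |
|  |  |  | Φ3,2 | 19% |  |  | 3.35% | 0.93% |
|  |  |  | Φ3,3 | 15% |  |  | 2.65% | 0.74% |
|  | Sum of risk for |  | Φ3,1 |  |  |  | 50.22% | 19.42% |
|  |  |  | Φ3,2 |  |  |  | 33.15% | 12.99% |
|  |  |  | Φ3,3 |  |  |  | 53.73% | 18.89% |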
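The calculation behind the V1 rows of Table 5, as an added Python example (not code from the article): it applies Eq. 2 to each row, sums the risk per functionality, and then applies Eq. 3 and Eq. 4. Reading the inherent risk as Eq. 2 with M = 0 is inferred from the table's numbers, and the 90% security threshold is an assumed value that the article does not state.

```python
from collections import defaultdict

# Rows for CI entity V1 as printed in Table 5:
# (threat, probability P, functionality, effect dPhi, vulnerability U, safeguard M)
TABLE5_V1 = [
    ("Z1,1", 0.70, "Φ1,1", 0.47, 0.88, 0.77),
    ("Z1,1", 0.70, "Φ1,2", 0.37, 0.88, 0.77),
    ("Z1,1", 0.70, "Φ1,3", 0.13, 0.88, 0.77),
    ("Z1,2", 0.56, "Φ1,1", 0.42, 0.81, 0.16),
    ("Z1,2", 0.56, "Φ1,2", 0.39, 0.81, 0.16),
    ("Z1,2", 0.56, "Φ1,3", 0.46, 0.81, 0.16),
    ("Z1,3", 0.81, "Φ1,1", 0.09, 0.31, 0.16),
    ("Z1,3", 0.81, "Φ1,3", 0.09, 0.31, 0.16),
]
CURRENT_LEVEL = 93.0  # Φ(t_n) in percent, from Table 4
THRESHOLD = 90.0      # Φ^PB in percent: assumed, not given in the article


def risk(p, d_phi, u, m=0.0):
    """Eq. 2 in percent; m=0 gives the inherent risk, m=M the residual risk."""
    d = abs(d_phi)  # Eq. 2 uses |ΔΦ|, so a negative effect is accepted
    if not all(0.0 <= x <= 1.0 for x in (p, d, u, m)):
        raise ValueError("P, |dPhi|, U and M must lie in [0, 1]")
    # The clamp is an added guard: safeguards cannot make the risk negative.
    return 100.0 * p * d * max(0.0, u - m)


def risk_per_functionality(rows):
    """Sum inherent and residual risk over all threats hitting a functionality."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for _threat, p, func, d_phi, u, m in rows:
        totals[func][0] += risk(p, d_phi, u)
        totals[func][1] += risk(p, d_phi, u, m)
    return {func: tuple(pair) for func, pair in totals.items()}


def assess(rows, current=CURRENT_LEVEL, threshold=THRESHOLD):
    """Eq. 3 (expected level) and Eq. 4 (threshold check) per functionality."""
    report = {}
    for func, (inherent, residual) in risk_per_functionality(rows).items():
        expected = current - residual                 # Eq. 3
        report[func] = {
            "inherent": inherent,
            "residual": residual,
            "expected": expected,
            "ok": expected >= threshold,              # Eq. 4
        }
    return report


if __name__ == "__main__":
    for func, r in assess(TABLE5_V1).items():
        verdict = "threshold met" if r["ok"] else "decision problem required"
        print(f"{func}: Ri={r['inherent']:.2f}% Rr={r['residual']:.2f}% "
              f"expected={r['expected']:.2f}% -> {verdict}")
```

With the assumed threshold, every V1 functionality falls below it, which is the condition under which the operator has to formulate a decision problem.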

Next, a model of CI entities’ dependence was developed (Fig. 11) and calculations for 1000 random cases of threat excitation were performed.

Figure 11

The model of dependencies of the Refinery ORLEN Inc., the Basell Orlen Polyolefins Ltd, and the Production Facility Orlen Oil Ltd (Source: Wiśniewski, 2019, p.106)

Based on available data, 93 adverse event scenarios were obtained, of which 61 scenarios had a negative impact on at least one CI under consideration and 32 scenarios did not have a negative impact on CI entities. To conclude, in terms of the analyzed cases, the security used has been sufficient.

A flat decision problem was indicated for a 20% risk of losing oil-processing functionality (Table 5). The functionality was exposed to three threats: fire, explosion, and environmental contamination. Hence, the decision problem includes three decision areas (Fig. 12). Additional security for these threats comes from the Lotos refinery where they are used (Informacja dotycząca sposobu ostrzegania i postępowania społeczeństwa w przypadku wystapienia poważnnej awarii przemysłowej dla grupy Lotos S.A., access 04.04.2018).

Figure 12

Illustration of the considered flat decision problem (Source: Wiśniewski, 2019, p.113)

The solution of the decision problem allowed indicating a set of three additional securities, which were used for achieving the assumed security threshold.

Indicated safeguards reduce the level of the risk for the considered functionality from 20% to slightly over 2%. Furthermore, the indicated security has also reduced the risk of losing other functionalities of the considered CI (Table 6). Implementation of additional securities determines the new situation of the Orlen refinery.

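Table 6

Synthetic record of the risk of functionality loss for considered CI entities after adding new safeguards (Source: Own elaboration)

| CI (Vα) | Threat (Zα,β) | Probability (P) | Effect (Φα,γ) | Effect (ΔΦα,γ) | Vulnerability (Uα,β) | Safeguard (ΣMα,β,λ) | Inherent risk (Ri) | Residual risk (Rr) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| V1 | Z1,1 | 0.7 | Φ1,1 | 47% | 0.88 | 0.88 | 28.95% | 0.00% |
|  |  |  | Φ1,2 | 37% |  |  | 22.79% | 0.00% |
|  |  |  | Φ1,3 | 13% |  |  | 8.01% | 0.00% |
|  | Z1,2 | 0.56 | Φ1,1 | 42% | 0.81 | 0.72 | 19.05% | 2.12% |
|  |  |  | Φ1,2 | 39% |  |  | 17.69% | 1.97% |
|  |  |  | Φ1,3 | 46% |  |  | 20.87% | 2.32% |
|  | Z1,3 | 0.81 | Φ1,1 | 9% | 0.31 | 0.29 | 2.26% | 0.15% |
|  |  |  | Φ1,3 | 9% |  |  | 2.26% | 0.15% |
|  | Sum of risk for |  | Φ1,1 |  |  |  | 50.26% | 2.26% |
|  |  |  | Φ1,2 |  |  |  | 40.48% | 1.97% |
|  |  |  | Φ1,3 |  |  |  | 31.13% | 2.46% |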
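The flat decision problem for functionality Φ1,1, as an added Python example (not code from the article): it enumerates one elementary decision per decision area as in Eq. 5, drops combinations that contain a contradicting pair, and keeps those whose residual risk satisfies Eq. 4. The candidate safeguards, their assessment scores, the contradiction edge, the 90% threshold and the "highest total score wins" rule are all constructed assumptions; only the "c" options are sized so that their totals match the ΣM column of Table 6.

```python
from itertools import product

# Φ1,1 rows of Table 5: threat -> (P, dPhi, U, M already in place)
THREATS = {
    "Z1,1": (0.70, 0.47, 0.88, 0.77),
    "Z1,2": (0.56, 0.42, 0.81, 0.16),
    "Z1,3": (0.81, 0.09, 0.31, 0.16),
}
# One decision area per threat. Hypothetical candidate safeguards:
# name -> (additional reduction of vulnerability, assessment score).
AREAS = {
    "Z1,1": {"M1,1,a": (0.05, 4), "M1,1,b": (0.08, 5), "M1,1,c": (0.11, 3)},
    "Z1,2": {"M1,2,a": (0.20, 5), "M1,2,b": (0.40, 4), "M1,2,c": (0.56, 2)},
    "Z1,3": {"M1,3,a": (0.05, 5), "M1,3,b": (0.10, 4), "M1,3,c": (0.13, 2)},
}
# Edges of the contradiction graph (constructed): pairs of elementary
# decisions that cannot appear together in one solution.
CONTRADICTIONS = {frozenset({"M1,2,c", "M1,3,a"})}
CURRENT_LEVEL = 93.0  # Φ1,1 in percent, from Table 4
THRESHOLD = 90.0      # assumed security threshold in percent


def solutions(areas, contradictions):
    """Yield every choice of one decision per area without a contradicting pair."""
    names = list(areas)
    for combo in product(*(areas[name] for name in names)):
        chosen = set(combo)
        if any(pair <= chosen for pair in contradictions):
            continue
        yield dict(zip(names, combo))


def residual_risk(choice):
    """Eq. 2 summed over all threats, with the chosen safeguards added to M."""
    total = 0.0
    for threat, (p, d_phi, u, m) in THREATS.items():
        extra = AREAS[threat][choice[threat]][0]
        total += 100.0 * p * d_phi * max(0.0, u - (m + extra))
    return total


def score(choice):
    """Total assessment of a solution (constructed values, higher is preferred)."""
    return sum(AREAS[threat][name][1] for threat, name in choice.items())


def solve():
    admissible = list(solutions(AREAS, CONTRADICTIONS))
    feasible = [c for c in admissible
                if CURRENT_LEVEL - residual_risk(c) >= THRESHOLD]  # Eq. 4
    best = max(feasible, key=score, default=None)
    return admissible, feasible, best


if __name__ == "__main__":
    admissible, feasible, best = solve()
    print(f"{len(admissible)} admissible, {len(feasible)} meet the threshold")
    for c in feasible:
        print(c, f"residual={residual_risk(c):.2f}%", f"score={score(c)}")
    print("selected:", best)
```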

For the following case, a hierarchical decision problem, the decision problem was followed by one of the adverse event scenarios, which may occur at the ORLEN refinery. The scenario assumes that the Refinery ORLEN Inc. and the Production Facility Orlen Oil Ltd are affected by fire, environmental contamination, and explosion.

Additionally, an assumption was made – the authorities of Płock city will co-finance a set of security, which can minimize the risk of losing functionality of the considered CI entities.

CI operators may use three alternative securities for each threat. Therefore, the operator of the Production Facility Orlen Oil Ltd has three alternative securities to choose and the ORLEN refinery operator has nine alternative scenarios. The authorities of Płock City have 27 opportunities to choose (Fig. 13).

Figure 13

Illustration of the considered hierarchical decision problem (Source: Wiśniewski, 2019, p.124)

Decision problem’s solution at successive decision levels, starting from the CI level, allowed for computing of the cost assessment at the level of city authorities (Fig. 14).

Figure 14

Matrix record of the considered hierarchical decision problem (Source: Wiśniewski, 2019, p.125)

The DC10 decision has the highest assessment cost and is therefore desirable for implementation by all the city authorities. The decision at the level of city authorities indicates elementary decisions at the level of the CI operator and the CI level, that is, the elements of the decision taken (Fig. 13).

Conclusions

The results of the presented experiments were used to confirm the utility of the methodology of situational management of CI security for the entities responsible for CI security in the areas of:

determination of the CI characteristics,

risk estimation,

adverse event scenario generation, and

decision problem determination.

It was proved that the MSMCIS should be used for civil planning and crisis management processes in Poland.

The most important theoretical conclusions of the study are:

indication of the CI characteristic canon, which is based on a risk assessment method for the crisis management (utilized in Poland, USA, Canada, Australia, and selected EU countries),

development of the CI Situation Model (based on the CI canon), which allows determining the CI characteristics, and

development of methods based on data collected in the CI Situation Model: Method of Adverse Events Scenario Generation, Method of Risk Estimation, and Method of Decision Problem Determination.

The most important practical conclusions are:

development and evaluation of the MSMCIS, which may be used in civil planning process and crisis management in Poland, and

development of two procedures of this methodology for the cases of flat and hierarchical decision problems.