Академический Документы
Профессиональный Документы
Культура Документы
Sara Bouchon
EUR 22205 EN
European Commission
Directorate-General Joint Research Centre
Institute for the Protection and Security of the Citizen
Contact information
European Commission - DG Joint Research Centre, Institute for the Protection and Security of
the Citizen, Traceability and Vulnerability Assessment Unit,
TP 361, Via Fermi 1,
I-21020 ISPRA (VA) ITALY
sara.bouchon@jrc.it
Tel: +39 0332 78 5007
Fax: +39 0332 78 5813
http://www. http://ipsc.jrc.cec.eu.int/
http://www.jrc.cec.eu.int
Legal Notice
Neither the European Commission nor any person acting on behalf of the Commission is
responsible for the use which might be made of this publication.
EUR 22205 EN
Luxembourg: Office for Official Publications of the European Communities
European Communities, 2006
Reproduction is authorised provided the source is acknowledged
Printed in Italy
TABLE OF CONTENTS
1. Executive summary....................................................................................................... 4
2. Introduction................................................................................................................... 7
3. Definition and characterization of a spatial system of interdependent critical
infrastructures................................................................................................................... 9
3.1. Defining, characterizing a system and the system approach ............................. 9
3.1.1.
Definition of a system................................................................................. 9
3.1.2.
The systems approach ............................................................................... 12
3.1.3.
Systems characteristics ............................................................................ 14
3.2. Complex systems of interdependent critical infrastructures ........................... 15
3.2.1. A systemic approach to Critical Infrastructures.............................................. 16
3.2.2. Interdependent Critical infrastructures systems.............................................. 16
3.2.3. Conceptual framework for systems of interdependent infrastructures ........... 19
3.3. Complex spatial systems of critical infrastructures.......................................... 21
3.3.1. The application of the systems approach to space......................................... 21
3.3.2. From system analysis to spatial analysis of critical infrastructures............. 23
3.3.3 Critical infrastructures systems as spatial networks ...................................... 25
3.3.4. Definition and characterization of spatial systems of critical infrastructures. 27
3.4. Types of complex spatial systems of critical infrastructures ........................... 29
3.4.1. The scaling factor........................................................................................ 29
3.4.2.
The boundaries of a system........................................................................ 30
3.4.3. Processes to be modeled .............................................................................. 32
3.5. Conclusion ............................................................................................................ 32
4.
List of tables
Table 1: Examples of definition for system across various fields (p. 9)
Table 2: Characterizing a system of interdependent critical infrastructures (p.20)
Table 3: System and spatial approaches to analyze critical infrastructures (p.23)
Table 4: Corresponding properties of networks and systems (p.26)
Table 5: Elements of definition for Critical Infrastructures (p.40)
Table 6: Evolution of criticality criteria and infrastructures considered as critical in US
(p.45)
Table 7: Actors perceptions of criticality (p.46)
Table 8: Vital services provided by Critical Infrastructures (in Netherlands) (p.52)
Table 9: Examples of risk definitions in the field of disaster management (p.62)
Table 10: Properties and characteristics of hazards (p.65)
Table 11: Potential hazards to critical infrastructures (p.76)
Table 12: Intentional and unintentional acts as hazards for critical infrastructures (p.76)
Table 13: Direct and indirect Vulnerability of Critical Infrastructures systems (p.81)
Table 14: Cascading hazards in time after electric power supply failure (p.86)
List of Figures
Figure 1: The systemic paradigm (p.11)
Figure 2: The structural approach of a system (p.12)
Figure 3: The functional approach of a system (p.13)
Figure 4: The six systems characteristics (p.15)
Figure 5: The electric power infrastructure dependencies (p.17)
Figure 6: A system of critical infrastructures systems and their interdependencies (p.18)
Figure 7: one example of a systemic approach to space: the Von Thunens model (p.22)
2
List of maps
Map 1: Main energy infrastructure in North-West Europe (p.50)
Map 2: Main energy infrastructure in north Italy. (p.50)
Map 3: Nodes criticality of the energy infrastructure in North Italy (p.83)
Map 4: Degree of accessibility of NUTS-regions to the energy infrastructure (p.84)
1. Executive summary
The main objective of this report is to provide a state-of-the art on the existing
conceptual background dealing with the vulnerability of critical infrastructures systems,
in order to highlight the main issues for decision-making processes and to provide an
overview of all the dimensions of the problem.
The first Chapter addresses the terminology and the epistemological background for the
analysis of spatial systems of interdependent Critical Infrastructures. It analyses first
the definition of a system and of the systems approach. It focuses then on the definition
of spatial systems of critical infrastructures, following the background of the spatial
analysis of networks. It ends with the study of the factors that affect the construction of
systemic models, i.e. the scale of analysis, the choice of the sub-systems and processes to
analyze according to the objectives and goals of the analysis. Main conceptual issues are
summarized in the following figure representing the territorial dimension of critical
infrastructures systems.
Territorial
background
Context
Legislation
Technical capacities
Political,
Socio-economical
requirements
Critical infrastructure
planning and management
Environment
Level of development
Economical
Social
Political/administrative
cultural
Material infrastructure
Regulation
service
Critical
Infrastructures
owners
Critical
Infrastructures
Territory
Logic of development
Objectives
Territorial constraints
Hierarchy
Accessibility
Dependency
Discontinuity
Other stakeholders
The second chapter focuses and the definition of critical infrastructures, highlighting
the conceptual debates addressing the notion of criticality. It details the existing
approaches to criticality, the complexity of the term infrastructure that reveals various
possible levels of analysis and recalls the evolution in time and space of criticality. It
underlines as well the various understandings of criticality as a function of actors
perception. These elements of a conceptual debate have very specific implication for the
decision-making process. The chapter ends therefore with a dedicated subsection on the
main policy issues raised by the concept of criticality. The following figure summarises
the main issues addressed in chapter 4.
Theological
/ systemic
approaches
Criticality criteria
National Security and safety
Defense, Public health
Business security
Social well-being
CIP Context/
Objectives
CRITICAL
Actors
perception
Decision
makers
Owners
Experts
Stakeholders
Insurers
To which part?
Interdependencies
Infrastructure support
Info-structure
Service
INFRASTRUCTURE
Time/Scale
factors
Critical situation
Scope
Severity of
consequences
Effects of time
The last chapter provides a review of existing definitions of risks, hazards, vulnerability
and resilience within the field of disaster management literature. It allows us defining the
following model of vulnerability:
Level of exposure
Hazard-independent Vulnerability
Hazard
Hazard-dependent Vulnerability
Resilience
Susceptibility
Effective impacts
balanced by capacities
Likelihood of hazard
Differential exposure
Sensitivity/capacity of the
system at risk
Coping Capacity
Recovery
State of emergency
Time
Potential losses
Effective losses
External side
Internal side
Crisis
Vulnerability Model
This review led to the analysis of the specificity of the field of critical infrastructures
protection. In this context, the concept of systemic risk appears more appropriate, as the
shift towards the concepts of threats, cascading hazards and cascading vulnerability. The
focus on the cascading vulnerability shows that various levels of exposed elements can be
considered within critical infrastructure systems, whose vulnerability depends on their
level of dependency. Since vulnerability is also affected by time and geographical scale
issues, these factors have been further analysed, as the question of the definition of
accurate parameters and indicators to express it.
The conclusion highlights the necessity to adopt a holistic, multi-disciplinary approach to
the vulnerability analysis of critical infrastructures systems.
2. Introduction
Past years have seen an increased numbers of events affecting vital infrastructures our
society is relying on: the explosion of the AZF factory (Toulouse, September 2001),
terrorist attacks targeting the underground in Madrid (March 2004) and London (July
2007), fire of a petrol deposit (Buncefield, December 2005), etc. Although these events
might appear different they have lots in common:
- They affected different types of infrastructures that are all considered as critical
infrastructures. Critical infrastructures are those of whose services are so vital that
their incapacity or destruction would have a debilitating impact on the deface or
economic security of any state: electric power, gas and oil production and distribution,
telecommunications, banking and finance, water supply systems, transportation, health
care, emergency and government services, food supply ((COM (2004) 702 final)).
These infrastructure systems are heavily dependent upon one another. Disruption in any
of the systems could jeopardize the continued operation of the entire infrastructure
system. The adjective critical is related to a key function for the society, highly
dependent, and thus highly vulnerable to a potential disruption of these infrastructures.
- They were triggered by various sources of hazards but showed the importance of an
expanding spectrum of threats including terrorism or other manmade disasters,
modifying the understanding of the risks triggering event. This kind of hazard is highly
unpredictable and therefore difficult to assess and to prevent.
- They had large consequences in societies, well beyond the impact zone. In this view
they revealed various aspects of the vulnerability our societies to this kind of systemic
risks. The vulnerability assessment of critical infrastructure has thus to face the challenge
of providing a multi-scale analysis related to the organisation of a network (several areas
related between them through a network), which might be in contradiction with the
different areas of competencies of the different administrative and political levels.
Following these events, the awareness and the need to better understand the multidimensional vulnerability of our territory against events affecting critical infrastructures
appeared clearly. This has been expressed in October 2004 in the Communication
Critical Infrastructure Protection in the fight against terrorism (COM (2004) 702
final) and in November 2005 in the Green paper On a European Programme for
Critical Infrastructure Protection (COM (2005)576 final) provided by the European
Commission. .
The final objective is to define appropriate measures for a Critical Infrastructure
Protection Strategy, in order to ensure an adequate level of security for European citizens.
This means adopting the standpoint of decision-makers, who have to deal and manage
risks and vulnerability over their territories of competency. Existing literature on critical
infrastructures is most often technical, which does not allow decision-makers assessing
the multi-dimensional vulnerability of the territory against the disruption of
interdependent critical infrastructures systems. In this view, there is a need:
- To define and characterize clearly which are the critical infrastructures for our
societies and how they are distributed over the territory, i.e. how they form spatial
systems of critical infrastructures.
To understand what vulnerability and risks mean, when referring to this critical
infrastructures.
To identify stakeholders to be involved and to define a coherent strategy for
Critical Infrastructure Protection (CIP)
The main issue is related to the specific features of vulnerability and risk related to
Critical Infrastructures. Classical risk and vulnerability analysis show some limits and
there is therefore a need to define specific definitions, tools, methodologies for critical
infrastructures. A systemic approach appears particularly appropriate, since it allows
embracing the complexity of interdependent critical infrastructures systems. This requires
thus a preliminary work on the epistemological and conceptual background:
- How to define, delimit, and characterize the spatial systems formed by critical
infrastructures? What are the epistemological foundations of a systemic
approach? To which extent does it allow a better understanding of the inherent
complexity of critical infrastructures? (Chapter 3)
- To what does the adjective critical refers? Which are existing criticality criteria?
To which extents are they valid and to what kind of infrastructure or piece of
infrastructure do they apply? (Chapter 4)
- How to define the concept of vulnerability of critical infrastructures? What are the
exposed elements? Exposed to what? How do criticality and vulnerability interact
in time and space? (Chapter 5)
The analysis of existing definitions, as well as the epistemological background shows that
debates exist on the understanding of the main concepts. These debates are the result of:
- The diversity of fields and approaches using these terms;
- The diversity of approaches among various actors dealing with territorial
management;
- The inherent difficulties related to the concepts themselves.
The main objective of this report is therefore to provide a state-of-the art on the existing
conceptual background dealing with the vulnerability of critical infrastructures systems,
in order to highlight the main issues for decision-making processes and to provide an
overview of all the dimensions of the problem.
3.
spatial
system
of
In this chapter, we address the conceptual and etymological aspects of the definition of a
spatial system of interdependent infrastructures, focusing on the application of the
principles of system analysis to interdependent critical infrastructures and to the spatial
system they form. The objective is to provide working definitions to decision-makers,
whose first task is to identify, characterize and delimit the territory under analysis. This
implies defining and characterizing a system and the system approach (3.1.), defining and
characterizing a system of interdependent critical infrastructures (3.2.), defining spatial
systems of critical interdependent infrastructures (3.3) and analysing the criteria allowing
distinguishing various types of those spatial systems (3.4).
http://www.cogsci.princeton.edu/cgi-bin/webwn
ibid.
3
ibid.
4
www.nbc-med.org/SiteContent/glossary.asp
2
4. (Biology) A group of physiologically or anatomically related organs or parts; "the body has
a system of organs for digestion"5
5. (Structural sciences)A complex of methods or rules governing behaviour: they have to
operate under a system they oppose; that language has a complex system for indicating
gender 6
6. (Communication Sciences) An organized collection of interrelated elements that performs
one or more functions. (The Communication Handbook); "A system divides all of the
Universe into a) all of the Universe outside the system, b) all of the universe inside the system,
and c) the little bit of remaining Universe which comprises the system that separates the
macrocosm from the microcosm". (Buckminster Fuller)7
7. An organized structure for arranging or classifying 8
8. (Ecology/Environmental sciences) The region under consideration, as distinguished from
the rest of the universe (the environment). Systems may be separated from environments by
boundaries that prevent the transfer of mass (a closed system), of heat (an adiabatic system), or
of any energy (an isolated system). Systems that exchange mass with the environment are open
systems. Sometimes the word system is also used to refer to all possible compositions defined
by a particular set of components (for example, the MgO-SiO2 system)9.
9. (Telecommunications) Any organized assembly of resources and procedures united and
regulated by interaction or interdependence to accomplish a set of specific functions. 2. A
collection of personnel, equipment, and methods organized to accomplish a set of specific
functions.(Glossary of Telecommunication terms)10;
10. (Electricity sector)An integrated combination of generation, transmission and
distribution of electricity or natural gas that may be used by 1.) a utility, 2.) a group of utilities
through a power pool or 3.) an operator that manages services for more than one system11
11. (Physical geography): A system is a set of interrelated components working together
towards some kind of process.(http://www.geog.ouc.bc.ca/physgeog/physgeoglos/s.html)
12. (Regional sciences) A group of independent but interrelated elements comprising a
unified whole; a vast system of production and distribution and consumption keep the country
going12
13. Organizations that are linked together in the provision of services/products (e.g.
transportation system, K-college education system, child welfare). An interdependent linking of
organizations that rely on each other for the exchange of resources13
14. A set of actors or entities bound together by a set of rules and relationships into a unified
whole. A systems health is dependent on the health of the whole pattern, which can sometimes
be reflected (and thus measured) in the status of a key part of the system14.
http://www.cogsci.princeton.edu/cgi-bin/webwn
http://www.cogsci.princeton.edu/cgi-bin/webwn
7 www.worldtrans.org/whole/wholedefs.html
8
http://www.cogsci.princeton.edu/cgi-bin/webwn
9
expet.gps.caltech.edu/~asimow/glossary.html
10
http://www.its.bldrdoc.gov/fs-1037/dir-001/_0063.htm#JP1
11
http:// www.niagaramohawk.com/glossary/gloss_s.html
12
http://www.cogsci.princeton.edu/cgi-bin/webwn
13
www.childpc.org/about/glossary.asp
14
www.state.nj.us/dep/dsr/sustainable-state/glossary.htm
6
10
Following these definitions and existing theories of systems, we can assume that a system
is (Walliser, 1977):
-
Evolution
ENVIRONMENT
Structure
OBJECTIVES
Processes
11
Chann
els of
Comm
unicat
ion
Component
Component
Inputs
Component
Sub-system 1
Sub-system 2
Outputs
ENVIRONMENT
Requirements
Constraints
Resources
12
The functional analysis (Figure 3) is based on the analysis of the function rather than on
the list of components. The preliminary task is to identify the systems objectives: they
refer to the goal and the services a given system has to fulfill or provide. The
performances of the system can be measured, with respect to the required level of
expected output or service.
Most of functional approaches are called input-output approaches or efficiency
approaches, having the objective to identify the trouble spots and especially the places
where there is waste and then proceed to remove the inefficiency. The input-output
approach relies on the principle that system are entities into which are imputed various
types of resources and out of which comes some kind of product or service. It aims at
exploring what kinds of activities should go inside the system in order to produce the
most satisfactory kind of output. This requires assessing the overall performance of the
system. In this view, there is a need to develop a measure of performance that is to be
maximized, where a weighted environment is partly expressed as output minus the cost of
input, where the weights are determined by standards of quality. The performance of each
component and their contribution to the performance of the overall system and the
allocation of internal resources15 show the internal inputs-outputs processes.
Resources are the internal means that the system uses to accomplish its objectives. Resources are for
instance money, man hours, equipment, technological; advancesetc. To the difference with the
environment, resources are the things the system can change and use to its own advantages.
16
http://fwie.fw.vt.edu/rhgiles/Lastingforests/LFConcept1.htm
17
http://www.worldtrans.org/whole/wholedefs.html
13
3.1.3.
Systems characteristics
All systems are not similar and following their characteristics, it is possible to distinguish
various types of systems. Six main characteristics of systems (Figure 4) are mainly
related to the four essential properties of systems: autonomy; coherency; permanence;
organization (Dupuy, 1985)
(1) Emergence: a system reacts in a different way than the sum of its parts, because of
the interactions among these parts (property of coherence);
(2) System-environment relation: in the case of quasi-isolated systems, the system is
influenced by its environment through processes of inputs, is internally modifying these
inputs, has an impact on its environment through processes of outputs. Systems vary as a
function of the degree of their openness-closure, depending on the amount of inputoutput flows. The output of one system can constitute the input for another system or for
the system itself (within-puts) (property of autonomy);
(3) Stability, stationary and equilibrium: Static is applied to systems subject to constant
interactions with their environment and showing constant interactions among their
subsystems; Stationary is applied to systems showing constant transformation processes
between inputs and outputs flows with the environment and among their subsystems;
Stable is applied to a system that recovers its initial shape after having experienced a
marginal modification; Equilibrium is applied to systems when they show an equilibrium
between inputs and outputs among subsystems. This can refer to immobility or constancy
of flows. Homeostasis expresses the capacity of an open system to maintain its structure
and its functions thanks to dynamic equilibriums controlled through regulations
mechanisms. All these terms refer to the permanency of systems.
(4) Causality and finality: in a causal system, the relationship between inputs and outputs
expresses a cause-consequence relation. In a system having a finality, the system keeps
following its finality, even though it is subject to external pressures. This finality can be
optimized (relative to the highest performances) or satisfactory (ensuring a minimum
level of performances).
(5) Organization: the organization is related to the existence of sub-systems. Each subsystem might be consisting of sub-sub-systems and so on, until black boxes, considered
as basic elements. Systems differ as a function of the types of existing interactions and
hierarchy among their subsystems;
(6) Adaptation, regulation: a system can have the capacity to adapt its behavior to
external pressures, maintaining its finality and its permanency. Adaptation can be
possible thanks to external regulation, or through internal auto-regulation capacities. The
capacity of auto regulations allows assessing the degree of autonomy of a system.
14
After Roger Lewin (1992) Complexity: Life and the Edge of Chaos
Steven Johnson (2001) Emergence: The Connected Lives of Ants, Brains, Cities, and Software
http://en.wikipedia.org/wiki/Image:Complex-adaptive-system.jpg
15
16
First the focus can be laid on one critical infrastructure system and on the others
critical infrastructures systems it is depending on. Figure 5 shows for instance the critical
infrastructures the electric power infrastructure is depending on.
System control
Repair Crew to Sites
Fuel resupply
System Status
SCADA/EMS
Component
shipping
Operation and
Repair Crew
Communication
E-Commerce
ROAD
Materials
Procurement
TELECOM
BANKING and
FINANCE
Transport to
operations
Center
Component
shipping
AIR
ELECTRIC
POWER
NATURAL
GAS
Financial
services
Fuel for
generators
Aerial
Inspection
WATER
Component
shipping
RAIL
OIL
Cooling
Fuel resupply
Component
shipping
Emissions
Control
Fuel
Maintenance
Fuel for
Generators
On the contrary to the first approach, the second approach can focus on one critical
infrastructure system and on others critical infrastructures systems that are depending on
the services provided by the system under focus.
Finally, the last approach aims at embracing a whole system of various critical
interdependent infrastructures interacting with each others. Figure 6 gives an example of
some existing interdependencies existing among various critical infrastructures systems.
17
Fuels, lubricants
Fuel Transport, Shipping
ants
r fo r
Powe witches
s
,
g
g
lin
ippin
Signa
rt, Sh
o
p
s
Tran
F u el
WATER
ELECTRIC
POWER
SCADA
,
Po
compr wer for
essors
Contro , storage,
l syste
m
Fuel fo
r Gene
rators
SCADA,
Communications
r coolin
g
Comm
un
ications
NATURAL GAS
A, ons
AD icati
C
S un
t
mm Hea
Co
Power
for switches
Water fo
Shipping
TELECOM
,
n
on
cti uctio
u
d
d
o
e
pr s r
for sion
r
e
is
t
W a , em
g
n
oli
co
18
SCADA,
Communications
Water for p
roduction,
cooling, em
issions redu
ction
TRANSPORTATION
ing
ipp
ls, l
ubri
c
Sh
Fu e
OIL
monitoring system status and system control. During emergencies or after components
failures the electric power infrastructure will have potentially different yet critical
dependencies on the same infrastructures. For example, the utility may require petroleum
fuels for its emergency vehicles and emergency generators and road transportation to
dispatch repair crews and replacement components.
The system approach allows addressing the complexity of interdependent critical
infrastructures. The definition of the system remains though function of the objectives
and scope of the analysis. Once the system is delimited, its characteristics must be
analysed.
3.2.3. Conceptual framework for systems of interdependent infrastructures
Identifying, understanding, and analysing interdependent critical systems are significant
challenges magnified by the complexity of these infrastructures. Further complicating
this challenge is a broad range of interrelated factors and system conditions described in
terms of six dimensions that affect systems characteristics, and which are summarised
in Table 2 (Rinaldi and al.2001).
Once they are identified, the choice of the boundaries of the system to analyse and its
characterisation are depending on the scope of the analysis. In the view of assessing the
vulnerability against the disruption of critical infrastructure systems, the decision-maker
needs to identify the spatial system he has to deal with. As it has been presented the
modelling of systems does not show the spatial characteristics of the system considered.
This dimension is though fundamental since decision-makers do not think on an abstract
space, but on a territory, which characteristics must be included under the identification
of spatial systems of interdependent Critical infrastructures.
19
2. Types of
interdependencies
(characterize
organisation and
emergence)
3. Coupling and
response behaviour
(characterize
organization, stability,
causality, finality,
adaptation and
regulation)
4. Infrastructure
characteristics
(characterize
organization, systemenvironment relation,
adaptation, stability)
5. Types of failures
(characterize
organization, causality
and finality, types of
interactions)
6. The state of
operation of an
infrastructure
(characterize stability,
system-environment
relation, organization,
adaptability)
Definition
Framework in which the owners and
operators
establish
goals
and
objectives, construct value systems
for defining and viewing their
businesses, model and analyse their
operations, and make decisions that
affect infrastructure architectures and
operations.
Bi-directional relationship between
two infrastructures, through which the
state of each infrastructure influences
or is correlated to the state of the
other.(Gheorghe and Schlapfer,
2004) Interdependencies and the
resultant infrastructure topologies can
create
subtle
interactions
and
feedback mechanisms that often lead
to unintended behaviours and
consequences during disruptions.
Are
conditioning
infrastructure
responses to perturbations. The
coupling characteristics and nature of
interacting agents in turn directly
influence whether the infrastructures
are adaptive or inflexible when
perturbed or stressed. (Perrow, 1984)
They refer to time and space
dimensions of the system of
interdependent infrastructures.
Factors/ variables
Economic and business
opportunities, concerns
Public policy
Government investment
decision
Technical and security
issues
Social and political
concerns
Physical interdependency
Cyber interdependency
Geographic
interdependency
Logical interdependency
(not mutually exclusive and
to various degrees)
Degree of coupling
Coupling order
Linear or complex
interactions
Characteristics of the
agents
Scale
Infrastructure dynamics
Operational factors
Organizational
considerations
Cascading failure
Escalating failure
Common cause failure
Normal operating
conditions, (from peak to offpeak conditions)
Times of severe stress or
disruptions
Time when repair and
restoration activities
20
21
Figure 7: One example of a systemic approach to space: the Von Thunens model20
20
www.csiss.org/ classics/content/9.
22
Systemic approach
Nature/quantity-quality of the
service delivered/ boundaries of
the system
Composition
Sub-systems,
components
building the system (technical,
human, organizational)
Channels of communication and
hierarchy of the relationships
among the components and subsystems
(connection,
connectivity), competencies of
various
actors
on
the
infrastructure
Types de flux, variations dans le
temps
Types of flows, variations in time
and space
Types of interactions with the
environment
Types of interdependencies
Organization
Processes
system-environment relations
Interdependencies
Spatial approach
Areas where the service is
delivered (as a function of the
scale)/ boundaries between these
areas
Location of the components of
the
infrastructure,
distance
among them.
Types of spatial organization of
the network (graphs theory,
density), areas of competencies
of various actors
Administrative,
geographical,
economical spatial context
Location of interdependencies
Adopting a spatial perspective allows identifying which areas are depending on a critical
service, forming various regions. Usually, a region is defined as a sub-national
administrative entity, within a country, between the level of the sovereign state, and the
local government, encompassing multiple municipalities, counties, or provinces with a
certain degree of autonomy in a varying number of matters, including vulnerability and
risk management. A regional system, defined as a complex distributed spatial system,
consisting of all existing critical infrastructures, the socio-economic and political systems
and the interactions amongst all these elements (Gheorghe and al., 2000), might be
different from the boundaries of the administrative region (Figure 8).
23
Subsystem of CI 1
e.g.
economic
system
e.g. Social
system
e.g. Energy
Etc.
e.g.
Political
system
e.g. Transport
Subsystem of CI 3
A regional system,
defined as a
complex
distributed spatial
system, consisting
of all existing
critical
infrastructures, the
socio-economic
and political
systems and the
interactions
amongst all these
elements
Subsystem of CI 2
The anisotropic region is a region in which the spatial features are organized
following one or more axis or network. This refers to a region regrouping non contiguous
areas connected by a critical infrastructure (e.g. a transportation corridor).
24
This raises a major issue for risk and vulnerability management: the definition of a region
as a system is closer to the real characteristics and dynamics of a territory and allows
identifying the area where critical infrastructures are at risk and pose a risk; however the
region seen as an administrative entity, and which is the territory level of reference for
the decision-making addressing risks might be different from the regional system at risk.
3.3.3 Critical infrastructures systems as spatial networks
Following Bullock21, recent years have seen a resurgence of interest in the use of graphs
and networks as models of many kinds of complex systems. Since critical
infrastructures, seen as interacting agents are based the exchange of flows between their
components, they can be analyzed through the network analysis perspective. First issue is
to shift from a technological approach of the critical infrastructures system to their
representation as complex networks. The second issue is related to the localization of this
system in the space, in order to analyze the interactions with other systems over a
territory. For instance, as far as the transportation is concerned, localization is
fundamental to understand how flows originate and what their destination is. The analysis
of critical infrastructures systems can therefore not be dissociated from the spatial
analysis of networks and their territorial implications.
The analysis of networks is one of fundamental principle of spatial analysis, since it
focuses on the relations between objects or places. Spatial units, which are not
contiguous, may be linked together through an exchange of relations. Basically a network
can be defined has an ensemble of lines, communication roads, channels, that deliver a
service to the same geographical unit. Natural networks such as rivers or human
networks such as electricity network or administrative network put in relation various
spatial units. Network can refer to material and physical infrastructure (network
infrastructure) or to a relation network referring to the exchanges and types of flows
supported by these infrastructures. Networks are most often described using the graph
theory. Represented as graphs, they show an ensemble of nodes and links, which refers to
the topology of the network (Batty, 2003).
Among existing definitions, following properties of networks have been identified:
- Connection: refers to the property of networks to link objects or places, through
exchanges and circulation of various flows. It allows characterizing the ensemble of
existing links among nodes within a network. If we consider, a set of two nodes as every
node is linked to the other, connection is the fact that a movement between two nodes is
possible, whatever its direction. Knowing connections makes it possible to find if it is
possible to reach a node from another node within a graph.
- The multiplicity of possible links, the existence of alternative pathways, enhancing
the interconnectivity level of a network is called connectivity. A complete graph is
described as connected if for all its distinct pairs of nodes there is a linking chain.
Direction does not have importance for a graph to be connected, but may be a factor for
the level of connectivity. There are various levels of connectivity, depending on the
degree at which each pair of nodes is connected.
21
www.comp.leeds.ac.uk/seth/cluster/cluster.ps
25
System
Autonomy
Permanency
Coherency
Organization
Network
Connection
Connectivity
Isotropy
Homogeneity
Centrality
After Dupuy, 1985
Table 4: Corresponding properties of networks and systems
Critical infrastructures systems analyzed as networks allow identifying the related spatial
systems that must be considered as the region of reference for risk and vulnerability
analysis.
26
Territorial
background
Context
Critical infrastructure
planning and management
Legislation
Technical capacities
Political,
Socio-economical
requirements
Environment
Level of development
Economical
Social
Political/administrative
cultural
Material infrastructure
Regulation
service
Critical
Infrastructures
owners
Critical
Infrastructures
Territory
Logic of development
Objectives
Territorial constraints
Hierarchy
Accessibility
Dependency
Discontinuity
Other stakeholders
27
28
continuous area, networks imply spatial discontinuity. Territories are not anymore the
result of proximity, but the result of a link joining spatial units, that have in common to
be dependent on the same network. The accessibility to the services or functions of a
network is characterized by entry points (e.g. stations for railways, access to roads, etc.),
which are not equally spread over the territorial background. Networks create therefore
hierarchies among spatial units and are a factor for the differentiation of space.
In order to characterize a spatial system of critical infrastructures, the role of each
subsystem must be assessed, since they determine various types of systems. The
objectives of the analysis, as well as the scale of work are other factors that need to be
taken on board.
Closely related is the notion of geographic scales given that infrastructures span physical
space, ranging in scale from cities, regions, and nations to international levels. The
particular scale of interest is largely a function of the objective of the analysis.
Deliberations on national energy policies may require analysis at the infrastructure,
interdependent infrastructure, national, international levels, whereas an analysis of the
failure of a single natural gas compressor might require studies at the system level and
below. These granularity considerations lead to trade-offs in model fidelity and
database/computational requirements. A high level of detail implies more data on the
infrastructures their components and interdependencies as well as more intensive
computational requirements. Spatial scale has clear implications for the way in which
interdependencies are included in analysis. The characteristic of critical infrastructures
systems is that what happens to one infrastructure can directly and indirectly affect other
infrastructures, impact large geographic regions, and send ripples throughout the national
and global economy. There is therefore a need to adopt a dynamic view on the scaling
factor, allowing shifting from local scale to a much broader area (Figure 10).
The variations of scale in space are associated with the variations in time. A system of
critical infrastructures refers to various time scales: while the setting up of the material
infrastructures might take years (the construction of road networks for instance), the
delivery of the service must be analysed at daily scale for instance, while an emergency
management should be dealt in an even shorter delay.
29
The boundaries of a system, the choice of the subsystems, processes that will be modeled,
must be defined as a function of the scale of analysis and of the objectives of the analysis.
Since reality is complex, the definition of the system must rely on a selection of the most
accurate elements. Boundaries can range from the delimitation of an elementary model,
focusing on basic components to the delimitation of a complex system, including more
subsystems. Figure 11 shows for the transportation system, examples of possible
delimited systems.
30
Complex
system
level
Spatial system
approach
All vehicles
Networks of
transportation
infrastructures
Drivers
Vehicle
Driver
transportation
infrastructures
Technical system
approach
transportation
infrastructures
Elementary
system level
Vehicle
Driver
Driver
Vehicle
31
The choice of the boundaries of the system is also depending on the actors analyzing the
system of interdependent critical infrastructures. For instance, following the standpoint of
decision makers, the system under analysis might be delimited within the limit of their
administrative limits of competency (a city, a province, a region, etc.). On the contrary, in
the logic of critical infrastructures owners, the limits of the system will be extended to
the spatial inscription of the infrastructure. The difficulty lies in the combination of these
approaches, in order to take on board the requirements of various types of actors. This
implies thus to define which process will be modeled and represented.
3.4.3.
Processes to be modeled
The representation of all processes within the boundaries of a system might trigger
confusion. There is therefore a need to choose the representation of the spatial system for
one criterion, e.g. the repartition of the material infrastructure in space, the accessibility
of various connected areas to the service, the polarization of one node of the network
over the system of over an area, the quantity of flows, etc. The processes to be modeled
vary as a function of the entry point in the system: this can be one particular node of the
system, a particular link between two nodes, a particular deserved area or a combination
of this.
3.5. Conclusion
The identification of spatial systems of interdependent critical infrastructures answers the
problems and objectives set up by the context of their analysis. A systemic approach
allows embracing the organisation, location and functioning of critical infrastructures
systems, based on human, technical, political, geographical, social sub-systems,
according to a territory. Though, the territorial dimensions of critical infrastructures
systems might be different from the administrative levels of reference for decisionmakers and risk management. This highlights the need to carry out the vulnerability
assessment in the context of a participative process, involving various actors and
encouraging interdisciplinary collaboration.
The system approach allows addressing the complexity of interdependent systems of
critical infrastructures. Further reflection on the concept of critical infrastructures allows
defining hierarchies and priorities for vulnerability analysis within these complex
systems.
32
22
33
public institutions including schools, post offices, and prisons.24 Other definitions
include banking and financial institutions, oil and gas supplies, health and emergency
services, as these infrastructures ensure daily survival for each and every one of us25.
Following the field of interest, infrastructure is defined more precisely: in Technology,
infrastructure refers to the basic, fundamental architecture of any system (electronic,
mechanical, social, political, etc.) determining how it functions and how flexible it is to
meet future requirements26. In Economy, infrastructure is the basic physical systems
of a business or nation, needed for a country to be efficient and productive27. For a
cyber-system, infrastructure is the stock of basic facilities and capital equipment
needed for the functioning of a country or area28. In the military field, they are all
building and permanent installations necessary for the support, redeployment, and
military forces operations (e.g. barracks, headquarters, airfields, communications,
facilities, stores, port installations, and maintenance stations)29. In an urban planning
context, the term is used most often to denote the facilities that support specific land uses
and built environment. Two groups of infrastructures are distinguished: transportation
modalities (roads, rail, etc.) and utilities. Infrastructure may also refer to necessary
municipal or public services, whether provided by the government or by private
companies30.
Common elements to these definitions are thus (Figure 12):
Infrastructure is the underlying base, architecture or foundation for an organisation
or system. However, what is considered to be infrastructure depends heavily upon the
context in which the term is used. Historically, the sense of the word infrastructure has
been evolving: it has been first used in the context of technical debates about public
works, designing thus urban networks and facilities. The term also has had specific
application to the permanent military installations necessary for the defence of a country.
The role of infrastructure for the economic development and as one of the main sector of
public investment lead to the inclusion of economic networks, referring to technical and
more immaterial networks. Nowadays, infrastructure is used in an even more broad
sense, referring to almost any kind of substructure or underlying system. Big corporations
are said to have their own financial infrastructure of smaller businesses, for example, and
political organizations to have their infrastructure of groups, committees, and admirers.
24
The American Heritage Dictionary of the English Language, Fourth Edition, Houghton, Mifflin
Company, Boston, MA. 2000
25
http://www.answers.com/topic/infrastructure
Transport: Roads, Highways, Railroads, Public transport, Airports, Ship transport such as ferry and barge,
Bike paths, Sidewalks;
Public utilities: Electricity, Natural gas, Coal delivery, Water supply, Sewers, Telephone service, Radio,
and television;
Public services: Fire service or fire department, Flood protection, Police protection, Waste management,
public education, public health system, social insurance system;
National Services: Defense, Monetary system, Postal system
26
http://www.computerlanguage.com/at.html
27
http://www.investopedia.com/
28
Word Net 1.7.1 Copyright 2001 by Princeton University.
29
US Department of Defense Dictionary of Military and Associated Words, 2003.
30
http://www.answers.com/topic/infrastructure
34
Infrastructure can refer to a physical, material structure (e.g. roads, pipelines,
school, etc.) and/or to immaterial networks (e.g. banking system). Both aspects are not
exclusive, since an infrastructure may rely on physical elements (e.g. built elements) and
immaterial elements (e.g. rules for the good functioning of the network, personal
interrelationships, etc.). Some authors distinguish though hard infrastructure, i.e.
infrastructure embedded in the landscape and soft infrastructure that denotes
institutions that maintain the health and cultural standards of the population, e.g. public
education, public health systems.
Material/ Immaterial
structures
Infrastructure
as underlying
basis of the
system
Functioning
procedures
Infrastructuresupport
Control systems
Hard/soft
infrastructures
Regulation
Fee-policies
Info-structure
Etc.
Nature
Service
Flows: Quantity/Quality
Areas of delivery/Accessibility
Supply/ Demand constraints
Etc.
35
32
33
E.g. "a critical point in the campaign"; "the critical test" http://www.answers.com/topic/critical
http://amethyst.epa.gov/revatoolkit/MethodsData/Criticality.jsp
http://www.answers.com/topic/critical
36
Infrastructure
if
disrupted
will lead
to
is
required
in case
of
CRISIS
34
37
Statement of Dr. Samuel G. Varnado, Sandia National Laboratories, United States House of
Representatives Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, July
9, 2002 http://www.whisprwave.com/msu-hs-class/critical-infrastructure-protection.htm
38
This table shows that the above definitions consider as infrastructures various
elements such as systems, networks, assets, facilities, services considered in their
physical, virtual, immaterial dimensions. This is coherent with the broad sense of
infrastructure, which is not limited to the technical aspects. There is a clear focus on
telecommunications and information infrastructures, which are most often common to all
other systems. However, the elements considered remain quite general, so that one can
not know which level of the infrastructure is considered (technical, regulatory, service).
All the definitions are then based on the description of the conditions leading to a
critical situation: this might be a disruption, destruction, or degradation, loss of continuity
or of reliability affecting these infrastructures. This places the analysis of critical
infrastructures in the perspective of a risk and vulnerability analysis.
38
http://www.tisn.gov.au/agd/WWW/CriptHome.nsf/Page/What_is_Critical_Infrastructure
www.melani.admin.ch/glossar/
40
http://www.atis.org/tg2k/_critical_infrastructure.html
39
39
Conditions for a
critical situation
If disrupted or
destroyed;
The incapacity
or destruction of
such systems and
assets
If degraded or
rendered
unavailable for an
extended period
Disabling any of
them
[Non]
continuous,
reliable operation
Criticalitys criteria
Serious
debilitation
impact
on,
would
incapacitate / so vital to,
essential to:
The entire system
The national public
health,
Safety
National Security
National defence.
National
economic
security
Minimum operations of
the economy and the
effective
functioning
government
Social or economic
well-being of citizens or of
the nation
Quality of life
Or any combination of
those matters
41
Banking and finance: entities such as retail and commercial organizations, investment institutions,
exchange boards, trading houses, and reserve systems, and associated operational organizations,
government operations, and support activities that are involved in all manner of monetary transactions,
including its storage for saving purposes, its investment for income purposes, its exchange for payment
purposes, and its disbursement in the form of loans and other financial instruments (Moteff, Copeland,
Fisher, 2003).
42
Transportation: physical distribution systems critical to supporting the national security and economic
well-being of this nation, including the national airspace systems, airlines, and aircraft, and airports; roads
and highways, trucking and personal vehicles; ports and waterways and the vessels operating thereon; mass
transit, both rail and bus; pipelines, including natural gas, petroleum, and other hazardous materials, freight
and long haul passenger rail; and delivery services (Moteff, Copeland, Fisher, 2003).
43
Electric power systems: generation stations, transmission and distribution networks that create and
supply electricity to end-users so that end-users achieve and maintain nominal functionality, including the
transportation and storage of fuel essential to that system (Moteff, Copeland, Fisher, 2003).
44
Gas and oil production storage and transportation. The production and holding facilities for natural gas,
crude and refined petroleum, and petroleum-derived fuels, the refining and processing facilities for these
fuels and the pipelines, ships, trucks, and rail systems that transport these commodities from their source to
systems that are dependent upon gas and oil in one of their useful forms (Moteff, Copeland, Fisher, 2003).
45
Water supply system: sources of water, reservoirs, and holding facilities, aqueducts and other transport
systems, the filtration, cleaning, and treatment systems, the pipelines, the cooling systems and other
delivery mechanisms that provide for domestic and industrial applications, including systems for dealing
with water runoff, waste water and fire fighting (Moteff, Copeland, Fisher, 2003).
46
Emergency Services: medical, police, fire and rescue systems and personnel that are called upon, when
an individual or community is responding to emergencies. These services are typically provided at the local
level. In addition state and federal response plans define emergency support functions to assist in the
response and recovery (Moteff, Copeland, Fisher, 2003).
47
Information and Communications: computing and telecommunications equipment, software, processes,
and people that support (Moteff, Copeland, Fisher, 2003).
40
The severity of the potential crisis has to refer to the criticalitys criteria
considered: the analysis of these definitions allows assuming that if an infrastructure is
considered critical, it is both because its potential disruption or lack may lead to an
emergency situation and because in case of en emergency situation, they may be
used to solve a crisis situation (Figure 14). Criticalitys criteria are therefore related to
strategic objectives of a National State, i.e. the maintaining of the national security,
defence, public health, economy, the national well-being of citizens. These objectives are
understandable, but from an operational standpoint, they do not allow identifying
precisely which infrastructures are considered. Existing definitions leave plenty of room
for interpreting which infrastructure fit the definition, which may lead to the
consideration that every infrastructure is critical.
Criticality criteria
National Security and
safety
Infrastructure as underlying
basis of the system
Defense
Infrastructure-support
Public health
Info-structure
Economical security
Service
is required in
case of
Social well-being
if disrupted
will lead to
Critical situation
Scope: Extent of the impact
Severity of consequences on
public, economy, environment,
interdependencies, psychology
Effects of time
41
The specific sectors that have been listed are illustrative but do not form an
exhaustive list. We may distinguish critical infrastructures:
(1) related to governments continuity and credibility to perform essential national
security missions and to ensure the general public health and safety (key government
services, public administrations, national icons, defence base and emergency services,
public health);
(2) related to the maintaining of order and to the delivering of minimum essential public
services (energy and water systems, agriculture, food supply, industrial base);
(3) related to the private sector to ensure the orderly functioning of the economy and the
delivery of essential services (transportation, telecommunications and information
systems, banking and finance systems, energy and water systems, postal and shipping).
One of the given definitions highlights the fact that these infrastructures do not
exist in isolation of one another and that interdependency is increasing. A number of
facilities and services depend on each other. Airports and railways depend on electricity
and communications. The power grid itself depends on communication among power
plants and distribution nodes, and the telecommunications network depends on power
supply for the transmission links and the exchange nodes. Disruption in any of the
systems could jeopardize the continued operation of the entire infrastructure system.
Gheorghe and Schlapfer define the concept of interdependency as a bi-directional
relationship between two infrastructures, through which the state of each infrastructure
influences or is correlated to the state of the other. They identified four main types of
interdependencies (not mutually exclusive and to various degrees) among Critical
Infrastructures (Gheorghe and Schlapfer, 2004):
- The physical interdependency: two infrastructures are physically interdependent if
the state of each is dependent on the material output of the other;
- The cyber interdependency: if the state of an infrastructure depends on
information transmitted through the information infrastructure;
- The geographic interdependency: if a local environmental event can create state
changes in all of them;
- The logical interdependency: two infrastructures are logically interdependent if
the state of each depends on the state of the other via a mechanism that is not a
physical, cyber or geographic connection.
The analysis of critical infrastructures requires therefore requires a system-of-systems
perspective given their interdependencies, while all the definitions provide just a list of
single infrastructures.
42
due to various degree of damage of the infrastructure. This implies thus the
understanding of the level of vulnerability and resilience of each infrastructure, in
order to evaluate their level of criticality. In addition the criticality of an
infrastructure has to be understood in two but complementary ways: an
infrastructure is considered critical because its potential disruption or lack may
lead to an emergency situation and because in case of en emergency situation,
they may be used to solve a crisis situation.
A critical situation is defined with respect to the strategic objectives of a National
state. However, the given criticality criteria leave problematic room for
interpretation. They are limited to the standpoint of the authorities, while the
criticality of an infrastructure might be different for the owner, insurer, or other
stakeholder. They refer as well to a national scale, while the criticality might be
different at regional or local level. Finally, they are valid at a certain time but they
might evolve, as political concerns evolve themselves.
The given lists are illustrative but not exhaustive and they do not address the
existing interdependencies between the infrastructures.
43
Twenty years ago, infrastructure was defined primarily with respect to the adequacy of
the nations public works, which were believed to be suffering from severe problems of
deterioration, technological obsolescence and insufficient capacity to serve future growth.
In the mid-1990s, however, the growing threat of international terrorism led policy
makers to reconsider the definition of infrastructure in the context of homeland
security. The number of infrastructure sectors and the type of assets considered to be
critical for purposes of homeland security has been expanded, as the focus of public
policy debates shifted from infrastructure adequacy to infrastructure protection.
On July, 15, 1996 President Clinton signed Executive Order 13010 establishing the
Presidents Commission on Critical Infrastructures Protection. Infrastructure was defined
as the framework of interdependent networks and systems comprising identifiable
industries, institutions (including people and procedures), and distribution capabilities
that provide a reliable flow of products and services essential to the defence and
economic security of the United States, the smooth functioning of government at all
levels, and society as a whole. If the general concept of vital or critical infrastructures
was not entirely new, the EO 13010 did break new ground in listing what was considered
to be critical infrastructures, which was much broader than that reported on the national
Council on public Works Improvement. Further definitions, in the presidential Decision
Directive 63, signed on May 22, 1998, added the cyber infrastructures. After the
attacks of September 11, 2001, the Executive Order 13228, signed in October 16, 2001
by President Bush, included nuclear sites, special events, and agriculture. In addition to
national security and national economic security, the criterion of public health and safety
was added. The USA PATRIOT Act of 2001 introduces the concept of key resources
defined as publicly or privately controlled resources essential to the minimal operations
of the economy and government. They are distinct from Critical infrastructures but
require the same protection.
The last updated definition is found in The National Strategy for Homeland Security,
issued in July 2002. It restates the same definition but expands it, listing specific
infrastructures sectors as critical (see the above mentioned list of 13 critical sectors).
Furthermore, it introduces a new criterion to assess criticality: the importance of some
infrastructures or assets to the nations morale. With respect to previous lists it includes
chemicals (because they can be a source of materials that could be used as Weapon of
Mass Destruction), and postal and shipping services, due to their economic importance.
The cyber infrastructure is considered apart. Key resources are replaced by the concept of
key assets, as individual targets whose destruction would not endanger vital systems, but
could create locale disaster or profoundly damage our Nations morale or confidence.
This includes the diverse array of national monuments, symbols and icons, facilities and
structures that represent the national economic power and technological advancement,
structures where large number of people regularly congregate to conduct business or
personal transactions, shop or enjoy recreational pastime. The following table (Table 6),
taken from Moteff, Copeland, Fisher, 2003, shows how various infrastructures are
considered critical as a function of the criteria of criticality considered.
44
Telecommunications
information networks
Energy
Banking/finance
Transportation
Water
Emergency services
Government
Health services
National defence
Foreign intelligence
Law enforcement
Foreign affairs
Nuclear facilities, in
addition to power plants
Special events
Food/agriculture
Manufacturing
Chemical
Defence industry
Postal/shipping
National monuments
icons
x
x
x
x
x
x
x
X
X
x
X
x
x
x
x
x
X
x
x
Source: Moteff, Copeland, Fisher, 2003,
Criteria to assess the criticality of an infrastructure reflect thus the major political
concerns and might evolve as these matters evolve. In Europe, the strategy to protect
Critical Infrastructures has been launched in the context of the fight against terrorism.
Though, this raises the problem to know if these criteria are accurate and precise enough
to assess criticality.
4.2.2. A subjective standpoint on criticality
Metger highlights that the classification of what critical is lies mainly in the eye of the
beholder (Metzger, 2004). Government has different priorities for classifying
infrastructure as critical, than an organization or an individual. Different types of
stakeholders are concerned with the definition of critical infrastructures. Each of them, as
a function of its own interests, has a different perception of what criticality represents
for him and refers to what would constitute a crisis situation. We may distinguish
standpoints on criticality:
45
- National authorities and decisions- makers have to guarantee national interests and so
far, they have been the most active in defining the criticality. The main existing concern
is now the protection of most critical infrastructures against intentional acts. Existing
criteria of national defence, national economy security, public health and safety, nations
morale are therefore criteria representing their matters of concern.
- Owners of infrastructures and assets: The main concern of the owners of
infrastructures, most often private ones, is the reliability of the service delivery. The
criticality of their infrastructure lays in the potential loss of quality, competitiveness,
reliability of the service delivered. Criteria are therefore for them business continuity,
infrastructure reliability and service competitiveness.
- Insurers: For the insurance and reinsurance companies, the most critical infrastructures
are the one, which, if damaged, will be the most expensive to insure. The criticality level
is determining to define their insurances fees, and even to decide not to insure one or
more assets. Criticality criteria are thus related to the insurance company sustainability
and business continuity.
- Experts and scientists: They aim at defining criticality in an objective way, assessing
the potential impact of the disruption of one or more infrastructure. However, as a
function of the scientific background of each type of experts, the criticality will refer to
technical, economical, geographical, social criteria.
- Other stakeholders and the general public: The availability of a large number of
services, such as electricity, water supply, telecommunications, etc. is taken as given in
our societies. Criticality refers thus for the public to the degree of dependency of the
society to these services.
The following table (Table 7) shows that criticality is expressed through different criteria
following various actors concerned. Infrastructures are viewed today either as objects to
be protected in the fight against crime and terrorism, as competitive advantages in the
private sector, as technical/operative systems, as defence-relevant strategic assets, or as
objects that are relevant for the formulation of national and international security policy.
Table 7: Actors perceptions of criticality
Types of actor
National authorities and
decisions- makers
Owners of infrastructures
and assets
Crisis situation
Incapacity to insure national
interests, the security and
safety of the citizens, the
continuity
of
the
government, generating loss
of trust in the power and a
political crisis.
Incapacity to deliver a
service with a qualitative
and quantitative reliability,
generating economic losses,
loss of competitivity, loss of
customers trust.
Criticality criteria
national defence,
national economy security,
public health and safety,
nations morale
Technical
and
service
reliability
Service competitiveness
Business continuity
46
Insurers
Incapacity
to
provide
insurances funds in case of
a too expensive damage,
generating an economic
disruption of the insurance
company.
Disruption of services,
invalidating the reliable
continuity of daily activities
and threatening life and
economic
well-being
standards.
Insurance
company
sustainability
Business continuity
Service
continuity
following the degree of
dependency.
47
48
Theological
approach
Systemic
approach
Inherently critical
(Role for the national
identity, interests)
Relatively critical
(Role within a whole system of
interdependent
infrastructures)
Infrastructure
Human targets
and national
symbols
Infrastructure-support
Info-structure
Service
Complex
systems of
infrastructures
This shows that the expected output of a discussion on the concept of criticality is the
definition of the infrastructures or piece of infrastructures to which the concept must
apply. This is strongly related with the spatio-temporal dimensions of the analysis.
4.2.4. The scaling factor in time and space
Criticality varies in time and space and is therefore strongly determined by the scale and
the time of analysis. As far as the geographical scale is concerned, one infrastructure
might be critical at national level (e.g. foreign intelligence) but less relevant at regional or
local level. On the contrary a critical infrastructure at regional or local level might not be
relevant at national or international level. The scale affects thus the choice of accurate
criteria of criticality and the involved actors must be aware of the time and space
dimension of these criteria, in order to adapt their objectives.
For a given infrastructure (e.g. the electricity infrastructure), the elements of the
infrastructure to be considered must correspond to the scale of analysis. The map 1 shows
for instance that at the level of a NUTS-level 3 Region, the transmission lines and the
production sites considered critical are those having a national or international capacity of
delivery (Logtmeijer,C., Di Mauro, C., Nordvik, J-P., 2006).
49
50
Criticality varies as well in time: A service is more or less critical as a function of the
hour, the day, week, month, etc. For instance, a blackout might more easily turn into a
crisis situation in winter than in summer, because the demand is much more important in
winter. This is also related to the geographical position: a blackout in summer, happening
in a country were ventilation systems are heavily needed will trigger a crisis situation
more easily than in a region were, in summer, temperatures averages are lower.
In addition to the spatio-temporal scaling factor, there is a need to know to what the
concept of criticality exactly applies.
4.2.5. To which infrastructure or to which part of the infrastructure does the
concept of criticality apply?
The last concern about the concept of criticality is to understand exactly to what it does
apply. Existing definitions provide illustrative lists of infrastructures. However the fuzzy
set of criteria did not allow so far providing an exhaustive list of infrastructures. Some
authors contest the necessity of giving a too precise list, since it might appear restrictive.
On the contrary, some authors assume that they should be less inclusive as not all
infrastructures should be considered critical. With the view of defining measures for the
protection of critical infrastructure, there is somehow a need to know which
infrastructures have to been in priority protected, keeping in mind that the criticality
of individual assets is potentially fluid, since criticality varies as a function of time, scale,
risk, and market changes. If there is a quite common agreement on the importance of
some infrastructures, such as the telecommunications and information networks, together
with energy, which are at the heart of almost all other infrastructures, there are still
debates on the criticality of others infrastructures. One of the ongoing debate is for
instance to know whether means of persuasion, like computer or radio or television
technology, must be considered as critical, as it is more belief-sustaining than lifesustaining. The argument parallel those for means of protection, with conservatives
generally asserting that belief in a common view of reality, especially in emergency
services, is critical to survival. This can be achieved through a precise definition of the
criteria of criticality.
Another issue is the need to clarify what is meant to be protected. Metzger assumes: is it
really the infrastructures that we need to protect above anything else? The answer is no,
because it is rather the services, the physical and electronic (information) flows, their
role and function, and in particular the core values symbolised by the
infrastructures that are the real focus of our protective interests. In order to take into
account the actual system dynamics involved and our own protective interests, it would
actually make more sense to speak of critical services robustness or critical services
sustainability rather than critical infrastructures (Metzger, 2004). Following table
(Table 8) details vital services provided by critical infrastructures in Netherlands (Luiijf
E., Burger H., Klaver M., 2003)
51
infrastructure are most essential to its function, or pose the most significant danger to life
and property if threatened or damaged. The European Green Paper on the protection of
Critical infrastructures lists following elements, whose criticality has to be assessed
(COM (2005) 576):
- Material elements;
- Non-material elements (sensors, command, information systems);
- Human elements (decision-maker, expert);
- Access to information (databases, reference systems);
- Dependence on other systems (energy, telecoms);
- Specific procedures (organisation, management of malfunctions, etc.)
Taking the example of the transportation sector, Moteff, Copeland and Fisher show that
not all components of the transportation network are equally critical: they start with the
assumption that if a bridge is destroyed by a terrorist attack: how badly would the local
economy and interstate commerce suffer? They show, on the basis of two cases-studies,
that although the transportation system is frequently congested in urbanized areas, there
are usually alternative transportation routes or facilities that come into play. There are
few instances where this is not the case and these are probably the real critical pieces of
transportation infrastructure (Moteff, Copeland and Fisher, 2003).
Finally, providing lists of critical infrastructures might lead to overlook the
interdependencies between infrastructures that might be very critical elements in a system
of infrastructures. The identification of interdependencies between assets on others
systems is another important issue for the prioritization process.
53
Theological
/ systemic
approaches
Criticality criteria
National Security and safety
Defense, Public health
Business security
Social well-being
CIP Context/
Objectives
CRITICAL
Actors
perception
Decision
makers
Owners
Experts
Stakeholders
Insurers
To which part?
Interdependencies
Infrastructure support
Info-structure
Service
INFRASTRUCTURE
Time/Scale
factors
Critical situation
Scope
Severity of
consequences
Effects of time
54
55
4.3.2. Identifying roles and responsibilities to define the objectives of the critical
infrastructures assessment.
The identification of critical infrastructures that need to be protected requires the
involvement of all concerned stakeholders. The identification of what constitute critical
services must be the result of a comprehensive review of each actors perception,
combined with the political objectives of such a strategy. The choice of the stakeholders
must be coherent with the scale chosen for the critical infrastructures assessment (at
international, national, regional, local levels). The role and responsibilities of each of
them must then be defined. The responsibility of private actors owning infrastructures is
in this view particularly relevant. Infrastructures providers have vast experience
responding to and mitigating day-to-day outages or minor disruptions, and therefore
know well how critical is there infrastructure. Authorities must be responsible for the
definition of what could lead to a political crisis, on the basis of publics concerns as well
as experts studies. They remain the entity of reference to coordinate policies and actions.
Through a process of consultation, there is a need to define a strategy for critical
infrastructure protection, which requires first to have defined the criticalitys perspective.
Metzger identifies following perspectives:
The system-level, technical perspective: CIP is approached as an IT-security or
information assurance issue, with strong focus on Internet security.
The business perspective: CIP is seen as an issue of business continuity.
The law-enforcement perspective: CIP is seen as an issue of protection of society
against (cyber-) crime.
The defence perspective: This view is either military- or civil protection-centred.
The regulatory policy perspective: The smooth and routine operation of infrastructures
and questions like privacy, or hardware and software standards must be regulated.
The national and international security policy perspective.
This issue is complicated by the fact that there might be some conflicts of interests in the
definition of what criticality is, namely between infrastructures providers and authorities:
one of the main problems is to adopt a position between everyday routine and crisis
situations. When is critical infrastructure protection a maintenance issue of business
continuity for an individual, corporate or local actor, and when is it the subject of
national and, where necessary, even international security policy?
The objectives of the criticality assessment must then result from the consultation of the
involved stakeholders. Objectives must be coherent with the ongoing policy concerns and
with the scale considered.
4.3.3. Define a methodology to identify Critical Infrastructures and critical
interdependencies
Once roles and responsibilities have been clarified and that the objectives of the
criticality assessment have been defined, there is a need to identify critical infrastructures
at the chosen scale. The aim of a methodology is to prioritize and rank most critical
infrastructures or assets requiring protection. There is thus a need to develop a
56
uniform methodology for identifying critical assets and establish and implement a more
consistent standard for what constitutes a critical asset.
The FEMA provides decision makers with the following methodology, to establish
mitigation priorities at local level. The assets and infrastructures criticality must be
assessed considering (FEMA, 2003):
- Is it an element of one of the communitys critical infrastructures?
- Does it play a key role in the communitys government, economy or culture?
- What are the consequences of destruction failure or loss of function of the assets
in terms of fatalities and/or injuries, property losses and economic impacts?
- What is the likelihood of cascading or subsequent consequences should the asset
be destroyed or its function lost?
- What is the level of resilience of the given asset or infrastructure?
The difficulty lays in the fact that the criticality approach must be based on a multidimensional approach, i.e. addressing the technical, regulatory, service-providing aspects.
This requires a multi-disciplinary quantitative and qualitative vulnerability and resilience
assessment.
The same methodology must be developed at the infrastructure or assets level. Some
elements within a critical infrastructure are far more critical: they may be lightly used or
somewhat redundant. One option is therefore would be to focus on identifying the truly
critical assets and doing things to harden or toughen them against attack or to reduce the
impact of their loss either by building in redundancies or through relocation or redesign
(to reduce associated hazards) over time. Individual critical infrastructure sectors have
implemented independent and often varying approaches for identifying their own critical
assets. For example the June 2001 security guidance issued by the national Petroleum
Council for oil and gas infrastructure stated:
The first step in the risk management process is to identify and put a value on each of
the key assets of the organization. These key assets can be people, facilities, services,
processes, programs, etc. Next, the impact of loss for each of these assets is estimated.
This is a measure of the loss to the company if the assets is damaged or destroyed. A
simple rating system based on user-defined criteria can be used to measure the value of
the asset (e.g. very low, low, moderate, high, and extremely high) and the impact of its
loss. In a more complex risk management system, the value of an asset and impact of loss
can be calculated in monetary units. These values may be based on such parameters as
the original cost to create the asset, the cost to obtain a temporary replacement for the
asset, the permanent replacement cost for the asset, costs associated with the loss of the
revenue, an assigned cost for the loss of human life or degradation of environmental
resources, costs to public/stakeholder relations, legal and liability costs, and the costs of
increased regulatory oversight (Moteff, Copeland, Fisher, 2003)
It is up to individual companies to determine the specific basis for criticality in their
security assessments. It is important to note that criteria chosen to express potential losses
must be adapted to the criticality criteria adopted, e.g. potential loss to the company
that private companies tend to use, versus, broader economic or social welfare impacts
This emphasis illustrates the practical challenge of relying on private companies to
identify critical assets in the context of national infrastructure security.
57
Step 2:
Definition of the objectives of the critical infrastructures assessment;
- Definition of the criticality criteria expressing these objectives.
58
The choice at different scales of the type of actors that need to be involved in
critical assessment. These actors are not the same, as a function of the geographical
level considered.
The definition of possible objectives for criticality assessment (e.g. business
continuity vs. exceptional crisis) as a function of the criticalitys perception of each
actors and the scale considered.
For each possible objective, the definition of criticality criteria as a function of
ongoing political concerns and of the scale of analysis.
Listing of the areas, infrastructure (and appropriated level of analysis that must be
considered, i.e. technical, regulatory, service) and interdependencies that must be
considered critical as a function of these objectives and criteria. This list should be
the starting point of the vulnerability and resilience analysis. The output of this
analysis should be the ranking of most critical areas, infrastructures,
interdependencies.
59
http://www.worldbank.org
http://www.iadb.org
50
http://www.adb.org
51
i.e. the 11 September 2002 attack on the Twin Towers in New York, USA, various blackouts that
occurred in 2003 (USA, Sweden, Italy), several successful attempts of hackers regarding the dissemination
of viruses across the world wide web, anthrax episodes, SARS dilemma, etc.
49
60
hope of a favourable outcome. These general definitions show that risk refers to a
potential outcome, that could be both negative and positive, and depending on a level of
exposure and of probability. In economy for instance, higher risk means a greater
opportunity for high returns... and a higher potential for loss (Mechler, 2003). In
management terms, risk is also seen as a measure of uncertainty about the achievements
of set objectives.
Basically, within the disaster management literature, the definitions focus on the
potential negative outcome, e.g. potential harm, or potential losses that may arise from
some present process or from some future event. Risk as a scientific term was developed
within the context of disasters in the world of engineering (Holling 1973, Walker et al.
1993, Fiering 1982). Misunderstandings arose when the definitions were transferred from
physical sciences and engineering into the realm of social sciences, which wished to
include social, political, and economic conditions. First clarification of concepts has been
proposed by UNDRO (UNDRO, 1979). However, UNDROs definitions were never
widely accepted as a reference glossary, even if some authors still refer to them (Coburn,
2001). As a result, authors still compelled to provide their own definitions. The UN/ISDR
secretariat has presented primary terms related to disaster risk reduction to practitioners
and experts for their consideration and further refinement 52(UN/IDSR 2004). They
constitute a relevant starting point.
Some examples of risk definition in the hazard and disaster management literature are
presented in Table 9.
52
An important activity in the project has been to study the terminology in several disciplines, e.g. system
safety, reliability, information technology security, and risk management, in order to clarify how concepts
such as vulnerability, dependability, risk, and robustness can be used in the infrastructure context.
61
UN/IDSR,
2004
62
that the potential negative consequences have become reality due to the occurrence of a
hazard.
(2) Therefore, the concept of risk combines the likelihood or chance of potential
consequences and the severity or magnitude of these consequences. Likelihood refers to
the probability of an event occurring, based on its passed frequency or estimation and
forecasts; the severity refers to the intensity of a hazard, and therefore to the potential
consequences on targets as a function of this intensity and of the vulnerability of targets.
(3) All these definitions are probabilistic in nature, relating either to:
(i)
The probability of occurrence of a hazard that acts to trigger a disaster or
series of events with an undesirable outcome, or
(ii)
The probability of a disaster or outcome, combining the probability of the
hazard event with a consideration of the likely consequences of the hazard.
The ambiguity as to whether it is the probability of occurrence of a hazard, or the
probability of a particular outcome that is being referred to, is addressed by Sarewitz et
al. (Sarewitz et al., 2003). They define event risk as the risk of occurrence of any
particular hazard or extreme event and outcome risk as the risk of a particular
outcome. The final outcome risk combines the expected losses from all levels of hazard
severity, taking into account also of their occurrence probability.
(4) On the basis of Crichtons risk equation, we retain the following formulation of risk
(Figure 18):
63
values (Douglas and Wildavsky, 1983). Factors affecting risk perception are for
instances:
- The type of individuals or groups concerned;
- The access to the information on risks;
- The past experience with similar disasters;
- The degree to which the hazard is perceived as controllable or its effect
preventable
- The benefits which are obtained from exposure to it and to be much greater where
exposure to the risk is voluntary (as in sports) than where it is involuntary (like
natural disasters).
There is therefore a need to distinguish the real risk from the perceived risk, which
can differ and which are both relevant for risk management. For instance if the level of
real risk is quite high but if its perception is low, the final disaster might be high, since
the effect of surprise will be greater. In addition, decision-makers can have interests and
objectives in decisions other than the simple consideration of risk mitigation, and the
general public may not see things the same way as either the experts or politicians.
Effective risk management requires information about both the magnitude of the risk
faced (risk assessment: the scientific quantification of risk from data and understanding
of the processes involved) and on how much importance society places on the reduction
of that risk (risk evaluation). This involves trading off perceived risks against potential
benefits and also includes balancing scientific judgments against other factors and beliefs.
5.1.2. Properties of hazards
.
In the disaster management literature, hazard refers to a possible source of danger, a
chance of being injured or harmed, a phenomenon of given occurrence and intensity.
Most achieved definitions have been proposed by the UN/IDSR (2004): A potentially
damaging physical event, phenomenon and/ or human activity, which may cause loss of
life or injury, property damage, social and economic disruption or environmental
degradation. Hazards can be single, sequential or combined in their origin and effects. In
others definitions, hazardous situation replace the focus on hazardous event: A condition
or situation which has the potential to create harm to people, property, or the
environment (Ipenz53).
Following these definitions, hazard is defined as a function of following properties:
(1) Its probability/primacy, i.e. its shock value based on time elapsed since previous
occurrence;
(2) Its predictability, i.e. the degree of warning available;
(3) Its prevalence, i.e. the extent and duration of hazard impacts
(4) Its pressure, i.e. the intensity of impact.
Hazards can therefore be described as a function of the following characteristics (Table
10 / Figure 19):
53
http://www.ipenz.org.nz/ipenz/
64
Description
Natural, socio-natural, technological, sociopolitical, man-made hazards
Only those occurrences that exceed some
common level of magnitude are extreme
Space covered by the hazardous event
Pattern of distribution over the space in
which its impact can occur.
Length of time between the first
appearance of an event and its peak
Length of time over which a hazardous
event persist, the onset to peak period.
Duration
Frequency/Probability
Nature
Magnitude
Duration
HAZARD
Frequency
Speed of onset
Location
Probability
65
Nature
Duration
Nature
Magnitude
Duration
HAZARD
Duration
Magnitude
HAZARD
Frequency
Speed of onset
Location
Nature
Magnitude
Probability
Location
Hazard
Sensitivity
HAZARD
Frequency
Speed of onset
Probability
Location
Hazard
Susceptibility
Degree of
exposure
ELEMENT
AT RISK
ELEMENT
AT RISK
Frequency
Speed of onset
Probability
Hazard
Susceptibility
and
capacities
Degree of
exposure
Resistance
/ resilience
capacities
ELEMENT
AT RISK
Vulnerability
Degree of losses
and damages
Technical approach
Degree of losses
and damages as a
function of the
exposure
Socio-technical approach
The growing body of literature on vulnerability and adaptation contains a sometimes bewildering array of
terms: vulnerability, sensitivity, resilience, adaptation, adaptive capacity, risk, hazard, coping range,
adaptation baseline and so on (IPCC, 2001; Burton et al., 2002). The relationships between these terms are
often unclear, and the same term may have different meanings when used in different contexts and by
different authors.
66
(1) First definitions of vulnerability focused on the degree of loss and damages
due to the impact of a hazard, i.e. on the technical dimensions of vulnerability. Historical
or social dimensions of vulnerability were not addressed. Proposed measures to reduce
vulnerability, i.e. the sensitivity of the element at risks to the impact of a given hazard,
were therefore limited to engineering and technical measures.
(2) The second step is linked to the understanding at the beginning of the 1980s
that the degree of loss and damages was determined by the degree of exposure to the
hazard. Vulnerability was therefore defined as the likelihood of being exposed to hazards
and as the susceptibility of an element at risk to suffer losses and damages as a function
of its degree of exposure to a given source of hazard. All elements at risk do not show the
same level of exposure to a hazard, as a function of their location in space for instance.
The assessment of losses and damages as a function of the degree of exposure became the
measure of vulnerability (Dow, 1992).
(3) Finally, as a result of two scientific approaches a third type of definitions was
proposed:
- On the one hand, applied sciences underlined the fact that the degree of loss and
damage depends on internal characteristics of the element at risk. Vulnerability was thus
considered as an internal risk factor, related to the resistance capacity of the element at
risk: beyond a given level of resistance, the element at risk could suffer damages.
- On the other hand, within social sciences, Susman et al (Susman and al., 1983)
introduced the topic of a populations capacity to cope with a disaster, absorb and recover
as a measure of their vulnerability. Triggers of natural disasters occur, but household and
social systems allow them to become (or prevent them from becoming) disasters through
their response. This capacity for adaptation was defined as the capacity of resilience of a
society. The definition of reference of vulnerability was proposed by Blaikie and al.:
vulnerability refers to the characteristics of a person or a group in terms of their
capacity to anticipate, cope with, resist and recover from the impact of a natural or manmade disaster, noting that vulnerability is made up of many political-institutional,
economic and socio-cultural factors (Blaikie and al., 1994).
This historical evolution leads to the distinction between two categories of definitions for
vulnerability, viewing vulnerability either (Figure 21):
(i) In terms of the amount of (potential) damages caused to a system by a particular event
or hazard (Jones and Boer, 2003), or
(ii) As a state that exists within a system before it encounters a hazard event (Allen,
2003).
(i) The biophysical vulnerability is defined by a hazards and impacts approach.
It refers to a hazard-dependent vulnerability of a human system, which is determined by
the nature of the physical hazard(s) to which it is exposed, the likelihood or frequency of
occurrence of the hazard(s), the extent of human exposure to hazard, and the systems
sensitivity to the impacts of the hazard(s)55. The term biophysical [...] suggests both a
55
- The extent to which an individual, community, sub-group, structure, service, or geographic area is
likely to be damaged or disrupted by the impact of a particular disaster hazard.; the degree of loss to a given
67
physical component associated with the nature of the hazard and its first-order physical
impacts, and a biological or social component associated with the properties of the
affected system that act to amplify or reduce the damage resulting from these first-order
impacts. Biophysical vulnerability is often viewed in terms of the amount of damage
experienced by a system as a result of an encounter with a hazard. These are indicators of
outcome rather than indicators of the state of a system prior to the occurrence of a hazard
event.
The difference with the risk is that risk combines the expected losses from all levels of
hazard severity, taking account also of their occurrence probability. Alexander, 2000
even considers using another expression such as innate risk instead of vulnerability for
risk analysis in order to avoid confusion.
(ii) The second category of definitions falls within the approach considering
vulnerability as a state, i.e. as a variable describing the internal state of a system (Allen,
2003).) In this formulation, vulnerability is something that exists within systems
independently of external hazards, i.e. is a hazard-independent vulnerability56. For
many human systems, vulnerability viewed as an inherent property of a system arising
from its internal characteristics may be termed social vulnerability (Adger, 1999;
Adger and Kelly, 1999). For vulnerability arising purely from the inherent properties of
non-human systems or systems for which the term social is not appropriate the term
inherent vulnerability might be used (FEMA, 2003). Social vulnerability refers to the
state of a society before a disaster strikes. The social vulnerability determines how a
society will respond and cope with a disaster situation.
The interaction of hazard with social vulnerability produces an outcome, generally
measured in terms of physical or economic damage or human mortality and morbidity
(Brooks and Adger, 2003). Hence social vulnerability may be viewed as one of the
determinants of biophysical vulnerability. Although, social vulnerability is not a function
of hazard severity or probability of occurrence, certain properties of a system will make it
more vulnerable to certain types of hazard than to others. We must therefore distinguish
factors such as generic determinants of social vulnerability (e.g. poverty, inequality,
health, access to resources and social status), and others such as hazard- specific factors.
element at risk or set of such elements resulting from the occurrence of a phenomenon of a given
magnitude and expressed on a scale of 0 (no damage) to 1 (total loss) (Buckle et al. 2001)
56
The conditions determined by physical, social, economic and environmental factors or processes, which
increase the susceptibility of a community to the impact of hazards. For positive factors, which increase
the ability of people to cope with hazards, see definition of capacity.
Vulnerability is the product of sets of prevailing conditions within which disasters may occur. (Lewis
1999)
68
Nature
Duration
Magnitude
HAZARD
Speed of onset
Frequency
Location
Probability
System at risk
Hazardindependent
Vulnerability:
Social or inherent
Vulnerability
Hazard-dependent
Vulnerability:
biophysical vulnerability
Outcome vulnerability
factors
The reflection on social vulnerability led to the need to understand better the concepts
of resilience and adaptation that are used to define the capacities of a society to
anticipate, cope and recover from a disaster.
69
70
Amount of
changes that
can be
absorbed
Speed / time
to return to
equilibrium
SYSTEMS
RESILIENCE
Capacity for
learning and
adaptation
Capacity for
self-organization
Efficiency of the
systems function
Maintaining the
existence of the
systems function
71
72
the system to adapt and recover from a disaster. The post-disaster vulnerability analysis
may reveal features of hazard-independent vulnerability (Figure 23).
Level of exposure
Hazard-independent Vulnerability
Hazard
Hazard-dependent Vulnerability
Resilience
Susceptibility
Effective impacts
balanced by capacities
Likelihood of hazard
Differential exposure
Sensitivity/capacity of the
system at risk
Coping Capacity
Recovery
State of emergency
Time
Potential losses
Effective losses
External side
Internal side
Crisis
73
Systemic risk: Risk that affects an entire financial market or system, and not just specific participants.
(http://www.investorwords.com/5817/systemic_risk.html).
Systemic risk is the danger that problems in a single financial institution might spread and, in extreme
situations, such contagion could disrupt the normal functioning of the entire financial system (Bank for
international Settlements, 2002).
A systemic event is defined as a financial crisis that causes a substantial reduction in aggregate economic
activity, such variables as housing starts, home sales, consumption, output and employment. Systemic risk
is the possibility that a systemic event may occur In many groups of interrelated and interdependent
living things, a breakdown in the functioning of one or a few entities can spread to many others, causing
sufficient damage to harm the well being of the group or system as a whole. The nature of the event, its
timing and incidence, and its likely effects are studied in an effort to identify means of reducing potential
losses (OFHEO, 2003).
58
http://en.wikipedia.org/wiki/Main_Page
74
Following IRGC, the concept of Systemic risk denotes the embeddings of any risk to
human health and the environment in a larger context of social, financial and economic
consequences and increased interdependencies both across risks and between their
various backgrounds. Systemic risks are at the crossroads between natural events
(partially altered and amplified by human actions such as the emission of greenhouse
gases), economic, social and technological developments and policy-driven actions, both
at the domestic and the international level. These new interrelated and interdependent risk
fields also require a new form of handling risk, in which data from different risk sources
are either geographically or functionally integrated into one analytical perspective.
Handling systemic risks requires a holistic approach to hazard identification, risk
assessment, concern assessment, tolerability/acceptability judgements and risk
management. Investigating systemic risks goes beyond the usual agent-consequence
analysis and focuses on interdependencies and spill-over risk clusters (IRGC, 2005).
These definitions leave room for interpretation but show adequacies with the need to
address risks related to critical infrastructures. Indeed the concept of systemic risks
appeared in tight relation with technological advancement, which characterizes most of
critical infrastructures. Technology advancement has led to the creation of fasterperforming, more efficient and bigger systems and networks, resulting in a world where
people, goods, services and information can travel distances in less and less time. This
evolving global status quo has indeed brought the above-mentioned advantages; however,
it has also laid the foundations for a potentially vulnerable society that is becoming very
dependent on technology.
Systemic risks refer also to a potential systemic territorial impact. These impacts can
take place at global, national, regional and local level. Systemic risks characteristically
have impacts on society on large scale and their effects may spread much further from the
original source of hazard. Those risks widely affect systems that society depends on, such
as health, transport, environment, telecommunications etc., and their consequences may
be technical, social, environmental and economical.
In theory, systemic risks have always existed. However, our awareness of our evolving
vulnerability with respect to them has increased. The evolving inter-dependence of
technological and societal systems comes at a cost and needs to be better understood and
internalised into territorial systemic risk assessment and management practice. The
dynamic relationship between social and technological systems and their impacts have to
be studied in the short, medium and long terms in order to better address our changing
vulnerability. Systemic risks require therefore cross-scientific research on critical systems
and possible vulnerabilities. The shift towards vulnerability assessment is enhanced by
the difficulty to assess hazards to critical infrastructures.
5.2.2. From the hazard to the threat concept
A quick glance at existing hazards to critical infrastructures, allows highlighting how
limited the classical concept of hazard is to define them. Potential hazards are described
as a function of their nature, distinguishing human/non-human acts, internal/external
sources of hazards (Table 11). Non-human actions are related to technical components
75
and their failures, and to natural hazards. Within the human actions, intentional acts must
be distinguished from non-intentional acts (Table 12). The distinction between
internal/external sources of hazards is especially relevant for Critical infrastructures,
since hazards triggered by internal disruptions are important.
Table 11: Potential hazards to critical infrastructures
Human
Non-human
External
Intentional or
unintentional actions by
groups or individuals
outside of the system/
installation.
Stress to the system
caused by external
pressure like natural
hazards or disruptions of
other technical systems.
Internal
Intentional or unintentional
actions by employees or
contractors.
Table 12: Intentional and unintentional acts as hazards for critical infrastructures
Internal causes
Intentional
Unintentional
External causes
Infiltration,
Physical sabotage
Market manipulation,
Terrorism
Terrorist action
Cyber threats
Sabotage
War
Human factors, lack or Human factors
reduced
level
of
maintenance,
hardware
construction
or
design
errors,
inadequate
investments in production
and/or
transmission
capacities
Some authors, as far as critical infrastructures are concerned prefer, to speak about
threat instead of hazard. A threat is a very low-probability but serious event - which
some analysts may be unable to assign a probability in a risk assessment because it has
never occurred, and for which no effective preventive measure (a step taken to reduce the
probability or impact of a possible future event) is available. The difference is most
clearly illustrated by the precautionary principle which seeks to reduce threat by requiring
it to be reduced to a set of well-defined risks before an action, project, innovation or
experiment is allowed to proceed (COM (2000) 1, 02.02.2000). The case of terrorist
threat is one of the main issues of concern.
76
A more specific example is the preparedness of the United States of America prior to the
devastating attack on September 11th, 2001. Although the Central Intelligence Agency
had often warned of a "clear and present danger" of using planes as weapons, this was
considered a threat, not a risk. Accordingly, no comprehensive scenarios of probabilities
and counter-measures were ever prepared for the type of attack that occurred.
Most of the threats against the vital infrastructure are associated with considerable
uncertainty. Besides the traditional physical threats, e.g. natural disasters, technical
failures, human factors, terrorism, sabotage, etc., there is an increasing awareness about
the importance of the cyber-based threats. The rapid proliferation and integration of
telecommunications and computer systems have connected infrastructures to each other
in complex networks. The resources needed to harm the critical infrastructures are easy to
acquire and the knowledge of how to use them is relatively easy to obtain.
Consequences related to the concept of threat and associated level of uncertainty is
fundamental:
- The risk model for Critical Infrastructures is not anymore defined as a function
of the hazard but as a function of Threat, Critical assets and Vulnerability (Figure
24)
- There is a need to shift towards Vulnerability assessment of ranked critical assets,
since threats can not be identified precisely.
Where:
77
78
79
Defined here as the analysis of the degree to which a system, subsystem or system component is likely
to experience harm due to exposure to a hazard, either a perturbation or stress/stressor(Turner and al,
2003);
60
A weakness in automated system security procedures, administrative controls, physical layout, internal
controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or
disrupt critical processing www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
Vulnerability is the existence of a weakness, design, or implementation error that can lead to an
unexpected, undesirable event compromising the security of the system, network, application, or protocol
involved www.dhs.state.or.us/policy/admin/security/glossary.htm
"A vulnerability is a feature or bug in a system or program which enables an attacker to bypass security
measures."( Schultz Jr. et al. 1990)
"An aspect of a system or network that leaves it open to attack www.dfncert.de/eng/pre99papers/certterm-print.html
80
Vulnerability of
interdependent
infrastructures
Vulnerability of
dependent
territorial systems
DIRECT
DIRECT
VULNERABILITY
VULNERABILITY
INDIRECT
VULNERABILITY
INDIRECT
VULNERABILITY
Domino Effect
Domino Effect
81
The classical concepts used for risk analysis show some specificity when applied to
Critical Infrastructures, mainly related to the introduction of a systemic perspective. The
shift towards the threat concept highlights the importance of the vulnerability analysis, in
relation with the concept of criticality. The coming sub-section addresses the factors
affecting the vulnerability analysis of systems of critical infrastructures.
5.3. Main issues raised by the application of the concept of vulnerability to Critical
Infrastructures
Issues related to the application of the concept of vulnerability to critical infrastructures
systems are related to the interactions between criticality and vulnerability, time and
space scaling factors, and to the definition of accurate parameters and indicators to
express vulnerability. All these issues are related to the concern of allowing a transition
from the conceptual reflection to a more operational context.
Service of INF 2
Service of INF 3
Service of INF1
Service of INF 2
SUB S1
SUB S3
SUB S2
Service of INF 3
Level of exp. for
cascading vulnerability
82
83
- The degree of dependency refers to the other side of the degree of criticality : the more
one system is depending on the good functioning of a critical element, the more the entire
system is vulnerable against the disruption of this element. The concept of dependency
allows introducing the concept of indirect exposure of a dependent system, referring to
the indirect or cascading vulnerability. The dependent system can be either the system of
the critical infrastructure or the territorial systems depending on a critical service. The
following map shows for instance the degree of dependency of Nuts region on the main
energy infrastructures. The dependency is expressed in terms of accessibility to the
networks services and is measured as a function of the density of nodes for each region
(Map 4)
84
85
service to users as long as the condition does not occur during the peak usage period
when reserve margins are critically low (Rinaldi Peerenboom, Kelly, 2001).
Second, it refers to the way the crisis develops: time is an essential factor underlying the
evolution of vulnerability across a system and the associated areas. As the criticality is
also time-dependent, the vulnerability evolves as a function of the spreading of a
cascading failure and as a function of the succession of crisis periods: A triggering
hazards may result in cascading effects when affecting first the critical infrastructure
itself and then the dependent infrastructures and territorial systems. The lag of time
depends on the type of disruption and the way it propagates. Failures in these
infrastructures can lead to additional damage that typically emerges and grows over time.
Steetskamp & van Wijk (Steetskamp & van Wijk, 1994) characterize the effects, their
growth over time and the growth of extent of these additional damages. Table 14 shows
examples of possible effects of energy outages and the time log of these effects.
Table 14: Cascading hazards in time after electric power supply failure
Infrastructure
Transport
Communication
Waste disposal
Electricity
Drink water
Sewage
management
Gas
Telecommunication
0-2 hours
2-8 hours
8-24 hours
24 hours >>
No traffic at all,
No public
Delays increase
Depends on
transport
and ripple through fuel supply
characteristics of
problems
area and nature of to un-affected
parts of the
train-system.
system. No traffic
Electricity
at all on affected
dependent: no
parts
traffic, nondependent on
electricity: traffic
with delays. Urban
systems stop, road
traffic in chaos
Difficult to supply Information back set, more personnel
Availability of
information,
needed
personnel
decreases
outages of
transmission poles
Difficult due to traffic congestions,
Collection is difficult, possible undelay in disposal of waste
hygienic circumstances
Difficult to keep
Possible problems
communication up with fuel supply
for generators
Production: control of remote stations
Water is
Distribution: local pressure drops on stations without
guaranteed
generators, in case of loss of pressure devices: nor water on
higher floors
Low lying areas,
Flooding in higher Also flooding in
flooding
with rainfall:
areas as well
case of no rain
flooding of sewer
water after 2 hours
Generally no problems, receivers will endure problems in
In case of pressure
energy dependent systems; climate control, watersupply.
loss: temperature
drops
Telephone is assured, possible problems with GSM systems,
Telephone system
internal operators outage. No fax, congestion in telephone
assured. Possible
86
network
problems with
generators due to
fuel supply
problems
The post-crisis phase refers to the recovery and resilience of systems after the
emergency phase. The normal operation of an infrastructure and the repair of a disrupted
infrastructure generally involve multiple functions (activities, processes, or operations).
Some of the functions occur sequentially in time, whereas others occur in parallel. There
may be large uncertainties about the amount of time needed to successfully complete
each step in the repair process. Such operational complexities and the associated
uncertainties must be identified and incorporated into analysis frameworks to develop
realistic and meaningful insights into normal operations and response and recovery
strategies. In addition, taking on board the analysis of the resilience, through the analysis
of the coping capacities and the recovery process may help assessing the short-term and
long-term consequences within a vulnerability scenario. Debates are ongoing on the way
to define parameters and indicators to analyze the resilience of socio-economic systems.
One fundamental aspect is the assessment of the reversibility or irreversibility of some
consequences. This will determine the next pre-crisis phase. Vulnerability is dynamic and
its characteristics change over time. It may change slowly as a result of the development
process (Alexander, 2000) but it may also change very quickly due to a sudden disaster.
Each significant disastrous event increases the overall vulnerability of the society
abruptly and interrupts its steady developmental improvements (Figure 26).
87
According to the scale and time of the vulnerability analysis, appropriate parameters and
indicators are required to express the vulnerability.
88
parameters will not be the same. Burton proposed five criteria to assess the biophysical
vulnerability of cities: the biological sensibility of the population, importance of the
structures, risks related to the disruption of vital infrastructures, potential economical
losses, risks related to institutional or organisational disruption. Social vulnerability is
determined by factors such as poverty and inequality, marginalisation, food entitlements,
access to insurance, and housing quality financial resources, health state of the
population, existing alternative resources, experience and knowledge of the population,
existing coping capacities. (Burton and al. 2002; Blaikie et al., 1994).
Figure 27 shows for instance the possible dimensions of vulnerability and capacities.
Though, indicators expressing hazard-independent or hazard-dependent vulnerability
were different. The choice of the corresponding indicators must be based at least on three
criteria: availability and coverage, measurability and accuracy, frequency of update.
2/ In the frame of the hazard-dependent analysis, The vulnerability analysis must focus
first on the level of exposure, relative to hazard independent parameters describing the
strength or weakness of a sub-system, and its degree of dependency from the services
89
90
91
6. Conclusions
The objective of this report was to review the conceptual and epistemological background
concerning systems of interdependent critical infrastructures and associated risk and
vulnerability.
From the epistemological standpoint, it appeared that the field of analysis for the
vulnerability of critical infrastructures comes at a scientific crossroad, encompassing
technical, socio-economical, political, scientific conceptual approaches. Various aspects
are analyzed within different fields without any multi-disciplinary overview. This raises
the problem of the comparison and reutilization of the terminology from one field to
another. While systemic risks require cross-scientific research on critical systems and
possible vulnerabilities, decision-making on risk often fails to successfully combine
scientific expertise with careful consideration of the socio-cultural aspects of risk issues.
Scientific knowledge alone cannot produce the expected basis for political decisions
(IRGC, 2004).
From a conceptual standpoint, the systemic approach appeared as a solution, since it
allows a coherent and holistic approach of the multi-dimensional characteristics of the
problem:
Applied to the analysis of the spatial systems formed by critical infrastructures,
the systemic paradigm refers to the definition of organisation, location and functioning of
critical infrastructures systems, based on human, technical, political, geographical, social
sub-systems, according to a territory.
Applied to the analysis of the criticality, the system approach allows analysing the
context, the scale, the time, the types of infrastructures, the actors perceptions leading to
various understandings of the concept of crisis and criticality, as well as the main policy
issues.
Applied to the concepts of risks, hazards and vulnerability, the systemic approach
allows characterizing systemic risks, cascading hazards and cascading vulnerability, in
tight relation with the criticality, the scale, the time and the multi-dimensional issues of
the vulnerability.
On the basis of the work, coming research should address problems related to the
identification and definition of accurate tools and methodologies, allowing decisionmakers to adopt an appropriate Critical Infrastructure Protection Strategy and taking on
board holistic, multi-disciplinary requirements.
92
7. References
ADGER, W. N. (1999). Social Vulnerability to Climate Change and Extremes in Coastal
Vietnam. World Development, 27 (2), pp. 249-269.
ADGER, W. N. (2000). Social and Ecological Resilience: Are They Related? Progress
in Human Geography 24 (3), pp. 347-364.
ADGER, W. N. (2003). Building Resilience to Promote Sustainability: An Agenda for
Coping with Globalisation and Promoting Justice. IHDP Update, pp. 2:1-3.
ALLEN, K. (2003) Vulnerability reduction and the community-based approach, in
PELLING (ed.), Natural Disasters and Development in a Globalising World. Pp. 170184.
ALEXANDRE, D.E. (2000). Confronting Catastrophe. Terra Publishing, Harpenden. 282
p.
ANDERSON, M., WOODROW, P. (1998). Rising from the Ashes: development strategies
in time of disasters. London Westview Press, intermediate technology publications.
BANK FOR INTERNATIONAL SETTLEMENTS (2002). Risk measurement and
systemic risk, Committee on the Global Financial System, Proceedings of the Third
Joint Central Bank Research Conference, 7-8 March 2002, Basel, Switzerland.
BATES, F. L. & W. G. PEACOCK (1993). Living conditions, disasters and development:
an approach to cross-cultural comparisons, Athens, USA: University of Georgia Press.
BATTY, M. (2003). Network Geography: relations, Interactions, Scaling and spatial
processes in GIS. Centre for advanced spatial analysis, Working paper series,
paper 63, pp. 1-24
BERTALANFFY, L. (1973). Theorie Generale des systemes, Dunod.
BLAIKIE, P., CANNON, T., DAVIS, I. & WISNER, B. (1994). At Risk: Natural Hazards,
Peoples Vulnerability and Disasters. London, Routledge.
BOHLE H-G. (2001) Vulnerability Article 1: Vulnerability and Criticality. In Newsletter
of the International Human Dimensions Programme on Global Environmental
Change, Nr. 2/2001
http://www.ihdp.uni-bonn.de/html/publications/update/update01_02/IHDPUpdate01_02_bohle.html
93
http://www.tyndall.ac.uk/publications/working_papers/wp26.pdf
BUCKLE P., MARS G., SYD SMALE R. (2000). New approaches to assessing
vulnerability
and resilience. Australian Journal of Emergency Management.
2000. pp. 8-16. (69)
BUCKLE, P., GRAHAM, M., and SMALE, S. (2001). Assessment of Personal and
Community Resilience and Vulnerability. Report EMA Project 15/2000. May 2001.
BULLOCK, S., COHEN, N., DI PAOLO, E., NOBLE, J. Simple Models of complex
networks. Case for support. Simple Models of Complex Networks Research
Cluster. www.comp.leeds.ac.uk/seth/cluster/cluster.ps
BURBY, R.J. (1991). Sharing Environmental Risks: How to control Governments losses
in Natural Disasters. Westview Press, Boulder.
BURTON, I., HUQ, S., LIM, B., PILIFOSOVA, O. AND SCHIPPER, E. L. (2002).
From impacts assessment to adaptation priorities: the shaping of adaptation policies.
In Climate Policy, 2, pp.145-159.
BUSH G.W. (2001). September 11/2001: Attack on America. Executive Order Critical
Infrastructure Protection in the Information Age. Office of the Press Secretary, the
White House, October 16, 2001. Downloaded from
http://www.yale.edu/lawweb/avalon/sept_11/execord_1016.htm
CANNON, T. (2000). Vulnerability analysis and disasters. In: D J Parker (ed.) Floods
Routledge.
CANNON, T. (1994). Vulnerability analysis and the explanation of "natural" disasters', in
VARLEY, A. (ed.) Disasters, development and the environment, Chichester: John
Wiley.
CHAMBERS R, PACEY A, THRUPP L (eds)(1989), Farmer first. London, Intermediate
Technology Publications
CHAPMAN, D. (1994). Natural Hazards. Oxford University Press. 174 p.
CHRISTALLER, W. (1933). Die zentralen Orte in Sddeutschland, Darmstadt :
Wissenschaftliche Buchgesellschaft, [Abt. Verl.], 1980, 3., unvernd. Aufl.,
reprograf. Nachdr. d. 1. Aufl. Jena 1933
CLARK, G., MOSER, S., RATICK, S., DOW, K., MEYER, W. EMANI, S., JIN, W.,
KASPERSON, J., KASPERSON, R., AND SCHWARZ, H. Assessing the
Vulnerability of Coastal Communities to Extreme Storms: the Case of Revere, MA.,
U.S.A. 1998.
COBURN A.W., SPENCE, R.J.S., POMONIS A. (1994) Training Manual: Vulnerability
and Risk Assessment (2d Edition). UNDP Disaster management Training
Programme. http://www.proventionconsortium.org/toolkit.htm
COM (2004) 702 final Communication from the Commission to the Council and the
European Parliament Critical Infrastructure Protection in the fight against
terrorism
http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/com/2004/com2004_0702en01.pdf
COM (2005) 576 final Green paper On a European Programme for Critical
Infrastructure Protection
europa.eu.int/eur-lex/lex/LexUriServ/ site/en/com/2005/com2005_0576en01.pdf
COM (2000) 1. European Commission (2000). COMMUNICATION FROM THE
COMMISSION on the precautionary principle, 02.02.2000.
CRICHTON, D. (1999). The Risk Triangle. In Natural Disaster Management. Jon
Ingleton (Ed) Tudor Rose, London.
94
95
96
LUIIJF E., BURGER H., KLAVER M. (2003). Critical Infrastructure Protection in the
Netherlands: A Quick-scan. EICAR Conference Best Paper Proceedings, EICAR,
Copenhagen, 2003.
MECHLER R (2003). Macroeconomic Impacts of Natural Disasters;
http://yym.marmara.edu.tr/anasayfa/yayin/yayin1/03mechler3-n%5B1%5D.ac.doc
MITCHELL J.K (ed) (1999). Crucibles of Hazard: Mega cities and Disasters in
Transition. United Nations Publications.
MOTEFF J., PARFOMAK R. (2004) Critical Infrastructure and key assets: Definition
and
Identification. CRS Report for Congress, October 1, 2004.
MOTEFF, J. COPELAND C., FISHER J. (2003) Critical Infrastructures: what makes an
infrastructure critical? Report for Congress. Updated January 29, 2003.
NRC (National Research Council) (1989). Improving Risk Communication. Washington,
DC: National Academy Press.
OFFICE OF FEDERAL HOUSING ENTERPRISE OVERSIGHT - OFHEO (2003).
Systemic risk: Fannie Mae, Freddie Mac and the role of OFHEO. OFHEO Report
February 2003.
OFFICE OF THE PRESIDENT. OFFICE OF HOMELAND SECURITY. National
Strategy for Homeland Security, July 2002.
ORGANISATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (2003).
Emerging Systemic Risks in the 21st Century: An Agenda for Action. OECD
Publications Service, Paris.
ORGANISATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (2004).
Summary of the Conference Discussions: First Nordic Conference on Emerging Risks
and Regional Economic Development, Karlskoga, Sweden, 24 25 November 2003.
PARK, R., BURGESS E.W. AND MCKENZIE R. D. (1925). The City. Chicago:
University of Chicago Press.
PARR AR, (1987), Disaster and Disabled Persons: an examination of the safety needs of a
neglected minority. Disasters 11, pp. 148-153
PASCUAL M, GUICHARD F.(2005). Criticality and disturbance in spatial ecological
systems. TRENDS in Ecology and Evolution, Vol.20, n.2. February 2005.
PERROW, C. (1984). Normal Accident: living with High-risk Technologies. New York:
Basic Books.
QUINLAN, A. (2003). Resilience and Adaptive Capacity: Key Components of
Sustainable Social-Ecological Systems. IHDP Update 2:4-6.
RIEBSAME, W.E. (1991). Sustainability of the Great Plains in an Uncertain Climate.
Great Plains Research 1 (1):133-151.
RINALDI S.M. (2004). Modelling and Simulating Critical Infrastructures and Their
Interdependencies. Proceedings of the 37th Hawaii International Conference on
System Sciences January 2004.
RINALDI S.M., PEERENBOOM J.P., Kelly T.K. (2001). Identifying, Understanding,
and Analyzing Critical Infrastructure Interdependencies. IEEE Control System
Magazine, 0272-1708/01, Washington, December 2001.
97
98
99
European Commission
EUR 22205 EN DG Joint Research Centre, Institute for the Protection and Security of the Citizen
Luxembourg: Office for Official Publications of the European Communities
2006 99 pp. 21x29,5 cm
Scientific and Technical Research series
Abstract
The main objective of this report is to provide a state-of-the art on the existing conceptual
background dealing with the vulnerability of critical infrastructures systems, in order to highlight
the main issues for decision-making processes and to provide an overview of all the dimensions
of the problem.
The first Chapter addresses the terminology and the epistemological background for the analysis
of spatial systems of interdependent Critical Infrastructures. It analyses first the definition of a
system and of the systems approach. It focuses then on the definition of spatial systems of
critical infrastructures, following the background of the spatial analysis of networks. It ends with
the study of the factors that affect the construction of systemic models, i.e. the scale of analysis,
the choice of the sub-systems and processes to analyze according to the objectives and goals of
the analysis.
The second chapter focuses and the definition of critical infrastructures, highlighting the
conceptual debates addressing the notion of criticality. It details the existing approaches to
criticality, the complexity of the term infrastructure that reveals various possible levels of analysis
and recalls the evolution in time and space of criticality. It underlines as well the various
understandings of criticality as a function of actors perception. These elements of a conceptual
debate have very specific implication for the decision-making process. The chapter ends
therefore with a dedicated subsection on the main policy issues raised by the concept of
criticality.
The last chapter provides a review of existing definitions of risks, hazards, vulnerability and
resilience within the field of disaster management literature. This review led to the analysis of the
specificity of the field of critical infrastructures protection. In this context, the concept of systemic
risk appears more appropriate, as the shift towards the concepts of threats, cascading hazards
and cascading vulnerability. The focus on the cascading vulnerability shows that various levels of
exposed elements can be considered within critical infrastructure systems, whose vulnerability
depends on their level of dependency. Since vulnerability is also affected by time and
geographical scale issues, these factors have been further analysed, as the question of the
definition of accurate parameters and indicators to express it.
The conclusion highlights the necessity to adopt a holistic, multi-disciplinary approach to the
vulnerability analysis of critical infrastructures systems.
The mission of the Joint Research Centre is to provide customer-driven scientific and
technical support for the conception, development, implementation and monitoring of
European Union policies. As a service of the European Commission, the JRC functions as a
reference centre of science and technology for the Union. Close to the policy-making
process, it serves the common interest of the Member States, while being independent of
special interests, whether private or national.