The Vulnerability of interdependent Critical Infrastructures Systems:
Epistemological and Conceptual State-of-the-Art

Sara Bouchon

Institute for the Protection and Security of the Citizen
2006

EUR 22205 EN

European Commission
Directorate-General Joint Research Centre
Institute for the Protection and Security of the Citizen

Contact information
European Commission - DG Joint Research Centre, Institute for the Protection and Security of
the Citizen, Traceability and Vulnerability Assessment Unit,
TP 361, Via Fermi 1,
I-21020 ISPRA (VA) ITALY
sara.bouchon@jrc.it
Tel: +39 0332 78 5007
Fax: +39 0332 78 5813
http://ipsc.jrc.cec.eu.int/
http://www.jrc.cec.eu.int

Legal Notice
Neither the European Commission nor any person acting on behalf of the Commission is
responsible for the use which might be made of this publication.

EUR 22205 EN
Luxembourg: Office for Official Publications of the European Communities
European Communities, 2006
Reproduction is authorised provided the source is acknowledged

Printed in Italy

TABLE OF CONTENTS
1. Executive summary
2. Introduction
3. Definition and characterization of a spatial system of interdependent critical infrastructures
3.1. Defining, characterizing a system and the system approach
3.1.1. Definition of a system
3.1.2. The systems approach
3.1.3. Systems characteristics
3.2. Complex systems of interdependent critical infrastructures
3.2.1. A systemic approach to Critical Infrastructures
3.2.2. Interdependent Critical infrastructures systems
3.2.3. Conceptual framework for systems of interdependent infrastructures
3.3. Complex spatial systems of critical infrastructures
3.3.1. The application of the systems approach to space
3.3.2. From system analysis to spatial analysis of critical infrastructures
3.3.3. Critical infrastructures systems as spatial networks
3.3.4. Definition and characterization of spatial systems of critical infrastructures
3.4. Types of complex spatial systems of critical infrastructures
3.4.1. The scaling factor
3.4.2. The boundaries of a system
3.4.3. Processes to be modeled
3.5. Conclusion
4. How critical are critical infrastructures?
4.1. The existing definitions of critical infrastructures
4.1.1. The definition of infrastructure
4.1.2. The adjective critical and the concept of criticality
4.1.3. Defining Critical infrastructures and their interdependencies
4.2. The notion of criticality
4.2.1. The evolution in time and space of criticality
4.2.2. A subjective standpoint on criticality
4.2.3. Two differing but interrelated ways of understanding criticality
4.2.4. The scaling factor in time and space
4.2.5. To which infrastructure or to which part of the infrastructure does the concept of criticality apply?
4.3. Main policy issues for the identification of critical infrastructures
4.3.1. Allocate the resources in the most efficient way
4.3.2. Identifying roles and responsibilities to define the objectives of the critical infrastructures assessment
4.3.3. Define a methodology to identify Critical Infrastructures and critical interdependencies
4.4. Conclusion
5. The concepts of risk and vulnerability applied to critical infrastructures
5.1. Existing definitions of the basic concepts in risk analysis
5.1.1. The concept of risk
5.1.2. Properties of hazards
5.1.3. The concept of vulnerability
5.1.4. The concepts of resilience and adaptation
5.1.5. Components of vulnerability
5.2. The application of risk analysis concepts to critical infrastructures
5.2.1. From risks to systemic risks
5.2.2. From the hazard to the threat concept
5.2.3. From vulnerability to systemic vulnerability
5.3. Main issues raised by the application of the concept of vulnerability to Critical Infrastructures
5.3.1. Vulnerability and criticality
5.3.2. Vulnerability as scale and time-dependent property of systems
5.3.4. Which parameters, indicators to express vulnerability?
5.4. Conclusion
6. Conclusions
7. References

List of tables
Table 1: Examples of definition for system across various fields
Table 2: Characterizing a system of interdependent critical infrastructures
Table 3: System and spatial approaches to analyze critical infrastructures
Table 4: Corresponding properties of networks and systems
Table 5: Elements of definition for Critical Infrastructures
Table 6: Evolution of criticality criteria and infrastructures considered as critical in US
Table 7: Actors' perceptions of criticality
Table 8: Vital services provided by Critical Infrastructures (in Netherlands)
Table 9: Examples of risk definitions in the field of disaster management
Table 10: Properties and characteristics of hazards
Table 11: Potential hazards to critical infrastructures
Table 12: Intentional and unintentional acts as hazards for critical infrastructures
Table 13: Direct and indirect Vulnerability of Critical Infrastructures systems
Table 14: Cascading hazards in time after electric power supply failure

List of Figures
Figure 1: The systemic paradigm
Figure 2: The structural approach of a system
Figure 3: The functional approach of a system
Figure 4: The six systems characteristics
Figure 5: The electric power infrastructure dependencies
Figure 6: A system of critical infrastructures systems and their interdependencies
Figure 7: One example of a systemic approach to space: the Von Thunen's model
Figure 8: A regional system of critical infrastructures
Figure 9: Spatial system of critical infrastructures
Figure 10: From reality to the model: the scale factor
Figure 11: The boundaries of a system: Example of transportation
Figure 12: The three levels of analysis for infrastructures
Figure 13: Criticality and crisis
Figure 14: Criticality criteria to identify critical infrastructures
Figure 15: Two approaches to criticality
Figure 16: Main issues related to the definition of critical Infrastructures
Figure 17: Policy issues of critical infrastructures assessment
Figure 18: Crichton's risk equation
Figure 19: Properties of Hazard
Figure 20: The evolution of the definition for vulnerability
Figure 21: Hazard-independent and hazard-dependent Vulnerability
Figure 22: Features of Systems resilience
Figure 23: Vulnerability model
Figure 24: Risk Model for Critical Infrastructures
Figure 25: Cascading Hazards after Electric Power disruption
Figure 26: Criticality, Dependence, Exposure
Figure 27: The effects of disastrous events on a society during the development process
Figure 28: Conceptual diagram of social levels and examples of relevant characteristics identified for the assessment of vulnerability

List of maps
Map 1: Main energy infrastructure in North-West Europe
Map 2: Main energy infrastructure in north Italy
Map 3: Nodes criticality of the energy infrastructure in North Italy
Map 4: Degree of accessibility of NUTS-regions to the energy infrastructure

1. Executive summary
The main objective of this report is to provide a state-of-the-art on the existing
conceptual background dealing with the vulnerability of critical infrastructures systems,
in order to highlight the main issues for decision-making processes and to provide an
overview of all the dimensions of the problem.
The first chapter addresses the terminology and the epistemological background for the
analysis of spatial systems of interdependent Critical Infrastructures. It first analyses
the definition of a system and of the systems approach. It then focuses on the definition
of spatial systems of critical infrastructures, following the background of the spatial
analysis of networks. It ends with the study of the factors that affect the construction of
systemic models, i.e. the scale of analysis and the choice of the sub-systems and processes
to analyze according to the objectives and goals of the analysis. The main conceptual issues
are summarized in the following figure, which represents the territorial dimension of
critical infrastructures systems.

[Figure: A systemic approach to spatial systems of critical infrastructures. Diagram labels:
territorial background, context, environment, critical infrastructure planning and
management, critical infrastructures, critical infrastructures owners, critical
infrastructures territory, other stakeholders.]

The second chapter focuses on the definition of critical infrastructures, highlighting
the conceptual debates addressing the notion of criticality. It details the existing
approaches to criticality and the complexity of the term infrastructure, which reveals
various possible levels of analysis, and recalls the evolution in time and space of
criticality. It also underlines the various understandings of criticality as a function of
actors' perception. These elements of a conceptual debate have very specific implications
for the decision-making process. The chapter therefore ends with a dedicated subsection on
the main policy issues raised by the concept of criticality. The following figure summarises
the main issues addressed in chapter 4.

[Figure: Main issues related to the definition of critical Infrastructures. Diagram labels:
criticality criteria, CIP context/objectives, actors' perception, "To which part?",
time/scale factors.]

The last chapter provides a review of existing definitions of risks, hazards, vulnerability
and resilience within the field of disaster management literature. It allows us to define the
following model of vulnerability:

[Figure: Vulnerability Model. Diagram labels: hazard, level of exposure, hazard-independent
vulnerability, hazard-dependent vulnerability, susceptibility, resilience, coping capacity,
recovery, potential losses, effective losses, external side, internal side, time.]
This review led to the analysis of the specificity of the field of critical infrastructures
protection. In this context, the concept of systemic risk appears more appropriate, as does
the shift towards the concepts of threats, cascading hazards and cascading vulnerability. The
focus on cascading vulnerability shows that various levels of exposed elements can be
considered within critical infrastructure systems, whose vulnerability depends on their
level of dependency. Since vulnerability is also affected by time and geographical scale
issues, these factors have been further analysed, as has the question of the definition of
accurate parameters and indicators to express it.
The conclusion highlights the necessity to adopt a holistic, multi-disciplinary approach to
the vulnerability analysis of critical infrastructures systems.

2. Introduction
Past years have seen an increased number of events affecting the vital infrastructures our
society relies on: the explosion of the AZF factory (Toulouse, September 2001),
terrorist attacks targeting the underground in Madrid (March 2004) and London (July
2007), fire of a petrol deposit (Buncefield, December 2005), etc. Although these events
might appear different, they have a lot in common:
- They affected different types of infrastructures that are all considered critical
infrastructures. Critical infrastructures are those whose services are so vital that
their incapacity or destruction would have a debilitating impact on the defence or
economic security of any state: electric power, gas and oil production and distribution,
telecommunications, banking and finance, water supply systems, transportation, health
care, emergency and government services, food supply (COM (2004) 702 final).
These infrastructure systems are heavily dependent upon one another. Disruption in any
of the systems could jeopardize the continued operation of the entire infrastructure
system. The adjective "critical" is related to a key function for the society, which is
highly dependent on these infrastructures and thus highly vulnerable to their potential
disruption.
- They were triggered by various sources of hazards but showed the importance of an
expanding spectrum of threats including terrorism or other manmade disasters,
modifying the understanding of the risk's triggering event. This kind of hazard is highly
unpredictable and therefore difficult to assess and to prevent.
- They had large consequences in societies, well beyond the impact zone. In this view
they revealed various aspects of the vulnerability of our societies to this kind of systemic
risk. The vulnerability assessment of critical infrastructure thus has to face the challenge
of providing a multi-scale analysis related to the organisation of a network (several areas
related between them through a network), which might be in contradiction with the
different areas of competencies of the different administrative and political levels.
Following these events, the awareness of, and the need to better understand, the
multi-dimensional vulnerability of our territory against events affecting critical
infrastructures appeared clearly. This was expressed in October 2004 in the Communication
"Critical Infrastructure Protection in the fight against terrorism" (COM (2004) 702
final) and in November 2005 in the Green Paper "On a European Programme for
Critical Infrastructure Protection" (COM (2005)576 final) provided by the European
Commission.
The final objective is to define appropriate measures for a Critical Infrastructure
Protection Strategy, in order to ensure an adequate level of security for European citizens.
This means adopting the standpoint of decision-makers, who have to deal with and manage
risks and vulnerability over their territories of competency. Existing literature on critical
infrastructures is most often technical, which does not allow decision-makers to assess
the multi-dimensional vulnerability of the territory against the disruption of
interdependent critical infrastructures systems. In this view, there is a need:
- To define and characterize clearly which are the critical infrastructures for our
societies and how they are distributed over the territory, i.e. how they form spatial
systems of critical infrastructures.
- To understand what vulnerability and risks mean, when referring to these critical
infrastructures.
- To identify stakeholders to be involved and to define a coherent strategy for
Critical Infrastructure Protection (CIP).

The main issue is related to the specific features of vulnerability and risk related to
Critical Infrastructures. Classical risk and vulnerability analyses show some limits and
there is therefore a need to define specific definitions, tools and methodologies for critical
infrastructures. A systemic approach appears particularly appropriate, since it allows
embracing the complexity of interdependent critical infrastructures systems. This thus
requires preliminary work on the epistemological and conceptual background:
- How to define, delimit, and characterize the spatial systems formed by critical
infrastructures? What are the epistemological foundations of a systemic
approach? To what extent does it allow a better understanding of the inherent
complexity of critical infrastructures? (Chapter 3)
- To what does the adjective "critical" refer? Which are the existing criticality criteria?
To what extent are they valid and to what kind of infrastructure or piece of
infrastructure do they apply? (Chapter 4)
- How to define the concept of vulnerability of critical infrastructures? What are the
exposed elements? Exposed to what? How do criticality and vulnerability interact
in time and space? (Chapter 5)
The analysis of existing definitions, as well as the epistemological background, shows that
debates exist on the understanding of the main concepts. These debates are the result of:
- The diversity of fields and approaches using these terms;
- The diversity of approaches among various actors dealing with territorial
management;
- The inherent difficulties related to the concepts themselves.
The main objective of this report is therefore to provide a state-of-the-art on the existing
conceptual background dealing with the vulnerability of critical infrastructures systems,
in order to highlight the main issues for decision-making processes and to provide an
overview of all the dimensions of the problem.

3. Definition and characterization of a spatial system of interdependent critical infrastructures

In this chapter, we address the conceptual and etymological aspects of the definition of a
spatial system of interdependent infrastructures, focusing on the application of the
principles of system analysis to interdependent critical infrastructures and to the spatial
system they form. The objective is to provide working definitions to decision-makers,
whose first task is to identify, characterize and delimit the territory under analysis. This
implies defining and characterizing a system and the system approach (3.1), defining and
characterizing a system of interdependent critical infrastructures (3.2), defining spatial
systems of critical interdependent infrastructures (3.3) and analysing the criteria that
allow various types of those spatial systems to be distinguished (3.4).

3.1. Defining, characterizing a system and the system approach

3.1.1. Definition of a system


Basically, a system is defined as "a group of independent but interrelated elements
comprising a unified whole"[1] and is "a set of parts coordinated to accomplish a set of
goals" (West Churchman, 1968). Among the authors having proposed a general theory of
systems (Wiener, 1947; Shannon and Weaver, 1949; Bertalanffy, 1973; Le Moigne,
1977), the definition of a system is based on the following properties: Organization,
Finality, Adaptation, Openness, Evolution, Totality, Reproduction, Differentiation,
Centralization, and Hierarchy.
A large number of definitions have been provided in various fields, having in common
the objective to develop a new approach, going beyond the classical analytical causal
approach. Table 1 shows some examples of these definitions.
Table 1: Examples of definition for system across various fields
1. (Technical field) Instrumentality that combines interrelated interacting artefacts designed to
work as a coherent entity: "he bought a new stereo system"; "the system consists of a motor and
a small computer"[2];
2. (Physical chemistry) A sample of matter in which substances in different phases are in
equilibrium: "in a static system oil cannot be replaced by water on a surface"[3];
3. (Medical) A composite, at any level of complexity, of personnel, procedures, materials,
tools, equipment, facilities, and software. The elements of this composite entity are used
together in the intended operational or support environment to perform a given task or to
achieve a specific production, support, or mission requirement[4].
[1] http://www.cogsci.princeton.edu/cgi-bin/webwn
[2] ibid.
[3] ibid.
[4] www.nbc-med.org/SiteContent/glossary.asp

4. (Biology) A group of physiologically or anatomically related organs or parts; "the body has
a system of organs for digestion"[5]
5. (Structural sciences) A complex of methods or rules governing behaviour: "they have to
operate under a system they oppose"; "that language has a complex system for indicating
gender"[6]
6. (Communication Sciences) An organized collection of interrelated elements that performs
one or more functions. (The Communication Handbook); "A system divides all of the
Universe into a) all of the Universe outside the system, b) all of the universe inside the system,
and c) the little bit of remaining Universe which comprises the system that separates the
macrocosm from the microcosm". (Buckminster Fuller)[7]
7. An organized structure for arranging or classifying[8]
8. (Ecology/Environmental sciences) The region under consideration, as distinguished from
the rest of the universe (the environment). Systems may be separated from environments by
boundaries that prevent the transfer of mass (a closed system), of heat (an adiabatic system), or
of any energy (an isolated system). Systems that exchange mass with the environment are open
systems. Sometimes the word system is also used to refer to all possible compositions defined
by a particular set of components (for example, the MgO-SiO2 system)[9].
9. (Telecommunications) Any organized assembly of resources and procedures united and
regulated by interaction or interdependence to accomplish a set of specific functions. 2. A
collection of personnel, equipment, and methods organized to accomplish a set of specific
functions. (Glossary of Telecommunication terms)[10];
10. (Electricity sector) An integrated combination of generation, transmission and
distribution of electricity or natural gas that may be used by 1.) a utility, 2.) a group of utilities
through a power pool or 3.) an operator that manages services for more than one system[11]
11. (Physical geography) A system is a set of interrelated components working together
towards some kind of process. (http://www.geog.ouc.bc.ca/physgeog/physgeoglos/s.html)
12. (Regional sciences) A group of independent but interrelated elements comprising a
unified whole; "a vast system of production and distribution and consumption keep the country
going"[12]
13. Organizations that are linked together in the provision of services/products (e.g.
transportation system, K-college education system, child welfare). An interdependent linking of
organizations that rely on each other for the exchange of resources[13]
14. A set of actors or entities bound together by a set of rules and relationships into a unified
whole. A system's health is dependent on the health of the whole pattern, which can sometimes
be reflected (and thus measured) in the status of a key part of the system[14].

[5] http://www.cogsci.princeton.edu/cgi-bin/webwn
[6] http://www.cogsci.princeton.edu/cgi-bin/webwn
[7] www.worldtrans.org/whole/wholedefs.html
[8] http://www.cogsci.princeton.edu/cgi-bin/webwn
[9] expet.gps.caltech.edu/~asimow/glossary.html
[10] http://www.its.bldrdoc.gov/fs-1037/dir-001/_0063.htm#JP1
[11] http://www.niagaramohawk.com/glossary/gloss_s.html
[12] http://www.cogsci.princeton.edu/cgi-bin/webwn
[13] www.childpc.org/about/glossary.asp
[14] www.state.nj.us/dep/dsr/sustainable-state/glossary.htm

Following these definitions and existing theories of systems, we can assume that a system
is (Walliser, 1977):
- One ensemble aiming at fulfilling through various processes a goal, a function, or
at providing a service. The system approach is a dynamic and not structural one.
- One ensemble having reciprocal exchanges with an environment; these exchanges
ensure a relative autonomy of the system. Autonomy refers here to the fact that
internal interactions are determined by internal processes and not by external
processes.
- One ensemble composed of a structure of components or subsystems interacting
with each other, ensuring a relative coherency. If one of these elements is
modified, the rest of the system is affected as well.
- One ensemble subject to modifications and pressures, more or less important over
time, but maintaining permanent features.
- One ensemble constituted by a given structure corresponding to its organization.
The organization means here that existing interacting processes depend on one
another, as can be understood from the etymological roots of "system":
"holds together".

In summary, a system can be defined as an organised ensemble of sub-systems or
components and of interacting processes, which is coherent enough to keep a relative
degree of autonomy (Figure 1).

Figure 1: The systemic paradigm
[Diagram labels: Environment, Structure, Processes, Objectives, Evolution.]

3.1.2. The systems approach


Following West Churchman, the systems approach relies on the analysis of what the
whole system is, the environment in which it lives, what its objectives are, and how it is
supported by the activities of the parts. There are therefore two complementary ways of
analyzing a system (West Churchman, 1968):
1- The structural approach answers the question: what is the system made of?
2- The functional approach answers the question: how is it working?
The structural analysis (Figure 2) consists first in identifying the boundary between the
system and its environment. The system's environment refers to the fixed constraints, i.e.
what lies outside of the system. The environment is what cannot be changed by the activities
of the system. It also determines how the system performs. For instance, climate
conditions are often part of the environment: if the system is operating in a very cold
climate, so that its equipment must be designed to withstand various kinds of severe
temperature changes, then temperature changes are in the environment, because they
dictate the given possibilities of the system's performance and yet the system can do
nothing about the temperature changes. The environment can be analyzed with the help
of a matrix showing the requirements schedule that constrains the system.
The second step is to identify the elements (components, sub-systems or "black
boxes") of the system. Since systems are always embedded in larger systems, the concept
of element does not refer here to a single component but is relative to the whole it is part
of. These elements are themselves systems (and therefore sub-systems). The level of
analysis, and then the boundaries, must be defined as a function of the scope of the
analysis, so that accurate boundaries of the system and subsystems can be identified.
The analysis must then rely on the decision to consider some subsystems as black boxes,
which means that these subsystems won't be analysed as such but as components
interacting with other subsystems.
The last step is to identify existing channels of communication allowing
exchanges between elements, i.e. the organization of the system.
Figure 2: The structural approach of a system
[Diagram labels: System, Components, Sub-system 1, Sub-system 2, Channels of communication,
Inputs, Outputs, Boundaries of the system, Environment (Requirements, Constraints, Resources).]

The functional analysis (Figure 3) is based on the analysis of the function rather than on
the list of components. The preliminary task is to identify the system's objectives: they
refer to the goal and the services a given system has to fulfill or provide. The
performance of the system can be measured with respect to the required level of
expected output or service.
Most functional approaches are called "input-output approaches" or "efficiency
approaches", having the objective to identify the trouble spots, and especially the places
where there is waste, and then proceed to remove the inefficiency. The input-output
approach relies on the principle that systems are entities into which various types of
resources are input and out of which comes some kind of product or service. It aims at
exploring what kinds of activities should go inside the system in order to produce the
most satisfactory kind of output. This requires assessing the overall performance of the
system. In this view, there is a need to develop a measure of performance that is to be
maximized, where a weighted environment is partly expressed as output minus the cost of
input, where the weights are determined by standards of quality. The performance of each
component and their contribution to the performance of the overall system and the
allocation of internal resources[15] show the internal input-output processes.

Figure 3: The functional approach of a system[16]

A fundamental principle of cybernetics is the possibility to apply the systems theory to
various approaches: "Systems theory or systems science argues that however complex or
diverse the world that we experience, we will always find different types of organization
in it, and such organization can be described by principles which are independent from
the specific domain at which we are looking. Hence, if we would uncover those general
laws, we would be able to analyze and solve problems in any domain, pertaining to any
type of system"[17].
15 Resources are the internal means that the system uses to accomplish its objectives. Resources are, for
instance, money, man hours, equipment, technological advances, etc. Unlike the
environment, resources are the things the system can change and use to its own advantage.
16 http://fwie.fw.vt.edu/rhgiles/Lastingforests/LFConcept1.htm
17 http://www.worldtrans.org/whole/wholedefs.html


3.1.3. Systems characteristics

Not all systems are alike and, according to their characteristics, it is possible to distinguish
various types of systems. Six main characteristics of systems (Figure 4) are mainly
related to the four essential properties of systems: autonomy, coherency, permanence and
organization (Dupuy, 1985):
(1) Emergence: a system reacts in a different way than the sum of its parts, because of
the interactions among these parts (property of coherence);
(2) System-environment relation: in the case of quasi-isolated systems, the system is
influenced by its environment through processes of inputs, internally modifies these
inputs, and has an impact on its environment through processes of outputs. Systems vary as a
function of their degree of openness or closure, depending on the amount of input-output
flows. The output of one system can constitute the input for another system or for
the system itself (within-puts) (property of autonomy);
(3) Stability, stationarity and equilibrium: Static is applied to systems subject to constant
interactions with their environment and showing constant interactions among their
subsystems; Stationary is applied to systems showing constant transformation processes
between input and output flows with the environment and among their subsystems;
Stable is applied to a system that recovers its initial shape after having experienced a
marginal modification; Equilibrium is applied to systems when they show an equilibrium
between inputs and outputs among subsystems. This can refer to immobility or constancy
of flows. Homeostasis expresses the capacity of an open system to maintain its structure
and its functions thanks to dynamic equilibria controlled through regulation
mechanisms. All these terms refer to the permanency of systems.
(4) Causality and finality: in a causal system, the relationship between inputs and outputs
expresses a cause-consequence relation. In a system having a finality, the system keeps
following its finality, even though it is subject to external pressures. This finality can be
optimized (relative to the highest performances) or satisfactory (ensuring a minimum
level of performances).
(5) Organization: the organization is related to the existence of sub-systems. Each sub-system
might consist of sub-sub-systems and so on, down to black boxes, considered
as basic elements. Systems differ as a function of the types of existing interactions and
hierarchy among their subsystems;
(6) Adaptation, regulation: a system can have the capacity to adapt its behavior to
external pressures, maintaining its finality and its permanency. Adaptation can be
possible thanks to external regulation, or through internal auto-regulation capacities. The
capacity for auto-regulation allows assessing the degree of autonomy of a system.


After Roger Lewin (1992) Complexity: Life and the Edge of Chaos
Steven Johnson (2001) Emergence: The Connected Lives of Ants, Brains, Cities, and Software

Figure 4: The six systems characteristics¹⁸


With regard to these elements, it is possible to apply the systems approach to
interdependent critical infrastructures. This allows highlighting the conceptual
implications of using the system theory to analyze critical infrastructures, as well as
defining characteristics of these systems.
3.2. Complex systems of interdependent critical infrastructures
The systems approach has been used to identify, characterize and analyse critical
infrastructures, here defined as those whose services are so vital that their incapacity
or destruction would have a debilitating impact on the defence or economic security of any
state: electric power, gas and oil production and distribution, telecommunications,
banking and finance, water supply systems, transportation, health care, emergency and
government services, food supply (COM (2004) 702 final). These infrastructures do
not exist in isolation from one another and are increasingly interdependent: airports and
railways depend on electricity and communications, the power grid depends on
communication among power plants and distribution nodes, telecommunications
networks depend on power supply for the transmission links and the exchange nodes, etc.
A systemic approach is particularly well suited to modelling and describing systems of
interdependent critical infrastructures.
18 http://en.wikipedia.org/wiki/Image:Complex-adaptive-system.jpg


3.2.1. A systemic approach to Critical Infrastructures


Critical infrastructures are various in nature (e.g. physical, cybernetic and organizational
systems). One way to provide a common basis of analysis is the use of the systems
approach. This appears particularly appropriate when applied to critical infrastructures
since:
- Infrastructures are more than just an aggregation of their components. Typically, as
large sets of components are brought together and interact with one another, synergies
emerge. Therefore, they can be seen as systems of interacting agents, based on internal
processes.
- Critical infrastructures are defined by a number of processes aiming at fulfilling a
function, i.e. at providing a service. The inability or ability to provide such services
qualifies the overall performance of this specific critical infrastructure. This service must
be considered as a critical input to other systems (e.g. other interdependent critical
infrastructures or other systems such as the population, the economic system, etc.). The service can be
defined as a function of its nature, quantity and quality and the area of delivery;
- Each critical infrastructure is placed within an environment such as the
geographical, political and economic context, etc. The operating state and condition of
each infrastructure influence the environment, and the environment in turn exerts
pressures on the individual infrastructure (normal system operations, emergency
operations, repair and recovery operations).¹⁹ The boundaries can be limited to the system
formed by the infrastructure itself, or to the infrastructure and dependent systems, or to a
complex system of interdependent infrastructures.
- Each critical infrastructure is made of sub-systems or components interacting among
themselves, although of various natures (physical, human, organisational, etc.). The
interactions and processes are organized as a structure whose finality is the service to be
delivered.
- Critical infrastructures are subject to modifications (e.g. changes in the economy and the
market, political background, demographic changes, etc.) but show a capacity, to a
certain extent, to adapt themselves to these pressures. Vulnerability and resilience
analyses are fundamental to understand the capacity of a critical infrastructure system to
resist, reorganize and adapt to external or internal pressure.
The application of the systems approach can range from the analysis of a single type of
infrastructure to interdependent systems, within a system of systems perspective.
3.2.2. Interdependent Critical infrastructures systems
Interdependencies among infrastructures dramatically increase the overall complexity of
the systems of systems. There is therefore a need to consider multiple interconnected
infrastructures and their interdependencies in a holistic manner.
We distinguish three main approaches of interdependencies (Rinaldi, Peerenboom,
Kelly, 2001):


- First, the focus can be laid on one critical infrastructure system and on the other
critical infrastructure systems it depends on. Figure 5 shows, for instance, the critical
infrastructures the electric power infrastructure depends on.

[Figure 5 diagram: ELECTRIC POWER surrounded by ROAD, RAIL, AIR, TELECOM, BANKING and
FINANCE, NATURAL GAS, OIL and WATER. Link labels include: system control; system status;
SCADA/EMS; repair crew to sites; operation and repair crew communication; e-commerce;
materials procurement; transport to operations center; component shipping; financial
services; fuel for generators; fuel resupply; aerial inspection; cooling; emissions control]

Source: Rinaldi, Peerenboom, Kelly, 2001

Figure 5: The electric power infrastructure dependencies
In the figure, electric power is the supported infrastructure and natural gas, oil, transportation,
telecommunications, water and banking and finance are supporting infrastructures.

- In contrast to the first approach, the second approach can focus on one critical
infrastructure system and on the other critical infrastructure systems that depend on
the services provided by the system under focus.
- Finally, the last approach aims at embracing a whole system of various
interdependent critical infrastructures interacting with each other. Figure 6 gives an example of
some interdependencies existing among various critical infrastructure systems.


[Figure 6 diagram: ELECTRIC POWER, OIL, NATURAL GAS, WATER, TELECOM and TRANSPORTATION
linked to one another. Link labels include: fuels, lubricants; fuel transport, shipping;
shipping; power for signalling, switches; power for switches; power for compressors,
storage, control system; power for pumping stations, storage, control system; power for
pump and lift stations, control systems; fuel for generators; heat; water for cooling;
water for production, cooling, emissions reduction; SCADA, communications]

Source: Rinaldi, Peerenboom, Kelly, 2001

Figure 6: A system of critical infrastructures systems and their interdependencies
In the view of vulnerability and risk analysis, it is necessary to determine for each
infrastructure:
- Which other infrastructure it depends on continuously or nearly continuously for
normal operations,
- Which other infrastructures it depends on during times of high stress or
disruptions,
- And which it depends on to restore service following the failure of a component
or components that disrupt the infrastructure.
For instance, under normal operating conditions the electric power infrastructure requires
natural gas and petroleum fuels for its generators, road and rail transportation and
pipelines to supply fuels to the generators, air transportation for aerial inspection of
transmission lines, water for cooling and emissions control, banking and finance for fuel
purchases and other financial services, and telecommunications for e-commerce and for
monitoring system status and system control. During emergencies or after component
failures the electric power infrastructure will have potentially different yet critical
dependencies on the same infrastructures. For example, the utility may require petroleum
fuels for its emergency vehicles and emergency generators and road transportation to
dispatch repair crews and replacement components.
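
The three questions above (what an infrastructure depends on in normal operation, under stress, and during restoration) can be kept as a tagged dependency list and queried from each of the three approaches. The following is an added example, not part of the report: the rows for electric power follow the report's own example, while the identifiers and the state tags on the telecom, air and rail rows are assumptions made for illustration.

```python
from collections import deque
from enum import Enum


class State(Enum):
    NORMAL = "normal operations"
    STRESS = "high stress or disruption"
    RESTORE = "restoration after a failure"


NORMAL_ONLY = frozenset({State.NORMAL})
EMERGENCY = frozenset({State.STRESS, State.RESTORE})
ALWAYS = frozenset(State)

# (supported infrastructure, supporting infrastructure, service, states).
# Rows for electric_power follow the report's example; the state tags on the
# last five rows are an assumption made for this illustration.
DEPENDENCIES = [
    ("electric_power", "natural_gas", "fuel for generators", NORMAL_ONLY),
    ("electric_power", "oil", "fuel for generators", NORMAL_ONLY),
    ("electric_power", "road", "fuel supply", NORMAL_ONLY),
    ("electric_power", "rail", "fuel supply", NORMAL_ONLY),
    ("electric_power", "air", "aerial inspection of lines", NORMAL_ONLY),
    ("electric_power", "water", "cooling, emissions control", NORMAL_ONLY),
    ("electric_power", "banking_finance", "fuel purchases", NORMAL_ONLY),
    ("electric_power", "telecom", "status monitoring, control", NORMAL_ONLY),
    ("electric_power", "oil", "fuel for emergency vehicles/generators", EMERGENCY),
    ("electric_power", "road", "dispatch of repair crews, components", EMERGENCY),
    ("telecom", "electric_power", "power for links and exchange nodes", ALWAYS),
    ("air", "electric_power", "electricity", ALWAYS),
    ("air", "telecom", "communications", ALWAYS),
    ("rail", "electric_power", "electricity", ALWAYS),
    ("rail", "telecom", "communications", ALWAYS),
]


def supporting(infra, state):
    """First approach: what `infra` depends on in the given state."""
    return sorted({sup for dep, sup, _, states in DEPENDENCIES
                   if dep == infra and state in states})


def dependents(infra, state):
    """Second approach: what depends on the services of `infra`."""
    return sorted({dep for dep, sup, _, states in DEPENDENCIES
                   if sup == infra and state in states})


def dependency_profile(infra):
    """For each supporting infrastructure, the states in which it is needed."""
    profile = {}
    for dep, sup, _, states in DEPENDENCIES:
        if dep == infra:
            profile.setdefault(sup, set()).update(states)
    return profile


def potentially_affected(failed, state):
    """Third approach: walk the whole system from a disrupted infrastructure.

    Returns {infrastructure: order}, where order 1 is a direct dependent,
    order 2 a dependent of a dependent, and so on. Mutual dependencies
    (power <-> telecom) are handled by visiting each node only once.
    """
    order = {failed: 0}
    queue = deque([failed])
    while queue:
        current = queue.popleft()
        for dep in dependents(current, state):
            if dep not in order:
                order[dep] = order[current] + 1
                queue.append(dep)
    del order[failed]
    return order


if __name__ == "__main__":
    for state in State:
        print(state.value, "->", supporting("electric_power", state))
    print(potentially_affected("water", State.NORMAL))
    print(potentially_affected("water", State.RESTORE))
```

The result is an exposure map for risk analysis, not a prediction: an infrastructure listed at order 2 is reachable through a chain of dependencies, which says nothing about whether it would actually lose service.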
The systems approach allows addressing the complexity of interdependent critical
infrastructures. The definition of the system nevertheless remains a function of the objectives
and scope of the analysis. Once the system is delimited, its characteristics must be
analysed.
3.2.3. Conceptual framework for systems of interdependent infrastructures
Identifying, understanding, and analysing interdependent critical systems are significant
challenges magnified by the complexity of these infrastructures. Further complicating
this challenge is a broad range of interrelated factors and system conditions, described in
terms of six dimensions that affect systems characteristics and which are summarised
in Table 2 (Rinaldi et al., 2001).
Once they are identified, the choice of the boundaries of the system to analyse and its
characterisation depend on the scope of the analysis. In order to assess the
vulnerability to the disruption of critical infrastructure systems, the decision-maker
needs to identify the spatial system he has to deal with. As presented so far, the
modelling of systems does not show the spatial characteristics of the system considered.
This dimension is nevertheless fundamental, since decision-makers do not think about an abstract
space but about a territory, whose characteristics must be included in the identification
of spatial systems of interdependent critical infrastructures.


Table 2: Characterizing a system of interdependent critical infrastructures

Dimensions | Definition | Factors/variables
1. The infrastructure environment (characterizes the system-environment relation) | Framework in which the owners and operators establish goals and objectives, construct value systems for defining and viewing their businesses, model and analyse their operations, and make decisions that affect infrastructure architectures and operations. | Economic and business opportunities, concerns; public policy; government investment decision; technical and security issues; social and political concerns
2. Types of interdependencies (characterize organisation and emergence) | Bi-directional relationship between two infrastructures, through which the state of each infrastructure influences or is correlated to the state of the other (Gheorghe and Schlapfer, 2004). Interdependencies and the resultant infrastructure topologies can create subtle interactions and feedback mechanisms that often lead to unintended behaviours and consequences during disruptions. | Physical interdependency; cyber interdependency; geographic interdependency; logical interdependency (not mutually exclusive and to various degrees)
3. Coupling and response behaviour (characterize organization, stability, causality, finality, adaptation and regulation) | Condition infrastructure responses to perturbations. The coupling characteristics and nature of interacting agents in turn directly influence whether the infrastructures are adaptive or inflexible when perturbed or stressed (Perrow, 1984). | Degree of coupling; coupling order; linear or complex interactions; characteristics of the agents
4. Infrastructure characteristics (characterize organization, system-environment relation, adaptation, stability) | They refer to time and space dimensions of the system of interdependent infrastructures. | Scale; infrastructure dynamics; operational factors; organizational considerations
5. Types of failures (characterize organization, causality and finality, types of interactions) | They refer to the way disturbances propagate. | Cascading failure; escalating failure; common cause failure
6. The state of operation of an infrastructure (characterizes stability, system-environment relation, organization, adaptability) | It refers to the conditions, thought of as a continuum, under which an infrastructure is operating and exhibits different behaviours. It can range from optimal design operation to complete failure with a total loss of service to all users, including dependent CI. | Normal operating conditions (from peak to off-peak conditions); times of severe stress or disruptions; time when repair and restoration activities


3.3. Complex spatial systems of critical infrastructures


In the human sciences, systemic modeling has been used by combining six fundamental
systems of society (Lapierre, 1992):
1. The biosocial system, i.e. how people interact with each other and reproduce
themselves, has been defined in demography, sociology and ethnology;
2. The geographical system, i.e. the analysis of the space where these people live and that
they transform, creating social territories, has been defined in geography and ecology;
3. The economic system, i.e. the analysis of the production and exchange of goods and
services required by this population to satisfy their needs, has been developed in
economics, sociology, etc.;
4. The communication system, i.e. the analysis of the communication of information and
knowledge between members of the population, has been proposed among others by
sociolinguists;
5. The Poesis system, i.e. the elaboration and diffusion of symbols, values and beliefs of
this population, is the topic studied by sociology, religious anthropology, etc.;
6. The socio-political system refers to the social and political rules elaborated to manage
the organization of people, and is analyzed by political scientists, sociologists, etc.
The identification of the systems depends on the standpoint of the expert who wants to
study reality. Economists and sociologists do not define a system in the same way. Our
focus here is on complex territorial systems, referring to a geographical approach.
However, all the systems underlying our society interact with each other, and the
analysis of any one of these systems must take these interactions into account.
3.3.1. The application of the systems approach to space
The general theory of systems has been applied to space, in order to analyze
various spatial organizations (e.g. city, region, state, etc.). The aim was to go beyond
sectoral approaches focusing on one or more components of the territory and to provide
an integrative overview of its complexity. The foundations of the spatial systems approach
rely on the identification of the relations existing among various spatial units. The
identification of these relations can be understood as the definition of the various logics
that are expressed through coherent and similar spatial patterns. Corresponding spatial
patterns can therefore be analyzed as a function of their finality, as a result of the
processes that allow distinguishing one type of space from another. These logics,
principles and processes are not immediately visible, but the patterns they produce can be
identified in relation to them. The complexity of a spatial system is due to the various
interactions between very different elements (physical, human, economic, political
components) and to the hierarchy between these interactions (flows of people, goods,
information, money, but also political and influence relationships).
Challenges associated with the task of building mathematical models of complex spatial
systems were mainly linked to the identification of the critical values of parameters at
which the nature of the spatial pattern changes because the nature of the equilibrium
structure changes. This means that there is a switch from one spatial system to another,
which allows defining the boundaries of existing spatial systems (e.g. Von Thünen's,
Weber's, Christaller's and Burgess' models).


Balancing land use practices and transportation costs using von Thünen's land use model
Profit at the central market depends not only on the market value of the product but also on the
transportation costs to get the product to the market.
"Land Use" varies from products of high cost, high market value (such as dairy products and
fresh vegetables labeled as Land Use 1 in the diagram above) to low cost, low market value
products (such as grain or livestock labeled as Land Use 4 in the diagram above).
As the distance from the central market increases, the profit that would be gained from a product
decreases. In the diagram above, if the producer of "land use 1" (tomatoes, for example) needed
to transport the product 5 miles, there would be no profit made at the market. This rate of
depreciation in market value varies with different land use types. Using the same example, if the
farmer had land 4 miles from the market it would be more profitable to produce "land Use 2." An
equilibrium is met where the profit of one land use outweighs the profit of another (signified above
by the dotted lines). At this point, the land use changes.

Figure 7: One example of a systemic approach to space: Von Thünen's model²⁰

20 www.csiss.org/classics/content/9.


3.3.2. From system analysis to spatial analysis of critical infrastructures


For decision-making that deals with the vulnerability of critical infrastructures to service
disruption, it is fundamental to understand how critical
infrastructures are embedded in various territories. The systemic representation of
systems allows representing how a system is organized, the types of processes between its
components or subsystems, as well as the types of interdependencies. A spatial
representation of these systems shows how elements of the system are located in space,
and shows the direction of flows as well as the distances among sub-systems or elements.
Time can also be represented through various maps. Table 3 shows the complementary
aspects of a systemic approach and a spatial approach.
Table 3: System and spatial approaches to analyze critical infrastructures

Systems analysis | Systemic approach | Spatial approach
Function | Nature/quantity-quality of the service delivered/ boundaries of the system | Areas where the service is delivered (as a function of the scale)/ boundaries between these areas
Composition | Sub-systems, components building the system (technical, human, organizational) | Location of the components of the infrastructure, distance among them
Organization | Channels of communication and hierarchy of the relationships among the components and sub-systems (connection, connectivity), competencies of various actors on the infrastructure | Types of spatial organization of the network (graph theory, density), areas of competencies of various actors
Processes | Types of flows, variations in time and space | Orientation, direction of flows, areas of origin and destination
System-environment relations | Types of interactions with the environment | Administrative, geographical, economical spatial context
Interdependencies | Types of interdependencies | Location of interdependencies


Adopting a spatial perspective allows identifying which areas depend on a critical
service, forming various regions. Usually, a region is defined as a sub-national
administrative entity within a country, between the level of the sovereign state and the
local government, encompassing multiple municipalities, counties, or provinces with a
certain degree of autonomy in a varying number of matters, including vulnerability and
risk management. A regional system, defined as a complex distributed spatial system
consisting of all existing critical infrastructures, the socio-economic and political systems
and the interactions amongst all these elements (Gheorghe et al., 2000), might have
boundaries different from those of the administrative region (Figure 8).


[Figure 8 diagram. Labels: Subsystem of CI 1; Subsystem of CI 2; Subsystem of CI 3; e.g.
Energy; e.g. Transport; e.g. economic system; e.g. social system; e.g. political system;
etc. Text box: "A regional system, defined as a complex distributed spatial system,
consisting of all existing critical infrastructures, the socio-economic and political
systems and the interactions amongst all these elements"]

Figure 8: Regional system of critical infrastructures


We identified three main types of regional systems on the basis of the typology proposed
by Dupuy (Dupuy, 1985) and on the analysis of systems (West Churchman, 1968):
- The homogeneous region is characterized by the homogeneity of its sub-systems or
components with respect to a dominant factor. For our research it refers to a regional area
characterised by a high concentration of critical infrastructures (e.g. an urban region or an
industrial region).
- The polarized region refers to a heterogeneous system, in which some components
play a polarizing role for the other elements. This refers to the regional area
corresponding to the area of delivery of a service provided by a critical infrastructure
(e.g. the area of the population dependent on a given hospital, or the area served by a
major electric transmission centre).
- The anisotropic region is a region in which the spatial features are organized
along one or more axes or networks. This refers to a region grouping non-contiguous
areas connected by a critical infrastructure (e.g. a transportation corridor).


This raises a major issue for risk and vulnerability management: the definition of a region
as a system is closer to the real characteristics and dynamics of a territory and allows
identifying the area where critical infrastructures are at risk and pose a risk; however, the
region seen as an administrative entity, which is the territorial level of reference for
decision-making addressing risks, might be different from the regional system at risk.
3.3.3. Critical infrastructures systems as spatial networks
Following Bullock²¹, recent years have seen a resurgence of interest in the use of graphs
and networks as models of many kinds of complex systems. Since critical
infrastructures, seen as interacting agents, are based on the exchange of flows between their
components, they can be analyzed from the network analysis perspective. The first issue is
to shift from a technological approach to critical infrastructure systems to their
representation as complex networks. The second issue is related to the location of this
system in space, in order to analyze the interactions with other systems over a
territory. For instance, as far as transportation is concerned, location is
fundamental to understand where flows originate and what their destination is. The analysis
of critical infrastructure systems can therefore not be dissociated from the spatial
analysis of networks and their territorial implications.
The analysis of networks is one of the fundamental principles of spatial analysis, since it
focuses on the relations between objects or places. Spatial units which are not
contiguous may be linked together through an exchange of relations. Basically, a network
can be defined as an ensemble of lines, communication roads and channels that deliver a
service to the same geographical unit. Natural networks such as rivers, or human
networks such as the electricity network or an administrative network, put various
spatial units in relation. A network can refer to a material and physical infrastructure (network
infrastructure) or to a relation network, referring to the exchanges and types of flows
supported by these infrastructures. Networks are most often described using graph
theory. Represented as graphs, they show an ensemble of nodes and links, which refers to
the topology of the network (Batty, 2003).
Among existing definitions, the following properties of networks have been identified:
- Connection: refers to the property of networks to link objects or places, through
exchanges and circulation of various flows. It allows characterizing the ensemble of
existing links among nodes within a network. If we consider a set of two nodes in which every
node is linked to the other, connection is the fact that a movement between two nodes is
possible, whatever its direction. Knowing the connections makes it possible to find out whether
a node can be reached from another node within a graph.
- Connectivity: the multiplicity of possible links and the existence of alternative pathways,
enhancing the interconnectivity level of a network, is called connectivity. A complete graph is
described as connected if for all its distinct pairs of nodes there is a linking chain.
Direction is not important for a graph to be connected, but may be a factor for
the level of connectivity. There are various levels of connectivity, depending on the
degree to which each pair of nodes is connected.
21 www.comp.leeds.ac.uk/seth/cluster/cluster.ps


- Homogeneity and isotropy refer to a spatio-temporal correlation. It expresses the
coherency in time and/or on a given space, between input points and output points.
- Centrality refers to the hierarchical position of a node within a network.
Following these properties, not all networks can be considered as systems. They have to
show the previously identified properties that characterize systems, i.e. (Dupuy, 1985):
- Autonomy: a network must have a relative autonomy to be analyzed as a system, which
means that it must have enough internal relationships, reducing its dependence
on the environment.
- Coherency: the existing sub-systems of the network must show a given level of coherency,
through their interactions and their interdependent relations, characterizing a coherent
ensemble and therefore the existence of a system. This also implies a relative
homogeneity of the network. This refers to the level of connectivity and connection of a
network, as well as to temporal correlations ensuring homogeneity (for instance, each point of
a transport system must be reachable in a given lapse of time).
- Permanency: the network must have a certain permanency in order to support the
production of a permanent system. This implies permanency of the physical elements of the
network and of its functions, as well as a relative level of reliability ensuring the permanency of
the function, depending also on the organization of the network (redundancy);
- Organization: refers to the way a network is organized and to the types of hierarchy
among its various elements. The level of centrality of each node of a network determines
the organization of this network as a system.
In summary, to analyze networks as systems or systems as spatial networks, they need to
show corresponding properties, as shown in Table 4.

System: Autonomy; Permanency; Coherency; Organization
Network: Connection; Connectivity; Isotropy; Homogeneity; Centrality

After Dupuy, 1985
Table 4: Corresponding properties of networks and systems
Critical infrastructures systems analyzed as networks allow identifying the related spatial
systems that must be considered as the region of reference for risk and vulnerability
analysis.
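
The network properties listed in section 3.3.3 can be computed directly on a graph. The following is an added example, not part of the report, on a constructed toy network: connection is tested as reachability, connectivity is measured by the cyclomatic number (independent loops, one common graph-theoretic choice that the report does not prescribe), centrality by normalised degree, and the lack of redundancy behind the permanency property by listing the nodes whose loss splits the network.

```python
from collections import deque

# Constructed toy network (not from the report): one plant, three substations
# and three service areas. Links are undirected.
LINKS = [
    ("plant", "sub_a"), ("plant", "sub_b"), ("sub_a", "sub_b"),
    ("sub_b", "sub_c"), ("sub_a", "town_1"), ("sub_c", "town_2"),
    ("sub_c", "hospital"),
]


def build_graph(links):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, start, removed=frozenset()):
    """Nodes reachable from `start` when the nodes in `removed` are out of service."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def connection(graph, a, b):
    """Connection: is movement between a and b possible at all?"""
    return b in reachable(graph, a)


def component_count(graph, removed=frozenset()):
    """Number of separate pieces the network falls into."""
    remaining = set(graph) - set(removed)
    count = 0
    while remaining:
        remaining -= reachable(graph, next(iter(remaining)), removed)
        count += 1
    return count


def cyclomatic_number(graph):
    """Connectivity: links - nodes + components, i.e. independent alternative loops."""
    links = sum(len(neighbours) for neighbours in graph.values()) // 2
    return links - len(graph) + component_count(graph)


def cut_vertices(graph):
    """Nodes with no alternative pathway around them (loss splits the network)."""
    base = component_count(graph)
    return sorted(n for n in graph if component_count(graph, {n}) > base)


def degree_centrality(graph):
    """Centrality: share of the other nodes each node is directly linked to."""
    return {n: len(nb) / (len(graph) - 1) for n, nb in graph.items()}


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("connected plant-hospital:", connection(g, "plant", "hospital"))
    print("independent loops:", cyclomatic_number(g))
    print("single points of failure:", cut_vertices(g))
    # One extra link between two substations adds a loop and removes sub_b
    # from the list of single points of failure.
    g2 = build_graph(LINKS + [("sub_a", "sub_c")])
    print("after adding sub_a-sub_c:", cyclomatic_number(g2), cut_vertices(g2))
```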


3.3.4. Definition and characterization of spatial systems of critical infrastructures
The application of spatial systems theory to the analysis of the territory covered by
critical infrastructures is part of the reflection on the definition of networked territory
and allows identifying various types of spatial systems of interdependent critical
infrastructures. Networks can be analyzed as territorial systems, where the spatial
territory is no longer considered as an administrative product but as the product of the
system/network paradigm.
A territory is a portion of the earth's surface, appropriated by a group with a view to
ensuring its reproduction and the satisfaction of its vital needs. This appropriation
necessarily goes through the control of mobility within the territory and through the setting
up of permanent links among various units of the territory. Each territory is therefore the
result of a combination of subsystems that are summarized in Figure 9.

[Figure 9 diagram. Labels: Territorial background; Context (legislation; technical
capacities; political, socio-economical requirements); Environment (level of development;
economical; social; political/administrative; cultural); Critical infrastructure planning
and management (material infrastructure; regulation; service); Critical Infrastructures
owners (logic of development; objectives); Critical Infrastructures Territory; Territorial
constraints (hierarchy; accessibility; dependency; discontinuity); Other stakeholders]

Figure 9: Spatial system of critical infrastructures


Critical infrastructures owners: Critical infrastructures are fully or partly created
and managed by their owners, as a response to their objectives and logic of development.
In thinking about the objectives of a system, it is natural to ask whose objectives are to be
served. The customer provides the basis on which decision-making ought to occur
in the proper design of a system. The objectives determine the type of service to be
delivered, its quality and its quantity. Basically, the definition of the objectives can follow
two main types of logic, as a function of the degree of government ownership and
regulation.
- Heavily regulated infrastructures are public infrastructures such as water, energy,
public transport systems. Owners focus on service provision rather than on the profit
concerns that motivate private-sector owners. Nevertheless, they still need to address
economic and business concerns (e.g. cost of changes to their system architectures,
maintenance, technology upgrades, and changing service demands from growing or
contracting communities);
- Unregulated, private-sector infrastructure firms focus more on business
concerns (e.g. profitability, economics, cost of financing,
availability of skilled workforce, market competition, image, etc.) but still need to
address issues about the quality of service.
Context and other stakeholders are determining subsystems that have an impact on
the creation and management of critical infrastructures. The context refers to the existing
legislation, the socio-economic requirements, the technical capacities of societies, as well
as the political context. Other stakeholders include decision-makers, customer
associations, insurers, and all the actors concerned with the critical infrastructure service.
They form the environment of the system.
Critical Infrastructures planning and management are the result of the
objectives, logic of development of the owners, as well as a response to the environment
constraints. Planning and management concern at least three levels: the material
infrastructure itself (technical, design, localization), the regulation dimension
(functioning of the infrastructure, fee policies, control systems, etc.), and the service
dimension (nature, quantity, quality).
The Critical Infrastructure territory is a result of the planning and management
activities and corresponds to the space of the material infrastructure together with the
areas where the service is delivered. These spatial patterns are the result of the
appropriation of the territory by owners, subject to the environment constraints.
Territories differ greatly depending on the critical infrastructure considered. Railway
networks, for instance, have a much more limited and constrained territory than road
networks.
The combination of the Critical Infrastructure territory and of the territorial
background, i.e. the economical, social, political, cultural patterns of a region, is
expressed through territorial constraints. Networks express the fundamental heterogeneity
of the geographical space. In contrast to the classical understanding of a territory as a
continuous area, networks imply spatial discontinuity. Territories are no longer the
result of proximity, but the result of a link joining spatial units that have in common
their dependence on the same network. Accessibility to the services or functions of a
network is characterized by entry points (e.g. stations for railways, access to roads, etc.),
which are not equally spread over the territorial background. Networks therefore create
hierarchies among spatial units and are a factor in the differentiation of space.
In order to characterize a spatial system of critical infrastructures, the role of each
subsystem must be assessed, since they determine various types of systems. The
objectives of the analysis, as well as the scale of work are other factors that need to be
taken on board.

3.4. Types of complex spatial systems of critical infrastructures


The systems approach is based on modelling reality as a system, which implies
a process of generalisation, which in turn allows reality to be analysed better. Even
though reality defies precise formulation in terms of a model, a model is a way to think
about it. The construction of a spatial system model of critical infrastructure must
therefore answer the needs of the actors trying to understand it and must be accurately
defined as a function of the objectives of the analysis.
3.4.1. The scaling factor

Closely related is the notion of geographic scale, given that infrastructures span physical
space, ranging in scale from cities, regions, and nations to international levels. The
particular scale of interest is largely a function of the objective of the analysis.
Deliberations on national energy policies may require analysis at the infrastructure,
interdependent infrastructure, national and international levels, whereas an analysis of the
failure of a single natural gas compressor might require studies at the system level and
below. These granularity considerations lead to trade-offs in model fidelity and
database/computational requirements. A high level of detail implies more data on the
infrastructures, their components and interdependencies, as well as more intensive
computational requirements. Spatial scale has clear implications for the way in which
interdependencies are included in the analysis. The characteristic of critical infrastructure
systems is that what happens to one infrastructure can directly and indirectly affect other
infrastructures, impact large geographic regions, and send ripples throughout the national
and global economy. There is therefore a need to adopt a dynamic view of the scaling
factor, allowing a shift from the local scale to a much broader area (Figure 10).
Variations of scale in space are associated with variations in time. A system of
critical infrastructures refers to various time scales: while setting up the material
infrastructures might take years (the construction of road networks, for instance), the
delivery of the service must be analysed at a daily scale, and emergency
management must be dealt with on an even shorter time scale.

Figure 10: From reality to the model: the scale factor (Wu, David, 2002)
3.4.2. The boundaries of a system

The boundaries of a system, and the choice of the subsystems and processes that will be modeled,
must be defined as a function of the scale and of the objectives of the analysis.
Since reality is complex, the definition of the system must rely on a selection of the most
accurate elements. Boundaries can range from the delimitation of an elementary model,
focusing on basic components, to the delimitation of a complex system including more
subsystems. Figure 11 shows examples of possible delimited systems for the
transportation system.

Figure 11: The boundaries of a system: Example of transportation
(Diagram labels, from the elementary system level to the complex system level: vehicle and related sub-systems; vehicle and driver; technical system approach, with vehicle, driver and transportation infrastructures; spatial system approach, with all vehicles, drivers, networks of transportation infrastructures, and the activity generating flows of goods, passengers, information and energy between origin and destination; complex system level, with all activities generating such flows and control systems.)

The choice of the boundaries of the system also depends on the actors analyzing the
system of interdependent critical infrastructures. For instance, from the standpoint of
decision makers, the system under analysis might be delimited by the limits of their
administrative competency (a city, a province, a region, etc.). On the contrary, in
the logic of critical infrastructure owners, the limits of the system will be extended to
the spatial extent of the infrastructure. The difficulty lies in combining these
approaches in order to take on board the requirements of various types of actors. This
in turn implies defining which processes will be modeled and represented.
3.4.3. Processes to be modeled

Representing all the processes within the boundaries of a system might cause
confusion. There is therefore a need to choose one criterion for the representation of the
spatial system, e.g. the distribution of the material infrastructure in space, the accessibility
of the various connected areas to the service, the polarization of one node of the network
over the system or over an area, the quantity of flows, etc. The processes to be modeled
vary as a function of the entry point in the system: this can be one particular node of the
system, a particular link between two nodes, a particular served area or a combination
of these.

3.5. Conclusion
The identification of spatial systems of interdependent critical infrastructures answers the
problems and objectives set by the context of their analysis. A systemic approach
allows embracing the organisation, location and functioning of critical infrastructures
systems, based on human, technical, political, geographical, social sub-systems,
according to a territory. However, the territorial dimensions of critical infrastructures
systems might be different from the administrative levels of reference for decision-makers
and risk management. This highlights the need to carry out the vulnerability
assessment in the context of a participative process, involving various actors and
encouraging interdisciplinary collaboration.
The system approach allows addressing the complexity of interdependent systems of
critical infrastructures. Further reflection on the concept of critical infrastructures allows
defining hierarchies and priorities for vulnerability analysis within these complex
systems.

4. How critical are critical infrastructures?


In response to the London terror attacks, the UK presidency underlined the need for
urgent action to agree measures for the protection of crucial infrastructure in the event of
a terrorist attack [22]. Before the London attacks, the European Council of June 2004 had
already asked the Commission and the High Representative to prepare an overall strategy
to protect critical infrastructure. In October 2004, the Commission provided the
Communication from the Commission to the Council and the European Parliament
"Critical Infrastructure Protection in the fight against terrorism" (COM (2004) 702
final). Following the Communication, the first task is to define Critical infrastructures at
Member States level and at European level. Such lists should be established by the end
of 2005. The second objective is related to the vulnerability assessment of these Critical
Infrastructures, including the vulnerability related to their interconnectedness and
interdependence. In November 2005, a draft Green Paper "On a European
Programme for Critical Infrastructure Protection" (EPCIP) was provided, outlining
possible options for EPCIP (COM (2005) 576 final).
These objectives show that a common definition of critical infrastructures is one of the
main issues in defining an appropriate framework for CIP. How far are existing definitions
valid and what do they miss (4.1)? How to define and measure criticality (4.2)?
What are the main policy issues related to the identification of Critical infrastructures
(4.3)?
4.1. The existing definitions of critical infrastructures
Most often, the definition of critical infrastructures has been elaborated in the context of
critical infrastructure protection (CIP). Reviewing world-wide CIP activities, Ritter and
Weber state that the definitions of critical infrastructures in different countries are
as diverse as the concepts of infrastructure protection that have been developed in
those countries (Ritter, Weber, 2004). In addition, these definitions have been
developed on the basis of the terms "infrastructure" and "critical", which may have
various meanings in different contexts. What are thus the etymological roots of
"critical infrastructures"? What do existing definitions refer to? What do they have in
common and what do they miss?
4.1.1. The definition of infrastructure
In the Dictionary, infrastructure is defined as the set of interconnected structural
elements that provide the framework for supporting the entire structure. This term can
overlap with the notion of internal improvements and public works [23]. It is also defined as the basic
facilities, services, and installations needed for the functioning of a community or
society, such as transportation and communications systems, water and power lines, and
public institutions including schools, post offices, and prisons [24]. Other definitions
include banking and financial institutions, oil and gas supplies, health and emergency
services, as these infrastructures ensure daily survival for each and every one of us [25].
Depending on the field of interest, infrastructure is defined more precisely: in Technology,
infrastructure refers to the basic, fundamental architecture of any system (electronic,
mechanical, social, political, etc.) determining how it functions and how flexible it is to
meet future requirements [26]. In Economy, infrastructure is the basic physical systems
of a business or nation, needed for a country to be efficient and productive [27]. For a
cyber-system, infrastructure is the stock of basic facilities and capital equipment
needed for the functioning of a country or area [28]. In the military field, infrastructure covers all
building and permanent installations necessary for the support, redeployment, and
military forces operations (e.g. barracks, headquarters, airfields, communications,
facilities, stores, port installations, and maintenance stations) [29]. In an urban planning
context, the term is used most often to denote the facilities that support specific land uses
and built environment. Two groups of infrastructures are distinguished: transportation
modalities (roads, rail, etc.) and utilities. Infrastructure may also refer to necessary
municipal or public services, whether provided by the government or by private
companies [30].

[22] BBC News, "Europe's anti-terror capacity", Wednesday 13 July, 2005. http://news.bbc.co.uk/2/hi/europe/default.stm
[23] http://en.wikipedia.org/wiki/Critical_infrastructure

Common elements to these definitions are thus (Figure 12):
- Infrastructure is the underlying base, architecture or foundation for an organisation
or system. However, what is considered to be infrastructure depends heavily upon the
context in which the term is used. Historically, the sense of the word infrastructure has
been evolving: it was first used in the context of technical debates about public
works, thus designating urban networks and facilities. The term has also had specific
application to the permanent military installations necessary for the defence of a country.
The role of infrastructure in economic development, and as one of the main sectors of
public investment, led to the inclusion of economic networks, referring to technical and
more immaterial networks. Nowadays, infrastructure is used in an even broader
sense, referring to almost any kind of substructure or underlying system. Big corporations
are said to have their own financial infrastructure of smaller businesses, for example, and
political organizations to have their infrastructure of groups, committees, and admirers.
[24] The American Heritage Dictionary of the English Language, Fourth Edition, Houghton Mifflin Company, Boston, MA, 2000.
[25] http://www.answers.com/topic/infrastructure
Transport: Roads, Highways, Railroads, Public transport, Airports, Ship transport such as ferry and barge,
Bike paths, Sidewalks;
Public utilities: Electricity, Natural gas, Coal delivery, Water supply, Sewers, Telephone service, Radio,
and television;
Public services: Fire service or fire department, Flood protection, Police protection, Waste management,
public education, public health system, social insurance system;
National Services: Defense, Monetary system, Postal system
[26] http://www.computerlanguage.com/at.html
[27] http://www.investopedia.com/
[28] WordNet 1.7.1, Copyright 2001 by Princeton University.
[29] US Department of Defense, Dictionary of Military and Associated Words, 2003.
[30] http://www.answers.com/topic/infrastructure


- Infrastructure can refer to a physical, material structure (e.g. roads, pipelines,
schools, etc.) and/or to immaterial networks (e.g. banking system). The two aspects are not
mutually exclusive, since an infrastructure may rely on physical elements (e.g. built elements) and
immaterial elements (e.g. rules for the good functioning of the network, personal
interrelationships, etc.). Some authors nevertheless distinguish "hard infrastructure", i.e.
infrastructure embedded in the landscape, and "soft infrastructure", which denotes
institutions that maintain the health and cultural standards of the population, e.g. public
education, public health systems.

We may therefore distinguish three levels of analysis of an infrastructure: (1)
The basic material elements of the infrastructure, requiring high-cost public or private
investments, are the focus of a technical and engineering approach; (2) The info-structure
refers to the procedures and rules allowing the infrastructure to function well
(e.g. signalisation for a transportation infrastructure) and is analysed through a regulatory
approach; (3) The service delivered through the infrastructure, based on the existence of
providers and end-users, a supply-demand context, and a flow of goods, people and information,
whose efficiency may be qualitatively or quantitatively assessed.

Figure 12: The three levels of analysis for infrastructures
(Diagram labels: infrastructure as underlying basis of the system; infrastructure-support, with material/immaterial structures and hard/soft infrastructures; info-structure, with functioning procedures, control systems, regulation, fee-policies, etc.; service, with nature, flows (quantity/quality), areas of delivery/accessibility, supply/demand constraints, etc.)


The first issue regarding the definition of critical infrastructure is thus to understand
which infrastructures are concerned and to which level the adjective "critical" has
been applied. The existing literature shows that there is confusion between the material
infrastructure itself and the service considered.

4.1.2. The adjective critical and the concept of criticality


In the expression "critical infrastructure", the adjective "critical" is used to define a
particular category of infrastructure among other infrastructures. However, the meaning of
"critical" raises difficulties of interpretation.
The etymological roots of "critical" are linked to the term "crisis", referring to a
change of state, a turning point. For instance, in thermodynamics, "critical" refers to
the point at which a property or phenomenon suffers an abrupt change, especially having
enough mass to sustain a chain reaction. Criticality is thus the condition describing the
transition between qualitatively different states, such as solid/liquid or liquid/gas. In
Mathematics, the critical point is the point at which a curve has a horizontal tangent line,
as at a maximum or minimum. In nuclear physics, a critical state refers to the point at
which a nuclear reaction is self-sustaining. In human sciences, crises are social events,
characterised by the fact that critical decisions are (or must be) taken when they arise [31].
The use of the concept of criticality in ecology is particularly illustrative, since it is
associated with the concepts of vulnerability and resilience (Pascual, Guichard
2005): criticality analysis assumes that prior to human disturbance, the ecological system
evolved mechanisms to recover from natural disturbances and maintain a relatively stable
system. As human activities add stressors (e.g., chemical pollutants), extract resources
(e.g., lumber), and change land cover (e.g., fragmentation) the natural feedbacks are
disrupted and the system becomes more vulnerable to radical and potentially irreversible
change. The further the system is moved away from this natural state, the greater the
probability that the system will be unable to respond to natural disturbances. The result is
that the system may move to a new and potentially undesired state and tend to remain
there. Criticality analysis calculates for instance how far the current or future state of
each watershed has been moved from the natural state (defined here as estimated
pre-human conditions) to estimate the vulnerability to radical changes [32].
The ecological approach has been reused to analyse the vulnerability of people
in critical environments. As an example, Hans-Georg Bohle examines the resilience of
poor and marginal people to withstand heightened vulnerability in critical environments.
Critical environment refers here to the impact of dramatic economic and environmental
changes during the last decades of the 20th century, resulting in new risks and
vulnerabilities, i.e. globalisation, liberalisation, deterioration of environmental resources,
demographic changes, etc. (Bohle, 2001).
Being in or verging on a state of crisis may also mean being in or verging on a state of
emergency, e.g. "a critical shortage of food, an illness at the critical stage" [33]. On the one
hand, the state of emergency or crisis is due to the lack of a critical element. For
instance, in technology, a critical element is an element which is essential for continued
operations. Criticality is thus the degree to which an inventory item's availability is
critical to the continuity of production or operations [34]. Risk control by criticality
analysis therefore aims at ranking critical elements: the criticality value is the measure of
the consequence of a particular failure mode and its frequency of occurrence [35]. On the
other hand, "critical" also designates what is necessary to solve a crisis, what is urgently
needed, absolutely necessary, e.g. a critical element of the plan, critical medical
supplies, vital for a healthy society, of vital interest [36] (Figure 13).

[31] E.g. "a critical point in the campaign"; "the critical test". http://www.answers.com/topic/critical
[32] http://amethyst.epa.gov/revatoolkit/MethodsData/Criticality.jsp
[33] http://www.answers.com/topic/critical

Figure 13: Criticality and crisis
(Diagram labels: an infrastructure, if disrupted, will lead to a crisis; an infrastructure is required in case of crisis.)


The second issue regarding the definition of critical infrastructure is thus to understand
how the adjective "critical" allows identifying some specific infrastructures among
all other infrastructures. The focus has to be laid on:
- What is the link between infrastructure and a critical situation or a state of crisis
in a system? How far may the vulnerability and resilience of a system help in
determining its criticality? How to identify the point of no return, beyond which
changes are irreversible?
- Are infrastructures considered critical because their potential disruption or lack
may lead to an emergency situation?
- Are infrastructures critical because, in case of an emergency situation, they may
be used to solve a crisis situation?

[34] www.pnl.com.au/glossary/cid/30/t/glossary / The American Heritage Dictionary of the English Language, Fourth Edition, Copyright 2000 by Houghton Mifflin Company.
[35] www.maintenanceresources.com
[36] http://dictionary.laborlawtalk.com/critical The quality, state, or degree of being of the highest importance.

4.1.3. Defining Critical infrastructures and their interdependencies


Reviewing critical infrastructure protection activities in 2002, Ritter and Weber state that
a national, compelling strategy exists only in approaches in the USA and is totally absent
in all other countries (Ritter, Weber, 2002). In this context, they refer to the absence of
clear definitions as to what needs to be achieved in the area of national Critical
Infrastructure protection. Since then, the European Commission provided a
definition of critical infrastructures in 2004 (COM (2004) 702 final, COM (2005) 576 final), and
other definitions have been provided in various fields of research. All these definitions
are built on the same model: they focus first on infrastructures, systems and assets
considered critical with regard to some criteria, which vary from one definition to another.
They most often end up with a list of infrastructures considered as critical. As a
consequence, these definitions describe which infrastructures are critical more than
they define them. The review of existing definitions allows identifying criticality criteria and
listing the infrastructures considered as critical.
The European Commission offers this broad description in the above-mentioned
Communications: "Critical infrastructures consist of those physical and information
technology facilities, networks, services and assets which, if disrupted or destroyed,
would have a serious impact on the health, safety, security or economic well-being of
citizens or the effective functioning of governments in the member states. Critical
infrastructures extend across many sectors of the economy, including banking and
finance, transport and distribution, energy, utilities, health, food supply and
communications, as well as key government services."
In July 2002, the USA's National Strategy for Homeland Security had defined Critical
infrastructure as those "systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and assets would have a
debilitation impact on security, national economic security, national public health or
safety, or any combination of those matters" (OPO, OHS, 2002). Thirteen sectors of
critical infrastructures were identified: Agriculture, Food, Water, Public Health,
Emergency Services, Government, Defence and Industrial Base, Information and
Telecommunications, Energy, Transportation, Banking and Finance, Chemical Industry
and Hazardous Materials, Postal and Shipping.
This definition has been completed as follows by the Subcommittee on Oversight and
Investigations: "National security and the quality of life in the United States rely on the
continuous, reliable operation of a complex set of interdependent infrastructures: electric
power, oil and gas, transportation, water, communications, banking and finance,
emergency services, law enforcement, government continuity, agriculture, health
services, and others. Today, these systems depend heavily on one another; that
interdependency is increasing. Disruptions in any one of them could jeopardize the
continued operation of the entire infrastructure system. Many of these systems are known
to be vulnerable to physical and cyber threats and to failures induced by system
complexity" [37].
[37] Statement of Dr. Samuel G. Varnado, Sandia National Laboratories, United States House of Representatives Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, July 9, 2002. http://www.whisprwave.com/msu-hs-class/critical-infrastructure-protection.htm

The Australian Trusted Information Sharing Network for Critical Infrastructure
Protection defined Critical Infrastructure as those physical facilities and those
information technologies and communication networks which would, if destroyed,
degraded or rendered unavailable for an extended period, impact on the social or
economic well-being of the nation or affect Australia's ability to conduct national defence
and ensure national security. Critical infrastructure extends across many sectors of the
economy, including banking and finance, transport and distribution, energy, utilities,
health, food supply, manufacturing and communications, as well as key government
services and national icons [38].
In the field of information and communication technologies, critical infrastructures are
defined as the set of indispensable resources including energy supply,
telecommunications, financial and accounting services, transport and logistics,
emergency services, health care (including water supply), the retail trade and public
administrations. These functions are increasingly linked to supporting information and
communications technologies, especially the Internet [39]. More specifically, information
systems security considers a critical infrastructure as (1) Elements of a system that are
so vital that disabling any of them would incapacitate the entire system; (2) those
physical and cyber-based systems essential to the minimum operations of the economy
and government [40].
These definitions are slightly different, even if they show common elements and even
quote each other. Table 5 lists the elements retained for the definition of
critical infrastructures.
Existing definitions provide relevant elements defining critical infrastructures, but also show
difficulties of interpretation:

- This table shows that the above definitions consider as infrastructures various
elements such as systems, networks, assets, facilities and services, considered in their
physical, virtual and immaterial dimensions. This is coherent with the broad sense of
infrastructure, which is not limited to the technical aspects. There is a clear focus on
telecommunications and information infrastructures, which are most often common to all
other systems. However, the elements considered remain quite general, so that one
cannot know which level of the infrastructure is considered (technical, regulatory, service).

- All the definitions are then based on the description of the conditions leading to a
critical situation: this might be a disruption, destruction or degradation, or a loss of continuity
or of reliability affecting these infrastructures. This places the analysis of critical
infrastructures in the perspective of a risk and vulnerability analysis.

[38] http://www.tisn.gov.au/agd/WWW/CriptHome.nsf/Page/What_is_Critical_Infrastructure
[39] www.melani.admin.ch/glossar/
[40] http://www.atis.org/tg2k/_critical_infrastructure.html

Table 5: Elements of definition for Critical Infrastructures

Elements considered:
- Set of indispensable resources
- Elements of a system that are so vital
- Networks
- Services
- Assets
- Systems and assets, whether physical or virtual
- Physical and information technology facilities
- Communication networks
- Functions linked to supporting information and communications technologies, especially the Internet
- Physical and cyber-based systems
- Complex set of interdependent infrastructures

Conditions for a critical situation:
- If disrupted or destroyed
- The incapacity or destruction of such systems and assets
- If degraded or rendered unavailable for an extended period
- Disabling any of them
- [Non] continuous, reliable operation

Criticality's criteria (serious debilitation impact on, would incapacitate / so vital to, essential to):
- The entire system
- The national public health
- Safety
- National Security
- National defence
- National economic security
- Minimum operations of the economy and the effective functioning government
- Social or economic well-being of citizens or of the nation
- Quality of life
- Or any combination of those matters

List of critical infrastructures / critical sectors:
- Banking, finance and accounting services [41]
- Transport [42] and logistics
- Energy, electric power systems [43], gas and oil systems [44]
- Water [45]
- Utilities
- Public health
- Agriculture
- Food supply
- Key government services and public administrations
- Law enforcement
- Emergency Services [46]
- Defence and Industrial Base
- Information and Telecommunications [47]
- Chemical Industry and Hazardous Materials
- Postal and Shipping
- National icons

[41] Banking and finance: entities such as retail and commercial organizations, investment institutions,
exchange boards, trading houses, and reserve systems, and associated operational organizations,
government operations, and support activities that are involved in all manner of monetary transactions,
including its storage for saving purposes, its investment for income purposes, its exchange for payment
purposes, and its disbursement in the form of loans and other financial instruments (Moteff, Copeland,
Fisher, 2003).
[42] Transportation: physical distribution systems critical to supporting the national security and economic
well-being of this nation, including the national airspace systems, airlines, and aircraft, and airports; roads
and highways, trucking and personal vehicles; ports and waterways and the vessels operating thereon; mass
transit, both rail and bus; pipelines, including natural gas, petroleum, and other hazardous materials, freight
and long haul passenger rail; and delivery services (Moteff, Copeland, Fisher, 2003).
[43] Electric power systems: generation stations, transmission and distribution networks that create and
supply electricity to end-users so that end-users achieve and maintain nominal functionality, including the
transportation and storage of fuel essential to that system (Moteff, Copeland, Fisher, 2003).
[44] Gas and oil production storage and transportation. The production and holding facilities for natural gas,
crude and refined petroleum, and petroleum-derived fuels, the refining and processing facilities for these
fuels and the pipelines, ships, trucks, and rail systems that transport these commodities from their source to
systems that are dependent upon gas and oil in one of their useful forms (Moteff, Copeland, Fisher, 2003).
[45] Water supply system: sources of water, reservoirs, and holding facilities, aqueducts and other transport
systems, the filtration, cleaning, and treatment systems, the pipelines, the cooling systems and other
delivery mechanisms that provide for domestic and industrial applications, including systems for dealing
with water runoff, waste water and fire fighting (Moteff, Copeland, Fisher, 2003).
[46] Emergency Services: medical, police, fire and rescue systems and personnel that are called upon, when
an individual or community is responding to emergencies. These services are typically provided at the local
level. In addition state and federal response plans define emergency support functions to assist in the
response and recovery (Moteff, Copeland, Fisher, 2003).
[47] Information and Communications: computing and telecommunications equipment, software, processes,
and people that support (Moteff, Copeland, Fisher, 2003).



The severity of the potential crisis has to be related to the criticality criteria
considered: the analysis of these definitions suggests that an infrastructure is
considered critical both because its potential disruption or lack may lead to an
emergency situation and because, in case of an emergency situation, it may be
used to solve the crisis (Figure 14). Criticality criteria are therefore related to the
strategic objectives of a national State, i.e. the maintaining of national security,
defence, public health, the economy and the well-being of citizens. These objectives are
understandable, but from an operational standpoint they do not allow identifying
precisely which infrastructures are considered. Existing definitions leave plenty of room
for interpreting which infrastructures fit the definition, which may lead to the
conclusion that every infrastructure is critical.

Figure 14: Criticality criteria to identify critical infrastructures
[Diagram labels: criticality criteria (national security and safety, defence, public health, economic security, social well-being); infrastructure as underlying basis of the system (infrastructure-support, info-structure, service), which "is required in case of" and "if disrupted will lead to" a critical situation (scope: extent of the impact; severity of consequences on public, economy, environment, interdependencies, psychology; effects of time).]



The specific sectors that have been listed are illustrative but do not form an
exhaustive list. We may distinguish critical infrastructures:
(1) related to the government's continuity and credibility to perform essential national
security missions and to ensure the general public health and safety (key government
services, public administrations, national icons, defence base and emergency services,
public health);
(2) related to the maintaining of order and to the delivery of minimum essential public
services (energy and water systems, agriculture, food supply, industrial base);
(3) related to the private sector, to ensure the orderly functioning of the economy and the
delivery of essential services (transportation, telecommunications and information
systems, banking and finance systems, energy and water systems, postal and shipping).

One of the given definitions highlights the fact that these infrastructures do not
exist in isolation of one another and that interdependency is increasing. A number of
facilities and services depend on each other. Airports and railways depend on electricity
and communications. The power grid itself depends on communication among power
plants and distribution nodes, and the telecommunications network depends on power
supply for the transmission links and the exchange nodes. Disruption in any of the
systems could jeopardize the continued operation of the entire infrastructure system.
Gheorghe and Schlapfer define the concept of interdependency as a bi-directional
relationship between two infrastructures, through which the state of each infrastructure
influences or is correlated to the state of the other. They identified four main types of
interdependencies (not mutually exclusive and to various degrees) among Critical
Infrastructures (Gheorghe and Schlapfer, 2004):
- The physical interdependency: two infrastructures are physically interdependent if
the state of each is dependent on the material output of the other;
- The cyber interdependency: if the state of an infrastructure depends on
information transmitted through the information infrastructure;
- The geographic interdependency: if a local environmental event can create state
changes in all of them;
- The logical interdependency: two infrastructures are logically interdependent if
the state of each depends on the state of the other via a mechanism that is not a
physical, cyber or geographic connection.
The analysis of critical infrastructures therefore requires a system-of-systems
perspective given their interdependencies, while all the definitions provide just a list of
single infrastructures.
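
The interdependency types listed above can be made concrete with a small cascade model. This is an added example, not taken from the report: the six links between airports, railways, electricity and telecommunications follow the examples in the text, while the water and banking links, the shared site, the type assigned to each link and the worst-case rule that a dependent fails as soon as any provider fails are assumptions.

```python
from collections import deque

# Interdependency types from Gheorghe and Schlapfer (2004), as listed above.
PHYSICAL, CYBER, GEOGRAPHIC, LOGICAL = "physical", "cyber", "geographic", "logical"

# Constructed toy system. Each entry reads (dependent, provider, type).
# The type given to each link is this example's classification (assumption).
DEPENDENCIES = [
    ("airport", "electricity", PHYSICAL),
    ("airport", "telecom", CYBER),
    ("railway", "electricity", PHYSICAL),
    ("railway", "telecom", CYBER),
    ("electricity", "telecom", CYBER),     # grid control relies on communication
    ("telecom", "electricity", PHYSICAL),  # links and exchange nodes need power
    ("water", "electricity", PHYSICAL),    # assumption: pumping stations
    ("banking", "telecom", CYBER),         # assumption: payment networks
]

# Geographic interdependency: infrastructures sharing one site (constructed).
# No logical link is included in this toy data set.
SITES = {"river_valley": {"water", "telecom"}}


def nodes(deps):
    """All infrastructures that appear in the dependency list."""
    return {n for dependent, provider, _ in deps for n in (dependent, provider)}


def cascade(initial, deps=DEPENDENCIES, types=(PHYSICAL, CYBER, LOGICAL)):
    """Return {infrastructure: cascade step} for everything that fails.

    Worst-case assumption: a dependent fails as soon as any one of its
    providers fails (no redundancy, buffering or recovery is modelled).
    Only links whose type is in `types` are followed.
    """
    dependents = {}
    for dependent, provider, kind in deps:
        if kind in types:
            dependents.setdefault(provider, []).append(dependent)
    step = {n: 0 for n in initial}
    queue = deque(initial)
    while queue:
        failed = queue.popleft()
        for dependent in dependents.get(failed, []):
            if dependent not in step:
                step[dependent] = step[failed] + 1
                queue.append(dependent)
    return step


def geographic_event(site, sites=SITES, **kwargs):
    """A local event disables every infrastructure located at `site`."""
    return cascade(sites[site], **kwargs)


def rank_by_reach(deps=DEPENDENCIES, **kwargs):
    """Rank infrastructures by how many others their loss disables."""
    reach = {n: len(cascade({n}, deps, **kwargs)) - 1 for n in nodes(deps)}
    return sorted(reach.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("loss of electricity:", cascade({"electricity"}))
    print("loss of telecom, physical links only:",
          cascade({"telecom"}, types=(PHYSICAL,)))
    print("event in river_valley:", geographic_event("river_valley"))
    print("ranking, all link types:", rank_by_reach())
    print("ranking, physical only:", rank_by_reach(types=(PHYSICAL,)))
```

Restricting the analysis to physical links makes the loss of telecommunications look isolated, whereas following the cyber links as well shows it disabling every other infrastructure in the toy system.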

We can therefore retain from existing definitions that:

- Critical infrastructures refer to a broad understanding of the term infrastructure:
those underlying systems of a society considered in their physical and immaterial
dimensions. As a consequence, they implicitly require a multi-dimensional
approach aiming at analysing the technical, regulatory and service delivery aspects
of the given infrastructures.
- The definition of critical infrastructures is a matter of concern for risk and
vulnerability analysis. The adjective "critical" refers to a potential crisis situation
due to various degrees of damage to the infrastructure. This implies
understanding the level of vulnerability and resilience of each infrastructure, in
order to evaluate its level of criticality. In addition, the criticality of an
infrastructure has to be understood in two different but complementary ways: an
infrastructure is considered critical because its potential disruption or lack may
lead to an emergency situation and because, in case of an emergency situation,
it may be used to solve the crisis.
- A critical situation is defined with respect to the strategic objectives of a national
State. However, the given criticality criteria leave problematic room for
interpretation. They are limited to the standpoint of the authorities, while the
criticality of an infrastructure might be different for the owner, insurer, or other
stakeholder. They also refer to a national scale, while the criticality might be
different at regional or local level. Finally, they are valid at a certain time but they
might evolve, as political concerns themselves evolve.
- The given lists are illustrative but not exhaustive and they do not address the
existing interdependencies between the infrastructures.

4.2. The notion of criticality


As already mentioned above, the first difficulty related to the concept of criticality is that
there is no general, standardised usage and broad-based mutual understanding of
the term "Critical Infrastructure", i.e. there is no clear understanding of what
criticality is that would allow defining what a critical infrastructure is. The
main issue is therefore to understand what the notion of criticality implies, in order to be
able to define which infrastructures are critical. But this issue faces four main
challenges:
- The evolution in time and space of the meaning of criticality and of the criteria to
define it;
- The subjective standpoint on criticality, leading to the identification of different
types of criticality;
- The spatio-temporal evolution of critical situations;
- The necessity to define to which infrastructure, or to which part of an
infrastructure, the concept of criticality applies.

4.2.1. The evolution in time and space of criticality
Criteria to define criticality are partly conditioned by the geographic scale and the time.
Criteria for classifying a facility or a service as critical infrastructure have evolved over
time. A key problem is that the notion of critical infrastructure has, over the last few
years, moved away from a technical scientific expert level and been introduced into
the political agenda, referring to a very different socio-political context. The set of
critical functions has thus expanded over time. The evolution of the criteria used to define
criticality has been already analysed in the context of the US critical infrastructure
protection policy and is still open to debate (Moteff, Copeland, Fisher, 2003, Moteff,
Parfomak, 2004).


Twenty years ago, infrastructure was defined primarily with respect to the adequacy of
the nation's public works, which were believed to be suffering from severe problems of
deterioration, technological obsolescence and insufficient capacity to serve future growth.
In the mid-1990s, however, the growing threat of international terrorism led policy
makers to reconsider the definition of infrastructure in the context of homeland
security. The number of infrastructure sectors and the types of assets considered to be
critical for purposes of homeland security have been expanded, as the focus of public
policy debates shifted from infrastructure adequacy to infrastructure protection.
On July 15, 1996, President Clinton signed Executive Order 13010 establishing the
President's Commission on Critical Infrastructures Protection. Infrastructure was defined
as "the framework of interdependent networks and systems comprising identifiable
industries, institutions (including people and procedures), and distribution capabilities
that provide a reliable flow of products and services essential to the defence and
economic security of the United States, the smooth functioning of government at all
levels, and society as a whole". Although the general concept of vital or critical infrastructures
was not entirely new, EO 13010 did break new ground in listing what was considered
to be critical infrastructures, a list much broader than that reported by the National
Council on Public Works Improvement. Further definitions, in Presidential Decision
Directive 63, signed on May 22, 1998, added the cyber infrastructures. After the
attacks of September 11, 2001, Executive Order 13228, signed on October 16, 2001
by President Bush, included nuclear sites, special events, and agriculture. In addition to
national security and national economic security, the criterion of public health and safety
was added. The USA PATRIOT Act of 2001 introduces the concept of key resources,
defined as "publicly or privately controlled resources essential to the minimal operations
of the economy and government". They are distinct from critical infrastructures but
require the same protection.
The last updated definition is found in The National Strategy for Homeland Security,
issued in July 2002. It restates the same definition but expands it, listing specific
infrastructure sectors as critical (see the above mentioned list of 13 critical sectors).
Furthermore, it introduces a new criterion to assess criticality: the importance of some
infrastructures or assets to the nation's morale. With respect to previous lists, it includes
chemicals (because they can be a source of materials that could be used as weapons of
mass destruction), and postal and shipping services, due to their economic importance.
The cyber infrastructure is considered apart. Key resources are replaced by the concept of
key assets, as "individual targets whose destruction would not endanger vital systems, but
could create local disaster or profoundly damage our Nation's morale or confidence".
This includes the diverse array of national monuments, symbols and icons, facilities and
structures that represent the national economic power and technological advancement,
and structures where large numbers of people regularly congregate to conduct business or
personal transactions, shop or enjoy recreational pastimes. The following table (Table 6),
taken from Moteff, Copeland, Fisher, 2003, shows how various infrastructures are
considered critical as a function of the criteria of criticality considered.


Table 6: Evolution of criticality criteria and infrastructures considered as critical in
US

Criteria for being considered critical, vital to (columns):
- National defence
- Economic security
- Public health and safety
- National morale

Infrastructure (rows):
- Telecommunications / information networks
- Energy
- Banking/finance
- Transportation
- Water
- Emergency services
- Government
- Health services
- National defence
- Foreign intelligence
- Law enforcement
- Foreign affairs
- Nuclear facilities, in addition to power plants
- Special events
- Food/agriculture
- Manufacturing
- Chemical
- Defence industry
- Postal/shipping
- National monuments / icons

Source: Moteff, Copeland, Fisher, 2003

Criteria to assess the criticality of an infrastructure thus reflect the major political
concerns and might evolve as these matters evolve. In Europe, the strategy to protect
Critical Infrastructures has been launched in the context of the fight against terrorism.
This nevertheless raises the question of whether these criteria are accurate and precise
enough to assess criticality.
4.2.2. A subjective standpoint on criticality
Metzger highlights that the classification of what is critical lies mainly in the eye of the
beholder (Metzger, 2004). A government has different priorities for classifying
infrastructure as critical than an organization or an individual. Different types of
stakeholders are concerned with the definition of critical infrastructures. Each of them, as
a function of its own interests, has a different perception of what criticality represents
for it and refers to what would constitute a crisis situation from its point of view. We may
distinguish the following standpoints on criticality:

- National authorities and decision-makers have to guarantee national interests and, so
far, they have been the most active in defining criticality. The main existing concern
is now the protection of the most critical infrastructures against intentional acts. The existing
criteria of national defence, national economic security, public health and safety and the nation's
morale are therefore criteria representing their matters of concern.
- Owners of infrastructures and assets: The main concern of the owners of
infrastructures, most often private ones, is the reliability of the service delivery. The
criticality of their infrastructure lies in the potential loss of quality, competitiveness and
reliability of the service delivered. Their criteria are therefore business continuity,
infrastructure reliability and service competitiveness.
- Insurers: For insurance and reinsurance companies, the most critical infrastructures
are those which, if damaged, will be the most expensive to insure. The criticality level
is decisive in setting their insurance fees, and even in deciding not to insure one or
more assets. Criticality criteria are thus related to the insurance company's sustainability
and business continuity.
- Experts and scientists: They aim at defining criticality in an objective way, assessing
the potential impact of the disruption of one or more infrastructures. However, as a
function of the scientific background of each type of expert, criticality will refer to
technical, economic, geographical or social criteria.
- Other stakeholders and the general public: The availability of a large number of
services, such as electricity, water supply, telecommunications, etc., is taken as given in
our societies. For the public, criticality thus refers to the degree of dependency of
society on these services.
The following table (Table 7) shows that criticality is expressed through different criteria
depending on the actors concerned. Infrastructures are viewed today either as objects to
be protected in the fight against crime and terrorism, as competitive advantages in the
private sector, as technical/operative systems, as defence-relevant strategic assets, or as
objects that are relevant for the formulation of national and international security policy.
Table 7: Actors' perceptions of criticality

- Type of actor: National authorities and decision-makers
  Crisis situation: Incapacity to ensure national interests, the security and safety of the citizens, the continuity of the government, generating loss of trust in the power and a political crisis.
  Criticality criteria: national defence, national economy security, public health and safety, nation's morale.
- Type of actor: Owners of infrastructures and assets
  Crisis situation: Incapacity to deliver a service with a qualitative and quantitative reliability, generating economic losses, loss of competitiveness, loss of customers' trust.
  Criticality criteria: technical and service reliability; service competitiveness; business continuity.
- Type of actor: Insurers
  Crisis situation: Incapacity to provide insurance funds in case of a too expensive damage, generating an economic disruption of the insurance company.
  Criticality criteria: insurance company sustainability; business continuity.
- Type of actor: Other stakeholders and the general public
  Crisis situation: Disruption of services, invalidating the reliable continuity of daily activities and threatening life and economic well-being standards.
  Criticality criteria: service continuity following the degree of dependency.

Acknowledging that criticality is also a matter of perception thus implies:

- The need to identify and to understand different actors' perceptions of
criticality. As has often been underlined in recent research on risk management,
there is a need to include the different perceptions of risk when assessing the risk. This
principle also holds when defining what criticality is. Since each type of actor perceives
criticality in a different way, there is a need to take their representations on board in the
definition of a critical infrastructure protection strategy. The disruption of an
infrastructure that the authorities do not consider critical might be perceived by the
public as the result of policy failure, or the failure of politicians. Furthermore, the criterion
for what constitutes "good policy" is changing: the future career of political
decision-makers is no longer decided by their administrative competence during routine periods,
but instead by the effectiveness of their management before, during and after a crisis,
whether good or bad. The role of decision-makers is therefore to identify when the
criticality criteria are relevant for a security policy issue and when they are not. This
implies a good understanding of the political context in which the criticality of
infrastructures is defined.

- To define the level of acceptable criticality for each type of actor, as a
function of the political context. In contrast to technical infrastructure analysis, security
policy research is less concerned with identifying objective crisis thresholds than with
investigating who, when, what, in what context, how and with what result a crisis
occurred. A crisis might be perceived in different ways and what is acceptable for some
actors may not be acceptable for others. Criticality must therefore be assessed and
prioritized as a function of these different levels of acceptability.

- To define a critical infrastructure protection strategy balancing the interests
of the various actors. The various perceptions of criticality show that it is less the
infrastructures in a technical sense that are directly relevant than the services these
infrastructures support. Each type of actor benefits from these services in a different way.
However, a good protection strategy for critical infrastructures can be implemented well
only if each actor sees its own interests taken into account.

Depending on the standpoint adopted to define criticality, it is possible to distinguish
different understandings of criticality, which have consequences for the types of
infrastructures considered critical.


4.2.3. Two differing but interrelated ways of understanding criticality


Metzger distinguishes at least two differing but interrelated ways of understanding
criticality, which refer to different types of infrastructures (Metzger, 2004).
a) Criticality as a teleological concept: an infrastructure is inherently critical, because
of its role or function in society. This means that an existential security policy objective,
e.g. territorial sovereignty, can no longer be achieved in the event of the collapse of, or
damage to, the infrastructure. In such an instance, it is basically the national interest rather
than the infrastructure itself that is critical. This is why, as far as the terrorist threat to
critical infrastructures is concerned, some assets such as government buildings might be
targets.
b) Criticality as a systemic concept: an infrastructure is critical because of its structural
positioning in the whole system of infrastructures, especially so because it is an important
link between other infrastructures or sectors (e.g. electricity and
information/telecommunication networks are of special importance because other networks
are linked to and depend on them).
Metzger concludes that the concept of teleological criticality allows non-networked and
non-technical objects, systems and processes to be integrated under the category of
Critical Infrastructures requiring protection. Human targets, such as the president of a
country, or national heritage sites with a strongly symbolic character are critical targets
not because of their networking significance, but because of their function and
importance for national pride, e.g. for maintaining the identity of a people. The systemic
understanding of criticality, with its understanding of infrastructures as complex,
adaptive systems, provides a more satisfactory representation of everyday reality in all
its complexity. It is also more amenable than teleological criticality to an empirical
analysis based on statistical data. It is however difficult, from a security policy standpoint, to make
a distinction between optimising routine emergency management and a policy for
existential threats, whereas teleological criticality is, by definition, inherently placed in a
national security policy context. The teleological concept allows the national security
analyst and researcher to define relevant assets more easily than the systemic one,
because it is not the interdependencies as such that are defining in a socio-political
context, but the role, relevance, and symbolic value of specific infrastructures (Figure
15).


Figure 15: Two approaches to criticality
[Diagram labels: teleological approach: inherently critical (role for the national identity, interests); infrastructure; human targets and national symbols; national security context. Systemic approach: relatively critical (role within a whole system of interdependent infrastructures); infrastructure-support, info-structure, service; complex systems of infrastructures; ordinary and exceptional emergency management context.]

This shows that the expected output of a discussion on the concept of criticality is the
definition of the infrastructures, or parts of infrastructures, to which the concept must
apply. This is strongly related to the spatio-temporal dimensions of the analysis.

4.2.4. The scaling factor in time and space
Criticality varies in time and space and is therefore strongly determined by the scale and
the time of analysis. As far as the geographical scale is concerned, one infrastructure
might be critical at national level (e.g. foreign intelligence) but less relevant at regional or
local level. On the contrary a critical infrastructure at regional or local level might not be
relevant at national or international level. The scale affects thus the choice of accurate
criteria of criticality and the involved actors must be aware of the time and space
dimension of these criteria, in order to adapt their objectives.
For a given infrastructure (e.g. the electricity infrastructure), the elements of the
infrastructure to be considered must correspond to the scale of analysis. Map 1 shows,
for instance, that at the level of a NUTS-level 3 Region, the transmission lines and the
production sites considered critical are those having a national or international capacity of
delivery (Logtmeijer, C., Di Mauro, C., Nordvik, J-P., 2006).


Map 1: Main energy infrastructure in North-West Europe


On the contrary, at the regional level of reference for a country (here,
Lombardy, Italy), the transmission lines and production sites to be considered critical are
those having a regional importance.

Map 2: Main energy infrastructure in north Italy.


Criticality varies in time as well: a service is more or less critical as a function of the
hour, the day, week, month, etc. For instance, a blackout might more easily turn into a
crisis situation in winter than in summer, because the demand is much higher in
winter. This is also related to the geographical position: a blackout in summer, happening
in a country where ventilation systems are heavily needed, will trigger a crisis situation
more easily than in a region where, in summer, average temperatures are lower.
In addition to the spatio-temporal scaling factor, there is a need to know to what the
concept of criticality exactly applies.

4.2.5. To which infrastructure or to which part of the infrastructure does the
concept of criticality apply?
The last concern about the concept of criticality is to understand exactly to what it
applies. Existing definitions provide illustrative lists of infrastructures. However, the fuzzy
set of criteria has so far not allowed providing an exhaustive list of infrastructures. Some
authors contest the necessity of giving too precise a list, since it might appear restrictive.
On the contrary, some authors assume that the lists should be less inclusive, as not all
infrastructures should be considered critical. With a view to defining measures for the
protection of critical infrastructure, there is nevertheless a need to know which
infrastructures have to be protected as a priority, keeping in mind that the criticality
of individual assets is potentially fluid, since criticality varies as a function of time, scale,
risk, and market changes. While there is a quite common agreement on the importance of
some infrastructures, such as the telecommunications and information networks, together
with energy, which are at the heart of almost all other infrastructures, there are still
debates on the criticality of other infrastructures. One of the ongoing debates is, for
instance, whether means of persuasion, like computer or radio or television
technology, must be considered critical, as they are more belief-sustaining than
life-sustaining. The arguments parallel those for means of protection, with conservatives
generally asserting that belief in a common view of reality, especially in emergency
services, is critical to survival. This can be achieved through a precise definition of the
criteria of criticality.
Another issue is the need to clarify what is meant to be protected. Metzger asks: "is it
really the infrastructures that we need to protect above anything else? The answer is no,
because it is rather the services, the physical and electronic (information) flows, their
role and function, and in particular the core values symbolised by the
infrastructures that are the real focus of our protective interests. In order to take into
account the actual system dynamics involved and our own protective interests, it would
actually make more sense to speak of critical services robustness or critical services
sustainability rather than critical infrastructures" (Metzger, 2004). The following table
(Table 8) details vital services provided by critical infrastructures in the Netherlands (Luiijf
E., Burger H., Klaver M., 2003).


Table 8: Vital services provided by Critical Infrastructures (in Netherlands)

Source: Luiijf E., Burger H., Klaver M., 2003


Furthermore, none of the existing definitions clearly defines what actually makes a piece
of infrastructure critical. The assets, functions and systems within each critical
infrastructure sector are not equally important and are not uniformly critical in nature.
The EU definition points to elements that help narrow down a definition, such as the
extent of the geographic area affected and the magnitude of the impact measured in
environmental, public, political or economic terms. In order to develop an effective
protection strategy, there is thus a need to identify and prioritize which assets of an
infrastructure are most essential to its function, or pose the most significant danger to life
and property if threatened or damaged. The European Green Paper on the protection of
Critical Infrastructures lists the following elements, whose criticality has to be assessed
(COM (2005) 576):
- Material elements;
- Non-material elements (sensors, command, information systems);
- Human elements (decision-maker, expert);
- Access to information (databases, reference systems);
- Dependence on other systems (energy, telecoms);
- Specific procedures (organisation, management of malfunctions, etc.)
Taking the example of the transportation sector, Moteff, Copeland and Fisher show that
not all components of the transportation network are equally critical. They start from the
question: if a bridge is destroyed by a terrorist attack, how badly would the local
economy and interstate commerce suffer? They show, on the basis of two case studies,
that although the transportation system is frequently congested in urbanized areas, there
are usually alternative transportation routes or facilities that come into play. There are
few instances where this is not the case and these are probably the real critical pieces of
transportation infrastructure (Moteff, Copeland and Fisher, 2003).
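
The bridge question raised above can be worked through on a toy network. This is an added example, not part of the report or of the Moteff, Copeland and Fisher study: the road network, costs and trips are constructed, and criticality is approximated by removing one link at a time and checking whether each trip still has a route and at what extra cost.

```python
import heapq

# Constructed road network: (end_a, end_b) -> travel cost. Links are two-way.
LINKS = {
    ("port", "junction"): 10,   # only access to the port
    ("junction", "city"): 20,   # motorway
    ("junction", "ring"): 15,   # ring road, alternative to the motorway
    ("ring", "city"): 15,
    ("city", "island"): 5,      # bridge, only access to the island
}

# Constructed origin-destination pairs that the network has to serve.
TRIPS = [("port", "city"), ("port", "island")]


def shortest(links, src, dst):
    """Cheapest route cost from src to dst (Dijkstra), or None if cut off."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {src: 0}
    heap = [(0, src)]
    while heap:
        dist, node = heapq.heappop(heap)
        if node == dst:
            return dist
        if dist > best.get(node, float("inf")):
            continue  # stale queue entry
        for nxt, cost in graph.get(node, []):
            candidate = dist + cost
            if candidate < best.get(nxt, float("inf")):
                best[nxt] = candidate
                heapq.heappush(heap, (candidate, nxt))
    return None


def link_criticality(links, trips):
    """For each link: trips cut off by its loss and total detour cost."""
    baseline = {trip: shortest(links, *trip) for trip in trips}
    report = {}
    for link in links:
        remaining = {l: c for l, c in links.items() if l != link}
        cut_off, detour = [], 0
        for trip in trips:
            cost = shortest(remaining, *trip)
            if cost is None:
                cut_off.append(trip)      # no alternative route exists
            else:
                detour += cost - baseline[trip]
        report[link] = {"cut_off": cut_off, "detour": detour}
    return report


def critical_links(report):
    """Links whose loss leaves at least one trip without any route."""
    return sorted(link for link, result in report.items() if result["cut_off"])


if __name__ == "__main__":
    result = link_criticality(LINKS, TRIPS)
    for link, outcome in result.items():
        print(link, outcome)
    print("no alternative route:", critical_links(result))
```

In this constructed network the motorway carries every trip yet its loss only adds a detour, while the port access road and the island bridge are the links without an alternative.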
Finally, providing lists of critical infrastructures might lead to overlooking the
interdependencies between infrastructures, which might be very critical elements in a system
of infrastructures. The identification of interdependencies between assets and other
systems is another important issue for the prioritization process.

Discussion on the concept of criticality is an essential preliminary work before carrying
out a criticality assessment of existing infrastructures, since criteria must be defined as a
function of the ongoing political issues, of the geographic scale and of the standpoints of
the involved stakeholders. This implies a process of deliberation between these actors. The
objective of the deliberation is to agree on what constitutes a critical situation, what is the
level of acceptability of such a crisis situation, and what is the common understanding of the
concept of criticality. The last element is then to define precisely to which infrastructures,
and to which part of an infrastructure, this concept applies, including critical
interdependencies (Figure 16).


[Figure 16 (diagram). Labels recovered from the figure: CIP context/objectives; actors' perception (decision makers, owners, experts, stakeholders, insurers); criticality criteria (national security and safety, defense, public health, business security, social well-being); critical situation (scope, severity of consequences, effects of time); to which part of the infrastructure? (interdependencies, infrastructure support, info-structure, service); time/scale factors; theological / systemic approaches.]

Figure 16: Main issues related to the definition of Critical Infrastructures


4.3. Main policy issues for the identification of critical infrastructures


The difficulty of interpreting existing definitions of critical infrastructures, as well as existing discussions on the concept of criticality, has many implications for the decision and policy-making process, i.e. allocating the resources for critical infrastructures protection in the most efficient way, identifying and defining the roles and responsibilities of involved stakeholders, and defining a methodology for the assessment of critical infrastructures and interdependencies.
4.3.1. Allocate the resources in the most efficient way
An unclear definition of critical infrastructures can have implications for the efficiency of the decision-making process. One concern is that an unclear or unstable understanding of what constitutes a critical infrastructure could lead to inefficient security policies.
The first issue is that a growing list of critical infrastructures requires growing resources devoted to protecting them. Allocating limited public resources across an excessively broad range of infrastructures may be an inefficient use of resources. Moteff, Copeland and Fisher underline that the debate among policy makers about the implications of an ambiguous or changing list of critical infrastructures rests on the fact that ambiguity could lead to inefficient use of limited homeland security resources. The risk is to consider that too many facilities have to be protected, even the wrong ones. On the other hand, arbitrarily limiting the number of critical infrastructures a priori, due to resource constraints, might miss a dangerous vulnerability (Moteff, Copeland and Fisher, 2003).
Second, clear criticality criteria are also important for the government bodies intending to implement and enforce any potential future security regulations related to critical infrastructure, especially where private companies are responsible for security spending. They need clear and stable definitions of infrastructure or asset criticality so that they will know exactly which of them to protect, and how well to protect them.
As a result, in many countries, Critical Infrastructures Protection initiatives were launched that focused more or less exclusively on the area of the Internet or cyber communications. Metzger gives the example that in 2000, in what was intended to meet the requirements for a national Critical Infrastructure Protection Plan, entitled "Defending America's Cyberspace: National Plan for Information Systems Protection", a strategic Internet security plan was presented that largely neglected physical infrastructure protection. However, it is important to understand that Critical Infrastructure Protection comprises all critical sectors of a nation's infrastructure, while Critical Information Infrastructures Protection is only a subset of a comprehensive protection effort, as it focuses on critical information infrastructure (Metzger, 2004).
Too broad a definition of critical infrastructures can thus constitute an inefficient starting point for a Critical Infrastructures Protection strategy. Although it might appear difficult to provide a satisfactory definition, there is at least a need to bring all concerned stakeholders to agree on the objectives of the critical infrastructures assessment.


4.3.2. Identifying roles and responsibilities to define the objectives of the critical infrastructures assessment
The identification of critical infrastructures that need to be protected requires the involvement of all concerned stakeholders. The identification of what constitutes critical services must be the result of a comprehensive review of each actor's perception, combined with the political objectives of such a strategy. The choice of the stakeholders must be coherent with the scale chosen for the critical infrastructures assessment (at international, national, regional, local levels). The role and responsibilities of each of them must then be defined. The responsibility of private actors owning infrastructures is in this view particularly relevant. Infrastructure providers have vast experience responding to and mitigating day-to-day outages or minor disruptions, and therefore know well how critical their infrastructure is. Authorities must be responsible for the definition of what could lead to a political crisis, on the basis of public concerns as well as expert studies. They remain the entity of reference to coordinate policies and actions.
Through a process of consultation, there is a need to define a strategy for critical infrastructure protection, which first requires the perspective on criticality to have been defined. Metzger identifies the following perspectives:
- The system-level, technical perspective: CIP is approached as an IT-security or information assurance issue, with strong focus on Internet security.
- The business perspective: CIP is seen as an issue of business continuity.
- The law-enforcement perspective: CIP is seen as an issue of protection of society against (cyber-) crime.
- The defence perspective: This view is either military- or civil protection-centred.
- The regulatory policy perspective: The smooth and routine operation of infrastructures and questions like privacy, or hardware and software standards, must be regulated.
- The national and international security policy perspective.
This issue is complicated by the fact that there might be some conflicts of interest in the definition of what criticality is, namely between infrastructure providers and authorities: one of the main problems is to adopt a position between everyday routine and crisis situations. When is critical infrastructure protection a maintenance issue of business continuity for an individual, corporate or local actor, and when is it the subject of national and, where necessary, even international security policy?
The objectives of the criticality assessment must then result from the consultation of the involved stakeholders. Objectives must be coherent with the ongoing policy concerns and with the scale considered.
4.3.3. Define a methodology to identify Critical Infrastructures and critical interdependencies
Once roles and responsibilities have been clarified and the objectives of the criticality assessment have been defined, there is a need to identify critical infrastructures at the chosen scale. The aim of a methodology is to prioritize and rank the most critical infrastructures or assets requiring protection. There is thus a need to develop a uniform methodology for identifying critical assets and to establish and implement a more consistent standard for what constitutes a critical asset.
FEMA provides decision makers with the following methodology to establish mitigation priorities at local level. The criticality of assets and infrastructures must be assessed considering (FEMA, 2003):
- Is it an element of one of the community's critical infrastructures?
- Does it play a key role in the community's government, economy or culture?
- What are the consequences of destruction, failure or loss of function of the assets in terms of fatalities and/or injuries, property losses and economic impacts?
- What is the likelihood of cascading or subsequent consequences should the asset be destroyed or its function lost?
- What is the level of resilience of the given asset or infrastructure?
The difficulty lies in the fact that the criticality approach must be based on a multidimensional approach, i.e. addressing the technical, regulatory and service-providing aspects. This requires a multi-disciplinary quantitative and qualitative vulnerability and resilience assessment.
The same methodology must be developed at the infrastructure or assets level. Some elements within a critical infrastructure are far more critical than others, which may be lightly used or somewhat redundant. One option would therefore be to focus on identifying the truly critical assets and doing things to harden or toughen them against attack, or to reduce the impact of their loss either by building in redundancies or through relocation or redesign (to reduce associated hazards) over time. Individual critical infrastructure sectors have implemented independent and often varying approaches for identifying their own critical assets. For example, the June 2001 security guidance issued by the National Petroleum Council for oil and gas infrastructure stated:
"The first step in the risk management process is to identify and put a value on each of the key assets of the organization. These key assets can be people, facilities, services, processes, programs, etc. Next, the impact of loss for each of these assets is estimated. This is a measure of the loss to the company if the asset is damaged or destroyed. A simple rating system based on user-defined criteria can be used to measure the value of the asset (e.g. very low, low, moderate, high, and extremely high) and the impact of its loss. In a more complex risk management system, the value of an asset and impact of loss can be calculated in monetary units. These values may be based on such parameters as the original cost to create the asset, the cost to obtain a temporary replacement for the asset, the permanent replacement cost for the asset, costs associated with the loss of the revenue, an assigned cost for the loss of human life or degradation of environmental resources, costs to public/stakeholder relations, legal and liability costs, and the costs of increased regulatory oversight" (Moteff, Copeland, Fisher, 2003).
It is up to individual companies to determine the specific basis for criticality in their security assessments. It is important to note that the criteria chosen to express potential losses must be adapted to the criticality criteria adopted, e.g. the potential loss to the company that private companies tend to use, versus broader economic or social welfare impacts. This emphasis illustrates the practical challenge of relying on private companies to identify critical assets in the context of national infrastructure security.


Finally, the focus should be laid on the identification of the most critical interdependencies. "In the past, the nation's critical infrastructures operated fairly independently. Today, however, they are increasingly linked, automated, and interdependent. What previously would have been an isolated failure could cascade into a widespread, crippling, multi-infrastructure disruption today. Currently, there are no tools that allow understanding of the operation of this complex, interdependent system. This makes it difficult to identify critical nodes, determine the consequences of outages, and develop optimized mitigation strategies." Omitting interdependencies will at best limit the validity of analyses and at worst lead to bad or inappropriate policies. Identifying and focusing on those assets that connect one infrastructure to another may be a cost-effective way to reduce the overall critical assets of one or more infrastructures are located that might warrant priority. Experts may provide models on cascading and higher order effects, i.e. models showing how disruptions in one infrastructure can ripple or cascade into other infrastructures, creating second and higher order disruptions.
The difficulty lies as well in identifying who is responsible for assessing critical interdependencies, since two interdependent infrastructures may be under the responsibility of two different private actors. Local, regional and national authorities must then identify one responsible party or carry out the criticality assessment themselves, in collaboration with experts and other involved stakeholders.
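A minimal sketch of the kind of cascade model mentioned above, added here as an illustration and not taken from the report. The asset names, sectors and dependency links are constructed, and the failure rule (an asset is disrupted once all alternative suppliers of any one required service have failed) is a modelling assumption.

```python
from collections import namedtuple

# needs: list of groups; each group lists the alternative suppliers of one
# required service. An asset is disrupted once every supplier in any one
# group has failed (assumed rule; redundancy = more than one supplier).
Asset = namedtuple("Asset", ["sector", "needs"])

# Constructed sample system (hypothetical assets and links).
SYSTEM = {
    "substation_A": Asset("energy", []),
    "substation_B": Asset("energy", []),
    "telecom_exchange": Asset("telecom", [["substation_A"]]),
    "scada_link": Asset("telecom", [["telecom_exchange"]]),
    "water_pump": Asset("water", [["substation_A", "substation_B"], ["scada_link"]]),
    "hospital": Asset("health", [["substation_A", "substation_B"], ["water_pump"]]),
    "rail_signalling": Asset("transport", [["substation_B"], ["telecom_exchange"]]),
}


def cascade(system, initial):
    """Return {asset: order} for every asset disrupted when `initial` fails.

    Order 0 is the initial failure, order 1 its direct dependents,
    order 2 the second-order disruptions, and so on.
    """
    failed = {initial: 0}
    order = 0
    while True:
        order += 1
        # Evaluate every asset against the state reached in the previous round.
        newly = [
            name for name, asset in system.items()
            if name not in failed
            and any(all(s in failed for s in group) for group in asset.needs)
        ]
        if not newly:
            return failed
        for name in newly:
            failed[name] = order


def cross_sector_impact(system, initial):
    """Number of disrupted assets belonging to a sector other than `initial`'s."""
    home = system[initial].sector
    return sum(1 for name in cascade(system, initial)
               if system[name].sector != home)


def rank_assets(system):
    """(asset, cross-sector disruptions, highest cascade order), most critical first."""
    rows = []
    for name in system:
        orders = cascade(system, name)
        rows.append((name, cross_sector_impact(system, name), max(orders.values())))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def single_supplier_links(system):
    """Cross-sector dependencies with no alternative supplier: (supplier, dependent)."""
    links = []
    for name, asset in system.items():
        for group in asset.needs:
            if len(group) == 1 and system[group[0]].sector != asset.sector:
                links.append((group[0], name))
    return sorted(links)


if __name__ == "__main__":
    for name, impact, depth in rank_assets(SYSTEM):
        print(f"{name:18} cross-sector disruptions={impact} highest order={depth}")
    print(single_supplier_links(SYSTEM))
```

In this constructed system the two substations are the same kind of asset, yet only `substation_A` triggers a fourth-order disruption, because the water pump and hospital lose service through the telecom path even though their power supply is redundant.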
4.4. Conclusion
Given the problems of defining critical infrastructures and the main issues raised by the concept of criticality, the challenges for territorial assessment are related to (Figure 17):

Step 1: Choice of actors as a function of the geographic scale (European, national, regional, local)

Step 2:
- Definition of the objectives of the critical infrastructures assessment;
- Definition of the criticality criteria expressing these objectives.

Step 3: Listing of the areas, infrastructures, interdependencies considered critical as a function of these criteria.

Step 4: Final ranking of most critical areas, infrastructures, interdependencies.

Figure 17: Policy issues of critical infrastructures assessment


- The choice, at different scales, of the type of actors that need to be involved in the criticality assessment. These actors are not the same, depending on the geographical level considered.
- The definition of possible objectives for criticality assessment (e.g. business continuity vs. exceptional crisis) as a function of each actor's perception of criticality and of the scale considered.
- For each possible objective, the definition of criticality criteria as a function of ongoing political concerns and of the scale of analysis.
- The listing of the areas, infrastructures (and the appropriate level of analysis that must be considered, i.e. technical, regulatory, service) and interdependencies that must be considered critical as a function of these objectives and criteria. This list should be the starting point of the vulnerability and resilience analysis. The output of this analysis should be the ranking of the most critical areas, infrastructures and interdependencies.


5. The concepts of risk and vulnerability applied to critical infrastructures
Literature dealing with the risk and vulnerability concepts is mainly related to natural disasters. There is an ongoing debate on how they should be defined and used within the field of natural disaster management. Terminology in this field is not standardized and authors from different institutions may use the same terms in slightly different ways. In addition, there is a plethora of vulnerability-related literature addressing developing countries (Wisner, 1993; Blaikie et al., 1994; Twigg & Bhatt, 1998; Cannon, 2000; Kreimer & Arnold, 2000). This is driven by the needs and priorities of international institutions such as the World Bank [48], the Inter-American Development Bank [49] and the Asian Development Bank [50], which need tools to prioritise the allocation of grants and loans to developing countries. However, the developed countries' perception of their own vulnerabilities is changing dramatically as a result of a sequence of events affecting, among others, critical infrastructures [51] (Vetere, Heikkila, Bouchon and al., 2004).
There is therefore a need to understand how the concepts of risk and vulnerability are applied to critical infrastructures, showing the similarities with the field of natural disaster management and the specificity of the field of Critical Infrastructure Protection. Our main objective here is not to propose new definitions but rather to identify the main issues related to the need to use these concepts in an operational way, i.e. as a support for effective tools and methodologies.
This chapter first recalls the existing definitions of risk, hazard and vulnerability and highlights the conceptual difficulties they raise (5.1). Second, it addresses how the definitions of these concepts evolve when applied to critical infrastructure, in the context of the analysis of so-called systemic risks (5.2). Finally, it focuses on the properties of the concept of vulnerability and related ones as a function of their time-spatial dimensions (5.3).
5.1. Existing definitions of the basic concepts in risk analysis
5.1.1. The concept of risk
The term risk is defined in dictionaries as a source of danger, the exposure to a chance of loss or damage, the possibility of suffering or being exposed to possible harm or loss, but it also refers to a venture depending on chance, i.e. taking a risk in the hope of a favourable outcome. These general definitions show that risk refers to a potential outcome that could be both negative and positive, depending on a level of exposure and of probability. In economics, for instance, higher risk means a greater opportunity for high returns... and a higher potential for loss (Mechler, 2003). In management terms, risk is also seen as a measure of uncertainty about the achievement of set objectives.

[48] http://www.worldbank.org
[49] http://www.iadb.org
[50] http://www.adb.org
[51] i.e. the 11 September 2002 attack on the Twin Towers in New York, USA, various blackouts that occurred in 2003 (USA, Sweden, Italy), several successful attempts by hackers to disseminate viruses across the world wide web, anthrax episodes, SARS dilemma, etc.

Basically, within the disaster management literature, the definitions focus on the potential negative outcome, e.g. potential harm or potential losses that may arise from some present process or from some future event. Risk as a scientific term was developed within the context of disasters in the world of engineering (Holling 1973, Walker et al. 1993, Fiering 1982). Misunderstandings arose when the definitions were transferred from physical sciences and engineering into the realm of social sciences, which wished to include social, political, and economic conditions. A first clarification of concepts was proposed by UNDRO (UNDRO, 1979). However, UNDRO's definitions were never widely accepted as a reference glossary, even if some authors still refer to them (Coburn, 2001). As a result, authors are still compelled to provide their own definitions. The UN/ISDR secretariat has presented primary terms related to disaster risk reduction to practitioners and experts for their consideration and further refinement [52] (UN/IDSR 2004). They constitute a relevant starting point.
Some examples of risk definitions in the hazard and disaster management literature are presented in Table 9.

[52] An important activity in the project has been to study the terminology in several disciplines, e.g. system safety, reliability, information technology security, and risk management, in order to clarify how concepts such as vulnerability, dependability, risk, and robustness can be used in the infrastructure context.


Table 9: Examples of risk definitions in the field of disaster management

| Source | Definition of risk |
|---|---|
| Burby, 1991 | The concept of risk implies the possibility of suffering a loss |
| Lafond and Gosselin, 1994 | The potential for accidental incapacitation or casualty, the chance of dying immediately or in the future as a result of exposure to any one of the listed activities or substances |
| Chapman, 1994 | Risk is a function of the probability of the specified natural hazard event and vulnerability of cultural entities |
| Coburn and al., 1994 | The term risk refers to the expected losses from a given hazard to a given element at risk, over a specified future time period |
| Smith, 1996 | Probability x loss (probability of a specific hazard occurrence). Hazard = potential threat |
| Stenchion, 1997 | Risk might be defined simply as the probability of occurrence of an undesired event [but might] be better described as the probability of a hazard contributing to a potential disaster... importantly, it involves consideration of vulnerability to the hazard. |
| Crichton, 1999 | Risk is the probability of a loss, and depends on three elements, hazard, vulnerability and exposure. |
| IPCC, 2001 | Function of probability and magnitude of different impacts |
| Di John, 2001 | The risk an individual and/or community faces is a function of the a) probability of a particular hazard and b) identified vulnerability minus c) the mitigation capacity of the community to handle an eventual realization of the disaster. |
| UN/IDSR, 2004 | The probability of harmful consequences or expected losses (deaths, injuries, properties, livelihoods, economic activity disrupted or environment damaged) resulting from interactions between natural or human induced hazards and vulnerable conditions |

Following these definitions we can assume that:
(1) Risks refer to a combination of three components or risk factors:
- Hazard describes the potential for harm or other consequences of interest and the related process (geographical location, intensity and probability).
- Exposure describes the elements at risk, i.e. targets exposed to potential hazards.
- Vulnerability describes the susceptibilities and capacities of the targets to be impacted by potential hazards.
Risks describe the potential effects that these hazards are likely to cause on specific targets, such as lives (lost), persons (injured), property (damaged) and/or economy (disrupted). It is broadly accepted that risk cannot be determined only as a function of hazard describing the possibility of physical harm, but must also include the vulnerability of the element at risk (Cannon, 1994; Bolin and Stanford, 1991). Hazard only has the potential to cause negative consequences (if and to what extent these consequences will become reality depends on the vulnerability of the element at risk). A disaster means that the potential negative consequences have become reality due to the occurrence of a hazard.
(2) Therefore, the concept of risk combines the likelihood or chance of potential consequences and the severity or magnitude of these consequences. Likelihood refers to the probability of an event occurring, based on its past frequency or on estimation and forecasts; severity refers to the intensity of a hazard, and therefore to the potential consequences on targets as a function of this intensity and of the vulnerability of targets.
(3) All these definitions are probabilistic in nature, relating either to:
(i) The probability of occurrence of a hazard that acts to trigger a disaster or series of events with an undesirable outcome, or
(ii) The probability of a disaster or outcome, combining the probability of the hazard event with a consideration of the likely consequences of the hazard.
The ambiguity as to whether it is the probability of occurrence of a hazard or the probability of a particular outcome that is being referred to is addressed by Sarewitz et al. (Sarewitz et al., 2003). They define event risk as the risk of occurrence of any particular hazard or extreme event and outcome risk as the risk of a particular outcome. The final outcome risk combines the expected losses from all levels of hazard severity, also taking into account their occurrence probability.
(4) On the basis of Crichton's risk equation, we retain the following formulation of risk (Figure 18):

$$R_{ah} = H_{ah} \times E_a \times V_{ah}$$

Figure 18: Crichton's risk equation
Where:
$H$ = types of hazard (determined in place, duration, probability, intensity);
$a$ = geographical region affected by hazard $h$;
$E_a$ = number of targets or elements at risk located in area $a$;
$V$ = susceptibility / capacities of the targets to cope with hazard $h$ in area $a$;
The risk is equal to zero if one of the three components of hazard, vulnerability or exposure is equal to zero (Crichton, 1999).
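The equation above and the event risk / outcome risk distinction from point (3), worked through as an added example that is not part of the original report. It assumes H is expressed as an annual probability and V as the fraction of exposed elements lost; the areas, severity levels and numbers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SeverityLevel:
    """One severity level of hazard h in area a (constructed values)."""
    label: str
    probability: float    # H_ah: assumed annual probability of this severity level
    vulnerability: float  # V_ah: assumed fraction of exposed elements lost (0..1)


def crichton_risk(hazard: float, exposure: float, vulnerability: float) -> float:
    """R_ah = H_ah * E_a * V_ah, here the expected number of elements lost per year."""
    if not 0.0 <= hazard <= 1.0:
        raise ValueError("hazard must be a probability in [0, 1]")
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability must be a fraction in [0, 1]")
    if exposure < 0:
        raise ValueError("exposure cannot be negative")
    return hazard * exposure * vulnerability


def event_risk(levels) -> float:
    """Event risk: probability that the hazard occurs at any severity level.

    Assumes the severity levels are mutually exclusive within one year.
    """
    total = sum(level.probability for level in levels)
    if total > 1.0:
        raise ValueError("probabilities of exclusive levels cannot exceed 1")
    return total


def outcome_risk(levels, exposure: float) -> float:
    """Outcome risk: expected losses combined over all severity levels."""
    return sum(
        crichton_risk(level.probability, exposure, level.vulnerability)
        for level in levels
    )


def rank_areas(areas):
    """Return (area, outcome risk) pairs, highest outcome risk first."""
    scored = [
        (name, outcome_risk(area["levels"], area["exposure"]))
        for name, area in areas.items()
    ]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: one hazard h (flood) in three areas a.
FLOOD_AREAS = {
    "river_plain": {
        "exposure": 400,  # E_a: elements at risk located in the area
        "levels": [SeverityLevel("minor", 0.10, 0.05),
                   SeverityLevel("major", 0.01, 0.60)],
    },
    "hill_town": {
        "exposure": 5000,
        # V = 0: exposed, but the targets fully cope with the hazard.
        "levels": [SeverityLevel("minor", 0.10, 0.0),
                   SeverityLevel("major", 0.01, 0.0)],
    },
    "coastal_city": {
        "exposure": 5000,
        "levels": [SeverityLevel("minor", 0.02, 0.02),
                   SeverityLevel("major", 0.002, 0.30)],
    },
}

if __name__ == "__main__":
    for name, risk in rank_areas(FLOOD_AREAS):
        p = event_risk(FLOOD_AREAS[name]["levels"])
        print(f"{name:13} event risk={p:.3f}  outcome risk={risk:.1f} elements/year")
```

With these constructed values the river plain has the higher event risk (0.11 against 0.022) while the coastal city has the higher outcome risk, which is the ambiguity Sarewitz et al. address.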
(5) Risk must also be considered as a social construction, since it depends on how it is perceived by a society. Douglas and Wildavsky show that the level of perception is a condition of the experience and varies as a function of social groups and their inherent values (Douglas and Wildavsky, 1983). Factors affecting risk perception are for instance:
- The type of individuals or groups concerned;
- The access to the information on risks;
- The past experience with similar disasters;
- The degree to which the hazard is perceived as controllable or its effect preventable;
- The benefits which are obtained from exposure to it and to be much greater where exposure to the risk is voluntary (as in sports) than where it is involuntary (like natural disasters).
There is therefore a need to distinguish the "real risk" from the "perceived risk", which can differ and which are both relevant for risk management. For instance, if the level of real risk is quite high but its perception is low, the final disaster might be high, since the effect of surprise will be greater. In addition, decision-makers can have interests and objectives in decisions other than the simple consideration of risk mitigation, and the general public may not see things the same way as either the experts or politicians.
Effective risk management requires information about both the magnitude of the risk faced (risk assessment: the scientific quantification of risk from data and understanding of the processes involved) and how much importance society places on the reduction of that risk (risk evaluation). This involves trading off perceived risks against potential benefits and also includes balancing scientific judgments against other factors and beliefs.
5.1.2. Properties of hazards
In the disaster management literature, hazard refers to a possible source of danger, a chance of being injured or harmed, a phenomenon of given occurrence and intensity. The most developed definition has been proposed by the UN/IDSR (2004): "A potentially damaging physical event, phenomenon and/or human activity, which may cause loss of life or injury, property damage, social and economic disruption or environmental degradation. Hazards can be single, sequential or combined in their origin and effects." In other definitions, the focus on a hazardous event is replaced by a focus on a hazardous situation: "A condition or situation which has the potential to create harm to people, property, or the environment" (Ipenz [53]).
Following these definitions, hazard is defined as a function of the following properties:
(1) Its probability/primacy, i.e. its shock value based on time elapsed since previous occurrence;
(2) Its predictability, i.e. the degree of warning available;
(3) Its prevalence, i.e. the extent and duration of hazard impacts;
(4) Its pressure, i.e. the intensity of impact.
Hazards can therefore be described as a function of the following characteristics (Table 10 / Figure 19):

[53] http://www.ipenz.org.nz/ipenz/

Table 10: Properties and characteristics of hazards

| Hazards characteristics | Description |
|---|---|
| Nature | Natural, socio-natural, technological, sociopolitical, man-made hazards |
| Magnitude | Only those occurrences that exceed some common level of magnitude are extreme |
| Location or geographical extent | Space covered by the hazardous event |
| Spatial dispersion | Pattern of distribution over the space in which its impact can occur. |
| Speed of onset | Length of time between the first appearance of an event and its peak |
| Duration | Length of time over which a hazardous event persists, the onset to peak period. |
| Frequency/Probability | The sequencing of events, ranging along a continuum from random to periodic. From the frequency the probability of return can be defined |

(After Gravley, 2001)

[Figure 19 (diagram): HAZARD at the centre, surrounded by its properties: nature, magnitude, duration, frequency, speed of onset, location, probability.]

Figure 19: Properties of Hazard


5.1.3. The concept of vulnerability


The term vulnerability was introduced as a response to the hazard-centric perception of disasters in the 1970s, which proved too limited for understanding risks (White 1974): a hazard of low intensity could have severe consequences, while a hazard of high intensity could have negligible consequences. The level of vulnerability made the difference.
To date, there is no consensus definition of vulnerability. Researchers from various fields bring their own conceptual models, which often address similar problems and processes using different language (Brooks and Adger, 2003) [54]. Historically, the reflection on the concept of vulnerability developed in three main steps (Figure 20):

[Figure 20 (diagram): three panels, ordered from the technical approach to the socio-technical approach. In each panel the HAZARD (nature, magnitude, duration, frequency, speed of onset, location, probability) acts on the ELEMENT AT RISK. Panel labels: (1) hazard sensitivity; vulnerability as the degree of losses and damages. (2) Hazard susceptibility and degree of exposure; degree of losses and damages as a function of the exposure. (3) Hazard susceptibility and capacities, degree of exposure, resistance / resilience capacities; degree of losses and damages as a function of the exposure, balanced by capacities.]

Figure 20: The evolution of the definition for vulnerability


[54] The growing body of literature on vulnerability and adaptation contains a sometimes bewildering array of terms: vulnerability, sensitivity, resilience, adaptation, adaptive capacity, risk, hazard, coping range, adaptation baseline and so on (IPCC, 2001; Burton et al., 2002). The relationships between these terms are often unclear, and the same term may have different meanings when used in different contexts and by different authors.


(1) The first definitions of vulnerability focused on the degree of loss and damages due to the impact of a hazard, i.e. on the technical dimensions of vulnerability. Historical or social dimensions of vulnerability were not addressed. Proposed measures to reduce vulnerability, i.e. the sensitivity of the element at risk to the impact of a given hazard, were therefore limited to engineering and technical measures.
(2) The second step is linked to the understanding, at the beginning of the 1980s, that the degree of loss and damages was determined by the degree of exposure to the hazard. Vulnerability was therefore defined as the likelihood of being exposed to hazards and as the susceptibility of an element at risk to suffer losses and damages as a function of its degree of exposure to a given source of hazard. Not all elements at risk show the same level of exposure to a hazard, as a function of their location in space for instance. The assessment of losses and damages as a function of the degree of exposure became the measure of vulnerability (Dow, 1992).
(3) Finally, as a result of two scientific approaches, a third type of definition was proposed:
- On the one hand, applied sciences underlined the fact that the degree of loss and damage depends on internal characteristics of the element at risk. Vulnerability was thus considered as an internal risk factor, related to the resistance capacity of the element at risk: beyond a given level of resistance, the element at risk could suffer damages.
- On the other hand, within social sciences, Susman et al. (Susman and al., 1983) introduced the topic of a population's capacity to cope with a disaster, absorb and recover as a measure of their vulnerability. Triggers of natural disasters occur, but household and social systems allow them to become (or prevent them from becoming) disasters through their response. This capacity for adaptation was defined as the capacity of resilience of a society. The definition of reference of vulnerability was proposed by Blaikie and al.: vulnerability refers to the characteristics of a person or a group in terms of their capacity to anticipate, cope with, resist and recover from the impact of a natural or man-made disaster, noting that vulnerability is made up of many political-institutional, economic and socio-cultural factors (Blaikie and al., 1994).
This historical evolution leads to the distinction between two categories of definitions for vulnerability, viewing vulnerability either (Figure 21):
(i) In terms of the amount of (potential) damages caused to a system by a particular event or hazard (Jones and Boer, 2003), or
(ii) As a state that exists within a system before it encounters a hazard event (Allen, 2003).
(i) The biophysical vulnerability is defined by a hazards and impacts approach.
It refers to a hazard-dependent vulnerability of a human system, which is determined by
the nature of the physical hazard(s) to which it is exposed, the likelihood or frequency of
occurrence of the hazard(s), the extent of human exposure to hazard, and the system's
sensitivity to the impacts of the hazard(s)55. The term biophysical [...] suggests both a
physical component associated with the nature of the hazard and its first-order physical
impacts, and a biological or social component associated with the properties of the
affected system that act to amplify or reduce the damage resulting from these first-order
impacts. Biophysical vulnerability is often viewed in terms of the amount of damage
experienced by a system as a result of an encounter with a hazard. These are indicators of
outcome rather than indicators of the state of a system prior to the occurrence of a hazard
event.
The difference with the risk is that risk combines the expected losses from all levels of
hazard severity, taking account also of their occurrence probability. Alexander (2000)
even considers using another expression such as innate risk instead of vulnerability for
risk analysis in order to avoid confusion.
(ii) The second category of definitions falls within the approach considering
vulnerability as a state, i.e. as a variable describing the internal state of a system (Allen,
2003). In this formulation, vulnerability is something that exists within systems
independently of external hazards, i.e. is a hazard-independent vulnerability56. For
many human systems, vulnerability viewed as an inherent property of a system arising
from its internal characteristics may be termed social vulnerability (Adger, 1999;
Adger and Kelly, 1999). For vulnerability arising purely from the inherent properties of
non-human systems or systems for which the term social is not appropriate, the term
inherent vulnerability might be used (FEMA, 2003). Social vulnerability refers to the
state of a society before a disaster strikes. The social vulnerability determines how a
society will respond and cope with a disaster situation.
The interaction of hazard with social vulnerability produces an outcome, generally
measured in terms of physical or economic damage or human mortality and morbidity
(Brooks and Adger, 2003). Hence social vulnerability may be viewed as one of the
determinants of biophysical vulnerability. Although social vulnerability is not a function
of hazard severity or probability of occurrence, certain properties of a system will make it
more vulnerable to certain types of hazard than to others. We must therefore distinguish
factors such as generic determinants of social vulnerability (e.g. poverty, inequality,
health, access to resources and social status), and others such as hazard-specific factors.

55 - The extent to which an individual, community, sub-group, structure, service, or geographic area is
likely to be damaged or disrupted by the impact of a particular disaster hazard; the degree of loss to a given
element at risk or set of such elements resulting from the occurrence of a phenomenon of a given
magnitude and expressed on a scale of 0 (no damage) to 1 (total loss) (Buckle et al. 2001)
56 The conditions determined by physical, social, economic and environmental factors or processes, which
increase the susceptibility of a community to the impact of hazards. For positive factors, which increase
the ability of people to cope with hazards, see definition of capacity.
Vulnerability is the product of sets of prevailing conditions within which disasters may occur. (Lewis
1999)


Figure 21: Hazard-independent and hazard-dependent Vulnerability (diagram labels: Hazard, with
nature, duration, magnitude, speed of onset, frequency, location, probability; System at risk;
Hazard-independent vulnerability: social or inherent vulnerability; Inherent capacity and
vulnerability factors; Hazard-dependent vulnerability: biophysical vulnerability; Outcome
vulnerability factors)

The reflection on social vulnerability led to the need to understand better the concepts
of resilience and adaptation that are used to define the capacities of a society to
anticipate, cope and recover from a disaster.

5.1.4. The concepts of resilience and adaptation


Resilience generally means the ability to recover from some shock, insult, or disturbance,
the quality or state of being flexible. However, it is used quite differently in different
fields.
- In physics and engineering, resilience is defined as the physical property of a material
that can return to its original shape or position after deformation that does not exceed its
elastic limit, i.e. as its capacity to absorb energy when it is deformed elastically and
then, upon unloading, to have this energy recovered.
- Resilience is also commonly used in psychology and child development to describe the
ability of people to cope with stress and catastrophe.
- In business terms, resilience is the ability of an organization, resource or structure to
sustain the impact of a business interruption and recover and resume its operations to
continue to provide minimum services.
Basically, resilience is the potential of a system to remain in a particular configuration
and to maintain its feedback and functions, and involves the ability of the system to
reorganize following disturbance-driven change (Holling, 1973; Walker and al., 2002). It
defines the ability of a system to persist and the ability to adapt (Adger, 2003).
From an epistemological standpoint, nearly all of the literature refers in one manner or
another to various works by C.S. Holling within the analysis of the stability of ecological
systems. He distinguished two main types of resilience:
- The first definition concentrates on stability near an equilibrium steady-state,
where resistance to disturbance and speed of return to the equilibrium are used to
measure the property. This type of resilience has been defined as engineering resilience.
This definition of resilience assumes that the behaviour of a system remains within the stable
domain that contains this steady state. Resilience is then measured as the system's
ability to rebound, return, or recover its original state, structure, equilibrium, or state of
nature or to persist, maintain, retain, or remain in its original state.
- The second dimension of resilience concentrates on the dynamics of ecological
systems and is a measure of the amount of change or disruption that is required to
transform a system, i.e. to shift from one stability domain to another, through the
reorganization of processes and structures (Brock, William, Maler and al. 2002). This
type of resilience has been defined as ecological resilience. This refers to the capacity of
a system to absorb disturbance by returning to a steady state after being disturbed and to
its capacity to utilise or even benefit from perturbations and changes that affect it, and so
to persist without a qualitative change in the system's structure (Van der Leeuw, Sander,
2001). Resilience is equated with absorbing stress, absorptive power, recuperative power,
perseverance, and adaptation.
The two contrasting aspects of stability and therefore resilience, are a combination of a
focus on maintaining efficiency of function (engineering resilience) vs. one that focuses
on maintaining existence of function (ecological resilience).

In summary, resilience implies (Figure 22):

i) The amount of change the system can undergo and still retain the same controls
function, structure, identity, and feedbacks on function and structure;
ii) The degree to which the system is capable of self-organization;
iii) The degree to which the system expresses capacity for learning and adaptation
(Quinlan, 2003).
iv) The speed and time required for a system to go back to a state of equilibrium.

Figure 22: Features of Systems resilience (diagram labels: amount of changes that can be
absorbed; speed / time to return to equilibrium; capacity for learning and adaptation;
capacity for self-organization; efficiency of the system's function; maintaining the
existence of the system's function)


Some authors, including Adger (2000), view resilience and vulnerability as equivalent
but opposite concepts. For instance, Davies summarizes livelihood vulnerability as a
balance between the sensitivity and resilience of a livelihood system (Davies, Megan,
1998). The livelihood sensitivity is the degree to which a given system undergoes change
due to natural forces, following human interference. The livelihood resilience allows a
system to absorb and utilize (or even benefit from) change. Less vulnerable systems are
characterized as low sensitivity/high resilience, while the most vulnerable systems are low
resilience/high sensitivity. The strength of this approach is its strong conceptual link to
reasonable standards about what constitutes vulnerability.
The reflection on the concept of adaptation and its relation with vulnerability is mainly
the work of climatologists analysing the capacity of societies to adapt to climate change.
However, various positions exist: Smit et al., for example, state that adaptation involves
adjustments to enhance the viability of social and economic activities and to reduce their
vulnerability to climate, including its current variability and extreme events as well as
longer term climate change (Smit and al., 2000).
This literature explicitly links adaptation with vulnerability, and it is unclear whether the
two concepts should be viewed separately or in aggregate, as shown by the following two
issues:
(1) Frequently adaptation is contrasted with mitigation, with adaptation being
responsive and mitigation being pre-emptive (Smither, Barry, 1997). On the contrary, for
some other authors, adaptation means any adjustment, whether passive, reactive, or
anticipatory, that is proposed as a means for ameliorating the anticipated adverse
consequences associated with climate change.
(2) The second issue is related to the way adaptation and resilience are
combined: some authors proceed to develop a model which uses both resilience and
vulnerability as system characteristics that determine adaptive responses to climate
disturbances. Of interest is their view that adaptation is the antithesis of resilience, with
the former equated with change and the latter with entrenchment (Riebsame, 1991). This
approach contrasts with Walker et al., who use the phrase adaptive capacity to denote a means
of improving the resilience of a system (Walker and al., 2004).
As a function of these conceptual issues, we defined the components of vulnerability,
keeping in mind that "... We should not distract ourselves from the very real need to
manage risk and reduce vulnerability with arguments over which formulation of
vulnerability is best." (ETH, KOVERS-KT, 2004)
5.1.5. Components of vulnerability
We retain as working definition for vulnerability the following (Chambers and al., 1989):
The potential for loss, with two sides: an external side of shocks and perturbations to
which a system is exposed; and an internal side which represents the ability or lack of
ability to adequately respond to and recover from external stresses (R. Chambers).
The exposure refers to the external side. Susceptibility is often used as a synonym for
exposure. However, we distinguish the two terms: exposure refers to the condition, situation,
and action exposing something or someone, i.e. the possibility of loss caused by an
outside source. Levels of exposure vary as a function of the hazard considered.
Susceptibility refers to the property of the system of being potentially damaged and
combines the likelihood of a hazardous event, the differential exposure, the potential
sensitivity of a system or element of the system exposed, i.e. the degree to which a system
or the element could be potentially damaged or affected by a given hazard, and the
existing capacity of this system that could potentially reduce this level of damages (e.g.
existing measures of prevention, mitigation, etc.).
The analysis of exposure and susceptibility contributes to a pre-disaster vulnerability
analysis, based on the assessment of potential losses and damages, including
hazard-independent vulnerability factors (state of the system before the disaster) and
hazard-dependent factors (scenarios as a function of the likelihood of a hazard to happen and its
potentially damaging effects).
The internal side of vulnerability refers to the capacity of resilience of a system, once the
disaster has struck. It is a balance between the effective sensitivity of elements affected by
hazardous impacts (negative end, which can be measured in terms of amount of damages
or losses) and the resilience (positive end, which can be measured as a function of the
capacity for adaptation). Resilience is composed of the coping capacities (existing means
to deal with the state of emergency and to balance short-term impacts, like organization
capacities, emergency resources, etc.) and the recovery capacities (existing means to
return to the equilibrium of the system and to balance long-term impacts, once the state of
emergency is over).
The analysis of the internal side of vulnerability constitutes a post-disaster vulnerability
analysis, based on the assessment of post-disaster impacts balanced by the capacities of
the system to adapt and recover from a disaster. The post-disaster vulnerability analysis
may reveal features of hazard-independent vulnerability (Figure 23).

Figure 23: Vulnerability model (diagram labels: Hazard; Level of exposure; Hazard-independent
Vulnerability; Hazard-dependent Vulnerability; Susceptibility: likelihood of hazard,
differential exposure, sensitivity/capacity of the system at risk; Resilience: effective
impacts balanced by capacities, coping capacity, recovery; State of emergency; Crisis; Time;
Potential losses; Effective losses; External side; Internal side)

5.2. The application of risk analysis concepts to critical infrastructures


The application of the concepts of risks and vulnerability to Critical Infrastructures shows
that the definitions of these concepts evolve, taking on board issues related to Critical
Infrastructure Protection. The risks related to critical infrastructure do not refer to
classical risks but to systemic risks. The hazard analysis needs to shift toward threat
assessment, while the concept of vulnerability shifts towards the concept of systemic
vulnerability.
5.2.1. From risks to systemic risks
Risks related to critical infrastructures present some characteristics that require a shift
from the classical risk concept. Since critical infrastructures can be analysed as systems
of interdependent infrastructures, the concept of systemic risk allows the risks related to
these infrastructures to be considered accurately: a systemic risk is a risk faced by a
system, in contrast to a specific risk or unique risk. In recent years it has become part of
the jargon of economics and financial markets57, taking its name from a combination of
systemic agents in biology and systematic risks elsewhere58.
Within the risk literature the introduction of the concept of systemic risk is relatively
recent. The OECD (OECD, 2003) has dedicated an entire report: Emerging risks in the
21st Century: An agenda for action on the topic of systemic risks. Although they have
not introduced a definition of systemic risk, they have provided five examples of
systemic risks: natural disasters, technological accidents, infectious diseases, terrorism
related risks, and food safety. Follow-up work on this report provided the following
definitions:
- Systemic risk is the potential realisation of a systemic disaster;
- A systemic disaster is the realization of what may seem like a highly uncertain,
low probability, interdependent and interconnected series of events affecting vital
complex societal systems. The disaster is the result of cultural, demographical,
environmental, socio-economical and technological pressures triggering changes in
society, which occur at a pace that supersedes our capacity and adaptability to respond to
them. (Vetere, Heikkila, Bouchon and al., 2004).
57 Systemic risk: Risk that affects an entire financial market or system, and not just specific participants.
(http://www.investorwords.com/5817/systemic_risk.html).
Systemic risk is the danger that problems in a single financial institution might spread and, in extreme
situations, such contagion could disrupt the normal functioning of the entire financial system (Bank for
International Settlements, 2002).
A systemic event is defined as a financial crisis that causes a substantial reduction in aggregate economic
activity, such variables as housing starts, home sales, consumption, output and employment. Systemic risk
is the possibility that a systemic event may occur. In many groups of interrelated and interdependent
living things, a breakdown in the functioning of one or a few entities can spread to many others, causing
sufficient damage to harm the well being of the group or system as a whole. The nature of the event, its
timing and incidence, and its likely effects are studied in an effort to identify means of reducing potential
losses (OFHEO, 2003).
58 http://en.wikipedia.org/wiki/Main_Page


Following IRGC, the concept of Systemic risk denotes the embeddedness of any risk to
human health and the environment in a larger context of social, financial and economic
consequences and increased interdependencies both across risks and between their
various backgrounds. Systemic risks are at the crossroads between natural events
(partially altered and amplified by human actions such as the emission of greenhouse
gases), economic, social and technological developments and policy-driven actions, both
at the domestic and the international level. These new interrelated and interdependent risk
fields also require a new form of handling risk, in which data from different risk sources
are either geographically or functionally integrated into one analytical perspective.
Handling systemic risks requires a holistic approach to hazard identification, risk
assessment, concern assessment, tolerability/acceptability judgements and risk
management. Investigating systemic risks goes beyond the usual agent-consequence
analysis and focuses on interdependencies and spill-over risk clusters (IRGC, 2005).
These definitions leave room for interpretation but are well suited to the need to
address risks related to critical infrastructures. Indeed the concept of systemic risks
appeared in tight relation with technological advancement, which characterizes most
critical infrastructures. Technology advancement has led to the creation of
faster-performing, more efficient and bigger systems and networks, resulting in a world where
people, goods, services and information can travel distances in less and less time. This
evolving global status quo has indeed brought the above-mentioned advantages; however,
it has also laid the foundations for a potentially vulnerable society that is becoming very
dependent on technology.
Systemic risks refer also to a potential systemic territorial impact. These impacts can
take place at global, national, regional and local level. Systemic risks characteristically
have impacts on society on a large scale and their effects may spread much further from the
original source of hazard. Those risks widely affect systems that society depends on, such
as health, transport, environment, telecommunications etc., and their consequences may
be technical, social, environmental and economic.
In theory, systemic risks have always existed. However, our awareness of our evolving
vulnerability with respect to them has increased. The evolving inter-dependence of
technological and societal systems comes at a cost and needs to be better understood and
internalised into territorial systemic risk assessment and management practice. The
dynamic relationship between social and technological systems and their impacts have to
be studied in the short, medium and long terms in order to better address our changing
vulnerability. Systemic risks require therefore cross-scientific research on critical systems
and possible vulnerabilities. The shift towards vulnerability assessment is reinforced by
the difficulty of assessing hazards to critical infrastructures.
5.2.2. From the hazard to the threat concept
A quick glance at existing hazards to critical infrastructures shows how
limited the classical concept of hazard is for defining them. Potential hazards are described
as a function of their nature, distinguishing human/non-human acts and internal/external
sources of hazards (Table 11). Non-human actions are related to technical components
and their failures, and to natural hazards. Within the human actions, intentional acts must
be distinguished from non-intentional acts (Table 12). The distinction between
internal/external sources of hazards is especially relevant for critical infrastructures,
since hazards triggered by internal disruptions are important.
Table 11: Potential hazards to critical infrastructures

| | External | Internal |
|---|---|---|
| Human | Intentional or unintentional actions by groups or individuals outside of the system/installation. | Intentional or unintentional actions by employees or contractors. |
| Non-human | Stress to the system caused by external pressure like natural hazards or disruptions of other technical systems. | Internal failure of a technical system or its components. Technical failures (e.g. due to ageing, manufacturing errors, etc.) |


Table 12: Intentional and unintentional acts as hazards for critical infrastructures

| | Internal causes | External causes |
|---|---|---|
| Intentional | Infiltration, market manipulation, terrorist action, sabotage | Physical sabotage, terrorism, cyber threats, war |
| Unintentional | Human factors, lack or reduced level of maintenance, hardware construction or design errors, inadequate investments in production and/or transmission capacities | Human factors |

Some authors, as far as critical infrastructures are concerned, prefer to speak about
threat instead of hazard. A threat is a very low-probability but serious event, to which
some analysts may be unable to assign a probability in a risk assessment because it has
never occurred, and for which no effective preventive measure (a step taken to reduce the
probability or impact of a possible future event) is available. The difference is most
clearly illustrated by the precautionary principle, which seeks to reduce threat by requiring
it to be reduced to a set of well-defined risks before an action, project, innovation or
experiment is allowed to proceed (COM (2000) 1, 02.02.2000). The case of terrorist
threat is one of the main issues of concern.

A more specific example is the preparedness of the United States of America prior to the
devastating attack on September 11th, 2001. Although the Central Intelligence Agency
had often warned of a "clear and present danger" of using planes as weapons, this was
considered a threat, not a risk. Accordingly, no comprehensive scenarios of probabilities
and counter-measures were ever prepared for the type of attack that occurred.
Most of the threats against the vital infrastructure are associated with considerable
uncertainty. Besides the traditional physical threats, e.g. natural disasters, technical
failures, human factors, terrorism, sabotage, etc., there is an increasing awareness about
the importance of the cyber-based threats. The rapid proliferation and integration of
telecommunications and computer systems have connected infrastructures to each other
in complex networks. The resources needed to harm the critical infrastructures are easy to
acquire and the knowledge of how to use them is relatively easy to obtain.
The consequences of the concept of threat and its associated level of uncertainty are
fundamental:
- The risk model for Critical Infrastructures is no longer defined as a function
of the hazard but as a function of Threat, Critical assets and Vulnerability (Figure
24).
- There is a need to shift towards Vulnerability assessment of ranked critical assets,
since threats cannot be identified precisely.

Figure 24: Risk Model for Critical Infrastructures (Source: DoD USA, 2002)
In addition, critical infrastructures are characterized by cascading hazards or domino
effects that are the results of cascading failures within or from one system to another.
Cascading hazards are the result of the high level of interdependency among critical
infrastructures. The following figure (Figure 25) gives some examples of potential
domino effects triggered by a disruption of the electric power system.
Cascading hazards can range from temporary and partial disruptions to the complete
disruption of a service. This corresponds to a range from ordinary failures to more
exceptional situations.

Figure 25: Cascading Hazards after Electric Power disruption (Source: Rinaldi, Peerenboom, 2001)
In brief, we can distinguish three levels of hazard/threat analysis on the basis of the
example of the electricity network (Haimes, Longstaff, 2002):
- Attacks upon the power system: the power system itself is the primary target, with
ripple effects through society. The target is the electric infrastructure, e.g. key
transmission towers.
- Attacks by the power system: the population is the actual target, with parts of the
power system used as a weapon against it, for
instance using power plant cooling towers to disperse chemical or biological
agents.
- Attacks through the power system: utility networks provide the conduit for attacks
on other critical infrastructures.
Critical infrastructures are therefore at risk, exposed to internal and external hazards or
threats, but also pose a risk themselves, since their partial or complete disruption constitutes a
hazard for other infrastructures and for society.

5.2.3. From vulnerability to systemic vulnerability


The focus on the vulnerability analysis59 and not on risk analysis is a consequence of the
difficulty of predicting threats such as intentional acts in time, place and magnitude. The
vulnerability analysis is driven by the question: vulnerability of what to what?
Existing definitions of the vulnerability in the field of critical infrastructures refer mainly
to a weakness in the system of the critical infrastructure in itself, which might be
exploited, unintentionally or intentionally60. For instance, in information security a
"risk" is defined as the probability that a threat will act on a vulnerability to cause an
impact; in other words, a risk represents the chance coincidence of all three elements.
Threats in this context include deliberate/directed acts (e.g. by crackers) and
undirected/random/unpredictable events (such as a lightning strike). Vulnerabilities are
generally caused by weaknesses in the system of preventive controls, including missing
or ineffective procedural or technical controls, bugs in systems etc. Impacts are adverse
effects on organizations, individuals or indeed society at large. Vulnerability is not an
issue per se unless a threat exploits it and causes an impact. This definition of the
vulnerability of a critical infrastructure system is strongly related to security and technical
approaches.
Related concepts are the terms of reliability, i.e. the ability of an item to perform a
required function, under given environmental and operational conditions and for a given
period of time (Hoyland & Rausand, 1994), and robustness, i.e. the system's ability to
endure threats and survive accidental events that originate both within and outside the
system's boundaries, and if disturbed, return to a state where the operating characteristics
correspond to the assigned function.
However, critical infrastructure systems form complex socio-technical systems involving
social entities and individuals, and multiple perspectives are therefore appropriate. Beside
the technical components and structures, there is a need to take into account the
organizations and persons that develop, run, and use the systems together with the
economic, institutional and legal conditions that form a frame for supplying the service
in question. A well-established approach when analyzing large technical systems is the set of
perspectives proposed by Linstone (Linstone, 1984): a technical perspective, an
organizational perspective and a personal perspective. Kaijser (Kaijser, 1994) proposes
another set of perspectives appropriate for studies of infrastructures: a technical
perspective, a geographical perspective, an economical perspective and an institutional
perspective. These approaches refer therefore to systemic vulnerability of complex
systems of critical infrastructures.

59 Defined here as the analysis of the degree to which a system, subsystem or system component is likely
to experience harm due to exposure to a hazard, either a perturbation or stress/stressor (Turner and al,
2003);
60 A weakness in automated system security procedures, administrative controls, physical layout, internal
controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or
disrupt critical processing www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
Vulnerability is the existence of a weakness, design, or implementation error that can lead to an
unexpected, undesirable event compromising the security of the system, network, application, or protocol
involved www.dhs.state.or.us/policy/admin/security/glossary.htm
"A vulnerability is a feature or bug in a system or program which enables an attacker to bypass security
measures." (Schultz Jr. et al. 1990)
"An aspect of a system or network that leaves it open to attack" www.dfncert.de/eng/pre99papers/certterm-print.html

A systemic perspective enables the assessment of vulnerability in a new and systematic
manner, including (Table 13) (Bouchon, Gheorghe, Birchmeier, 2006):
(a) The vulnerability of the infrastructure itself;
(b) The vulnerability of interdependent critical infrastructures;
(c) The vulnerability of the dependent territorial, socio-economic and political
sub-systems.

Table 13: Direct and indirect Vulnerability of Critical Infrastructures systems (table labels:
internal/external hazards; levels of vulnerability: vulnerability of the infrastructure itself,
vulnerability of interdependent infrastructures, vulnerability of dependent territorial systems;
exposed elements: material element or component of the infrastructure, service flows
(material/non-material), territorial sub-system (socio-economical, political, etc.); cell
entries: direct vulnerability, indirect vulnerability, domino effect)


(1) The vulnerability of the infrastructure itself refers to the scale of the
infrastructure and its sub-systems. They are directly exposed to both internal and
external hazards/threats and therefore show various levels of direct vulnerability.
(2) The vulnerability of dependent critical infrastructures refers to the types of
interdependencies linking critical infrastructures (geographical, logical, physical,
cyber) that are exposed both to internal and external hazards (direct vulnerability) and to
the disruption of the service provided by the infrastructure under analysis (indirect
vulnerability).
(3) The vulnerability of dependent territorial systems refers to the areas served
by a critical service and composed of various sub-systems. They may show various
levels of indirect vulnerability.
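
The direct/indirect distinction in points (1) to (3) can be worked through on a small dependency graph, with domino effects propagated breadth-first. The Python example below is added here and is not part of the original report; the infrastructure and district names, the links between them, the "service" link label and the notion of a buffered link (a coping capacity such as backup supply) are constructed assumptions.

```python
from collections import deque

# Constructed sample system: every name and link is hypothetical.
# Each link is (provider, consumer, interdependency type): the consumer loses
# its function when the provider's service is disrupted. "physical" and
# "cyber" are interdependency types named in the text; "service" is a label
# assumed here for the supply of a territorial sub-system.
LINKS = [
    ("gas_supply", "power_grid", "physical"),
    ("power_grid", "telecom", "physical"),
    ("power_grid", "water_supply", "physical"),
    ("power_grid", "rail_transport", "physical"),
    ("telecom", "water_supply", "cyber"),
    ("telecom", "rail_transport", "cyber"),
    ("telecom", "district_south", "service"),
    ("water_supply", "district_north", "service"),
    ("water_supply", "district_south", "service"),
    ("rail_transport", "district_north", "service"),
]
TERRITORIES = {"district_north", "district_south"}
INFRASTRUCTURES = (
    {p for p, _, _ in LINKS} | {c for _, c, _ in LINKS}
) - TERRITORIES


def cascade(exposed, buffered=frozenset()):
    """Propagate a disruption through the dependency links.

    Returns {element: (order, cause)}. Order 0 marks elements hit directly
    by the hazard; order n marks elements reached after n domino steps.
    cause is (provider, link type), or None for directly hit elements.
    buffered is a set of (provider, consumer) links assumed to hold for the
    duration of the scenario.
    """
    start = sorted(exposed)
    state = {element: (0, None) for element in start}
    queue = deque(start)
    while queue:
        failed = queue.popleft()
        order = state[failed][0]
        for provider, consumer, kind in LINKS:
            if provider != failed or consumer in state:
                continue
            if (provider, consumer) in buffered:
                continue  # coping capacity: this dependency does not propagate
            state[consumer] = (order + 1, (provider, kind))
            queue.append(consumer)
    return state


def assess(exposed, buffered=frozenset()):
    """Split one scenario into direct and indirect vulnerability."""
    state = cascade(exposed, buffered)
    reached = {e for e, (order, _) in state.items() if order > 0}
    return {
        "direct": set(exposed),
        "indirect_infrastructures": reached - TERRITORIES,
        "indirect_territories": reached & TERRITORIES,
    }


def rank_criticality(buffered=frozenset()):
    """Rank each infrastructure by how many other elements its failure reaches."""
    scores = {
        infra: len(cascade([infra], buffered)) - 1 for infra in INFRASTRUCTURES
    }
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Scenario: a hazard of any origin disrupts the power grid.
    for element, (order, cause) in sorted(
        cascade(["power_grid"]).items(), key=lambda item: item[1][0]
    ):
        origin = "direct exposure" if cause is None else f"via {cause[0]} ({cause[1]})"
        print(f"order {order}: {element:15s} {origin}")

    print(assess(["power_grid"]))
    # Same scenario when telecom can ride through the outage on backup power.
    print(assess(["power_grid"], buffered={("power_grid", "telecom")}))
    print(rank_criticality())
```

The ranking depends only on the dependency structure, not on what caused the initial failure, which is why it can be computed when the threat itself cannot be specified.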

The classical concepts used for risk analysis show some specificity when applied to
Critical Infrastructures, mainly related to the introduction of a systemic perspective. The
shift towards the threat concept highlights the importance of the vulnerability analysis, in
relation with the concept of criticality. The coming sub-section addresses the factors
affecting the vulnerability analysis of systems of critical infrastructures.
5.3. Main issues raised by the application of the concept of vulnerability to Critical Infrastructures
The issues raised by applying the concept of vulnerability to critical infrastructures
systems concern the interactions between criticality and vulnerability, time and
space scaling factors, and the definition of accurate parameters and indicators to
express vulnerability. All of them bear on the transition from the conceptual
reflection to a more operational context.

5.3.1. Vulnerability and criticality


In the context of Critical Infrastructures Protection, vulnerability and criticality are
strongly related. Since threats and hazards cannot always be identified precisely in time,
location and magnitude, the vulnerability assessment must start with the analysis of a
potential disruption of a system, whatever the source of disruption is. Since systems are
complex, there is a need to organise hierarchies and prioritize the most critical elements
to start the vulnerability assessment. The basic assumption is that the vulnerability
of a system is assessed through scenarios: these scenarios concern the failure of the most
critical elements of the system and the consequences of this failure on the rest of the
system. Whatever the scale of analysis and the chosen sub-systems are, the concept of
dependence is fundamental to prioritize the most critical elements and to determine the
vulnerability of the system. Dependability could in this case be defined as task
accomplishment and provision of expected service (CSA, 1995; Jonsson, 1998).
[Figure 26, diagram. Labels: Service of INF 1, Service of INF 2, Service of INF 3; SUB S1, SUB S2, SUB S3; level of exposure for direct vulnerability; level of exposure for cascading vulnerability.]

Figure 26: Criticality, Dependence, Exposure


This refers to a two-fold approach:


- The degree of criticality is evaluated through the following principle: the more a
system is dependent on the good functioning of one of its sub-systems, the more critical
this sub-system is for the entire system. The more vulnerable this sub-system is, the more
vulnerable the entire system is. For instance, the following map shows that some nodes
within the energy infrastructure of North Italy are more important for the rest of the
network, as a function of the number of links. The vulnerability analysis must therefore
start with the vulnerability assessment of the most critical sub-systems: the degree of
criticality allows the ranking and prioritization of the most critical sub-systems. The
vulnerability analysis of such a sub-system thus relies on its degree of direct exposure
to internal or external hazards, as well as on the assessment of its inherent
vulnerability (hazard-independent vulnerability).

Source : Logtmeijer, Di Mauro, Nordvik, 2006


Map 3: Nodes criticality of the energy infrastructure in North Italy


- The degree of dependency refers to the other side of the degree of criticality: the more
a system depends on the good functioning of a critical element, the more the entire
system is vulnerable to the disruption of this element. The concept of dependency
allows introducing the concept of indirect exposure of a dependent system, referring to
the indirect or cascading vulnerability. The dependent system can be either the system of
the critical infrastructure or the territorial systems depending on a critical service. The
following map shows for instance the degree of dependency of NUTS regions on the main
energy infrastructures. The dependency is expressed in terms of accessibility to the
network services and is measured as a function of the density of nodes for each region
(Map 4).

Source : Logtmeijer, Di Mauro, Nordvik, 2006


Map 4: Degree of accessibility of NUTS-regions to the energy infrastructure
There are thus two entry points for the vulnerability analysis: through the most critical
assets or through the systems dependent on the most critical assets.
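
The two entry points can be made concrete with a small calculation. The Python code below is an added example, not taken from the report or from Logtmeijer, Di Mauro and Nordvik: it ranks nodes by number of links, computes node density per region, and then goes one step beyond the text by tracing which nodes are cut off from supply when a critical node fails. The network, region areas, supply node and the reachability rule are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample network (not data from the report).
# Node -> region it lies in; links are undirected connections between nodes.
NODE_REGION = {"A": "R1", "B": "R1", "C": "R1", "D": "R2",
               "E": "R2", "F": "R3", "G": "R3"}
LINKS = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "D"),
         ("D", "E"), ("D", "F"), ("F", "G")]
REGION_AREA_KM2 = {"R1": 1000, "R2": 2000, "R3": 4000}
SUPPLY_NODES = {"A"}  # assumption: where the service enters the network


def build_adjacency(links):
    """Map each node to the set of nodes it is linked to."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def node_criticality(node_region, links):
    """Entry point 1: rank nodes by number of links, most critical first."""
    adj = build_adjacency(links)
    return sorted(((n, len(adj[n])) for n in node_region),
                  key=lambda item: (-item[1], item[0]))


def region_accessibility(node_region, area_km2):
    """Entry point 2: node density per region, in nodes per 1000 km2."""
    counts = defaultdict(int)
    for region in node_region.values():
        counts[region] += 1
    return {r: 1000 * counts[r] / area_km2[r] for r in area_km2}


def failure_scenario(failed, node_region, links, supply_nodes):
    """Scenario for the failure of one node.

    Direct vulnerability: the failed node itself.
    Indirect (cascading) vulnerability: nodes that can no longer be reached
    from any supply node once the failed node is removed (assumed rule).
    """
    adj = build_adjacency(links)
    queue = deque(s for s in supply_nodes if s != failed)
    reached = set(queue)
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt != failed and nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    indirect = defaultdict(list)
    for node in sorted(node_region):
        if node != failed and node not in reached:
            indirect[node_region[node]].append(node)
    return {"direct": {node_region[failed]: [failed]},
            "indirect": dict(indirect)}


if __name__ == "__main__":
    ranking = node_criticality(NODE_REGION, LINKS)
    print("criticality ranking:", ranking)
    print("accessibility:", region_accessibility(NODE_REGION, REGION_AREA_KM2))
    most_critical = ranking[0][0]
    print("scenario:", failure_scenario(most_critical, NODE_REGION,
                                        LINKS, SUPPLY_NODES))
```

In this constructed case the regions with the lowest node density (R2, R3) are also the ones that lose all service when the highest-ranked node fails, although neither is directly exposed.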


5.3.2. Vulnerability as scale and time-dependent property of systems


As seen in the previous chapter, criticality is an inherently scale-dependent property of
systems. As a consequence vulnerability is also related to the scale of analysis and
vulnerability assessment must be supported by a dynamic upscaling and downscaling
movement. This has been facilitated by improvements in technologies such as
Geographic Information Systems (GIS). Risks at different levels are related and
assessments of interactions across scales can be important for tracing causal chains of
vulnerability. Local vulnerabilities, moreover, cannot be simply summed to give
meaningful national or global vulnerability estimates. On the other hand, low
vulnerability at higher levels of organization cannot be taken to indicate low vulnerability
for all embedded localities. Different scales may be characterized by different concerns
about potential impacts and different causal structures of vulnerability. Appropriate
parameters and indicators must express the main concerns about vulnerability for each
scale. However, the particularity of the vulnerability of critical infrastructures is that a
single localised failure may have consequences well beyond the element or area impacted,
ranging from local consequences to regional, national or international consequences.
There is therefore a need to address vulnerability in a systemic way, allowing shifting
from one scale to another.
From a temporal standpoint, the vulnerability of critical infrastructures is a
time-dependent property of systems, as we can distinguish three main temporal phases:
The pre-disaster phase refers to the period preceding the crisis. Vulnerability is
here mainly a hazard-independent vulnerability. Regarding the vulnerability of societies,
Blaikie distinguished three factors of hazard-independent vulnerability: root causes,
external pressures, unsafe conditions (Blaikie, 1994). These conditions of vulnerability
will determine the crisis, which acts as a revealer of these pre-disaster factors of
vulnerability. Regarding infrastructures themselves, this might refer to the age of the
material infrastructures, to the value accorded by a society to the most critical assets, etc.
The phase of the crisis may have two dimensions:
First, the crisis will be a function of the hour, day, week or season during which it takes
place. The state of operation of an infrastructure can be thought of as a continuum that
exhibits different behaviours during normal operating conditions (from peak to off-peak
conditions), during times of severe stress or disruption, or during times when repair and
restoration activities are under way. In addition, the state of operation of a unit,
subsystem or system at the time of failure will affect the extent and duration of any
disruption or degradation in the services of an infrastructure. For example, events that
occur at times of peak electric power, natural gas or water demand, when telephone usage
is heavy, or during periods of traffic congestion will have different effects than similar
events during non-peak times. Conceptually, the state of operation of an infrastructure
can range from optimal design operation to complete failure with a total loss of service to
all users, including dependent Critical Infrastructures. Under certain conditions, an
infrastructure can operate at well below the optimal design state and still provide what
the user perceives as full service. For example, generating units in the electric power
infrastructure can be out of service for maintenance or repair with no limitations in
service to users as long as the condition does not occur during the peak usage period
when reserve margins are critically low (Rinaldi, Peerenboom, Kelly, 2001).
Second, it refers to the way the crisis develops: time is an essential factor underlying the
evolution of vulnerability across a system and the associated areas. As the criticality is
also time-dependent, the vulnerability evolves as a function of the spreading of a
cascading failure and as a function of the succession of crisis periods: a triggering
hazard may result in cascading effects when affecting first the critical infrastructure
itself and then the dependent infrastructures and territorial systems. The time lag
depends on the type of disruption and the way it propagates. Failures in these
infrastructures can lead to additional damage that typically emerges and grows over time.
Steetskamp & van Wijk (1994) characterize the effects, their
growth over time and the growth of extent of these additional damages. Table 14 shows
examples of possible effects of energy outages and the time lag of these effects.
Table 14: Cascading hazards in time after electric power supply failure
Time columns: 0-2 hours, 2-8 hours, 8-24 hours, 24 hours >>. For each infrastructure, the effects are listed from the earliest to the latest period; " / " separates successive cells.
- Transport: Depends on characteristics of area and nature of train-system. Electricity dependent: no traffic; non-dependent on electricity: traffic with delays. Urban systems stop, road traffic in chaos. / Delays increase and ripple through to un-affected parts of the system. No traffic at all on affected parts. / No public transport. / No traffic at all, fuel supply problems.
- Communication: Difficult to supply information, outages of transmission poles. / Information back set, more personnel needed. / Availability of personnel decreases.
- Waste disposal: Difficult due to traffic congestions, delay in disposal of waste. / Collection is difficult, possible unhygienic circumstances.
- Electricity: Difficult to keep communication up. / Possible problems with fuel supply for generators.
- Drink water: Production: control of remote stations. Distribution: local pressure drops on stations without generators; in case of loss of pressure devices: no water on higher floors. / Water is guaranteed.
- Sewage management: Low lying areas, flooding with rainfall: flooding of sewer water after 2 hours. / Flooding in higher areas as well. / Also flooding in case of no rain.
- Gas: Generally no problems, receivers will endure problems in energy dependent systems; climate control, water supply. / In case of pressure loss: temperature drops.
- Telecommunication: Telephone is assured, possible problems with GSM systems, internal operators outage. No fax, congestion in telephone network. / Telephone system assured. Possible problems with generators due to fuel supply problems.

The post-crisis phase refers to the recovery and resilience of systems after the
emergency phase. The normal operation of an infrastructure and the repair of a disrupted
infrastructure generally involve multiple functions (activities, processes, or operations).
Some of the functions occur sequentially in time, whereas others occur in parallel. There
may be large uncertainties about the amount of time needed to successfully complete
each step in the repair process. Such operational complexities and the associated
uncertainties must be identified and incorporated into analysis frameworks to develop
realistic and meaningful insights into normal operations and response and recovery
strategies. In addition, taking on board the analysis of resilience, through the analysis
of the coping capacities and the recovery process, may help to assess the short-term and
long-term consequences within a vulnerability scenario. Debates are ongoing on the way
to define parameters and indicators to analyze the resilience of socio-economic systems.
One fundamental aspect is the assessment of the reversibility or irreversibility of some
consequences. This will determine the next pre-crisis phase. Vulnerability is dynamic and
its characteristics change over time. It may change slowly as a result of the development
process (Alexander, 2000) but it may also change very quickly due to a sudden disaster.
Each significant disastrous event increases the overall vulnerability of the society
abruptly and interrupts its steady developmental improvements (Figure 26).

Source: Schneiderbauer, Ehrlich, 2004


Figure 27: The effects of disastrous events on a society during the development
process


According to the scale and time of the vulnerability analysis, appropriate parameters and
indicators are required to express the vulnerability.

5.3.4. Which parameters, indicators to express vulnerability?


A systemic vulnerability assessment implies the analysis of the vulnerability in its multidimensional and dynamic dimensions. So far, debates on the definition of vulnerability
and on the right parameters and indicators to measure it are still ongoing, especially in the
field of natural and technological disasters literature. We consider our research on
systemic vulnerability assessment as the opportunity to extend the debate to the field of
critical infrastructures protection, keeping in mind the need to adopt an integrative,
dynamic and multi-dimensional overview with respect to CIP issues.
This entails first the identification of the elements at risk whose vulnerability must be
assessed. Elements at risk refer to the sub-systems existing within the boundaries of the
system under analysis. We can distinguish various types of elements at risk as a function
of their nature, for instance:
- At the level of the infrastructure itself:
    - Technical and material components of the critical infrastructure
    - Systems of regulation, control
    - Flows of service (energy, goods, information, people, etc.)
- At the level of dependent critical infrastructures:
    - Technical and material components of interdependencies
    - Geographical area geographically interdependent
    - Systems of regulation and control
    - Flow of services, information
- At the level of the dependent territorial system:
    - People
    - Buildings
    - Socio-economic activities
    - Political system
    - Cultural system
    - Vital networks and infrastructures
    - Environmental assets
As a function of the nature of the elements at risk, parameters expressing their
vulnerability must be defined. For each parameter, indicators must be defined when
possible, in order to measure the vulnerability. Parameters can refer to potential losses
but also to the existing capacities. A weighted analysis of the indicators, when possible,
allows obtaining a final picture of the level of vulnerability.
However, the identification of these parameters and indicators should take on board the
following requirements:
1/ The distinction between hazard-independent and hazard-dependent vulnerability.
According to the definition given to those two different aspects of vulnerability, accurate
parameters will not be the same. Burton proposed five criteria to assess the biophysical
vulnerability of cities: the biological sensibility of the population, importance of the
structures, risks related to the disruption of vital infrastructures, potential economical
losses, risks related to institutional or organisational disruption. Social vulnerability is
determined by factors such as poverty and inequality, marginalisation, food entitlements,
access to insurance, housing quality, financial resources, health state of the
population, existing alternative resources, experience and knowledge of the population,
existing coping capacities (Burton et al., 2002; Blaikie et al., 1994).
Figure 27 shows for instance the possible dimensions of vulnerability and capacities.
However, the indicators expressing hazard-independent and hazard-dependent vulnerability
are different. The choice of the corresponding indicators must be based at least on three
criteria: availability and coverage, measurability and accuracy, frequency of update.

Source: Schneiderbauer, Ehrlich, 2004


Figure 28: Conceptual diagram of social levels and examples of relevant
characteristics identified for the assessment of vulnerability

2/ In the frame of the hazard-dependent analysis, the vulnerability analysis must focus
first on the level of exposure, relative to hazard-independent parameters describing the
strength or weakness of a sub-system, and its degree of dependency on the services
provided by the critical infrastructure under study. A vulnerability scenario, i.e. the
assessment of potential losses due to a given event, must take account of the susceptibility,
balanced by the resilience, as they have been defined. Regarding social systems,
Anderson and Woodrow classified vulnerabilities and capacities into three categories: (1)
physical/material; (2) social/organizational; and (3) motivational/attitudinal (Anderson
& Woodrow, 1988).
(1) The physical/material vulnerabilities and capacities include climate, environment,
sources of livelihood, productive and other skills, land, water capital, infrastructure
and services.
(2) The social/organizational capacities and vulnerabilities refer to the manner society
is organized, its internal conflicts and how it manages them. These factors include
family structures, leadership qualities and structures, patterns of decision making,
participation levels, social division and conflicts, community organizations,
relationship to government, and government policies and legislation.
(3) Motivational/attitudinal vulnerabilities and capacities refer to how people in
society view themselves and their ability to affect their environment. Factors for this
category include attitude towards change, sense of ability to affect environment and
get things done, religious belief, ideology, fatalism, dependence/self-reliance,
unity/solidarity, and cooperation.
3/ There must be a distinction between direct and indirect consequences of a critical
service disruption. This distinction allows assessing the systematic vulnerability and
induced vulnerability. For instance, in case of power grid disruption, the
immediate damage is the loss of power and the immediate consequences are for instance
the loss of life because traffic signaling fails, life support systems fail, etc. Secondary or
indirect damages can include lost output for the businesses and the economy overall, loss
of confidence by the population and possibly by investors, over-investment in measures
to prevent a re-occurrence, etc. This entails considering both quantitative and qualitative,
tangible and intangible aspects of vulnerability. For instance, to express the
vulnerability with respect to critical security issues, the following parameters can be
found in the literature:
- The security of people is related to the protection of human life. The parameter to
be retained is the potential number of deaths in case of service disruption.
- The physical security is related to the potential destruction affecting sources of
livelihood, productive and other skills, land, water capital, the environment, other
infrastructure and services. Indicators can be built on the degree of destruction (from
0 to 100%) or on the cost of destruction.
- The economic security is related to the maintenance of business continuity and
sustainability. Possible parameters to express the vulnerability are related to the cost
of potential disruptions, the lack of investment, etc. Some qualitative aspects such as
the degradation of the trust of customers can be included. Indicators can adopt the
common unit of the cost of the damages.
- The national security is related to consequences on strategic elements ensuring the
survival and safety of the nation-state. Parameters to express the vulnerability can be
the continuity of the authorities' activities, the capacity to maintain essential public
services, the trust of the population and the credibility of the authorities. Indicators
are more difficult to provide.
In order to compose a useful composite indicator for vulnerability assessment, it is
necessary to define weighting factors for each indicator, using expert knowledge.
Furthermore the indicator should evolve as the vulnerability evolves. A number of more
qualitative parameters that are highly relevant for vulnerability assessments are difficult
to describe and none of the frequently globally surveyed indicators could support their
determination. The relevant information can only be compiled with time-consuming local
expert consultation.
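
How much the expert weighting matters can be seen by computing a composite indicator over the four security parameters listed above. The Python code below is an added example, not a method from the report: the indicator values, reference maxima and the two weight sets are constructed assumptions, and a parameter with no usable indicator (here national security) is left out with the remaining weights renormalised and the resulting coverage reported.

```python
# Reference maxima used to bring indicators with different units onto 0..1.
# Hypothetical scaling values chosen for this example.
REFERENCE_MAX = {
    "deaths": 100.0,            # security of people: potential number of deaths
    "destruction_pct": 100.0,   # physical security: degree of destruction, 0-100%
    "damage_cost_meur": 500.0,  # economic security: cost of damages (million EUR)
    "national_security": 1.0,   # qualitative; often no indicator available
}

# Constructed indicator values for two regions; None = no indicator available.
REGIONS = {
    "X": {"deaths": 20, "destruction_pct": 10, "damage_cost_meur": 400,
          "national_security": None},
    "Y": {"deaths": 60, "destruction_pct": 30, "damage_cost_meur": 50,
          "national_security": None},
}

# Two constructed expert weightings (points out of 10).
LIFE_SAFETY_WEIGHTS = {"deaths": 5, "destruction_pct": 2,
                       "damage_cost_meur": 2, "national_security": 1}
ECONOMIC_WEIGHTS = {"deaths": 2, "destruction_pct": 2,
                    "damage_cost_meur": 5, "national_security": 1}


def normalise(indicators):
    """Scale each available indicator to 0..1; skip missing ones."""
    scores = {}
    for name, value in indicators.items():
        if value is None:
            continue
        scores[name] = min(max(value / REFERENCE_MAX[name], 0.0), 1.0)
    return scores


def composite(indicators, weights):
    """Return (composite vulnerability, weight coverage), both rounded.

    Coverage is the share of the total expert weight that is backed by an
    available indicator; a low value means the composite rests on few inputs.
    """
    scores = normalise(indicators)
    used = {name: w for name, w in weights.items() if name in scores}
    used_total = sum(used.values())
    if used_total == 0:
        raise ValueError("no weighted indicator is available")
    value = sum(scores[name] * w for name, w in used.items()) / used_total
    coverage = used_total / sum(weights.values())
    return round(value, 3), round(coverage, 3)


def rank(regions, weights):
    """Region names ordered from most to least vulnerable."""
    return sorted(regions,
                  key=lambda r: (-composite(regions[r], weights)[0], r))


if __name__ == "__main__":
    for label, weights in (("life-safety", LIFE_SAFETY_WEIGHTS),
                           ("economic", ECONOMIC_WEIGHTS)):
        print(label, {r: composite(v, weights) for r, v in REGIONS.items()},
              "ranking:", rank(REGIONS, weights))
```

With the same indicator values, the two weightings rank the regions in opposite order, which is why the weights have to be set and documented by expert judgement rather than left implicit.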
5.4. Conclusion
The application of the classical concepts used for risk and vulnerability assessment to
Critical Infrastructures shows the need to shift towards a systemic approach to risks,
hazards and vulnerability. The importance of intentional acts against critical
infrastructures requires a threat analysis and reinforces the need to focus on the
vulnerability of critical infrastructures. The focus on the vulnerability assessment against
service disruption of critical infrastructures requires defining a methodology based on a
set of indicators that capture the dynamic temporal and spatial aspects of vulnerability.
This implies setting up an appropriate metric to measure these indicators, through the
assessment of quantitative-qualitative, direct-indirect, short-term-long-term consequences
of potential disruptions.


6. Conclusions
The objective of this report was to review the conceptual and epistemological background
concerning systems of interdependent critical infrastructures and associated risk and
vulnerability.
From the epistemological standpoint, it appeared that the field of analysis for the
vulnerability of critical infrastructures comes at a scientific crossroad, encompassing
technical, socio-economical, political, scientific conceptual approaches. Various aspects
are analyzed within different fields without any multi-disciplinary overview. This raises
the problem of the comparison and reutilization of the terminology from one field to
another. While systemic risks require cross-scientific research on critical systems and
possible vulnerabilities, decision-making on risk often fails to successfully combine
scientific expertise with careful consideration of the socio-cultural aspects of risk issues.
Scientific knowledge alone cannot produce the expected basis for political decisions
(IRGC, 2004).
From a conceptual standpoint, the systemic approach appeared as a solution, since it
allows a coherent and holistic approach of the multi-dimensional characteristics of the
problem:
Applied to the analysis of the spatial systems formed by critical infrastructures,
the systemic paradigm refers to the definition of organisation, location and functioning of
critical infrastructures systems, based on human, technical, political, geographical, social
sub-systems, according to a territory.
Applied to the analysis of the criticality, the system approach allows analysing the
context, the scale, the time, the types of infrastructures, the actors' perceptions leading to
various understandings of the concept of crisis and criticality, as well as the main policy
issues.
Applied to the concepts of risks, hazards and vulnerability, the systemic approach
allows characterizing systemic risks, cascading hazards and cascading vulnerability, in
tight relation with the criticality, the scale, the time and the multi-dimensional issues of
the vulnerability.
On the basis of the work, coming research should address problems related to the
identification and definition of accurate tools and methodologies, allowing decision-makers
to adopt an appropriate Critical Infrastructure Protection Strategy and taking on
board holistic, multi-disciplinary requirements.


7. References
ADGER, W. N. (1999). Social Vulnerability to Climate Change and Extremes in Coastal
Vietnam. World Development, 27 (2), pp. 249-269.
ADGER, W. N. (2000). Social and Ecological Resilience: Are They Related? Progress
in Human Geography 24 (3), pp. 347-364.
ADGER, W. N. (2003). Building Resilience to Promote Sustainability: An Agenda for
Coping with Globalisation and Promoting Justice. IHDP Update, pp. 2:1-3.
ALLEN, K. (2003) Vulnerability reduction and the community-based approach, in
PELLING (ed.), Natural Disasters and Development in a Globalising World. Pp. 170-184.
ALEXANDER, D.E. (2000). Confronting Catastrophe. Terra Publishing, Harpenden. 282 p.
ANDERSON, M., WOODROW, P. (1998). Rising from the Ashes: development strategies
in time of disasters. London Westview Press, intermediate technology publications.
BANK FOR INTERNATIONAL SETTLEMENTS (2002). Risk measurement and
systemic risk, Committee on the Global Financial System, Proceedings of the Third
Joint Central Bank Research Conference, 7-8 March 2002, Basel, Switzerland.
BATES, F. L. & W. G. PEACOCK (1993). Living conditions, disasters and development:
an approach to cross-cultural comparisons, Athens, USA: University of Georgia Press.
BATTY, M. (2003). Network Geography: relations, Interactions, Scaling and spatial
processes in GIS. Centre for advanced spatial analysis, Working paper series,
paper 63, pp. 1-24
BERTALANFFY, L. (1973). Theorie Generale des systemes, Dunod.
BLAIKIE, P., CANNON, T., DAVIS, I. & WISNER, B. (1994). At Risk: Natural Hazards,
People's Vulnerability and Disasters. London, Routledge.
BOHLE H-G. (2001) Vulnerability Article 1: Vulnerability and Criticality. In Newsletter
of the International Human Dimensions Programme on Global Environmental
Change, Nr. 2/2001
http://www.ihdp.uni-bonn.de/html/publications/update/update01_02/IHDPUpdate01_02_bohle.html

BOUCHON S., GHEORGHE A., BIRCHMEIER J. (2005) Toward Guidelines for
Regional Assessment of Vulnerability against Service Disruption of Critical
Infrastructures. EsReDa, 29th Seminar "System Analysis for a More Secure
World" Proceedings.
BOLIN, R. and STANFORD, L. (1991). Shelter, housing and recovery: a comparison of
U.S. disasters. In Disasters, 15(1), pp. 24-34.
BRABANDERE (DE), L. (1989) Le Latéroscope, Systèmes et créativité. La
Renaissance du livre, Bruxelles.
BROCK, WILLIAM A., KARL-GORAN MALER, AND PERRINGS C. (2002).
Resilience and Sustainability: The Economic Analysis of Nonlinear Dynamic
Systems. In Panarchy: Understanding Transformations in Human and Natural
Systems, edited by L. Gunderson and C. S. Holling. Washington DC: Island Press.
BROOKS, N. and ADGER, W. N. (2003) Country level risk measures of climate-related
natural disasters and implications for adaptation to climate change, Tyndall Centre
Working Paper 26:
http://www.tyndall.ac.uk/publications/working_papers/wp26.pdf
BUCKLE P., MARS G., SYD SMALE R. (2000). New approaches to assessing
vulnerability and resilience. Australian Journal of Emergency Management.
2000. pp. 8-16. (69)
BUCKLE, P., GRAHAM, M., and SMALE, S. (2001). Assessment of Personal and
Community Resilience and Vulnerability. Report EMA Project 15/2000. May 2001.
BULLOCK, S., COHEN, N., DI PAOLO, E., NOBLE, J. Simple Models of complex
networks. Case for support. Simple Models of Complex Networks Research
Cluster. www.comp.leeds.ac.uk/seth/cluster/cluster.ps
BURBY, R.J. (1991). Sharing Environmental Risks: How to control Governments' losses
in Natural Disasters. Westview Press, Boulder.
BURTON, I., HUQ, S., LIM, B., PILIFOSOVA, O. AND SCHIPPER, E. L. (2002).
From impacts assessment to adaptation priorities: the shaping of adaptation policies.
In Climate Policy, 2, pp.145-159.
BUSH G.W. (2001). September 11/2001: Attack on America. Executive Order Critical
Infrastructure Protection in the Information Age. Office of the Press Secretary, the
White House, October 16, 2001. Downloaded from
http://www.yale.edu/lawweb/avalon/sept_11/execord_1016.htm
CANNON, T. (2000). Vulnerability analysis and disasters. In: D J Parker (ed.) Floods.
Routledge.
CANNON, T. (1994). Vulnerability analysis and the explanation of "natural" disasters, in
VARLEY, A. (ed.) Disasters, development and the environment, Chichester: John
Wiley.
CHAMBERS R, PACEY A, THRUPP L (eds)(1989), Farmer first. London, Intermediate
Technology Publications
CHAPMAN, D. (1994). Natural Hazards. Oxford University Press. 174 p.
CHRISTALLER, W. (1933). Die zentralen Orte in Süddeutschland, Darmstadt:
Wissenschaftliche Buchgesellschaft, [Abt. Verl.], 1980, 3., unveränd. Aufl.,
reprograf. Nachdr. d. 1. Aufl. Jena 1933
CLARK, G., MOSER, S., RATICK, S., DOW, K., MEYER, W. EMANI, S., JIN, W.,
KASPERSON, J., KASPERSON, R., AND SCHWARZ, H. Assessing the
Vulnerability of Coastal Communities to Extreme Storms: the Case of Revere, MA.,
U.S.A. 1998.
COBURN A.W., SPENCE, R.J.S., POMONIS A. (1994) Training Manual: Vulnerability
and Risk Assessment (2d Edition). UNDP Disaster management Training
Programme. http://www.proventionconsortium.org/toolkit.htm
COM (2004) 702 final Communication from the Commission to the Council and the
European Parliament Critical Infrastructure Protection in the fight against
terrorism
http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/com/2004/com2004_0702en01.pdf

COM (2005) 576 final Green paper On a European Programme for Critical
Infrastructure Protection
europa.eu.int/eur-lex/lex/LexUriServ/site/en/com/2005/com2005_0576en01.pdf
COM (2000) 1. European Commission (2000). COMMUNICATION FROM THE
COMMISSION on the precautionary principle, 02.02.2000.
CRICHTON, D. (1999). The Risk Triangle. In Natural Disaster Management. Jon
Ingleton (Ed) Tudor Rose, London.
CSA (CANADIAN STANDARD ASSOCIATION). Dependability Management - Part 2:
Dependability Programme Elements and Tasks (Adopted IEC 300-2:1995) / Gestion de
la sûreté de fonctionnement - Partie 2: Éléments et tâches du programme de sûreté de
fonctionnement (norme CEI 300-2:1995 adoptée)
DAVIES, H., AND MEGAN W.(1998). Do all crises have to become disasters? Risk and
risk mitigation. Disaster Prevention and Management: An International Journal.
Vol. 7. No. 5. (1998): pp. 396-400.
DI JOHN, J. (2001). An Institutionalist political Economy Perspective of Risk and
Vulnerability. Joint World bank/ Columbia University Workshop: Assessment of
High-Risk Disaster Hotspots, Lamont-Doherty Earth Observatory, Palisades, New
York, 6-7 September 2001.8 p.
DOD (DEPARTMENT OF DEFENSE, USA). (2002). Critical Infrastructure Protection.
NDIA Information Briefing, July 3, 2002
http://www.dtic.mil/ndia/2002security/bozek.pdf
DOUGLAS, M. and WILDAVSKY, A. (1983). Risk and culture, an essay on the
selection of technological and environmental dangers, University of California
Press, 1983,
DOW, K (1992). Exploring Differences in Our Common Future(s): The Meaning of
Vulnerability to Global Environmental Change. Geoforum 23 (3):417-436.
DOWNING, T.E. (1991). Assessing Socioeconomic Vulnerability to Famine:
Frameworks, Concepts, and Applications. FEWS Working Papers 2.1. USAID,
Famine Early Warning System Project, Washington DC.
DUPUY, G. (1985). Systèmes, réseaux et territoires. Paris, Presse de l'École nationale
des Ponts et Chaussées.
FEMA. (2003). Integrating Manmade hazards Into Mitigation Planning. Rep. No. FEMA
386-7 Version 2.0. September 2003.
FIERING, MB (1982). Alternative Indices of Resilience in Water Resources Research,
18, pp.33-39
GHEORGHE, AV., MOCK R. AND KROGER W. (2000) Risk assessment of regional
systems. Reliability Engineering and System safety, 70, pp. 141-156.
GHEORGHE A.V., SCHLAPFER M (2004). Critical Infrastructures: Ubiquity of
Digitalization and Risks of Interdependent Critical Infrastructures; IRGC, ETH,
Zurich, June 2004.
GHEORGHE, A. V. AND VAMANU, D. V. (2004). Towards QVA - Quantitative
Vulnerability Assessment: a generic practical model. Journal of Risk Research 7 (6):
613-628
GRAVLEY, D. (2001). Risk, Hazard and Disaster. University of Canterbury, New
Zealand.
http://www.canterbury.ac.nz/
HAIMES Y.Y., LONGSTAFF T. (2002). The Role of Risk Analysis in the Protection of
Critical Infrastructures Against Terrorism. Risk Analysis, 2002(3). Pp. 439-444.
HEWITT, K.,1997, Regions of Risk: a geographical introduction to disasters, Harlow:
Addison Wesley Longman.
HOLLING, C.S. 1973. Resilience and Stability of Ecological Systems. Annual Review of
Ecology and Systematics 4:1-23.
HOLMES R. (2004). Survey of public private partnerships for critical infrastructures
protection. Michigan State University CyberSecurity Initiative Workshop,
Saturday, November 20, 2004.
http://ccs.cse.msu.edu/workshop/Workshop_Holmes_11-15-03.pdf
HOLMGREN Å., MOLIN S., THEDÉEN T. (2004). Vulnerability of Complex
Infrastructure. Power Systems and Supporting Digital Communication Systems.
The Swedish Defence Research Agency (FOI).
HOYLAND A., RAUSAND M. (1994) System Reliability Theory, Models and Statistical
Methods, John Wiley & Sons
IPCC (Intergovernmental Panel on Climate Change) (2001). Climate Change 2001:
Impacts, Adaptation and Vulnerability. Contribution to the Working Group II to the
Third Assessment Report of the IPCC, UNEP Publication.
IRGC. (2004) The role of governance in the framing, assessment and management of
risks - Promoting effective and sustainable international networks and systems.
TaxGov project, Draft Paper.
IRGC. (2005). White Paper on Risk Governance: Towards an integrative approach.
International risk governance council, Geneva, September 2005.
JONES, R. and BOER, R. (2003) Assessing current climate risks Adaptation Policy
Framework: A Guide for Policies to Facilitate Adaptation to Climate Change,
UNDP, in review, see
http://www.undp.org/cc/apf-outline.htm
JONSSON, E. (1998) An Integrated Framework for Security and Dependability
(abridged version). Department of Computer Engineering, Chalmers
University of Technology, Göteborg.
KAIJSER, A. 1994. The Swedish Infrastructure; Historical Development and Future
Challenges. (in Swedish). Carlsson Bokförlag, Stockholm.
KORHONEN, J., SNAKIN, J-P. (2005) Analysing the evolution of industrial
ecosystems: concepts and application. Ecological economics 52, pp. 169-186.
KREIMER A. AND ARNOLD M. (Eds) (2000). Managing Disaster Risk in Emerging
Economies, Disaster Risk Management Series No. 2, The International Bank for
Reconstruction and Development/THE WORLD BANK
LAFOND, G. and GOSSELIN A. (1994). A survey on perceived risks in Risk Assessment
and Management: Emergency Planning Perspectives. Ed. Martin L.R.G. pp. 45-59.
LAPIERRE, J-W. (1992) L'analyse de systèmes, L'application aux sciences sociales.
Labor, Bruxelles.
LATORA, V., MARCHIORI, M. (2004) How the science of complex networks can help
developing strategies against terrorism. Chaos, Solitons and Fractals 20, 69-75.
LE MOIGNE, J-L. (1977). La théorie du système général; Théorie de la modélisation.
3ème édition, 1990, Paris, PUF, 330 p.
LINSTONE, H. 1984. Multiple Perspectives for Decision-making; Bridging the Gap
Between Analysis and Action. North-Holland, Amsterdam.
LEWIS, J. (1999). Development in Disaster-prone Places: Studies of Vulnerability.
Southampton Row, London: Intermediate Technology Publications.
LOGTMEIJER, C., DI MAURO, C., NORDVIK, J-P. (2006) Energy Demonstrator:
regional vulnerability against energy disruptions in Europe, Technical note,
EC-DG-JRC-TVAU (Under edition)
LUIIJF E., BURGER H., KLAVER M. (2003). Critical Infrastructure Protection in the
Netherlands: A Quick-scan. EICAR Conference Best Paper Proceedings, EICAR,
Copenhagen, 2003.
MECHLER R. (2003). Macroeconomic Impacts of Natural Disasters;
http://yym.marmara.edu.tr/anasayfa/yayin/yayin1/03mechler3-n%5B1%5D.ac.doc
METZGER J. (2004) An Overview of Critical Infrastructure Protection (CIP): A Critical
Appraisal of a Concept, Centre for Security Studies, Swiss Federal Institute of
Technology (ETH Zurich)
http://www.eda.admin.ch/eda/e/home/foreign/secpe/intsec/wrkshp/cybsec/metzger.html
MITCHELL J.K (ed) (1999). Crucibles of Hazard: Mega cities and Disasters in
Transition. United Nations Publications.
MOTEFF J., PARFOMAK R. (2004) Critical Infrastructure and key assets: Definition
and Identification. CRS Report for Congress, October 1, 2004.
MOTEFF, J. COPELAND C., FISHER J. (2003) Critical Infrastructures: what makes an
infrastructure critical? Report for Congress. Updated January 29, 2003.
NRC (National Research Council) (1989). Improving Risk Communication. Washington,
DC: National Academy Press.
OFFICE OF FEDERAL HOUSING ENTERPRISE OVERSIGHT - OFHEO (2003).
Systemic risk: Fannie Mae, Freddie Mac and the role of OFHEO. OFHEO Report
February 2003.
OFFICE OF THE PRESIDENT. OFFICE OF HOMELAND SECURITY. National
Strategy for Homeland Security, July 2002.
ORGANISATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (2003).
Emerging Systemic Risks in the 21st Century: An Agenda for Action. OECD
Publications Service, Paris.
ORGANISATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (2004).
Summary of the Conference Discussions: First Nordic Conference on Emerging Risks
and Regional Economic Development, Karlskoga, Sweden, 24-25 November 2003.
PARK, R., BURGESS E.W. AND MCKENZIE R. D. (1925). The City. Chicago:
University of Chicago Press.
PARR AR, (1987), Disaster and Disabled Persons: an examination of the safety needs of a
neglected minority. Disasters 11, pp. 148-153
PASCUAL M., GUICHARD F. (2005). Criticality and disturbance in spatial ecological
systems. TRENDS in Ecology and Evolution, Vol.20, n.2. February 2005.
PERROW, C. (1984). Normal Accident: living with High-risk Technologies. New York:
Basic Books.
QUINLAN, A. (2003). Resilience and Adaptive Capacity: Key Components of
Sustainable Social-Ecological Systems. IHDP Update 2:4-6.
RIEBSAME, W.E. (1991). Sustainability of the Great Plains in an Uncertain Climate.
Great Plains Research 1 (1):133-151.
RINALDI S.M. (2004). Modelling and Simulating Critical Infrastructures and Their
Interdependencies. Proceedings of the 37th Hawaii International Conference on
System Sciences January 2004.
RINALDI S.M., PEERENBOOM J.P., Kelly T.K. (2001). Identifying, Understanding,
and Analyzing Critical Infrastructure Interdependencies. IEEE Control System
Magazine, 0272-1708/01, Washington, December 2001.
RITTER S., WEBER J. (2004). Critical Infrastructure Protection: Survey of world-wide
Activities. Federal Office for Information Security, Bonn, March, 2004.
SAREWITZ, D., PIELKE, R. and KEYKHAN, M. (2003) Vulnerability and risk: some
thoughts from a political and policy perspective, submitted to Risk Analysis.
SCHNEIDERBAUER S., EHRLICH D. (2004). Risk, hazard and people's vulnerability
to natural hazards: a review of definitions, concepts and data. European
Commission-Joint Research Center-EUR 21410 EN, 2004
SCHOON M. (2005). A Short Historical Overview of the Concepts of Resilience,
Vulnerability, and Adaptation. Workshop in Political Theory and Policy Analysis,
Indiana University Working Paper W05-4, 29/01/05
SHANNON, C.E., Weaver, W. (1949). A mathematical theory of communication, 11th
edition, 1977, Urbana, Illinois, University of Illinois Press. 125 p.
SMIT, B., BURTON I., RICHARD J.T. KLEIN, and J. WANDEL. (2000). An Anatomy
of Adaptation to Climate Change and Variability. Climatic Change 45:223-251.
SMIT, B. (1993). Adaptation to Climatic Variability and Change. Guelph:
Environment Canada.
SMITH, K. (2000). Environmental Hazards- Assessing Risk and Reducing Disasters,
Routledge, 3rd Edition, 381 p.
SMITH, K. (1996). Environmental Hazards-Assessing Risk and reducing disaster.
Routledge, 2nd Edition. 381 p.
SMITHERS, J., and SMIT B. (1997). Human Adaptation to Climatic Variability and
Change. Global Environmental Change 7 (2):129-146
STEETSKAMP, I., VAN WIJK A. Stroomloos: kwetsbaarheid van de samenleving;
gevolgen van verstoringen van de electriciteitsvoorziening, Rathenau Instituut,
Den Haag 1994.
STENCHION, P. (1997). Development and disaster management in The Australian
Journal of Emergency Management, vol.12, n.3, spring 1997, pp. 40-44.
SUSMAN P., O'KEEFE P., WISNER B. (1983). Global Disasters, a radical interpretation,
in HEWITT, K. (ed). Interpretations of Calamity, pp. 263-283, London, Allen & Unwin.
THE WHITE HOUSE. (1998). Presidential Decision Directive/NSC-63: Critical
Infrastructure Protection. The White House, Washington, 22-8-1998.
THE WHITE HOUSE. (2003). The national strategy for the physical protection of
critical infrastructures and key assets. The White House, Washington, February.
THILL J-C. (2000) Geographic information systems for transportation in perspective.
Transportation Research Part C 8, 3-12.
THÜNEN, J-H. von (1826). Isolated state; an English edition of Der isolierte
Staat. Translated by Carla M. WARTENBERG. Edited with an introd. by Peter
Hall, Oxford, New York, Pergamon Press [1966].
TOBLER, W. (2002). Global Spatial Analysis. Editorial. Computers, Environment and
Urban systems, 26, pp.493-500.
TURNER, B.L., ROGER E., KASPERSON, PA. and al. (2003) A Framework for
Vulnerability Analysis in Sustainability Science. Proceedings from the National
Academy of Science, 100 (14), pp.8074-8079.
TWIGG, J. & M. R. BHATT. (1998). Understanding vulnerability: South Asian
perspectives, London and Colombo: Intermediate Technology Publications.
UN/ISDR (2004). Glossary. Basic Terms of Disaster Risk Reduction.
http://www.unisdr.org/eng/library/lib-terminology-eng.htm
UNDRO (United Nations Disaster Relief Coordinator) (1979). Natural Disasters and
Vulnerability Analysis, in Report of Expert Group meeting, Geneva, July 9-12,
1979, 49 p.
UNITED NATIONS (2002). Living with Risk: A Global Review of Disaster Reduction
Initiatives. Preliminary Version, United Nations, Inter-Agency Secretariat, International
Strategy for Disaster Reduction, Geneva, Switzerland.
UNITED NATIONS (2004). Living with Risk: A Global Review of Disaster Reduction
Initiatives. Final Version, United Nations, Inter-Agency Secretariat, International
Strategy for Disaster Reduction, Geneva, Switzerland.
VAN DER LEEUW, SANDER E. 2001. 'Vulnerability' and the Integrated Study of
Socio-Natural Phenomena. IHDP Update 2:8-11.
VETERE, A-L, HEIKKILA, A-M., BOUCHON S. ET AL. (2004) Systemic
risks and lessons learned, Joint Seminar in Karlskoga, EUR 21404 EN, 2004
WALKER, B., CARPENTER S., ANDERIES J., ABEL N., CUMMING G., MARCO A.
AND AL. (2002). Resilience Management in Social-Ecological Systems: A
Working Hypothesis for a Participatory Approach. Conservation Ecology 6 (1):14.
WALKER, BRIAN, C. S. HOLLING, STEPHEN R. CARPENTER AND ANN P.
KINZIG. (2004). Resilience, Adaptability and Transformability in
Social-ecological Systems. Ecology and Society 9 (2): 5.
WALLISER, B. (1977). Systèmes et modèles, Seuil.
WEBER, A. [translated by Carl J. Friedrich from Weber's 1909 book]. Theory of the
Location of Industries. Chicago: The University of Chicago Press, 1929.
WEST CHURCHMAN, C. (1968). The systems approach. A Delta book, New York Dell
publishing Co, 243 p.
WIENER, N. (1947). Cybernetics, or control and communication in the animal and in the
machine, 1st edition, Cambridge, Mass., The MIT Press, 212 p.
WILSON, A.G (2002) Complex Spatial Systems: Challenges for Modellers.
Mathematical and Computer Modelling, 36, pp.379-387
WISNER, B. (1993). Disaster Vulnerability: Scale, Power and Daily Life. GeoJournal 30,
2, pp. 127-144.
WHITE, G.F. (1974). Natural Hazards, Local, National, Global, O.U.P. 288 p.
WU J., DAVID, J.L. (2002). A spatially explicit hierarchical approach to modeling
complex ecological systems: theory and applications. Ecological Modelling
153, pp. 7-26.

European Commission
EUR 22205 EN DG Joint Research Centre, Institute for the Protection and Security of the Citizen
Luxembourg: Office for Official Publications of the European Communities
2006 99 pp. 21x29,5 cm
Scientific and Technical Research series

Abstract
The main objective of this report is to provide a state-of-the-art review of the existing conceptual
background dealing with the vulnerability of critical infrastructures systems, in order to highlight
the main issues for decision-making processes and to provide an overview of all the dimensions
of the problem.
The first chapter addresses the terminology and the epistemological background for the analysis
of spatial systems of interdependent Critical Infrastructures. It first analyses the definition of a
system and of the systems approach. It then focuses on the definition of spatial systems of
critical infrastructures, following the background of the spatial analysis of networks. It ends with
the study of the factors that affect the construction of systemic models, i.e. the scale of analysis,
the choice of the sub-systems and processes to analyze according to the objectives and goals of
the analysis.
The second chapter focuses on the definition of critical infrastructures, highlighting the
conceptual debates addressing the notion of criticality. It details the existing approaches to
criticality and the complexity of the term infrastructure, which reveals various possible levels of
analysis, and recalls the evolution in time and space of criticality. It also underlines the various
understandings of criticality as a function of actors' perception. These elements of a conceptual
debate have very specific implications for the decision-making process. The chapter therefore
ends with a dedicated subsection on the main policy issues raised by the concept of
criticality.
The last chapter provides a review of existing definitions of risks, hazards, vulnerability and
resilience within the field of disaster management literature. This review led to the analysis of the
specificity of the field of critical infrastructures protection. In this context, the concept of systemic
risk appears more appropriate, as does the shift towards the concepts of threats, cascading hazards
and cascading vulnerability. The focus on cascading vulnerability shows that various levels of
exposed elements can be considered within critical infrastructure systems, whose vulnerability
depends on their level of dependency. Since vulnerability is also affected by time and
geographical scale issues, these factors have been further analysed, as has the question of the
definition of accurate parameters and indicators to express it.
The conclusion highlights the necessity to adopt a holistic, multi-disciplinary approach to the
vulnerability analysis of critical infrastructures systems.

The mission of the Joint Research Centre is to provide customer-driven scientific and
technical support for the conception, development, implementation and monitoring of
European Union policies. As a service of the European Commission, the JRC functions as a
reference centre of science and technology for the Union. Close to the policy-making
process, it serves the common interest of the Member States, while being independent of
special interests, whether private or national.
