Critical Infrastructure Resilience: Are we addressing the real challenges? In the right way?
By A. Jovanovic, Steinbeis European Risk & Resilience Institute, Germany & F. Guyomard, EDF, France
Resilience of critical infrastructures
Over roughly the last two decades, the term resilience has taken the most prominent position among the words used in discussions on “how the infrastructure should prepare for its future challenges”. Words like safety, protection, or risk, often used as synonyms, became less “fashionable”, and the discussions among politicians, scientists, media and even ordinary people became very much focused on resilience, as the “ability of … to respond and adapt to change” (ISO). This is particularly true for the area of critical infrastructures (the “critical entities” in the EU Critical Entity Resilience CER Directive), where the above trend is amplified by the new types of threats, increased “black-box” character of many processes, increased uncertainty in social, political, technological, and climatic factors, increase in global interdependencies, and increased complexity of the infrastructures as systems. Above all, this has been the case with extreme threats, e.g., those resulting from extreme weather, emerging and disruptive new technologies (e.g., AI), the role of social networks, hyper-connectivity, or topics with deep uncertainties.
Stability and transparency vs. agility
In the area of engineering, the above plethora of elements is further complicated by the fact that current resilience management of infrastructure has been focused on components/assets, stability of processes, allocated/regulated responsibilities and compliance, resulting in inertia and rigidity of decision-making processes – just the opposite of the agility needed for “dealing with unforeseen”. This engineering-focused approach is nowadays often challenged by societal and economic, often also political, pressures to focus on services and functions, collective response, adaptation, and “preparing for unknown futures”. That is why the ways of designing, building, operating, and maintaining critical infrastructures have to be adapted to this new societal context, becoming more agile.
The “open talk” vs. “newspeak” of resilience
In the above situation, the stakeholders involved in critical infrastructure resilience often face difficulties when openly identifying and labeling the real challenges in practice, e.g., due to the fear that it could trigger suspicion that something related to safety, protection, risk prevention, etc. is not properly done. That, in turn, can significantly hamper the capability of critical infrastructures to cope with new threats, especially the extreme ones. Many infrastructure owners will gladly discuss generic topics like “what are the risks of digitalization”, but would probably be less willing to embark on a discussion of the possibly increased probability of accidents caused by employees (e.g., the younger ones) “trusting the screen too much”, without understanding the process behind the screen, or caused by employees (e.g., the elderly ones) who “did not understand the IT black boxes standing between them and the process”. Creating an environment in which open talk about the challenges is possible and encouraged – not a buzzword-based “newspeak” – is, therefore, essential for achieving resilience of infrastructures and building the “public language of resilience” in society – which is important, as, e.g., almost 2/3 of all 89 major national risks listed in the 2023 UK National Risk Register are infrastructure-related.
Measuring the resilience of critical infrastructures
A further element of the above common language will be to introduce common measures for characterizing threats and infrastructure resilience against them, primarily by indicators. That would directly lead to the possibility to better identify, measure, compare and rank them. Current efforts of organizations like ISO (e.g., the ISO TS 31050 and the 22300-series), Geneva Association (documents on “new risk landscapes”) or UNDRR (“5-point plan for resilience infrastructure”) indicate the need to use indicators and measure resilience, but do not provide hints on what a single, possibly globally accepted, measurement system could look like. The situation is similar in the area of regulation (e.g., the EU CER Directive) or the insurance industry, offering a unique possibility to include the resilience of a critical infrastructure as a factor in defining operational and business aspects. That would open a series of new opportunities, such as, e.g., the new resilience-oriented parametric insurance, where measuring resilience can be a game-changer.
Resilience ownership and resilience owners, the value of resilience
Although new demands for critical functions/services/infrastructures appear (e.g., in car-sharing or in the AI-control of demand for services and infrastructures) and the ways in which they are demanded and provided change by the day, the need to provide these services, e.g., energy or water supply, will remain. This makes operating the infrastructure and ensuring its resilience even more complex, and it has to be supported by the increased capacities of the regulators/governance. These, however, often tend to react slowly, or are poorly equipped to “deal with new and unforeseen challenges”. Although other factors, such as market, technologies, demands and other stakeholders (infrastructure owners, competent authorities, general public), will certainly play an important role, the regulators will certainly maintain a pivotal role in the process. They should lead the process of establishing a (possibly global!) common language of resilience, common ways to measure it and, finally, proposing common ways to implement the whole concept practically, in a possibly aligned way, as an extension of existing good practices. They should help identify the “resilience owners” (similarly to the “risk owners”), and define the concept of “Value-of-Resilience” (VoR, similarly to the “Value-at-Risk”, VaR). That would improve the identification and addressing of new threats, quantifying and ranking them, knowing better the level of resilience needed, and providing a framework for stress-testing resilience. Comparing investment in resilience with new VoR (including protection, absorption, recovery and adaptation capacities) would, thus, incentivize the bottom-up investment in enhancing resilience. This process has to involve all the relevant stakeholders, but must not be politicized, let alone allowed to focus on producing “white elephants” (e.g., in public research) or “emperor’s/entities’ new clothes” (e.g., when early warnings are suppressed, misinterpreted or even banned).
Only in this way will the important new regulations (such as CER, NIS2, AIA, etc.) “live” and yield the expected improvements.