Critical Entities Resilience Failure Indication
An excerpt from ‘Critical Entities Resilience Failure Indication - Reference: SAFETY_106371’ by David Rehak, Alena Splichalova, Martin Hromada, Heidi Janeckova and Josef Ristvej.
The adoption of the new Directive (EU) 2022/2557 on the resilience of critical entities has raised the question of how to assess the level of resilience of these entities in relation to current security threats. Until now, approaches have focused only on assessing the resilience of critical infrastructure elements. However, the new Directive exemplifies the need to pay attention not only to the element resilience, but also and more importantly to the resilience of their owners and operators, i.e., critical entities. Based on this fact, the authors of the article created a tool for Critical Entities Resilience Failure Indication (CERFI Tool). The essence of this tool is a probabilistic algorithm that predicts the relationship between the threat intensity and the protective part of critical entity resilience through indicators (to be created by the assessors themselves). The result of this prediction is an indication of the critical point of failure of the critical entity’s resilience in phases of prevention and absorption of impacts. The CERFI Tool thus contributes to increasing the safety of technically oriented infrastructures, especially those of an energy and transport nature.
This is an excerpt of the paper, which concludes with an example of the practical application of the developed tool on a selected critical entity in the energy sector.
Introduction
People living in large urban agglomerations are increasingly dependent on a reliable supply of essential services that are necessary to maintain vital social functions and economic activities, along with public health and safety services (Directive (EU), 2022). These essential services are provided through critical infrastructure (CI), which can be classified as technical and socio-economic. The most important technical CI systems have long included energy and transport (Council Directive, 2008). For example, the energy sector was identified as a uniquely critical sector in 2013 (The White House, 2023), as a failure of its services would cause cascading impacts on the provision of essential services of all other CI systems (Vichova and Hromada, 2019, Rehak et al., 2018a).
Owners or operators of CI systems are referred to as critical entities. The ability of these critical entities to prevent, respond to, withstand, mitigate, absorb, adapt to and recover from incidents is referred to as resilience (Directive (EU), 2022). This resilience can be perceived on two basic levels. The first level is technical resilience, which focuses on the physical protection of CI elements (NIAC, 2009, Kampova et al., 2020). The second level is organisational resilience, which is concerned with the managerial and procedural areas of critical entities (Asis, 2009, Rehak, 2020). However, the same determinant components can be identified for both types of resilience, which are resistance, robustness, recoverability and adaptability (Rehak et al., 2018b, Rehak et al., 2022a).
In the context of the timeline, resistance can be seen as the most important resilience component, whereby resistance is perceived as the ability of a critical entity to prevent an incident from occurring, whereas the essence of robustness is the absorption of the effects of an incident that has already occurred (Rehak et al., 2022a). The resilience of critical entities is currently determined by several important approaches. These include emergency preparedness (Philpott, 2016), risk management (ISO 31000, 2018), activities taken by an entity to define the hazard environment to which elements of the CI are exposed (Carlson et al., 2012), monitoring (Tracht et al., 2013) or a physical protection system (Kampova et al., 2020). All of these approaches have been successfully applied in practice, but their predictive potential in relation to an impending incident is very low. For this purpose, approaches based on the use of indicators in the context of CI resilience are clearly more appropriate (Rehak and Splichalova, 2022).
A number of methods and tools are currently used within the CI systems that use indicators to detect weaknesses, measure and assess resilience, or evaluate its security or vulnerability. The most prominent of these is a method in which individual questions asking about specific resilience-related issues are considered to be indicators (Øien et al., 2017). Through these questions, they try to define whether the system is sufficiently resilient. In contrast, static resilience assessment methods (Rehak et al., 2019, Nan and Sansavini, 2017, Kozine et al., 2018) use indicators to obtain information about the integrated level of resilience and also to model the failure behaviour of infrastructure systems. A different perspective is provided by holistic methods (Mazur et al., 2019, Fu et al., 2021), which identify indicators based on their benefits for enhancing resilience and stakeholder preferences. Another approach is to define indicators based on economic aspects, which are presented in a three-dimensional form, namely functionality, time and cost (Abbasnejadfard et al., 2022).
It is also common practice to use indices, which can then be considered as a specific type of indicator that is also able to identify significant shortcomings and weaknesses that can threaten the functionality of infrastructure systems. The Resilience Measurement Index can be considered as one of the most important indices, which is complementary to other indicators such as the Vulnerability Index (Collins et al., 2011), the Protective Measures Index, the Consequences Measurement Index (Petit et al., 2013), and the Total Resilience Index (Mottahedi et al., 2021).
Therefore, the essence of all the methods and tools presented above is the assessment of the static resilience/vulnerability level (i.e., the level at the time when the element is not exposed to any incident) in order to identify weak points of the assessed CI elements. Such an approach to CI protection has certainly been correct in recent years, but in the context of the new Directive (EU) (2022) it is necessary to shift the focus to critical entities. As a result of this change, it is now possible to view CI resilience in an integral way that links technical and organisational resilience into a single unit. In this context, it is also appropriate to redistribute indicators from the current CI elements to a new position located between threats and critical entities.
On the basis of these newly established conditions, research was launched in 2020 on the indication of CI resilience failures in the energy, transport and ICT sectors. As a result, the CERFI Tool was developed to enable the predictive indication of failure of a critical entity’s resilience in phases of prevention and absorption of impacts. The essence of this tool is to link the knowledge of threats and the protective part of resilience. Based on this information, entities can detect the most significant threats that could cause a failure in the delivery of their essential services.
Conclusion
With the adoption of Directive (EU) 2022/2557, the focus on CI has shifted from elements to entities. This change in perception is very positive, as the basis for reliable CI is sufficiently resilient critical entities. However, the adoption of the Directive has raised the question of how to assess the resilience of critical entities in relation to contemporary security threats. Until now, all attention has been devoted exclusively to assessing the resilience of CI elements. An important solution to this problem could be a predictive indication of resilience failure of critical entities. For this purpose, the CERFI Tool was developed by the authors of the paper.
The essence of the CERFI Tool is a probabilistic algorithm that predicts the relationship between the intensity of the threat and the protective part of critical entity resilience through indicators (to be created by the assessors themselves). The result of this prediction is an indication of the critical point of failure of the critical entity’s resilience in phases of prevention and absorption of impacts. Failure of the critical entity resilience in this context refers to a situation where the level of the protective part of resilience is not sufficient to protect the critical entity, as a result of which there is an immediate failure of the supply of basic services provided by the critical entity. At the same time, it is necessary to mention some limitations of this approach. The CERFI Tool enables the indication of the failure of resilience of only one critical entity as a result of the action of only one threat and the subsequent occurrence of only one incident. As part of the assessment, it is therefore not possible to consider the interdependencies of critical infrastructures or actually occurring cascading or synergistic effects.
The CERFI Tool thus contributes to improving the security of technically oriented infrastructure systems, especially those in the areas of energy and transport. However, in some cases it can also be applied to selected socio-economic infrastructure systems, e.g., in the field of emergency services or healthcare. The CERFI Tool is primarily intended for security liaison officers of individual infrastructure systems. By applying this tool, they can obtain valuable information about the level of the protective part of resilience of a critical entity and its elements. However, this information is only predictive in nature and is essentially an indication of weaknesses that require subsequent attention.
The CERFI Tool has already been successfully tested in practice on selected critical entities in the energy and transport sectors. This is illustrated by the case study presented at the end of the article. This study focused on the indication of a substation resilience failure due to a physical assault using a motor vehicle. The results of the study show that the CERFI Tool indicated an insufficient level of resilience of the critical entity in question and identified weaknesses that need increased attention. According to the findings, it is proposed that further research be directed particularly in the area of tools for strengthening the resilience of critical entities and assessing their effectiveness. It would also be appropriate to pay attention to research on the critical entities’ resilience failure indication in the recovery and adaptation phase.
The Full Report can be downloaded at https://www.sciencedirect.com/science/article/pii/S0925753523003132