
The European Commission’s science and knowledge service
Joint Research Centre

Risk Assessment Methodologies for Critical Infrastructures

Marianthi Theocharidou
marianthi.theocharidou@ec.europa.eu

• Directorate E: Space, Security and Migration
• Technology innovation in Security

The Joint Research Centre at a glance

3000 staff
Almost 75% are scientists and researchers.
Headquarters in Brussels and research facilities located in 5 Member States.

Risk
• effect of uncertainty on objectives (ISO 31000)
• often expressed in terms of a combination of:
  • consequences of an event
  • associated likelihood of occurrence

[Figure labels: Likelihood, Consequences]

Critical Infrastructure Risk Management at EU level

CI Identification
• National assets
• European CI
• Dependencies!

Risk Assessment (all hazards)
• Organizational level
• Sector level
• National level
• European level

Risk Treatment
• Measures of protection
• Measures of Resilience

In the world …

World Economic Forum, Global Risks 2016, 11th Edition

NRA guidelines (DG-ECHO)
• Based on ISO 31000

Top Hazards in EU

Natural Hazards
• Floods
• Severe weather
• Wild/Forest fires
• Earthquakes
• Pandemics/epidemics
• Livestock epidemics

Man-made Hazards (Non Malicious)
• Industrial accidents
• Nuclear/radiological accidents
• Transport accidents
• Loss of critical infrastructure

Man-made Hazards (Malicious)
• Cyber attacks
• Terrorist attacks

2016 update: Several countries include scenarios on loss of CI, including power
outage.

COMMISSION STAFF WORKING DOCUMENT, Overview of natural and man-made disaster risks in the EU, SWD(2014) 134 final, Brussels, 8.4.2014

Examples of CI-related risks
Country   Risk Level   Term used
CZ        High         Critical infrastructure disruption
DE        -            Outage of critical infrastructure
IE        High         Loss Critical Infrastructure
PL        Medium       Disruption of electricity supplies, of fuel supplies, of natural gas supplies
SE        Very High    Disruption in food supply due to fuel shortages
UK        High         Attacks on Infrastructure
          Very High    IP Network failure/ Malicious prolonged electricity failure
NL        High         National power failure/ malicious power supply failure
          Medium       Malicious gas supply failure


Cascading or correlating hazards
Hazard Cascade or correlated hazard Country

Flood DK, NO, RO, HU


Landslides IT
Severe weather phenomena
Forest Fires HU, IE, LT
Pollution, CI loss, Transport accidents DK, LT, SE, NO
Landslides HU, IT
Earthquakes
Tsunamis EL
Landslides, Earthquakes or
Transport Accidents NO, IT, EL, UK
Volcanos

Nuclear chemical and transport Contamination, Pollution DK, LT, UK, NO


accidents,
CI loss Terrorist & Cyber attacks NO, UK

Flood, Pollution, CI loss or UK, IE


CI loss
Pandemics DK
Pollution Pandemics EE, SE
Likelihood
• Semi-quantitative scales:
o ‘very low/very rare (1)’ to ‘very high/very likely (5)’
o frequency of one or more incidents in various time scales
o probability of occurrence within 1 year
o motive for intentional events: is a threat perceived as likely or not?

• Refers to the initial probability of a risk scenario to occur.

• Likelihood that the event will cause damage (a) to specific CI or (b) to dependent CIs is not usually assessed.

Impact
Human impacts
• Quantitative (in no. of affected people)
• e.g. number of deaths, number of severely injured or ill people, number of permanently displaced people

Economic and Environmental impacts
• Quantitative (Sum of the costs in Euros)
• e.g. costs of cure or healthcare, immediate or longer-term emergency measures, restoration, environmental costs, costs of disruption of economic activity, value of insurance pay-outs, indirect costs on the economy, indirect social costs, etc.

Political/social consequences
• Semi-quantitative (limited/insignificant, minor/substantial, moderate/serious, significant/very serious, catastrophic/disastrous)
• e.g. public outrage and anxiety, encroachment of the territory, infringement of the international position, violation of the democratic system, social psychological impact, impact on public order and safety, political implications, psychological implications, and damage to cultural assets, etc.

Complexity of CI Risk Assessment

A holistic approach for RA including CIs

[Figure labels: Public Authorities, Civil Protection; Operators, Public Authorities; Operators]

Risk assessment methodologies for critical infrastructure protection. Part II: A new approach, Marianthi Theocharidou, Georgios Giannopoulos, EUR 27332 EN, 2015

Current level of maturity

• Asset level RAs: High level of maturity, operators are doing this on a continuous basis*
• System level RAs: Low level of maturity, more effort is needed both at scientific level as well as governance level
• Models for the assessment of cascading effects still need to be developed – data collection methods are also missing
• Society level RAs: In principle do not include CI risks in a systematic way

*Risk Assessment Methodologies for Critical Infrastructure Protection. Part I: A state of the art, EUR 25286

RA vs. Performance-based RA

Focus on the performance of services, not on the physical damage of assets…

[Figure: Infrastructure 1, Infrastructure 2, Infrastructure …; performance around a Disruptive Event: Original State, Disrupted State, Recovery Action, Recovered State; labels: Performance, Cost, Time]

“Some elements of critical infrastructure are not assets, but are in fact networks or supply chains”
(Australia’s Critical Infrastructure Resilience Strategy, 2010)

Risk (& Resilience) Assessment Methodologies for Critical Infrastructures

Common steps
• Threat and Hazard Assessment
• Risk Scenario Identification
• Vulnerability Assessment
• Consequence Assessment

Critical Infrastructure Risk Management Framework

Better Infrastructure Risk and Resilience
• Argonne National Laboratory
• 18 sectors
• Vulnerability Index
• Protective Measures Index
• Resilience Index
• Relies on operators for the asset assessment

CARVER2

CIP Decision Support System

• High level systems of infrastructures
• 1st order of dependencies
• Common metrics for impact
• Alternative risk mitigation options

CIPMA (Australia)

RAMCAP-Plus

1. Asset characterisation
2. Threat characterisation
3. Consequence analysis
4. Vulnerability analysis
5. Threat assessment
6. Risk and Resilience assessment
7. Risk and Resilience Management

• Most critical assets in a facility
• Higher level analysis
• Cross-Sectoral risk comparison
• Resilience is central

SRA tool
Summary
• Large set of methods and tools
• Cover various stages of the risk management process and various needs
• Resilience is not included in several tools explicitly
• Data input is a challenge
• For consequence analysis: Aggregated impact or Scoring

[Figure labels: Operator level, Sector level, National level, Cross-border level]

Organisations exist within a community/system

Resilience is needed at all levels of this system

CIPedia©
A multi-disciplinary glossary

www.cipedia.eu
Stay in touch

•EU Science Hub: ec.europa.eu/jrc

•Twitter: @EU_ScienceHub

•Facebook: EU Science Hub - Joint Research Centre

•LinkedIn: Joint Research Centre

•YouTube: EU Science Hub
