Analysis of Interdependencies and Risk in Oil & Gas Infrastructure Systems
Yacov Y. Haimes, Project Director; Joost R. Santos; Kenneth G. Crowther; Matthew H. Henry; Chenyang Lian; Zhenyu Yan
This work was produced under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College and supported under Award number 2003-TK-TX-0003 from the U.S. Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the author(s) and do not necessarily represent the official position of the U.S. Department of Homeland Security, the Science and Technology Directorate, the I3P, or Dartmouth College. Copyright 2005. Trustees of Dartmouth College. Copyright 2007. Trustees of Dartmouth College.
TABLE OF CONTENTS
Introduction ... 2
Section 1: Filtering and Prioritizing SCADA Risk Scenarios ... 4
  Stage 1: Develop a Hierarchical Holographic Model (HHM) ... 4
  Stage 2: Partition based on temporal domain and level of decision-making ... 4
    Strategic Risk Scenarios ... 5
    Tactical Risk Scenarios ... 7
  Stage 3: Risk Scenario Filtering and Ranking ... 7
    Strategic Risk Scenarios ... 7
    Tactical Risk Scenarios ... 8
  Stage 4: Evaluation of Effects on System Dependability ... 9
  Insights ... 12
Section 2: Quantifying Risk in Interdependent Infrastructures ... 13
  Modes of Infrastructure Coupling ... 14
    Physical Coupling ... 14
    Information and Logical Coupling ... 15
    Interregional Economic Coupling ... 16
    Inter-sector Economic Coupling ... 16
  Risk Modeling for Analysis ... 17
    Inoperability Input-output Model (IIM) ... 17
    Hierarchical Holographic Model (HHM) ... 18
    Hierarchical Coordinated Bayesian Model (HCBM) ... 19
    Network Security Risk Model (NSRM) ... 20
    Petroleum Infrastructure Response Model (PIRM) ... 20
  Model Integration for Multi-level Risk Assessment ... 21
Section 3: Managing Risk in Interdependent Infrastructures ... 22
Section 4: Illustrative Examples ... 24
  Network Risk Assessment and Management ... 24
  Regional Preparedness and Risk Management ... 26
  Dynamic Recovery Analysis ... 27
Section 5: Conclusions and Future Work ... 31
References ... 32
1 of 34 12/19/2005
Introduction
This report documents the analytical contributions of the Center for Risk Management of Engineering Systems at the University of Virginia (UVA Risk Center) to the Process Control Network Security project conducted by the Institute for Information Infrastructure Protection (I3P) from 2005 to 2007. The focus of the UVA Risk Center's effort was to understand, quantify, and develop methodologies for managing the risk of cyber attacks on interdependent infrastructures, particularly infrastructures employed in the production, refining, and distribution of Oil & Gas commodities. The results of the two-year study include (1) an assessment of the various sources of risk to Oil & Gas infrastructures due to cyber and other threats, (2) methodologies for the quantification of cyber and other risk at the facility, infrastructure, and economic levels, (3) several case studies that illustrate the utility of the models developed, and (4) methodologies and recommendations to manage cyber and other risks to interdependent infrastructures.

The motivating problem that precipitated the methodological and analytical developments over the last two years can be stated as follows: given a sufficiently sophisticated and well-executed cyber attack on one or more process control networks embedded in Oil & Gas infrastructure, what are the likelihood and severity of the consequences, as measured at the facility, infrastructure, and economic levels? Furthermore, what can and should be done to manage the risks posed by cyber and other threats at the multiple levels of decision-making? In this problem, the infrastructure systems of interest are highly interconnected and interdependent, both within the Oil & Gas industry and with external supporting and dependent infrastructure and economic sectors. Moreover, the interdependencies are manifested at many different levels.
At the macroeconomic level, interdependencies exist between economic sectors, between geographic regions, and between economic sectors in one region and different sectors in other regions. At the infrastructure level, interdependencies exist between crude oil producers and importation facilities, refinery operations, and pipeline capacity. At the facility level, interdependencies exist between the functionality of process control components and the operation of the controlled processes. Furthermore, during an attack, interdependencies exist between the attacker's tactical decisions in pursuit of infrastructure disruption and the network security system in its role of detecting and managing intrusions. Untangling these complex interdependencies resulted in a multi-scale approach to modeling, providing a cost-effective capability to estimate tradeoffs among various risk management options.

Assessment of risk must take into account interdependencies at all levels. However, the problem quickly becomes intractable due to the different domains in which interdependencies manifest themselves. The first step in addressing the larger problem is decomposing it into coupled sub-problems that can be more easily digested and addressed with analytical tools. Figure 1 illustrates the problem decomposed into functional domains. Different models and methodologies are used across functional domains to assess the risks associated with disruptions propagating from lower-level domains. In particular, the risk of cyber attack on facility-level process control networks is quantified by resolving the effects of Information Coupling in the Process Control Domain to evaluate the degree of Process Control Disruption, which, when considered in conjunction with Physical Process Coupling in the Production Domain, gives a measure of the likelihood and severity of Product Disruption. In the Infrastructure Domain, Commodity Disruption is a product of local Product Disruption at the facility level and Physical Regional Coupling across the interconnected infrastructures that produce, import, refine, and distribute Oil & Gas commodities. Risk is given as a measure of the likelihood and severity of Commodity Disruption after resolution of infrastructure interdependencies.
In the Economic Domain, risk is measured as the likelihood and severity of Sector Disruption, a product of regional Commodity Disruption and Transactional Regional Coupling, which accounts for intersector and inter-regional interdependencies.
The remainder of this report is organized as follows. Section 1 discusses risk scenarios generated via four parallel HHM sessions at the initial I3P workshop in Houston, Texas. Section 2 enumerates and describes several analytical models and methodologies employed by the UVA Risk Center throughout this project, including several that have been developed during the course of the project. Section 3 develops methodologies and recommendations for risk management. Section 4 presents analytical results based on selected case studies. Finally, Section 5 discusses opportunities for future work in interdependency analysis in the Oil & Gas industry and in general.
risk scenarios were divided into two groups: strategic and tactical risk scenarios. Strategic scenarios are those for which significant planning and resource collection and allocation is required on the part of attackers and system defenders. Tactical scenarios are those corresponding to real-time attacker-system interaction and represent methods which might be combined to form an attack or defense strategy. Note that the partitioning is imperfect. For many of the risk scenarios, a sound case could be made for identifying them with either group. The grouping presented here was expedient for filtering and prioritization.
investing in inherent security of emerging technologies and employee education and security incentives, the filtering and ranking is based on the strategic decision being made to not take these risk-managing actions.
Table 1 Assessment of Effects on System Dependability - Strategic Risk Scenarios
[Table columns: Scenario; Effect on Resilience; Effect on Robustness; Effect on Redundancy. The extracted text does not preserve which effect belongs to which scenario and column, so scenarios and effects are listed separately.]

Scenarios:
[S1] On-site contractor or disgruntled employee (insider threat)
[S2] Use of open-source protocols
[S3] Connectivity to business LAN
[S4] (Not) investing in employee education
[S5] Dependence on external infrastructure
[S6] Vulnerable non-critical assets provide path to critical assets
[S7] Lack of system-wide security solutions
[S8] (Not) investing in secure emerging technologies

Effects recorded in the table:
Impediment to automated emergency response systems
Provides a consistent path for attack until protocol changed
Impediment to emergency response personnel alerting
Impedes the ability of an organization to respond and recover from an attack
Impediment to emergency recovery and external communications
Provides consistent path to SCADA network
Makes social engineering and access theft more likely to succeed
Path for system failure
Multiple paths for system failure
Failure of an external infrastructure removes one level of redundancy
Potentially disables redundant components or subsystems
Expert knowledge of weak spots in system
Public knowledge of weak spots in system
Softens target prior to attack
Potentially disables spares and recoverability systems
Disables spares and recoverability systems
Improved technologies will enable faster and more reliable fault recovery
Improved technologies will enhance security via authentication and other intrusion prevention measures
Table 2 Assessment of Effects on System Dependability - Tactical Risk Scenarios
[Table columns: Scenario; Effect on Resilience; Effect on Robustness; Effect on Redundancy. As with Table 1, the extracted text does not preserve the cell-to-scenario assignment, so scenarios and effects are listed separately.]

Scenarios:
[T1] Exploit emergency response plan
[T2] Hoard and release energy
[T3] DOS/DDOS
[T6] Mail-distributed scripts
[T6] Packet spoofing

Effects recorded in the table:
Impediment to emergency response procedures
Impediment to automated emergency response systems
Impediment to external communications
Softens response systems to augment effectiveness of attack
Softens target prior to attack
Renders multiple components or subsystems inoperable
Disables system communications
Access to confidential data may yield knowledge of weak spots in system
Enables local process control manipulation
Provides weak spot and path for attack
Disables spares and recoverability systems
Attacker may disable spares and recoverability systems
Insights
The RFRM analysis in this section describes how identified risk scenarios should be viewed in terms of their likelihood, consequences, and the nature of their effects on the target systems. Moreover, to be consistent with the RFRM process, the analysis is not exhaustive and should be continually refined by identifying more detailed risk scenarios and adopting some measure of likelihood estimation based on available intelligence data [16]. In spite of these limitations, the analysis yields valuable insight into the risks posed by vulnerable SCADA systems for this interdependency study. One conclusion that can be drawn from this analysis is that the risk scenarios of greatest severity require risk management solutions of a multi-scale nature. For example, the dominant risk scenarios in the two operational partitions, the insider threat and the exploitation of emergency response plans, pose complex problems that require a comprehensive management policy development effort addressing the challenges posed by organizational, technical, and operational systems. Another conclusion that can be drawn is the degree to which infrastructure interdependence poses risk to SCADA systems. This is highlighted by the risks associated with accessibility via IP networks, dependence on utility infrastructure, and the exposure of critical assets through their interdependence with ostensibly non-critical components or subsystems. Finally, the need for comprehensive technological security measures in SCADA systems is clear, particularly the need for better authentication technologies, improved system-wide security measures, and more secure communication protocols.

This calls for a systematic and systemic life-cycle approach to security implementation in which all of the stakeholders participate, from the development of system requirements to the implementation of systems that can securely evolve as requirements change and capability is added in the form of new hardware and software subsystems. Future work in the area of risk identification and characterization in SCADA systems includes a more comprehensive and detailed identification of risk scenarios, and a process for continual improvement and adaptation. This analysis, for example, would benefit from a more thorough development of the initial HHM. As it currently exists, the HHM was developed in a short period of time and lacks the depth and detail that would ideally come from a more exhaustive modeling effort. While the HHM exercise yielded much-needed insight into potential sources of risk in Oil & Gas SCADA and infrastructure systems, the current HHM entries are largely conceptual, describing dimensions and scales of risk without reference to detailed risk scenarios. The value of having specific scenarios is that the filtering and ranking exercises undertaken in this analysis then yield a more meaningful prioritization of risk management tasks with respect to allocating resources and developing realizable solutions.
Risk assessment is the pursuit of understanding how adverse consequences might arise as the result of destructive forces acting upon systems of interest. Furthermore, by understanding how the state of the system contributes to its vulnerability to different sources of risk, risk assessment provides insight into how to manage risk by changing the state of the system in such a way that its vulnerability, and consequently the risk of adverse consequences, is reduced. Kaplan and Garrick [20] posed the risk assessment triplet:
1. What can go wrong?
2. What is the likelihood?
3. What are the consequences?
Ideally, the process of risk assessment fully develops answers to these questions and thus holistically captures all sources of risk and assesses their associated likelihoods and consequences. Most traditional assessment methodologies decompose systems into isolated subsystems for analysis and recombination to create system-level measures [21]. This approach, however, is inadequate for the analysis of complex and interdependent systems of systems. Rinaldi et al. [27] underscore the need to enhance interdependency analysis. In their words, "it is clearly impossible to adequately analyze or understand the behavior of a given infrastructure in isolation from the environment or other infrastructures; rather, we must consider multiple interconnected infrastructures and their interdependencies in a holistic manner." Current work seeks to address this gap and improve methods for interdependency assessment.
Physical Coupling
Physical coupling between subsystems and components can be described as the means by which energy, information bits, or matter is physically transferred from one component to another. In the case of interdependent infrastructures, physical couplings are manifested in the transmission of (1) electricity from distribution networks to electro-mechanical loads via transformers and transmission wires, (2) water and gas from distribution infrastructures to points of consumption via plumbing, (3) materials from one process to another, or one facility to another, via plumbing, pipeline, or other transport, and (4) information from one network component to another via electrical transmission and reception of physical signals. Physical couplings have the capacity to render multiple systems inoperable if disrupted. For example, refineries cannot ship their products to consumers by way of a pipeline if the valves that enable flow from the holding tanks to the pipeline are immovably shut. Due to their high degree of criticality to most systems, physical couplings tend to be highly robust and are often redundant. However, they are typically neither adaptable nor resilient, due to structural and mechanical constraints. Therefore, the risks associated with physical couplings tend to be characterized by significant consequences but relatively low likelihood.
In June 1999, system failure of a SCADA system was believed to have caused leakage of 277,000 gallons of gasoline from the Olympic Pipeline in Washington State. This incident caused the shutdown of the pipeline for nearly 1.5 years. Tanker trucks and barges were used for petroleum transport during this time, which consequently led to higher retail prices.
attack could cause widespread damage due to infrastructure interdependencies. Therefore, in order to ensure the security of critical infrastructure sectors, it is imperative not only to understand their inherent physical and economic linkages, but also the additional information and logical interdependencies associated with NIS.
This observation was made after compiling and summarizing more than one hundred EIA Hurricane Rita Situation Reports.
The IIM is an inexpensive, holistic method for estimating economic impacts and sector interdependencies. It models the nation, or some region of contiguous states or counties, as an interdependent set of linear causal relationships with perfect communication between all economic sectors. Thus, the resulting effects of a perturbation are estimated uniformly across the entire region and without temporal recovery details. This lack of spatial and temporal explicitness in IIM risk analysis yields only average estimates across geography and time. Such estimates may lead to overlooking geographically concentrated risks or significant cross-regional interdependencies and the dynamic effects associated with post-event recovery. Extensions to the IIM have been developed to address these problems. The Dynamic IIM (DIIM) describes the temporally interdependent recovery of sectors after an attack or natural disaster. The concept of resilience is incorporated so that the improvement of various sectors can be quantified and managed over time. Like the IIM, the DIIM shows the economic loss and the number of sectors affected when considering different policy options, which directly or indirectly change the recovery dynamics of different sectors, as quantified by resilience coefficients in the dynamic model. The MR-IIM surveys available, relevant geo-spatial databases and integrates them to derive estimated impacts to multiregional systems for risk analysis. This model generates multiple scenarios, which serve the purpose of estimating higher-order impact propagations across multiple regions and industry sectors.
[Figure (image not recovered): HHM head topic "Interdependencies" with four columns of sub-topics]
Types of Couplings: Physical; Cyber; Economic; Telecom.; Geographic; Logical
Response Times: Real-time; Time-lag; Days; Months; Equilibrium
Failure Propagation: Cascading; Amplifying; Dampening; Distributed
Other: Linear/Non-linear; Adaptive/Fixed; Deterministic/Random; String/Mesh
Derivatives of the HHM, the AMP-HHM [12] and the RFRM ([11], [16]) provide more extensive frameworks for collaborative and resource allocation analyses, respectively. In particular, the AMP-HHM is a framework for making more structured use of experts from different points of view when analyzing risk in specific assets or classes of systems. In conducting an AMP-HHM exercise, each of several teams of experts is charged with constructing an HHM from its specified point of view, after which the HHMs are combined to build a richer model of the system of interest. For example, two teams, one representing asset owners and the second representing potential adversaries, would build two separate HHMs to capture, from each perspective, the possible paths of attack, methods of defense, and so forth. The combined HHM, then, serves as a seed for future HHM adaptation on the part of each team. The RFRM makes use of HHM development to construct risk scenarios, which are then filtered and ranked according to assessed likelihood and consequence in order to make reasoned judgments for risk management.
the database into multiple perspectives, HCBM can integrate both direct data and indirect data from multiple sources and make inferences on extreme event likelihoods and consequences using hierarchical coordination. Thus, HCBM can largely reduce the estimation variance and enhance estimation accuracy relative to direct estimation methods for extreme event data analysis.
[Figure (image not recovered): PIRM schematic of the petroleum supply chain by region. Nodes: PADD 1, PADD 2, PADD 3, PADD 4, PADD 5; stages: Domestic Crude and Imported Crude feeding Crude Distribution, then Refining, then Finished Distribution; inter-regional flows: Crude to Other PADDs, Crude from Other PADDs, Finished to Other PADDs, Finished from Other PADDs.]
Note that the PIRM complements the more sophisticated system dynamics model developed by the National Infrastructure Simulation and Analysis Center (NISAC) at the Sandia National Laboratory. If used in conjunction with NISAC, the PIRM can be used to quickly identify scenarios of high consequence for more detailed and dynamic analysis by NISAC.
The previous section reviewed several methodologies that permit answers to the first two questions. Specifically, the identification of candidate risk management policies can be accomplished through HHM and AMP-HHM, where measures are elicited to mitigate either the likelihood or the consequence of disruptive events. Furthermore, RFRM can assist in allocating priority to addressing specific risk scenarios. Evaluating tradeoffs requires the quantitative assessment of risk for comparison with the costs of risk management. For large-scale economic systems, the IIM and its extensions, the DIIM and the MR-IIM, provide quantitative estimates of the economic impact stemming from the disruption of commodity production or distribution. The NSRM and HCBM provide tools for assessing the risk of cyber attacks on process control networks at the facility level. These risk models provide a means of evaluating the efficacy of candidate risk management policies by producing a measure of risk with and without the policy in place. These assessments, when compared against the estimated cost of risk management policies, permit an evaluation of cost-benefit-risk tradeoffs. For example, Figure 9 plots the results of an analysis conducted using the MR-IIM to assess the losses due to Hurricane Katrina (2006) to different sectors of the economy. Figure 10 illustrates an assessment of what the benefits of proactive risk management might have been to Gulf Coast residents prior to Hurricane Katrina in 2006, based on a hypothetical capability of reducing the hurricane's consequences across specific sectors [6]. The analysis illustrates, furthermore, how cost and benefit could be distributed among different interest groups to evaluate the efficacy of different risk management policies with respect to the disruption of specific economic sectors.
Addressing the third question requires a new approach that employs the risk models in a dynamic decision framework, evaluating the cost-benefit-risk tradeoffs in the context of future options constrained by past and present decisions. Henry [17] and Haimes [18] developed an envelope-based methodology for evaluating the efficacy of risk management policies, based on the envelope approach to multiobjective optimization problems [25]. For facility-level analysis, the NSRM is used as a risk assessment engine to provide measures of risk for the evaluation of candidate policies over the course of several decision periods, which correspond to corporate resource allocation cycles. Finally, minimax envelopes provide an analysis that is robust to the uncertainty associated with cyber attack scenarios. At a macroeconomic level, the MR-IIM is embedded in the minimax envelope framework to evaluate preparedness and emergency response policies at a regional level.
[Figure 9 (image not recovered): vertical axis Thousands of Employees, logarithmic from 1.E+03 to 1.E+05; sectors shown: Trans., Resources, Mfg., Banks & Info., Services, Wholesale&Retail]
Figure 9 Approximate distribution of direct and indirect impacts across Louisiana economic sectors during the month after Katrina [6]

[Figure 10 (image not recovered): vertical axis Thousands of Employees, logarithmic from 1.E+03 to 1.E+05; sectors shown: Trans., Mfg., Banks & Info., Recreation, Services, Resources, Wholesale&Retail]
Figure 10 Hypothetical redistribution of impacts from preparedness activity [6]
To evaluate the efficacy of different risk management options, then, the localized effects of each option are mapped to the attack model parameter space for each of the attack scenarios, inducing new measures of risk under the implemented risk management policy. Minimax envelopes are found as the solution to a multiobjective optimization problem, providing a Pareto frontier for the set of risk management options in the objective space, where the objectives are to minimize risk and to minimize the cost of risk management. Consider, for example, that five options are being considered: (1) implement two-factor authentication for all machines, (2) encrypt all communication channels, (3) upgrade the intrusion detection system, (4) implement fail-safe control logic in all devices, and (5) implement redundant controls for all processes. Each of these options has an assumed cost of implementation and an estimated effect on some characteristic of the security configuration. By mapping these local effects to the NSRM parameter space, the value of each option is ascertained from a system perspective and, when compared to the cost of implementation, provides a basis for making informed decisions with respect to resource allocation. Figure 12 illustrates the Pareto frontier that results from assessing the tradeoffs for multiple attack scenarios, where the minimax envelope is robust to the scenario uncertainty. Each point on the frontier represents the multiobjective value of a combination of three options, where each option is denoted by A (authentication), I (intrusion detection), E (encryption), F (fail-safe logic), R (redundant controls), or N (do nothing). The decision-maker then assesses the tradeoffs between risk and the cost of managing risk in order to choose the best combination from the efficient set.
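The minimax-envelope tradeoff described above can be worked through in code. The following is an added example, not code from the report or the UVA Risk Center: it uses the five options named in the text (A, E, I, F, R, with N for "do nothing") but with constructed costs, constructed per-scenario risk reductions and an assumed multiplicative risk model standing in for the NSRM. It enumerates every combination of up to three options, takes the worst-case residual risk across three constructed attack scenarios as the minimax value of each combination, and returns the Pareto frontier over (cost, worst-case risk).

```python
"""Minimax-envelope Pareto frontier over combinations of risk management options.

Added example, not the report's code. Costs, per-scenario effects and baseline
risks are constructed, and the multiplicative risk model is an assumption
standing in for the NSRM.
"""
from itertools import combinations

# Constructed option catalogue: implementation cost (arbitrary units) and, for
# each of three constructed attack scenarios s1..s3, the fraction of that
# scenario's baseline risk the option removes.
OPTIONS = {
    "A": {"cost": 30.0, "effect": {"s1": 0.50, "s2": 0.10, "s3": 0.20}},  # two-factor authentication
    "E": {"cost": 25.0, "effect": {"s1": 0.10, "s2": 0.60, "s3": 0.10}},  # encrypt communication channels
    "I": {"cost": 40.0, "effect": {"s1": 0.30, "s2": 0.30, "s3": 0.30}},  # upgrade intrusion detection
    "F": {"cost": 20.0, "effect": {"s1": 0.05, "s2": 0.05, "s3": 0.50}},  # fail-safe control logic
    "R": {"cost": 35.0, "effect": {"s1": 0.10, "s2": 0.10, "s3": 0.40}},  # redundant controls
}
BASELINE_RISK = {"s1": 100.0, "s2": 80.0, "s3": 120.0}  # constructed risk with no option in place
MAX_OPTIONS = 3  # the report's example combines up to three options; unused slots are "N"


def residual_risk(combo):
    """Risk per scenario after applying the options in combo.

    Assumed model: each option independently removes its stated fraction of
    the scenario's remaining risk, so effects multiply rather than add."""
    risk = {}
    for scenario, base in BASELINE_RISK.items():
        remaining = base
        for option in combo:
            remaining *= 1.0 - OPTIONS[option]["effect"][scenario]
        risk[scenario] = remaining
    return risk


def evaluate(combo):
    """Return (label, total cost, worst-case risk) for one combination.

    The worst case across scenarios is the minimax value: the decision-maker
    plans against whichever attack scenario leaves the most risk."""
    label = "".join(sorted(combo)).ljust(MAX_OPTIONS, "N")
    cost = sum(OPTIONS[option]["cost"] for option in combo)
    worst = max(residual_risk(combo).values())
    return label, cost, worst


def pareto_frontier(max_options=MAX_OPTIONS):
    """Non-dominated (cost, worst-case risk) points over all combinations.

    A point is dominated if another combination costs no more and leaves no
    more risk, with at least one strictly better. Sorting by (cost, risk) and
    keeping only points that improve on the best risk seen so far yields the
    efficient set in increasing-cost order."""
    points = [
        evaluate(combo)
        for size in range(max_options + 1)
        for combo in combinations(OPTIONS, size)
    ]
    points.sort(key=lambda p: (p[1], p[2]))
    frontier, best_risk = [], float("inf")
    for point in points:
        if point[2] < best_risk:
            frontier.append(point)
            best_risk = point[2]
    return frontier


if __name__ == "__main__":
    for label, cost, risk in pareto_frontier():
        print(f"{label}  cost={cost:6.1f}  worst-case risk={risk:6.2f}")
```

The frontier starts at NNN (no cost, full baseline risk) and ends at the cheapest combination that minimizes worst-case risk; every other combination is dominated and never reaches the decision-maker. With the constructed numbers, a single cheap option (F) already appears on the frontier, while some expensive triples do not, which is the kind of result the tradeoff analysis exists to expose.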
management alternatives can be compared in terms of their capabilities to improve the system's performance relative to the integrated risk metrics developed from the IIM (inoperability and economic loss) and its dynamic extension (recovery period and resilience). To demonstrate the dynamic recovery analysis framework for assessing the security of an oil and gas SCADA system, a cyber-enabled attack scenario is considered that causes Gulf of Mexico crude oil terminals to be inaccessible to tankers for five weeks. Suppose further that this scenario results in an 80% reduction in crude availability for Gulf-area refineries and a 40% reduction in overall US crude availability for the affected time period. The impact analysis for this scenario is decomposed into several regions according to the Petroleum Administration for Defense Districts (PADD) as defined by the Department of Energy (see Figure 14). We assumed that the disruption periods for PADDs I, II, and III are roughly 10 days, and that the recovery periods for these three PADD regions are about 12 weeks. Applying the disruption scenario as input to the recovery analysis, the ripple effects can be estimated for the several regions and sectors of the economy. Figure 3 gives a summary of the economic loss impact for each PADD region. Note that a limitation of this case study is the use of non-current data in our analysis [30]; as a result, regions that were relatively less interdependent, such as PADD regions IV and V, suffered negligible effects. Hence, the recovery and economic impact analysis of ripple effects to various sectors is performed only for PADD regions I-III.

In the interest of space, only the detailed results for PADD I are shown here. Figure 15 shows that, for PADD I, the sectors with the highest inoperabilities are as follows: (1) PIPE; (2) PETR; (3) OILG; (4) MING; and (5) RENT. On the other hand, Figure 16 shows the PADD I sectors that are expected to suffer the highest economic losses: (1) PETR; (2) PIPE; (3) OILG; (4) OTHR; and (5) REAL.
Table 3 Economic Losses of PADDs I-V
http://www.eia.doe.gov/pub/oil_gas/petroleum/analysis_publications/oil_market_basics/paddmap.htm
28 of 34 12/19/2005
Although the first three sectors in both rankings are the same (PIPE, PETR, OILG), the two rankings differ in general. For example, MING (mining except oil and gas) and RENT (rental and leasing services and lessors of intangible assets) are among the top-5 most inoperable sectors but not among the top-5 sectors with the highest economic losses, while OTHR (other services) and REAL (real estate) are among the top-5 sectors with the highest economic losses but not among the top-5 most inoperable sectors. The inoperability and economic loss results therefore provide complementary insights when developing risk management options. Economic loss describes the monetary impact, while inoperability refers to the loss of physical functionality. The rankings generated from these two metrics typically differ because sectors have different economic weight: economic loss represents the financial value of the impact to a sector, whereas inoperability captures the relative impact, normalized by the sector's economic value.
Figure 15 (plot not reproduced): inoperability (%) versus time (days) for the top-5 PADD I sectors by inoperability: Pipeline transportation (PIPE), Petroleum and coal products manufacturing (PETR), Oil and gas extraction (OILG), Mining except oil and gas (MING), and Rental and leasing services and lessors of intangible assets (RENT).

Figure 16 Dynamics of Top-5 Sectors with Highest Economic Losses (PADD I). (Plot not reproduced: economic losses ($M) versus time (days) for Petroleum and coal products manufacturing (PETR), Pipeline transportation (PIPE), Oil and gas extraction (OILG), Other services (OTHR), and Real estate (REAL).)
The economic analysis of dynamic recovery can be linked to a physical-domain analysis of an oil and gas infrastructure (see Figure 1). For example, taking the results of plant-level incident scenario analyses (such as the output of an agent-based simulation), interdependency analysis can be used to model and assess the ripple effects to other sectors of the regional economy. Given the magnitude of the direct disruption to a sector, the dynamic recovery analysis generates two types of risk metrics to assess the consequences: inoperability and economic loss. Risk management options for reducing the impacts of the disaster on the economy can be considered by decision-makers at various levels, such as corporate executives, local officials, and federal agencies. A cost-benefit-risk analytical framework will be applied to evaluate the efficacy of each potential option identified in the case study. As a baseline, the risk assessment is conducted for a particular scenario (e.g., a cyber risk scenario) assuming that no risk management actions are taken. Next, the assessment is repeated for the same scenario with one or more risk management options implemented to counter the associated risks. Comparing the response and recovery times (and associated costs) and the impacts of the attack with and without risk management quantifies the net benefit of the option(s). In addition, the underlying cost of each risk management option will be estimated and presented to the decision-makers together with its net benefit relative to the baseline scenario. Because the options are grounded in an explicit cost-benefit-risk tradeoff analysis, decision-makers obtain a holistic understanding of their potential costs and benefits and can choose one or more of the options recommended for specific critical infrastructure risk scenarios.
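The following is an added worked example, not code or data from the report: it runs the dynamic inoperability input-output recursion in the published form q(t+1) = q(t) + K[A* q(t) + c*(t) - q(t)] (Lian and Haimes [23]; the static IIM q = A* q + c* of Haimes et al. [13] is its fixed point) on a constructed five-sector toy economy, to show three things the case-study text above describes: a direct crude-availability shock rippling into coupled sectors, why the inoperability ranking and the economic-loss ranking of sectors differ (economic loss weights inoperability by each sector's as-planned output), and the baseline-versus-option comparison of the cost-benefit-risk framework. The interdependency matrix A*, the daily outputs x, the resilience coefficients K, the sector codes, the 80%-for-10-days shock, and the two options with their costs are all constructed assumptions, not the PADD I values of the report. The example generalises the report's single scenario to any sector, magnitude and duration. One property worth knowing when reading the option table: with a pulse perturbation and full recovery, summing the recursion over time gives (I - A*) Σq = Σc*, so the time-integrated inoperability (and hence the cumulative economic loss) does not depend on K at all; faster resilience shortens the recovery period but does not reduce cumulative loss in this model, which is exactly why the text pairs economic loss with recovery period and resilience as separate metrics.

```python
"""Dynamic Inoperability Input-Output Model (DIIM) walk-through on a constructed
five-sector toy economy. The recursion is the published DIIM form
(Lian and Haimes [23]); every number below is made up for illustration and
is NOT the report's PADD data. Pure Python so it runs without numpy."""

SECTORS = ["PIPE", "PETR", "OILG", "MING", "REAL"]

# Interdependency matrix A*: A_STAR[i][j] = inoperability induced in sector i
# per unit inoperability of sector j (constructed). Row sums are below 1, so
# the static solution q = (I - A*)^-1 c* exists and is finite.
A_STAR = [
    [0.00, 0.30, 0.40, 0.05, 0.01],  # PIPE  moves crude (OILG) and products (PETR)
    [0.25, 0.00, 0.35, 0.05, 0.01],  # PETR  refines crude, ships by pipeline
    [0.15, 0.10, 0.00, 0.05, 0.01],  # OILG
    [0.10, 0.10, 0.15, 0.00, 0.01],  # MING
    [0.02, 0.03, 0.02, 0.01, 0.00],  # REAL  weakly coupled but dollar-heavy
]
# As-planned output x_i in $M/day (constructed). REAL has little inoperability
# but a large dollar base, which is what separates the two rankings.
X_PLANNED = [5.0, 40.0, 30.0, 8.0, 120.0]
# Resilience (recovery-rate) coefficients k_i per day (constructed).
K_BASE = [0.12, 0.10, 0.08, 0.10, 0.15]
HORIZON = 365  # simulated days; long enough for every sector to recover


def perturbation(sector, magnitude, days, horizon=HORIZON):
    """Direct perturbation c*(t): `magnitude` on `sector` for `days` days, then 0."""
    j = SECTORS.index(sector)
    return [[magnitude if (t < days and i == j) else 0.0 for i in range(len(SECTORS))]
            for t in range(horizon)]


def simulate(c_star, k=K_BASE):
    """DIIM recursion q(t+1) = q(t) + K [A* q(t) + c*(t) - q(t)], q(0) = 0.
    Inoperability is a fraction, so each step is clipped to [0, 1]."""
    n = len(SECTORS)
    q = [[0.0] * n]
    for c_t in c_star:
        prev = q[-1]
        nxt = []
        for i in range(n):
            coupled = sum(A_STAR[i][j] * prev[j] for j in range(n))
            val = prev[i] + k[i] * (coupled + c_t[i] - prev[i])
            nxt.append(min(1.0, max(0.0, val)))
        q.append(nxt)
    return q


def metrics(q, disruption_days, threshold=0.01):
    """Per-sector inoperability-days, cumulative economic loss ($M) and peak
    inoperability, plus the recovery period: days after the disruption ends
    until every sector is within `threshold` of normal operation."""
    n = len(SECTORS)
    inop_days = [sum(row[i] for row in q) for i in range(n)]
    loss = [X_PLANNED[i] * inop_days[i] for i in range(n)]
    peak = [max(row[i] for row in q) for i in range(n)]
    recovery = None
    for d, row in enumerate(q[disruption_days + 1:]):
        if max(row) < threshold:
            recovery = d
            break
    return {"inop_days": inop_days, "loss": loss, "peak": peak, "recovery_days": recovery}


def ranking(values):
    """Sector names ordered from most to least affected by `values`."""
    return [s for _, s in sorted(zip(values, SECTORS), reverse=True)]


def run_scenario(magnitude=0.8, days=10, k=K_BASE):
    """Crude-availability shock on OILG of `magnitude` for `days` days."""
    return metrics(simulate(perturbation("OILG", magnitude, days), k), days)


def compare_options(options, magnitude=0.8, days=10):
    """Cost-benefit-risk comparison against the no-action baseline:
    net benefit = baseline loss - loss with option - option cost.
    Each option is (name, cost_$M, disruption_days, k)."""
    base = run_scenario(magnitude, days)
    base_loss = sum(base["loss"])
    rows = []
    for name, cost, opt_days, opt_k in options:
        m = run_scenario(magnitude, opt_days, opt_k)
        rows.append({"option": name, "cost": cost, "loss": sum(m["loss"]),
                     "net_benefit": base_loss - sum(m["loss"]) - cost,
                     "recovery_days": m["recovery_days"]})
    return base, rows


OPTIONS = [  # constructed illustrative options
    ("alternate crude delivery halves the outage", 150.0, 5, K_BASE),
    ("doubled resilience coefficients", 40.0, 10, [2 * x for x in K_BASE]),
]

if __name__ == "__main__":
    base, rows = compare_options(OPTIONS)
    print("ranked by inoperability-days:", ranking(base["inop_days"]))
    print("ranked by economic loss     :", ranking(base["loss"]))
    print("baseline loss $M %.1f, recovery days %s" % (sum(base["loss"]), base["recovery_days"]))
    for r in rows:
        print(r)
```

Run as a script and the two rankings come out as OILG, PIPE, PETR, MING, REAL by inoperability-days but OILG, PETR, REAL, PIPE, MING by economic loss: REAL climbs two places purely because of its dollar weight, the same effect that puts REAL and OTHR into the report's top-5 loss list without appearing in its top-5 inoperability list. In the option table the first option roughly halves the cumulative loss and shows a positive net benefit after its cost, while the second shortens the recovery period but leaves cumulative loss unchanged, so it only pays off under a decision rule that values recovery time explicitly. Note also that the same K governs how fast inoperability builds up during the shock as well as how fast it decays afterwards, so doubling K raises the peak even as it shortens the recovery.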
References

[1] C.W. Anderson, J.R. Santos, and Y.Y. Haimes, A Risk-Based Input-Output Methodology for Measuring the Effects of the August 2003 Northeast Blackout, Economic Systems Research, 19(2): 183-204, 2007.
[2] R.G. Bace, Intrusion Detection, Macmillan Technical Publishing, 2000.
[3] K.G. Crowther, Development of a Multiregional Framework and Demonstration of its Feasibility for Strategic Preparedness of Interdependent Regions, Ph.D. Dissertation, Department of Systems and Information Engineering, University of Virginia, 2006.
[4] K.G. Crowther and Y.Y. Haimes, Applications of the Inoperability Input-Output Model (IIM) for Systemic Risk Assessment and Management of Interdependent Infrastructures, Systems Engineering, 8(4): 323-341, 2005.
[5] K.G. Crowther and Y.Y. Haimes, Development and Deployment of the Multiregional Inoperability Input-Output Model for Strategic Preparedness of Interdependent Regions, submitted to the Journal of Systems Engineering, 2007.
[6] K.G. Crowther, Y.Y. Haimes, and G.E. Taub, Systemic Valuation of Strategic Preparedness through Application of the Inoperability Input-Output Model with Lessons Learned from Hurricane Katrina, to be published in Risk Analysis, 2007.
[7] M.J. Dombroski, Y.Y. Haimes, J.H. Lambert, K. Schlussel, and M. Sulcoski, Risk-based methodology for support of operations other than war, Military Operations Research, 7(1): 19-38, 2002.
[8] B.C. Ezell, Y.Y. Haimes, and J.H. Lambert, Cyber attack to water utility supervisory control and data acquisition (SCADA) systems, Military Operations Research, 6(2): 23-33, 2001.
[9] Y.Y. Haimes, Hierarchical holographic modeling, IEEE Transactions on Systems, Man, and Cybernetics, 11(9): 606-617, 1981.
[10] Y.Y. Haimes, Total risk management, Risk Analysis, 11(2): 169-171, 1991.
[11] Y.Y. Haimes, Risk Modeling, Assessment, and Management, 2nd ed., Wiley, New York, 2004.
[12] Y.Y. Haimes and B.M. Horowitz, Adaptive two-player hierarchical holographic modeling game for counterterrorism intelligence analysis, Journal of Homeland Security and Emergency Management, 1(3), 2004.
[13] Y.Y. Haimes, B.M. Horowitz, J.H. Lambert, J.R. Santos, C. Lian, and K.G. Crowther, Inoperability input-output model (IIM) for interdependent infrastructure sectors. I: theory and methodology, ASCE Journal of Infrastructure Systems, 11(2): 67-79, 2005a.
[14] Y.Y. Haimes, B.M. Horowitz, J.H. Lambert, J.R. Santos, K.G. Crowther, and C. Lian, Inoperability input-output model (IIM) for interdependent infrastructure sectors. II: case studies, ASCE Journal of Infrastructure Systems, 11(2): 80-92, 2005b.
[15] Y.Y. Haimes and P. Jiang, Leontief-based model of risk in complex interconnected infrastructures, Journal of Infrastructure Systems, 7(1): 1-12, 2001.
[16] Y.Y. Haimes, S. Kaplan, and J.H. Lambert, Risk filtering, ranking, and management framework using hierarchical holographic modeling, Risk Analysis, 22(2): 383-398, 2002.
[17] M.H. Henry, Minimax Envelopes for Total Cyber Risk Management in Process Control Networks, Ph.D. Dissertation, Department of Systems and Information Engineering, University of Virginia, 2007.
[18] M.H. Henry and Y.Y. Haimes, A new dynamic risk assessment and management model for supervisory control and data acquisition networks, presented at the Society for Risk Analysis Annual Meeting, December 5, 2006.
[19] R.C. Jurko and M.H. Henry, Input-output analysis of the oil and gas industry with respect to: oil and gas extraction, petroleum and coal products manufacturing, and pipeline transportation, in preparation, 2007.
[20] S. Kaplan and B.J. Garrick, On the quantitative definition of risk, Risk Analysis, 1(1): 11-27, 1981.
[21] S. Kaplan, Y.Y. Haimes, and B.J. Garrick, Fitting hierarchical holographic modeling into the theory of scenario structuring and a resulting refinement to the quantitative definition of risk, Risk Analysis, 21(5): 807-819, 2001.
[22] M.F. Leung, Y.Y. Haimes, and J.R. Santos, Supply- and Output-side Extensions to Inoperability Input-Output Model for Interdependent Infrastructures, to appear in the Journal of Infrastructure Systems, 2007.
[23] C. Lian and Y.Y. Haimes, Managing the risk of terrorism to interdependent systems through the dynamic inoperability input-output model, Systems Engineering, 9(3): 241-258, 2006.
[24] C. Lian, J.R. Santos, and Y.Y. Haimes, Extreme Risk Analysis of Interdependent Economic and Infrastructure Sectors: Theory and Application, to appear in Risk Analysis, an International Journal, 2007.
[25] D. Li and Y.Y. Haimes, The envelope approach for multiobjective optimization problems, IEEE Transactions on Systems, Man, and Cybernetics, 17(6): 1026-1038, 1987.
[26] Pipeline Accident Report: Pipeline Rupture and Subsequent Fire in Bellingham, Washington, June 10, 1999, National Transportation Safety Board, Washington, DC, 2002.
[27] S.M. Rinaldi, J.P. Peerenboom, and T.K. Kelly, Identifying, understanding, and analyzing critical infrastructure interdependencies, IEEE Control Systems Magazine, 21(6): 11-25, 2001.
[28] J.R. Santos and Y.Y. Haimes, Modeling the demand reduction input-output inoperability due to terrorism of interconnected infrastructures, Risk Analysis, 24(6): 1437-1451, 2004.
[29] J.R. Santos, Y.Y. Haimes, and C. Lian, A Framework for Linking Cyber Security Metrics to the Modeling of Macroeconomic Interdependencies, to appear in Risk Analysis, an International Journal, 2007.
[30] A. Turk, R. Raynor, T. Corbet, S. Conrad, W. Beyeler, and T. Brown, Simulated nation-wide consequences of disruptions to the petroleum industry in the western US gulf coast, Petroleum Storage & Transportation, National Petroleum Council, 1989.
[31] Z. Yan, Y.Y. Haimes, and M.G. Waller, Modeling Sparse Data in Risk Analysis of Complex Systems with Coordinated Hierarchical Bayesian Models, submitted to International Journal of Systems and Statistics, 2006.
[32] Z. Yan, Y.Y. Haimes, and M.G. Waller, Hierarchical coordinated Bayesian model for risk analysis with sparse data, presented at the Society for Risk Analysis Annual Meeting, December 5, 2006.