Professional Documents
Culture Documents
3
Integrated report on the link between Risk Assessment and
Contingency Planning Methodologies
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 2 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Table of Contents
1
Introduction .................................................................................................................................. 10
1.1
1.2
WP2 Deliverables.................................................................................................................. 11
1.3
1.4
1.5
1.6
Acronyms ............................................................................................................................. 14
Analysis of links between available Risk Assessment and Contingency Planning methodologies ..... 16
2.1
2.2
2.2.1
2.2.2
2.2.3
3.2
3.2.1
3.2.2 Impact for the combined structure of Risk Assessment and Contingency Planning
approaches .................................................................................................................................... 26
3.2.3
4
Risk Assessment............................................................................................................................. 29
4.1
4.2
Page 3 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4.2.1
Overview of Structure....................................................................................................... 30
4.2.2
4.2.3
Methodology description.................................................................................................. 32
4.2.3.1
4.2.3.2
4.2.3.3
4.2.3.4
4.2.3.5
4.2.3.6
4.2.3.7
4.2.4
4.3
4.3.1
4.3.2
4.3.3
Introduction ......................................................................................................................... 63
5.2
5.3
5.4
5.4.1
5.4.2
5.4.3
5.4.4
Page 4 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.4.5
5.4.5.1
5.4.5.2
5.4.5.3
5.4.5.4
5.4.5.5
5.4.5.6
5.4.5.7
5.4.5.7.1
5.4.5.7.2
Crisis Management................................................................................................... 83
5.4.5.7.3
5.4.5.7.4
5.5
5.5.1
5.5.2
5.5.3
5.6
5.6.1
5.6.2
The EURACOM Combined Risk Assessment and Contingency Planning Approach ......................... 100
6.1
6.2
Managing Dependencies of the energy sector in Risk Assessment and Contingency planning ...... 104
7.1
Page 5 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
7.2
7.2.1
Defining the scope of the analysis and the risk assessment team .................................... 106
7.2.2
7.2.3
7.3
7.3.1
7.3.1.1
7.3.1.2
7.3.1.3
7.3.1.4
7.3.1.5
7.3.2
7.3.2.1
7.3.2.2
7.3.2.3
7.3.3
7.3.3.1
7.3.3.2
7.3.3.3
7.4
8
Page 6 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Table of Figures
Figure 1: Structure of the EURACOM project ......................................................................................... 11
Figure 2: Interactions between Risk Assessment and Contingency Planning........................................... 18
Figure 3: Interactions between Risk Assessment and Contingency Planning........................................... 19
Figure 4: The energy networks analysis framework................................................................................ 20
Figure 5: Energy players from organisational to international ................................................................ 21
Figure 6: High level overview of the Supply Chain .................................................................................. 21
Figure 7: Focus of RA and CP approach .................................................................................................. 22
Figure 8: The collection of the Risk Management processes .................................................................. 24
Figure 9: The EURAM 7 step Risk Assessment approach......................................................................... 31
Figure 10: Holistic Risk Assessment Team .............................................................................................. 42
Figure 11: Impact Scales for Electricity Transmission ............................................................................. 44
Figure 12: Probability Scales for Electricity Transmission ....................................................................... 45
Figure 13: Common Threats to Electricity Transmission operators ......................................................... 47
Figure 14: Holistic Risk Assessment Team .............................................................................................. 49
Figure 15: Impact Scales for Gas Transmission ....................................................................................... 52
Figure 16: Probability Scales for Gas Transmission ................................................................................. 52
Figure 17: Common Threats to Gas Transmission operators .................................................................. 54
Figure 18: Holistic Risk Assessment Team .............................................................................................. 56
Figure 19: Impact Scales for Oil Transmission ........................................................................................ 59
Figure 20: Probability Scales for Oil Transmission .................................................................................. 59
Figure 21: Common Threats to Oil Transmission operators .................................................................... 61
Figure 22: The Contingency Planning 3 Phase Approach ........................................................................ 66
Figure 23: Contingency Planning Preparation Phase structure ............................................................... 67
Page 7 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 8 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 9 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
1 Introduction
1.1 Context of EURACOM
The objective of EURACOM is to identify, together with European Critical Energy Infrastructure
operators, a common and holistic approach (end-to-end energy supply chain) for risk assessment and
contingency planning methods. This is to facilitate the establishment of appropriate levels of resilience
within critical energy services across the whole (end-to-end) energy infrastructure chain.
EURACOMs activities to define common risk assessment and contingency planning methodologies will
build upon the EURAM project results: the concepts of the EURAM methodology will be specifically
developed further for the energy sector.
The objective is to create more resilient energy infrastructures by developing methodologies and tools
that assure a dialogue, sharing of data and close co-operation between energy operators, large energy
users, security solution suppliers, administrations, regulatory bodies, and other stakeholders. This
approach requires common methodologies all along the value chain, from production to distribution. It
also requires common methodologies at different hierarchical levels, from individual companies up to
European level.
EURACOM has to cover all applicable hazards to the energy sector, including threats from natural
causes, human intent, technical failure, human failure, dependencies of other Critical Infrastructures
and other dependencies.
In the development of the EURACOM project, it was apparent that methodological solutions and
supporting tools should be developed in close cooperation with European Critical Energy Infrastructure
operators. The EURACOM project has been structured accordingly.
In order to develop the methodology and supporting tools, the structure depicted in Figure 1 is applied
to the EURACOM project.
Page 10 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
1.2
WP2 Deliverables
The role of Work Package 2 (WP2) in EURACOM is the identification of a common and holistic approach
for risk assessment and contingency planning. WP2 has three deliverables:
Deliverable 2.1: Concerns the analysis of available Risk Assessment approaches to identify good
practices from several domains including security industry, national guidance and energy standards.
Deliverable 2.2: Concerns the analysis of Contingency Planning approaches to identify good practices
from several domains including security industry, national guidance and energy standards.
Deliverable 2.3 (This Report): Concerns the analysis of the communally accepted links between Risk
Assessment and Contingency Planning practices and the creation of Risk Assessment and Contingency
Planning approaches which can be combined and are clearly targeted to the energy sector.
Page 11 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 12 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
conclusions about the good practices of the discipline. These good practices will be used in order to
develop the EURACOM Contingency Planning approach as described in section 5.3.
D2.2 and D2.3 are also combined in order to feed into the analysis of the links between Risk
Assessment and Contingency Planning practices as described in section 2.
D6.3 Update and validation of used Risk Assessment and Contingency Planning methodologies: D6.3
will contain the final version of the EURACOM Risk Assessment and Contingency Planning
methodologies. These methodologies will have evolved from the approaches of D2.3 thanks to the
input of the case studies (WP4) and associated workshops (WP5). This will help in refining the
approach and in particular to tailor it to the needs of the Energy sector.
Page 13 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
1.6 Acronyms
BCM
BCP
BIA
CI
Critical Infrastructure
CIP
CM
Crisis Management
CP
DR
Disaster Recovery
EU
European Union
ICT
IM
Incident Management
IPOCM
KPI
OR
Organisational Resilience
PDCA
PM
Project Management
RA
Risk Assessment
RAM
RM
Risk Management
TSO
Page 14 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 15 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
The objective of this section is to identify the links and the interactions between Risk Assessment and
Contingency Planning. The scope of this section satisfies the EURACOM Description of Work
requirement to report on the link between Risk Assessment and Contingency Planning
Methodologies
2.2
Risk Assessment and Contingency Planning are both key elements within an organisations Risk
Management process. They are essential in the effort to ensure that risk are identified, prevented,
treated and where risk mitigation is not feasible, processes are created and implemented to manage
incidents should they occur.
The EURACOM deliverable D2.1 (Common Areas of Risk Assessment methodologies) highlighted, by its
non-inclusion, the issue that the majority of Risk Assessment standards and methodologies make little, if
any, reference to the Contingency Planning processes, even though Contingency Planning processes rely
on a clear evaluation of the business impact of adverse events. The EURAM methodology is an exception
in this respect as it discusses contingency and includes scenario based contingency workshops within the
methodology itself.
In contrast to this, the findings within the deliverable D2.2 (Contingency Planning Methodologies and
Business Continuity) highlighted within section 2.4 Relation to Risk Management, that the majority of
the Business Continuity and Contingency Planning Standards and Guidelines included some element of
Risk (and Vulnerability) Analysis (and also Business Impact Analysis) within the structure of their
framework. D2.2 also identified that although this Risk Assessment link/requirement was included
within most of the Standards and Guidelines, the depth of this Risk Assessment link/requirement is very
limited with little or no granularity.
However, there are some links between the two set of practices even if those are not translated into
standards. This section aims at clarifying what these links are and therefore provides objectives for the
development of the Risk Assessment and Contingency Planning sections developed later in this
document. Please see Figure 8: The collection of the Risk Management processes , for a high level
overview on where the two processes reside within the Risk Management process.
Page 16 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
2.2.1
As the essential underpinning element of the Risk Management process, Risk Assessment is the initial
process used to assess the potential impact and the likelihood of threats exploiting vulnerabilities.
Therefore the Risk Assessment process, along with the Business Impact Analysis, provides an
organisation with the necessary information required to address risk (Treat, Avoid or Accept) in line with
the organisations Risk Management objectives.
The Contingency Planning process receives the majority of its input from the Risk Assessment process
(including the Business Impact Analysis). Contingency Planning is used by an organisation to plan for the
prevention of incidents by implementing formal protective controls and also with ways of minimising
the effect of an incident by creating appropriate response and recovery processes.
2.2.2
The lessons learnt following Contingency Planning exercises, testing or incidents (within the organisation
or more largely within the energy sector) will provide a feed back to the organisations Risk Management
Life Cycle. Following this input, several maintenance actions can take place at multiple levels:
First the previous Risk Assessments may require to undergo re-evaluation in order to integrate new
data about risk elements through better understanding of vulnerabilities, finer evaluation of threats
or better appreciation of the actual chain of reaction that would cause the ultimate impact on the
organisation;
Then the mitigation controls may be reviewed in order to cover the gaps identified by the lessons
learnt.
Page 17 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
2.2.3
From the first principles described in the preparation loop and in the lessons learnt loop, it is possible to
build a high-level picture of relationships between Risk Assessment and Contingency Planning processes.
Page 18 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 19 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
3.1
The EURACOM deliverable D 1.1 provides a view of the energy networks which are analysed, and a way
to model the energy networks. These views are analysed on different layers as illustrated on the
following diagram.
Network
Information
Process
Strategy
European level
National level
Organisational level
ELECTRICITY
GAS
OIL
On this framework, the issue of resilience of energy networks is applicable in and across all the
dimensions depicted in this diagram:
From Organisational to European levels as the issues are not only intrinsic to the individual
organisations and the consequences and the management of adverse events have respectively the
potential and the necessity to spread at European scale.
Page 20 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Transmission
Operators
Distribu tion
Operators
Traders /
Sh ippers
Suppliers
Producers
End Users
Ow nership of commodities
Within each of the Oil, Electricity and Gas services throughout their energy sector supply chain and
also across sectors as energy flows move from one sector to another (mainly from Gas to Electricity).
In all the layers of one organisation Strategy, Process, Information and Network as the risk factors
and the associated responses do not reside in a single layer and rather form a holistic posture where
all the measures taken at strategic, processes, information or network level are meant to work in
conjunction.
Page 21 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
This very short introduction to the scope (not entering into any detail) of D 1.1 already provides an
insight to the order of magnitude of the complexity of the subject and it is not the objective of
EURACOM to provide answers to all of this. The objective and therefore the scope of D2.3 is to
concentrate on the energy operators for which the Risk Assessment and Contingency Planning
methodologies are meant (as depicted on the figure below). This does not mean that the full picture
does not need being taken into account. On the contrary, this picture is very important to set and to
integrate to understand in which context each single operator Risk Management approach (i.e. Risk
Assessment + Contingency Planning) will have to operate.
Network
Information
Process
Strategy
European level
National level
Organisational level
ELECTRICITY
GAS
OIL
The scope of applicability for WP 2.3 is governed by the EURACOM deliverable D 1.1 and is to build up
the method to start with the operator level and expand to higher levels at later sections in the
document (i.e. National or European level). The justification of this is that the implementation of
consistent and efficient risk management by each operator within its organisation is the prerequisite
and foundation for a collective and federated resilience across sectors and borders. This focus on single
operators should not forget the relationships they have with other external stakeholders. On the
contrary, it should treat them as critical but from the sole perspective of the entity on which the analysis
is applied. To meet this objective, the EURACOM D2.3 deliverables proposes first a generic approach to
Risk Assessment and Contingency Planning for energy operators and then provides specific information
on how to actually implement this generic approach into the distinct sectors of Electricity, Oil and Gas.
These sectors are analysed through the focal point constituted by TSOs which are at the heart of mutual
dependencies at European level and by taking into account their connections to the rest of the supply
chain (source, distribution, other grids, etc.).
Page 22 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
The initial path explored by the document was to view Risk Assessment and Contingency Planning at the
operator level, then the end of the document gives some directions to reflect on for analysis at higher
levels where interactions are not any more seen only from one organisation perspective but from the
point of view of a network of organisations.
3.2
3.2.1
It has been identified as part of the desktop studies of task 2.1 and task 2.2 that the use of terms varies
considerably with mixes of notions like contingency planning and business continuity planning. The
stance taken in EURACOM is one of integrated risk and contingency management1. For the purpose of
this document, the descriptions of the different terms are as follows:
Risk Management
This is the collection of processes that form an organisations formal threat and vulnerability
management process. This includes all processes for risk assessment, risk treatment, risk avoidance, risk
acceptance, response and recovery.
Integrated Emergency Management concept - Guidance on Part 1 of the Civil Contingencies Act 2004 HM
Government United Kingdom
Page 23 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Risk Assessment
Risk Assessment is the process used to assess the potential impact and the likelihood of a threat
exploiting vulnerabilities in order to provide a risk rating prior to the implementation of any risk
treatment or mitigation.
Risk Treatment
Risk Treatment is where the risk is reduced by the implementation of countermeasures designed for risk
mitigation. Risk treatment measures are aimed at reducing the probability and/or the severity of risk
factors.
Risk Avoidance
Risk Avoidance is used where the Risk Treatment is too costly or too impractical to implement and
where Risk Acceptance is not a viable option for an organisation to consider. Risk avoidance is a decision
Page 24 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
to change the company infrastructure or more largely the mode of operation to ensure there is no more
exposure to a risk.
Risk Acceptance
Risk Acceptance is utilised when the risk level is acceptable to the business or when the risk can not be
avoided or mitigated to an acceptable residual risk level. The decision is ultimately taken by the
organisation risk owner(s) to accept the risk or residual risk.
Contingency Planning
Contingency Planning is required to plan for incidents by implementing formal controls to assist with the
prevention of incidents and also with ways of minimising the effects should an incident occur by creating
appropriate response and recovery processes.
Contingency Plan
A contingency plan is one of the results of Contingency Planning. Contingency plans are the set of
controls materialised through organisation, measures and resources which are put in place as a
response and recovery capability to respond to major incidents.
Page 25 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
special dispositions of Incident Management (or Crisis Management), Business Continuity and
Disaster Recovery. High Impact, Low Frequency events fall for example in this category.
Incident Management
Incident Management is a process that an organisation puts in place to manage the occurrence of
incidents of low to moderate magnitude. The Incident Management process has the possibility of
escalating into Crisis Management should the situation deviate from a low to moderate magnitude.
Crisis Management
Crisis Management is used to formally manage an active incident which has escalated beyond the
routine Incident Management process. Crisis management is the organisational and infrastructure
measures put in place to ensure that an organisation can be organised in times of crisis (alert rising,
crisis cell mobilisation, decision taking, situation awareness and communication of directives).
Business Continuity
Business Continuity ensures that business recovery processes are implemented to ensure continuity of
service with the minimum of disruption. Business continuity is mainly targeted at continuity of supply of
goods or services.
3.2.2
The clarification of these terms allows for the scope and definition of the boundaries and the links
between the Risk Assessment Approach and the Contingency Planning approach.
When considering the combined nature of the two approaches developed in this document, the choice
has been taken to remove all Risk Assessment or Business Impact Analysis from the Contingency
Planning approach. It is worth mentioning that, as the analysis within D2.2 has shown, most of the
Business Continuity or Contingency Planning approaches integrate a Business Impact Analysis stage. Our
choice to remove that step has been taken as the EURACOM Contingency Planning approach will receive
those inputs from the EURACOM Risk Assessment approach.
Page 26 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Also EURACOM clarifies the differences and relations between concept whose boundaries are often
fuzzy like Contingency Planning, Business Continuity, Incident & Crisis Management and Disaster
Recovery. All these notions are federated and are clearly differentiated under the umbrella of
Contingency Planning which covers the entire spectrum of issues.
3.2.3
The EURACOM approach should respond to three main characteristics. These should be:
Holistic in terms of infrastructure coverage, which means that it should include all aspects that
contribute to operations, i.e. the physical infrastructure, the ICT infrastructure, the organisation
(including links to external stakeholders) and human factor aspects, and the human resources.
Combined in the sense that Risk Assessment and Contingency Planning processes need to be closely
integrated with clear linkages between one another.
All-hazards, in the sense it will cover the two main categories:
1. Accidental (Human or Technical, Natural causes, or linked to external dependencies), and
2. Deliberate (Human).
Page 27 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 28 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4 Risk Assessment
4.1
EURACOM WP2.1 performed an analysis on available risk assessment methodologies in order to learn
from good practices and also to assess their suitability to the context of EURACOM. The analysis, the
results and the recommendations are reported in D2.1 Common areas of Risk Assessment
Methodologies.
The major conclusions from WP2.1 are:
[]
When we look at the EURAM method and compare it to the RA methods we assessed, we can conclude:
The EURAM method is still one of the few methods which is both holistic, all-hazard and
generically applicable to all Critical Infrastructure (CI) sectors.
The EURAM method is one of the few methods that can be applied to all operational and
organisational levels of CI and even trans-sector.
The EURAM method is unique in the sense that it provides a mechanism to spread responsibilities
for risk management over all levels while assuring all risk factors are addressed. Additionally, this
is facilitated by a non-prescriptive mechanism.
The EURAM method is still rather conceptual and has few supporting tools (although it includes
the start of some supporting checklists).
The EURAM method complies with the common good practice approaches identified in most of the
other Risk Assessment methods.
[]
The further recommendations from WP2.1 to develop the EURACOM Risk Assessment approach are:
[]
Develop supporting tools (checklists or otherwise) to support easy application of the method with
respect to determining:
o Threats
o Vulnerabilities
o Effects
o Assets
Supply clear, tangible, and easy-to-follow steps that require a minimum of expertise of the user.
o Develop a supporting glossary of the terms used;
o Support the execution of the method with simple, easily distributable tools.
Develop a checklist whereby the user can determine beforehand what information is required to
complete the RA and where it may be found.
Page 29 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Of course, when the RA method is to be applied to a single sector, it can be further honed to the needs of
that specific sector (e.g. energy), by conforming to the terminologies of the sector, concentrating on
specific assets, threats, vulnerabilities, and effects that are most relevant to the sector. This will further
heighten the ease of use.
[]
These conclusions and recommendations are used to develop the EURACOM Risk Assessment approach.
4.2
4.2.1
The seven steps of this risk assessment process are described below from a high level perspective. These
are directly extracted from the results of the EURAM approach. The changes introduced by EURACOM
will become visible at a more granular level and will include the tailored approach for the energy
transmission operations within the energy sector including: Electricity in section 4.3.1, Gas in section
4.3.2 and Oil in section 4.3.3. The decision to narrow the scope to transmission is justified by the fact
that energy grids are the pivotal point of dependencies and cascading effects at European scale whether
we talk about dependencies between grids themselves or their interaction with source and distribution.
In this sense energy sources and distribution knock on effects are analysed through the point of view of
the transmission networks and especially the impact they can induce on energy transmission networks
and in turn how these networks can propagate the impact to the distribution.
Page 30 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4.2.2
Before presenting the detail of the methodology, it is important to present what a Holistic Approach to
Security means.
A holistic approach or holistic risk management aims at managing risks using a joined up approach.
This joined up approach requires each dimensions of risks to be considered, these dimensions are:
Physical security.
Information and Communication Technology security.
Organisational security.
Human factor aspects regarding security.
These four dimensions will be used to analyse each of the components of the risk (please refer to
the glossary section):
Assets.
Vulnerabilities.
Threats.
Effects.
Page 31 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4.2.3
Methodology description
Silos is referring to the compartmentalisation often noticed in organisations where risk factors are not
managed across the whole organisation but in silos (e.g. Physical Security, IT security, HR, etc.).
Page 32 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
It should have boundaries from an organisational point of view with identification of the various
job functions involved.
Please note that dependencies of the organisation towards elements outside of the scope can be
analysed using the results of the EURAM project on the Methodology for (inter)dependency analysis.
Output: Definition of scope understood by all team.
Page 33 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Probability
1
Very low
probability
Low
probability
Medium
probability
High Probability
Near certainty
Evaluation
of
feasibility of an
attack or likelihood
of an accident
Concerning the probability scale and later on in the methodology, there are a few pitfalls and good
practices to keep in mind when carrying out the exercise:
Probability scales need to fit with mainly two types of adverse events:
1. Untargeted attacks or accidents. For these types of events the most appropriate way to evaluate
probability is based on historical evidence, using for example experience or statistics on records
from past incidents. These records can be gathered at the operator level on past incidents in
their particular infrastructure but for low occurrence events wider scopes of information (e.g.
sector records, national records if available) would provide a more extensive view of the number
of incidents for a statistical analysis.
2. Targeted or intentional attacks. For these types of events, the statistical approach is not as
appropriate as the fact that an incident has not occurred yet does not mean it is not a feasible
attack and even less that it is not going to happen in the future. The more appropriate approach
to evaluate the probability of such events is to evaluate the feasibility of an attack taking into
account various factors as attractiveness of the target (asset), motivation/ skills/ resources of
the attacker and level of protection of the target (asset). In this area, it might be difficult for
operators to assess the probability of certain areas of risks; this is where there can be significant
value in sharing information with peers from other organisations or to receive intelligence
information from national intelligence agencies.
Page 34 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Severity
1
Low impact
Medium
impact
Significant
impact
Critical impact
Most severe
impact
Evaluation of impact
on product/ service
delivery,
citizen
security,
image,
citizen
confidence,
financial impact, or
other aspects.
Even if impact and probability levels examples have to be adapted to the scope of the analysis, it is
necessary to have a common definition of impact and probability levels, to enable analysis of
interdependencies between critical infrastructures. Therefore generic scales across sectors should be
used (please refer to section 7.2.3 for detail).
Output: Defined scales for evaluation of Probability and Severity.
Page 35 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 36 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 37 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4.2.3.6 STEP
6:
Review
security
and
Identify
vulnerabilities
The objective of this step is for the security experts of the team to review the actual security controls in
place to protect the infrastructure, given the assets and threat context understood at the previous
stages.
This will lead to the identification of missing security controls and also the effectiveness of these security
controls in managing the risk. This will then lead to the identification of the vulnerabilities across the
various dimensions of the holistic risks:
Page 38 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
if their organisation and infrastructure is potentially vulnerable. As for example: the UK Centre for the
Protection of National Infrastructure (CPNI): The CPNI provides Critical Infrastructure within the UK
with Security advice and security good practice guidelines, including an ICT vulnerability watch service.
http://www.cpni.gov.uk
Some private companies provide a security assessment and notification service about physical security
threats to sectors such as the energy sector (including early detection and remediation advice where
appropriate). Information about such threats and vulnerabilities are sent out to the subscribed service
users.
Some Government departments and private companies will provide an ICT vulnerability watch and
notification service where ICT vulnerabilities (including remediation advice where appropriate) are
collated and sent out to the subscribed service users.
Manufacturers: These will often provide notification of vulnerabilities within their products
(software/hardware) and suggestions for remediation, but sometimes they may not be able to provide
timely notification or even effective remediation.
Internal: It is also very important that an Energy Transmission System Operator utilises it own internal
experts to monitor their environment and maintain a level of vulnerability watch within their area of
expertise.
Examples of other sources for vulnerability information and assistance
Guide for ICT Vulnerability Identification: ICT Standard ISO/IEC 27002 for Corporate ICT systems. This
Standard provides good practices for ICT security. It is therefore possible through a gap analysis to
identify vulnerabilities.
MPSCIE, E-SCSIE and national process control information exchanges (e.g., ISACs): The Meridian,
European, and national SCADA (and process control) Security Information Exchanges aims for the
process control users, governments and research to benefit from the ability to collaborate on a range of
common security-related issues, and to focus effort and share resource where appropriate. The
intended outcome is a raised level of protection adopted across international as well as Europe's SCADA
and other Process Control Systems.
The National Vulnerability Database (NVD): Is a publicly accessible reference system for publicly known
ICT vulnerabilities and exposures. It is funded by the National Cyber Security Division of the United
States Department of Homeland Security: http://nvd.nist.gov/
Bugtraq: This is a mailing list where ICT Security issues and vulnerabilities are sent to subscribers of the
service. Options to subscribe to other Security related information such as security incidents is also
available: http://www.securityfocus.com/archive
Page 39 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
NIST: The US National Institute of Standards and Technology have issued a publication on Creating a
Patch and Vulnerability Management system: http://csrc.nist.gov/publications/nistpubs/800-40Ver2/SP800-40v2.pdf
MITRE:
1. CVE database is a dictionary of publicly known information security vulnerabilities and
exposures. http://cve.mitre.org/
2. Common Weakness Enumeration (CWE) provides a unified, measurable set of software
weaknesses that is enabling more effective discussion, description, selection, and use of
software security tools and services that can find these weaknesses in source code and
operational systems as well as better understanding and management of software
weaknesses related to architecture and design. http://cwe.mitre.org/
CVSS-SIG Common Vulnerability Scoring System Support v2 (CVSS) CVSS provides a universal open and
standardized method for rating IT vulnerabilities. http://www.first.org/cvss/
Output: Documented list of detailed vulnerabilities on the scope of the study in all areas of holistic
security.
Vulnerability: In the case of a dependency, the vulnerability is that one or several assets are
dependent on a service provided with limited resilience in case of disruption of this service.
Threat: In this context the threat is the disruption of the essential service associated to the
dependency.
Asset: the assets impacted are the assets being dependent.
Page 40 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Severity: the dependency analysis will provide useful information for severity analysis identifying
in particular any possible knock-on effects and evolution of the impact over time.
Probability: The evaluation of the probability will be supported by the description of the
dependency context.
The result of this last step is the list of relevant risks that the infrastructure faces from a holistic point of
view. These risks are all evaluated and ranked which will support decision making in the risk mitigation
process part of the contingency planning approach.
Output: List of risks that have been qualified in terms of associated vulnerability (ies) and probability &
severity levels.
These risks will also be useful to support interdependencies analysis between critical infrastructures. By
construction these risks can be compared or cross-analysed with risks identified in an other
infrastructure provided that the same approach has been followed. This methodology used with
supporting guidelines ensures:
4.2.4
This information is the result of the holistic risk assessment and this is the document that will have to be
maintained regularly to follow the evolution of the risk profile depending on:
The maintenance of the risk assessment can also receive some feedback from experience of real or
simulated incidents through lessons learnt. This experience allows to refine the evaluation of risks and
notably in terms of the effects and cascading consequences or to identify new risks which were not
anticipated before.
Page 41 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4.3
The following subsections detail the tailored approached for the energy transmission sector (Electricity,
Gas and Oil) as mentioned in section 4.2.1. It must be mentioned that there will be a number of
similarities between the 3 energy transmission sectors (especially gas & oil transmission) and therefore
some of the requirements will be the same (e.g. Setting up the Holistic team, SCADA, etc.).
4.3.1
Electricity Transmission
Page 42 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Substations
Interconnector: An Interconnector is the point where the transmission network connects either
at a national or cross border/international level with another TSO area.
SCADA/Telemetry: These contain the key elements for the management, monitoring and
control of the electricity transmission infrastructure and include real time and historic status
information.
ICT Networks and Systems: The ICT systems and networks is the infrastructure that supports
the operations of the corporate and the SCADA/Telemetry environments.
Facilities: The facilities include the buildings and land where electricity transmission assets are
located.
Engineering function: The engineering function is responsible for the deployment and
management of the assets used for the transmission of electricity over the transmission
infrastructure.
Maintenance function: The maintenance function has the role of maintaining the infrastructure
and work in conjunction with the engineering function.
Contingency plans: The contingency plans provide the organisation with the tools required to
react in an effective manner following an incident.
Electricity supply: This can be from Nuclear, Fossil, Bio, renewable, etc.
Page 43 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Not owned telecommunications: Communication with own process control elements, adjacent
TSOs, DSOs, producers (planning 24h and longer term), relevant Power exchanges (e.g., APX),
maintenance crews, ..)
Weather (forecasting) services (short term and 24h planning demand as well as wind/solar
power supply)
Impact Scales
The following table indicates the possible impact scales for an electricity TSO:
1: Low impact
2: Medium
impact
3: Significant
impact
4: Critical impact
5: Most severe
impact
< 5%
>5%
> 25%
> 50%
< 25%
< 50%
< 75%
> 75%
> 5 Seconds
> 5 Minutes
> 1 Hour
< 5 Minutes
< 1 Hour
< 12 Hours
> 12 Hours
Financial loss
Loss of revenue, Customer compensation, Cost of reactive remedial action & Regulator fines as a
percentage of revenue during the period of an incident
< .5%
< 5%
< 25%
< 50%
Page 44 of 118
> 50%
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Probability Scales
The following table indicates the possible probability scales for an electricity transmission operator:
1 Very low
probability
3 Medium
probability
4 High Probability
The incident is
not likely to occur
as for example
experience of it is
very limited in the
electricity
transmission
sector.
It is very likely
that the incident
will occur in the
organisation as,
for example,
most of the
electricity
transmission
sector has already
suffered such
incidents.
Attack very
difficult to
perform needing
conjunction of
expert skills and
money.
Attractiveness,
lack of protection
and, resources of
the attacker
making the attack
perfectly feasible.
Attractiveness,
lack of protection
and, resources of
the attacker
making the attack
ordinary.
2 Low probability
5 Certainty
Deliberate attacks
Attack would
require virtually
unlimited
resources
(money, skills,
etc.)
Page 45 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 46 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Interconnection points: These assets are where the transmission network interconnects with other
networks and what the level of criticality is given to each interconnection.
The Contingency Plan: The need is to understand the contingency plan and all the resources that can
be activated during an incident affecting the scope of the risk assessment.
Failure/Accident
Nature
Extreme
conditions
Cascade
weather
Loss
of
power
supply/utilities/services
Acts of Terrorism
Negligence
Acts of Vandalism
Mistake
Pandemic (Flu/etc)
Loss of Telecoms
Theft (copper/metals)
Geological
Ingress of Water
Fire
Explosion
Flood
Disclosure of information
(Theft/Leakage)
Solar Activity
Theft (equipment)
Industrial action
Targeted Cyber Attack
Virus/Trojans
EMP
Act of War
Diplomatic Incident
Loss
of
pumped
storage
capacity
Equipment malfunction
or failure
Chemical (spillage)
Loss, unavailability or
turnover of personnel
Outdated
and
unmaintainable technology
An Electricity Transmission System operator is required to review the high level threats listed above and
if they are applicable to their context, they should proceed to evaluate the level of threat exposure,
Page 47 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
taking into consideration that the level of the threat of exposure may not be consistent across the scope
of the risk assessment.
Page 48 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4.3.2
Gas Transmission
Page 49 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Storage Tanks: These are located in strategic points along the transmission network and are
used to store the gas and to release it on demand as demand cannot be met by pipes alone.
Gas Transmission Network booster stations (compressors): These are used to maintain the
pressure of the gas within a section of the transmission network through the use of
compressors.
Offshore gas feeder (gas receipt) station (removal of moisture and condensate).
SCADA/Telemetry: These contain the key elements for the management, monitoring and
control of the gas transmission and storage infrastructure and include real time and historic
status information.
ICT Networks and Systems: The ICT systems and networks is the infrastructure that supports
the operations of the corporate and the SCADA/Telemetry environments.
Facilities: The facilities include the buildings and land where gas transmission and storage assets
are located.
Engineering function: The engineering function is responsible for the deployment and
management of the assets used for the transmission of gas over the transmission infrastructure.
Maintenance function: The maintenance function has the role of maintaining the infrastructure
and work in conjunction with the engineering function.
Contingency plans: The contingency plans provide the organisation with the tools required to
react in an effective manner following an incident.
Page 50 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Tankers (Ship): These contain up to 1506,000 cubic meters of Liquid Natural Gas (LNG) and are
used to transport gas to onshore gas terminals ready to be processed and added to the gas
transmission network.
Terminals: This is where gas from the gas fields (and Tankers) is stored and processed and
where gas is introduced to the national transmission network (also cross border & international
via interconnectors). LNG is warmed and converted back to it gaseous form (re-gasification) at
the terminal, before being injected into the transmission network.
PIG Launchers: These are Y shaped points within a gas pipeline where a maintenance PIG
(Pipeline Inspection Gauge) or Scraper is introduced into the pipeline.
Impact Scales
The following table indicates the possible impact scales for a gas transmission operator:
1: Low impact
2: Medium
impact
3: Significant
impact
4: Critical impact
5: Most severe
impact
< 5%
>5%
> 25%
> 50%
< 25%
< 50%
< 75%
> 75%
> 6 Hours
> 12 Hours
> 24 Hours
< 12 Hours
< 24 Hours
< 48 Hours
Page 51 of 118
> 48 Hours
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Financial loss
Loss of revenue, Customer compensation, Cost of reactive remedial action & Regulator fines as a
percentage of revenue during the period of an incident
< .5%
< 5%
< 25%
< 50%
> 50%
Probability Scales
The following table indicates the possible probability scales for a gas transmission operator:
1 Very low
probability
3 Medium
probability
4 High Probability
5 Certainty
The accident is
not likely to occur
as for example
experience of it is
very limited in the
gas transmission
sector.
It is very likely
that the accident
will occur in the
organisation as,
for
example,
most of the gas
transmission
sector has already
suffered
such
incidents.
Attack is very
difficult
to
perform needing
conjunction
of
expert skills and
money.
Attractiveness,
lack of protection
and, resources of
the
attacker
making the attack
perfectly feasible.
Attractiveness,
lack of protection
and, resources of
the
attacker
making the attack
ordinary.
2 Low probability
Page 52 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 53 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Failure
Nature
Acts of Terrorism
Negligence
Acts of Vandalism
Mistake
Theft (copper/metals)
Theft (equipment)
Industrial action
Ingress of Water
Explosion
Virus/Trojans
Disclosure of information
(Theft/Leakage)
Cascade
Extreme weather
conditions
Loss of power
supply/utilities/services
Pandemic (Flu/etc)
Loss of Telecoms
Geological
Fire
Flood
EMP
Act of War
Sabotage
Diplomatic Incident
Equipment malfunction
or failure
Chemical (spillage)
Loss, unavailability or
turnover of personnel
Outdated and unmaintainable technology
A Gas Transmission operator is required to review the high level threats listed above and if they are
applicable to their context, they should proceed to evaluate the level of threat exposure, taking into
consideration that the level of the threat of exposure may not be consistent across the scope of the risk
assessment.
Page 54 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 55 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
4.3.3
Oil Transmission
Page 56 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Oil Transmission Network pump stations: These are used to maintain the flow of the oil within
a section of the transmission network. Pump stations may also contain oil storage facilities.
SCADA/Telemetry: These contain the key elements for the management, monitoring and
control of the oil transmission and storage infrastructure and include real time and historic
status information.
ICT Networks and Systems: The ICT systems and networks is the infrastructure that supports
the operations of the corporate and the SCADA/Telemetry environments.
Facilities: The facilities include the buildings and land where oil transmission and storage assets
are located.
Engineering function: The engineering function is responsible for the deployment and
management of the assets used for the transmission of oil over the transmission infrastructure.
Maintenance function: The maintenance function has the role of maintaining the infrastructure
and work in conjunction with the engineering function.
Contingency plans: The contingency plans provide the organisation with the tools required to
react in an effective manner following an incident.
Tankers (Ship): These can contain in excess of 500,000,000 litres of oil and are used to transport
oil to onshore oil terminals ready to be processed and injected into the oil transmission
network.
Page 57 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Terminals/Depot/Farms: This is where oil from the oil fields (and Tankers) is stored and
processed (not refined) and where oil is injected into the national transmission network (also
cross border & international via interconnectors). Terminals/Depots/Farms can also be supplied
with oil via road or rail (bridging).
PIG Launchers: These are Y shaped points within an oil pipeline where a maintenance PIG
(Pipeline Inspection Gauge) or Scraper is introduced into the pipeline.
Impact Scales
The following table indicates the possible impact scales for an oil transmission operator:
1: Low impact
2: Medium
impact
3: Significant
impact
4: Critical impact
5: Most severe
impact
>5%
> 25%
> 50%
< 25%
< 50%
< 75%
> 75%
> 12Hours
> 24 Hours
> 48 Hours
< 24 Hours
< 24 Hours
< 96 Hours
> 96Hours
Financial loss
Loss of revenue, Customer compensation, Cost of reactive remedial action & Regulator fines as a
percentage of revenue during the period of an incident
< .5%
< 5%
< 25%
Page 58 of 118
< 50%
> 50%
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Probability Scales
The following table indicates the possible probability scales for an oil transmission operator:
1 Very low
probability
3 Medium
probability
4 High Probability
The accident is
not likely to occur
as for example
experience of it is
very limited in the
oil transmission
sector.
It is very likely
that the accident
will occur in the
organisation as,
for example,
most of the oil
transmission
sector has already
suffered such
incidents.
Attack is very
difficult to
perform needing
conjunction of
expert skills and
money.
Attractiveness,
lack of protection
and, resources of
the attacker
making the attack
perfectly feasible.
Attractiveness,
lack of protection
and, resources of
the attacker
making the attack
ordinary.
2 Low probability
5 Certainty
Page 59 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
The transmission grid (Pipes & Interconnectors): The need is to fully understand and appreciate the
extent of the network and the resilience levels provided in case of the loss of a section of pipeline or
Interconnector. Dependencies to energy sources, such as oil terminal or other interconnections with
other transmission networks need also to be understood. This analysis should be done in a different
mode of operations such as seasonal usage and other usage patterns such as increases in peak
demand and even price fluctuation.
The Terminals: These assets are used to receive, process (not refine), store and pump oil to the oil
transmission grid. Oil can be received directly from oil production fields using pipelines or by tanker
(via a terminal).
The ICT systems & networks: This is primarily the organisations ICT assets and the need to protect
sensitive information that may facilitate a compromise of the electricity transmission infrastructure
should its protection fail. It is also important to identify any possible route from the ICT corporate
infrastructure into the Telemetry infrastructure.
The SCADA/Telemetry infrastructure: The need is to understand the potential control of the energy
transmission infrastructure that can be achieved using the SCADA/Telemetry components and the
potential to cause widespread disruption to the oil transmission infrastructure should the systems be
misused or compromised.
The Engineering and Maintenance teams: The need at this stage is to understand what are the critical
activities undertaken, who are the key actors within these teams and what other dependencies they
rely upon in order to deliver the required levels of service.
The Control/Dispatch Room (including Control Room personnel): The need is to understand the level
of resources required to function for different scenarios (normal load, peak time, incidents, etc). Also
how much of the control rooms management, monitoring and control of the systems are manual,
automatic or a combination of both.
Interconnection points: These assets are where the transmission network interconnects with other
networks and what the level of criticality is given to each interconnection.
The Contingency Plan: The need is to understand the contingency plan and all the resources that can
be activated during an incident.
Page 60 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Intent
Failure
Nature
Extreme
conditions
Cascade
Acts of Terrorism
Negligence
Acts of Vandalism
Mistake
Pandemic (Flu/etc)
Loss of Telecommunications
Theft (copper/metals)
Geological
Ingress of Water
Fire
FIRE
Flood
Theft (equipment)
Industrial action
weather
Loss
of
power
supply/utilities/services
Disclosure of information
(Theft/Leakage)
Equipment malfunction
or failure
Oil (spillage)
Loss, unavailability or
turnover of personnel
Outdated
and
unmaintainable technology
An Oil Transmission operator is required to review the high level threats listed above and if they are
applicable to their context, they should proceed to evaluate the level of threat exposure, taking into
consideration that the level of the threat of exposure may not be consistent across the scope of the risk
assessment.
Page 61 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 62 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5 Contingency Planning
The following section will define the holistic Contingency Planning approach; identify the elements an
organisation explicitly requires to create an appropriate and relevant Contingency Plan with an
emphasis on the energy transmission sector.
5.1
Introduction
5.2
The primary scope of work for EURACOM WP 2.2 was to undertake a comparative analysis and a
desktop study and review of current Contingency Planning and Business Continuity Management
Page 63 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 64 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 65 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.3
The following is a recommendation for an approach to Contingency Planning for the Energy Sector that
is based on a formal qualitative analysis of the current standards, methodologies, and good practice,
including industry requirements.
This approach is broken down in 3 primary phases:
The Preparation Phase,
The Test Exercise and Training Phase and,
The Maintenance Phase.
This is illustrated by the following diagram.
Page 66 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.4
Preparation Phase
The preparation phase is where an organisation defines the scope, the objectives and the structure of
Contingency Planning and then initiates the processes that are required for the proper mitigation of risk
in terms of measures to prevent, protect, respond and recover from incidents which are relevant to the
organisations needs and in line with the organisations defined objectives and priorities.
The primary elements that are considered a fundamental within the Contingency Planning preparation
process are illustrated in Figure 22: The Contingency Planning 3 Phase Approach are then described
below.
Page 67 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.4.1
Objective
The objective of this initial step of the preparation phase is to set the objectives and scope for the
contingency planning activities.
Approach
In particular, the Contingency Planning will have to define first the scope of the analysis; this scope has
to be defined holistically in terms of the part of the organisation covered, the people, process, physical
infrastructures, ICT infrastructures and more generally the resources that are involved. Where transport
(water/rail/road) is a primary requirement and/or a contingency requirement, the details of transport
requirements should be included within the scope and the objectives for the delivery of energy by
transport, as this is required to be addressed within the contingency planning process. More generally,
outputs from the dependency analysis would be used to address external dependencies of the
organisation within the contingency planning process.
For practical reasons the scope can be reduced for the first implementation of Contingency Planning
process and then later on it can be further expanded in future iterations of the process (see
Maintenance Phase: section 5.6). The scope can be set using the inputs of the Risk Assessment activities
(please refer to section 4.2.3.2): either by reusing the scope of the risk assessment or by refining it to
the areas that are identified as having predominant risk profiles (areas of high threat exposure or areas
where occurrences of risk factors reach particularly high severity).
Then following this scope, the objectives of Contingency Planning will have to be defined. This is for the
business to set their expectation about the level of resilience or risk mitigation they want to, or are
required to, achieve. This can be pragmatically performed by setting the risk appetite of the organisation
by identifying the acceptable level of risk the organisation is ready to accept. Depending on the scales
selected for the assessment of risk (please refer to Risk Assessment approach), this risk acceptance
setting process will set a threshold for the risk level which is generally considered as acceptable. In
addition to this, external influences need to be considered. These could be legislative, contractual,
environmental, financial, etc and set some target risk level in designated areas which could be lower
than the organisation own considerations.
Page 68 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
-+
Figure 24: Risk Assessment Scale
Stakeholders
At this initial stage, it is important to note that senior management business representatives need to be
involved in order to validate the objectives that will drive this activity for which the primary objective is
to serve business and operations.
Business Requirements
Impact of Failure
Restoration Requirements
Page 69 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.4.2
The objective of this second step of the preparation phase is to ensure that all stakeholders required for
the roll-out of contingency planning are identified along with their responsibilities. As this is an
enterprise wide initiative, most of the functions of the organisation are represented. In addition, when
dependencies are taken into account, relevant persons of contact have to be identified outside the
organisational scope, e.g. within the supply chain or to downstream facilities. This would ensure rapid
access to/passing of information in case of complex, large scale disturbances.
The different level of stakeholder involvement is one or a combination of the following;
Lead: The participant either leads the overall process or is responsible for a key area of
the Contingency Planning process within their area of responsibility or expertise.
Validation: The participant validates that the Contingency Planning processes are
relevant, accurate and fit for purpose within their area of responsibility and expertise.
Observe: The participant observes the processes from an observers position or from a
compliance perspective.
Receive: The participant receives relevant information explicit to their needs and
requirements.
This is demonstrated in the following 2 matrixes, which also identifies the different participants needed
to make up the contingency teams:
Page 70 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Executive Management
O/V
Contingency Maintenance
Contingency Exercises
Contingency Testing
Contingency Training
C/R
C/O
L/C/V
L/C/V
L/C/V
C/V
C/R
C/V
L/C
C/R
Internal Stakeholders
Contingency Process
L/C
C/V
C/V
C/R
C/V
C/V
C/R
C/V
L/C
Site(s) manager(s)
Facilities Management
Maintenance Manager
Maintenance Engineers
Departmental Managers
C/R
C/R
C
C
Staff Representatives
C
C/R
R
Page 71 of 118
C/V
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
C/O
C/O
Contingency
Maintenance
Contingency Exercises
C/O
C/R
L/C
C/O
Industry Peers
Suppliers
Regional Government
Contingency Testing
Partners
Contingency Training
External Stakeholders
Contingency Process
C
C
O/R
C/R
C/O
Customers
National Government
O/R
C/R
C/O
EU
O/R
C/R
C/O
Page 72 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.4.3
Objective
The primary objective is to take the output from the Risk Assessment exercises and introduce
appropriate Risk Treatment(s) to provide the most appropriate mitigation possible.
Approach
This process is initiated by a review of the risk factors identified in the scope of the analysis (please refer
to section 4.2.3.7) as part of the Risk Assessment exercise. The first objective is to set the Risk Mitigation
strategy, this is achieved by identifying the risk mitigation approach for each of the risk categories in the
scope in order to reduce the risk level below the acceptable risk level defined in the objectives. It is
important to mention at this stage that the risk mitigation solutions have to be envisaged as giving
priority to the prevention and protection measures, the subsequent options being often less effective
and more costly; this is a general statement which proves to be true in most cases.
Prevention: putting in place prevention measures directly aimed at reducing the probability of the
occurrence of a risk.
Protection: putting in place protection measures which are tasked with reducing the severity of a risk
should it occur.
Response: for risk factors which can not be prevented or protected, an organisation sets a
Contingency Plan aimed at reacting to the risk should it occur.
Recovery: This regroups the set of resources and processes that need to be activated in order to
resume to a normal state of operation after an incident has occurred and first response procedures
have been activated.
Risk Avoidance: For risk factors which are considered unacceptably high and for which no suitable or
adequate prevention, protection, response or recovery measures are available, an option can be to
avoid the risk. Depending on the circumstances, risk avoidance can be achieved through modifying the
way the organisation operates to avoid the areas where the risk could occur (use of uncertain
technologies, operations in risky regions, risky activities, etc.) Another option for risk avoidance is to
transfer the risk through for example the out sourcing of the risky activities to an external partner, in a
not too dissimilar context there are options for organisations to offset part of their risk factors to
insurance companies by ensuring against it.
Risk Acceptance is the final option of risk mitigation either because the risk level falls below the
acceptability threshold or because there are no cost effective or even feasible measures to mitigate a
risk that can not be avoided.
Page 73 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
This process should be documented by a formal risk treatment plan identifying for each risk factor the
mitigation options which are retained in all the above categories. This risk treatment plan should include
an evaluation of the residual risk level of each risk factor after mitigation. It should also document the
acceptance of the residual risk and in particular highlight all risk factors that are above the agreed risk
acceptability threshold.
It has to be re-emphasized that the whole approach undertaken and presented within this document
needs to be holistic, which at this juncture means that security measures need to be identified in all
areas (i.e. Organisational, Physical, IT and Human aspects security).
On the other hand, risk mitigation strategies must appropriately take into consideration the existence of
external dependencies, their nature (e.g. basic supplies for energy, water, communication etc., possibly
organisational dependencies), their impact, relation and relevance with regard to specific risk (e.g.
communication means may also be impacted by significant natural hazards). A good risk mitigation
strategy may for example attempt to limit the level and reduce the impact of these dependencies (e.g.
through the availability of alternative communication means, simultaneous suppliers, back-up systems
etc.).
This risk treatment plan constitutes the strategy of the organisation for risk mitigation, as such this plan,
along with the necessary investments and impacts on operation implied by the mitigation measures
need to be presented and validated by senior management to ensure senior executive backing and
secure the appropriate resources required to implement the Contingency Planning project and
processes.
Stakeholders
The lead stakeholder for the Risk Mitigation Strategy is the organisations Risk Manager who is acting on
behalf of the Executive Management. It is the Executive Management who will validate the Risk
Management Strategy.
Other stakeholders include key areas of the business that will provide the required input to contribute
with the formularisation of the strategy, potentially the industry regulator who may want some level of
assurance that regulatory requirements are being addressed and met, as well as providing input to the
process.
Output
Risk Treatment Plan (including mitigation measures, residual risk and required investment) validated by
senior management.
Page 74 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.4.4
Objective
The objective of is primarily for an organisation to adopt a proactive approach to Risk Mitigation
activities in order to facilitate the prevention of a major incident. The proactive prevention of a major
incident is preferable to the reactive management of an incident. This is why the prevention and
protection measures have been grouped together. This is achieved by using appropriate
countermeasures to effectively mitigate risk and therefore reduce the probability of occurrence of a risk
(prevention) and/ or to limit the impact/ severity of a risk if it occurred.
Approach
The approach for the implementation of the prevention and protection measures is not dissimilar to the
approach undertaken to roll out any other projects within the organisation. To this end, this activity
should be driven following the practices and processes in place within the organisation for the
governance, management and control of the project. This includes objectives setting and
communication, definition of a project plan identifying the main phases, resources involved, timescales,
activities, dependencies and the main milestones of the project, setting of a steering committee,
procedures for validating the results, etc.. This is not the objective of this approach to go into detail for
this part as it would be counterproductive to devise a project management framework which would not
be totally adapted to the existing processes of an organisation which wishes to follow the EURACOM
approach.
Although this detailed approach is not described here, it is important to underline the key performance
indicators, the drivers and other criteria that are crucial for the successful management and
implementation of the project:
Risk Mitigation: Risk mitigation is the principal driver of this activity and therefore the various
activities and solutions need to be designed to satisfy this goal and to achieve the objectives set out in
the Risk Treatment Plan.
Residual Risk: The level of residual risk is the main result of this phase where the prevention and
protection measures are implemented to achieve a target residual risk level. It is therefore important
to follow this measure as a Key performance indicator (KPI) for the project both for the final result but
also for the intermediate milestones to identify how the level of risk mitigation is built throughout the
project execution.
Holistic implementation: This aspect needs to be closely monitored to ensure that security is not
implemented in a multitude of isolated silos and that on the contrary all measures form a complete
security posture for prevention and protection.
Page 75 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Security audits or reviews: This is the use of a third party to verify and validate the
actual implementation of the security measures.
Stakeholders
The key stakeholders are the Contingency Planning Management Managers whose role is to ensure that
adequate Prevention and Protection measures are in place to assist with the prevention of an incident,
or incidents, from occurring. In order to facilitate this process, a number of key management
stakeholders from within the organisation are utilised and cover the different organisational aspects
such as ICT, Physical and Logical Security, Facilities, etc.
External stakeholders may include industry partners, the Regulator and Government who may observe
and review the implemented controls.
Output
A comprehensive and formal Prevention and Protection measures implementation process and also
the actual implementation of the validated Prevention and Protection measures.
Page 76 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
The risk profile of the organisation has undergone a level of mitigation. This output should be fed back in
the risk assessment process to show the evolution of the risk profile on the scope of the analysis.
Page 77 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.4.5
This process will aim at developing the Response and Recovery capabilities of an organisation against
incidents that have been identified through the risk assessment process. The objectives of this section
will be to develop the necessary processes, solutions, resources to constitute this Response and
Recovery capability.
This section is presented after the Prevention and Protection measures implementation to reflect the
general fact that responsive measures should always be considered to complement preventive
measures. However, this does not mean that this process should happen once the previous one is over.
On the contrary, this activity should happen in parallel to the previous one within the limits of the
resources available in the organisation.
Page 78 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 79 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 80 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
The continuity levels expected with each strategy to be analysed against the Supply Continuity
Objectives,
The cost and effort in perspective to the actual risk which are mitigated,
The use of common strategy elements to cover a maximum of risk scenarios by opposition to
resources which can only cover a certain type of risk scenarios,
Having flexible solutions which can be adapted to actual events, this recognises the fact that real life
situations will always deviate from the scenarios used to dimension Contingency Plans and also to
recognise that situations can evolve. To this respect, on the organisational side of the Contingency
Plan, the organisational structure to manage incidents should allow for a core organisation and set of
processes which are common whatever the scenario with possible variations around this core to cope
with the specifics of each situation. To illustrate this, the procedure for alerting and mobilising a crisis
management cell should be the same for all scenarios, however the composition of the crisis
management cell would vary depending on the situation and therefore the disciplines and expertise
that need to be represented.
Page 81 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Stakeholders
The Contingency Planning Managers, Plan Responders and the Disaster Recovery Manager lead any
Response and Recovery measures. To effectively respond during and incident, they will need to be
supported by all relevant elements of the organisation along with suppliers, Industry Peers, Government
and potentially the Emergency Services. Customers of the Energy Provider will need to be advised of,
and updated with, restoration of service details.
5.4.5.7.1
Incident Management
Incident Management is the process through which organisations deal with incidents. It covers the
reporting of incidents, the escalation/ resolution of incidents and the review of incidents.
Organisation can have different processes for incidents management depending on their nature:
A structure for reporting by customers of incidents linked to perturbation of supply
A structure for reporting physical security incidents
A structure for managing operational incidents through telemetry
A structure for managing ICT incidents
Page 82 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
All these processes are separate but have all in common the capability to escalate an incident which
would go out of proportion to the crisis management process.
5.4.5.7.2
Crisis Management
Crisis Management is the set of processes, organisational structure and resources for an organisation to
actively manage a crisis (by opposition processes linked to tactical resolution actions) from detection to
the exit of crisis mode.
Crisis Management objectives are principally aimed at ensuring that there is a chain of command for the
management of the crisis, enabling decision making in extraordinary circumstances and ensuring that
decisions are relayed and that information is reported towards the decision makers.
The basic processes cover alert, crisis cell mobilisation, crisis cell operation, decision making, decision
communication, situation awareness building. These processes are very stable whatever the type of
crisis or incident with allowance for variations to adapt to different types of situations. All these
processes are documented as procedures of the crisis management plan. The response and recovery
measures specific to scenarios are found in the supporting Business Continuity Plans and Disaster
Recovery Plans (see below).
Some of the elements constituting a crisis management plan are:
1. Organisation in terms of crisis (internal and external) covering roles and responsibilities
2. Main procedures from alert to end of crisis
3. Special conditions reflex actions for specific scenarios
4. Supporting tools:
a. Directory of contacts internal
b. Directory of contacts external
c. Dashboards supporting crisis management
Crisis management plans can be set at various levels of an organisation:
Group
Branch
Site
Activity
Page 83 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
The plan is also supported via dedicated resources for crisis management, typical resources are:
Alert system,
Crisis Management Room(s) in several locations (the level of equipment need to be adapted to the
needs),
Video/ Phone conference facilities (available in time of crisis),
Special Communication means in case of ICT or electricity blackout,
Activation of an external information line,
Crisis Management Case (containing all essentials for crisis management),
Etc.
5.4.5.7.3
Business Continuity Management is the set of processes and resources an organisation has identified
and provisioned to be activated following adverse events in order to ensure an acceptable level of
continuity of operational activities.
This plan contains dispositions about management but these aspects are mainly covered in the crisis
management plan(s). The content of Business Continuity is more focused on more practical operational
and tactical measures directly aimed at responding and recovering to specific incident scenarios.
All these measures are documented through procedures in the Business Continuity Plan.
A business continuity plan includes some of the following elements:
1. List of scenarios covered,
2. Overall strategy for each scenario along with organisation, roles and responsibilities. The
strategy should remind the target continuity objectives,
3. Supporting procedures for the various actions and stakeholders (fall-back procedures, BCM
activation, recovery actions, etc.)
4. Supporting tools.
The plan is also supported via dedicated resources for business continuity, typical resources are:
Deployable units for intervention on energy network,
Page 84 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Backup infrastructures and systems for energy supply, ICT and other fundamental, external resources
and supplies,
Alternate sites for employees in case of unavailability of primary site,
Etc.
5.4.5.7.4
Disaster Recovery Management deals as well at operational as at tactical level and focuses on the
measures and resources to be activated in order to recover the required level of ICT capabilities to
support the business functions. Due to the complexity of ICT systems, these dispositions are usually
dealt with separately from the other resources managed in the Business Continuity Plan.
Concerning the energy sector, it is probable that Disaster Recovery Management will be separated in
two main scopes:
Corporate ICT,
Process Control, Network management, ICT (SCADA, Telemetry, etc.).
A disaster recovery plan includes some of the following elements:
1. List of scenarios covered,
2. Overall strategy for each scenario along with organisation, roles and responsibilities. The
strategy should remind the target continuity objectives,
3. Supporting procedures for the various actions and stakeholders (swap production environment
to DR site, restoration of data, system, applications, etc.)
4. Supporting tools.
The plan is also supported via dedicated resources for business continuity, typical resources are:
Disaster recovery site,
Backup data (on tape, disk, etc.),
Backup communication methods,
Spare hardware,
Alternate control room,
Page 85 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Etc.
Page 86 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.5
These phases are critical to successful execution, management and maintenance of a Contingency Plan
as they ensure that all the processes developed within the Contingency Plan can be successfully
implemented and that the Contingency Plan implementers for Response & Recovery can effectively
undertake their roles and fulfil their responsibilities.
Any issues that arise from the Test, Exercise & Training phases are fed back into the Contingency Plan in
the form of lessons learnt and be used to enhance and stabilise the processes surrounding Contingency
Planning and the Contingency Plan.
5.5.1
Objective
The objective is that as a pre-requisite, all personnel involved with Contingency Planning need to be fully
conversant as to what their roles and responsibilities are and what is required from them during an
incident to facilitate a successful implementation of the Contingency Plan.
Approach
The use of subject matter experts without the appropriate Contingency Planning training will not
provide an organisation with the level of skills required to manage incidents and to execute the
Page 87 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
appropriate level of response to an incident. The use of subject matter experts without appropriate
Contingency Planning training may in fact impede the successful execution of an organisation's
Contingency Plan during an incident and would most certainly delay the recovery and restoration
processes for the organisation.
The only way to effectively manage this requirement is to provide the appropriate level of training to an
individual or group of individuals that is relevant to their role when executing the contingency plan. The
training needed has to be refreshed at regular intervals or when an individuals role changes, when new
personnel have contingency responsibilities or if the organisation evolves.
Failure to provide the necessary and appropriate training to personnel will potentially lead to an
organisations Contingency Plan failing and therefore increasing the potential for an incident to
significantly increase in magnitude.
The training of personnel with responsibilities under the contingency plan should be conducted along
with testing. Personnel should reach a stage of competence where they are able to execute the roles
without the need to refer to a guide and that the level of training must be sufficient enough so that
contingency plan execution becomes second nature to personnel.
There are three main training groups in Contingency Planning:
1. The training of strategic personnel for the implementation, the execution and the
management of the organisations Contingency Plan.
2. The training for personnel who are responsible for the management and implementation of
defined recovery processes.
3. The training for personnel who have a role in assisting with the implementation of the
recovery processes
Stakeholders
Contingency Planning Managers are the key stakeholders (on behalf of the Executive Management) and
will lead this element to ensure that all relevant parties within the organisation receive appropriate and
relevant Contingency Training in order for them to fulfil their duties within the contingency Plan.
Output
A comprehensive training plan that accommodates all personnel involved in Contingency Planning and
the provision for refresher training or updated training when key factors within the organisation change.
Page 88 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.5.2
Objective
The testing of the contingency plan is important to provide the appropriate level of assurance that the
assumptions made about the quality and effectiveness of the Contingency Plan are tried and tested to
confirm its validity and satisfy the organisation that the Test Plan, as well as the Contingency Plan itself,
are fit for purpose and meet the organisations Continuity objectives.
Approach
The testing can be scenario based or it can be tailored to test explicit elements or functions of a Plan,
including the ability to accommodate changes or deviations to the plan.
The following types of testing can be undertaken:
a. Call Tree: The function of a call tree is to provide a list of personnel, and their contact
details, needed to execute and operate the Contingency Plan when an incident occurs.
When contact is initiated to the first group of contacts, they then cascade the process
onwards by contacting their contacts, who in turn contact their contacts, etc.
This type of test will verify, or not, that the Contingency Plans Call Tree works and it
should introduce elements into the testing that address the loss of mobile and/or fixed
telecoms or key/senior team members.
If the call tree process is automated, this test is also relevant.
b. Walkthrough: A walkthrough is primarily a formal peer review of an element (or
elements) of a contingency plan where each stage is discussed and where its merits and
deficiencies are identified and potential improvements are discussed.
This is required in order to validate the plans ability to deliver and meet its objectives
and where shortcomings can be addressed in a proactive manner.
The output from this test/review is the most critical of the tests and the lessons learnt
from it feed directly into the preparation phase.
c. Table Top: A Table Top exercise would involve a contingency scenario being presented
to the contingency team (or teams) where they would describe and discuss the actions
they would undertake during and incident without actually executing their actions.
Page 89 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
This test follows on from the Call Tree and the Walkthrough and leads towards the
execution of a contingency exercise.
The tests should include the following to identify the contingency and the actions that need to be taken
to address the contingency:
1. Contingency: What is the contingency?
2. Activation: What are the activation criteria?
3. Severity: What is impact of the contingency?
4. Action: What action is undertaken to address the contingency?
5. Result: What is the expected result?
The testing has to be undertaken in a formalised manner and personnel should be fully de-briefed so
that any lessons learnt or short comings are captured and fed into the contingency plan maintenance
phase.
Stakeholders
The Contingency Planning Managers are the key stakeholders for Contingency Testing as they have a
responsibility to the Executive Management and potentially the Industry Regulator to validate that their
Contingency Testing plans and activities are fit for purpose and as such will lead this element to ensure
that all relevant parties within the organisation validate their Contingency Plans through appropriate
testing.
Output
The output will be a formal Test Plan, including test scripts and scenarios, to validate the assumptions of
the Contingency Plans suitability and effectiveness and that it is fit for purpose and meets the
organisations objectives.
Page 90 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.5.3
Contingency Exercises
Objective
Contingency Exercises will act as a comprehensive method to complement the Testing and Training
phases and to validate that they have achieved their goals and satisfy the organisations requirements to
the appropriate level with respect to Contingency Plan.
Approach
Periodical contingency exercises are important not only as part of the testing and maintenance, but to
ensure that personnel fully understand their roles and responsibilities in an actual incident and are
conversant with the procedures and protocols should a Contingency Plan be activated.
Contingency Exercises should be organised to simulate real world scenarios in a structured and defined
format in order to validate the effectiveness of the contingency planning processes, including testing
and training. The exercise should include as many elements of the organisation as possible, but must
maintain a focus on the organisations most critical elements which have previously been identified in
the Risk Assessment.
Each exercise should have clearly defined objectives as to what the organisation wants to achieve from
the exercise and the exercise should have a formal set of evaluation criteria to measure the level of
success the organisation has achieved in its response and recovery processes.
Ideally the exercises should include a scenario based approach to a specific incident within the energy
sector that will activate a broad range of response and recovery processes using multiple teams from
different elements of an organisation's structure to facilitate effective co-operation, communication and
decision making processes. These should include elements from the Test Plan including executing the
Call Tree processes and utilising the scripts and scenarios developed for the Contingency Test Plan.
Such a simulation, albeit a customised one, of a previous event (within the energy sector) would deliver
a more realistic scenario simulation and would also be able to validate if the lessons learnt (by the
energy sector) have been implemented and incorporated within their risk management processes
following the post mortem of the original incident.
Exercises could be either undertaken in Real or Accelerated time, with the former being more
appropriate for a larger exercise involving multiple parties and agencies, whilst the latter would be more
suitable for a smaller internal exercise e.g. a single site. Accelerated time exercises are also more
suitable for simulating business responses during an incident.
One primary and critical element for any form of contingency exercise is that there must be inbuilt and
comprehensive safeguards against the simulated incident exercise being accidentally mistaken for a real
Page 91 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
incident which could cause distress and panic for those not realising that an exercise was being
executed. Panic driven actions could also be undertaken by poorly trained personnel that may
implement real responses to simulated incidents, which could potentially lead to an actual incident
occurring and placing the organisation in Contingency mode. This could also then create a scenario
where a number of personnel may still think they are in the contingency Exercise mode and not
actually execute the appropriate responses during an actual contingency.
Organisations should also introduce additional elements within a contingency exercise to identify
potential shortcomings following:
Extended Approach
The introduction of major incident scenarios involving multiple organisations (Sector, Cross Sector,
Emergency Services, Local, Regional, National, Cross Border and International) and complex exercises
should be undertaken to validate the compatibility, interconnectivity and interdependency of the
different contingency plans and to assist in reducing the probability of an incident from escalating.
This type of exercise will ensure that major incidents involving multiple organisations can effectively
implement and manage multiple contingency plans under a single overreaching contingency plan and
that no isolated contingency plan can severely impede the response and recovery processes during a
major incident.
These aspects are further developed in section 7 Managing Dependencies of the energy sector in Risk
Assessment and Contingency planning.
Page 92 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Stakeholders
As with Contingency Testing, the Contingency Planning managers are the key stakeholders for
Contingency Exercises as they have a responsibility to the Executive Management and also potentially to
the Industry Regulator to validate that their Contingency Plans are fit for purpose. Contingency Exercises
follow on from Contingency testing and not only involve an organisations internal resources, but it has
the potential to involve a number of external organisations such as the Emergency Services, Industry
peers and Government. Customers will need to be advised that an exercise is being staged.
Output
A structured and formal scenario based program that will test the organisations Contingency Plan to
ensure that the contingency testing and training is adequate and that the decision making processes are
in place, embedded in the organisations business processes and implemented effectively within the
Contingency Plan.
Page 93 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.6
The maintenance phase is where the Contingency Plan is modified and updated to meet an
organisations new objectives and change in their environment of operation and also where the lessons
learnt are introduced into the maintenance phase, along with inputs from the Risk Assessment element.
Additional results from ICT Security Testing (Risk Assessment), e.g. Penetration Tests, are input into the
maintenance phase as the compromise and/or loss of ICT services can lead to the loss of service delivery
for an energy provider. E.g. it can prevent the generation and distribution of energy.
5.6.1
Objective
The objective for Contingency Planning Maintenance is to ensure that the contingency plan, and its
associated processes, is subjected to a constant formal evaluation and maintenance cycle to provide an
organisation with a high level of assurance that the Contingency Plan is up to date and satisfies the
organisations Contingency objectives and requirements.
Approach
Contingency Plans need to be maintained on a periodical basis to ensure that all dispositions are up to
date and reflect the latest changes in the organisation and its environment. To this purpose a
maintenance plan should be developed to ensure that the various components are reviewed and
maintained on an adapted frequency.
Page 94 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 95 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Stakeholders
Contingency Planning Managers are the key stakeholders of Contingency Planning Maintenance as they
have overall responsibility for Contingency Planning Management within the organisation. They will
include most elements of the organisation in the Contingency Planning Maintenance Life Cycle and will
also take input from external elements such as Industry, the Regulator and Government in order to
ensure satisfactory maintenance levels are achieved.
Output
The output is a series of formal maintenance update processes covering the different elements of the
contingency plan with defined responsibilities.
Page 96 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
5.6.2
Lessons Learnt
Following the testing, an exercise, or even a contingency incident (within the organisation or external to
the organisation), there will be lessons learnt that need to be studied, analysed and, where appropriate,
introduced into the organisations Contingency Plan.
Objective
To ensure that identified and highlighted shortcomings in the contingency plan, or areas identified
without appropriate and required contingency coverage, are addressed in an effective manner in order
to mitigate the identified weaknesses within the contingency plan.
Approach
The approach should be a holistic and organic approach to understanding weaknesses within the
contingency planning processes and taking input from a number of different sources including:
1. Contingency Tests
2. Contingency Exercises
3. Contingency Incidents
a. Internal
b. External
4. Good Practices
5. Industry Research
6. Security Assessments
7. Risk Assessments
8. Peer Reviews
Stakeholders
As with Contingency Planning Maintenance, Contingency Planning Managers are the key stakeholders of
Contingency Lessons Learnt and as this is an important process they will receive feedback from most
elements of the organisation in the Maintenance Life Cycle and will also take input from external
elements such as Industry, the Regulator and Government.
Page 97 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Output
The output should be a formal approach and processes to allow the organisation to incorporate the
relevant Lessons Learnt within the contingency plan to ensure the effectiveness of the organisation
implemented contingency plan and contingency planning process.
Page 98 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Page 99 of 118
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Figure 31: The Combined Approach Taken by EURACOM to Risk Assessment and Contingency Planning.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
6.1
On the direct linear sequence of steps, there is a link between the results of the Risk Assessment and the
implementation of Contingency Planning. This first link is called the preparation loop as it is mainly
occurring during the preparation activities when moving from the evaluation of the risk factors to the
definition of a Risk Treatment Strategy.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Risk Mitigation Strategy Setting as described in 5.4.3: This process is initiated by a review of the
risk factors identified in the scope of the analysis (please refer to section 4.2.3.7) as part of the
Risk Assessment exercise.
6.2
The lessons learnt loop characterises the feedback from tests and exercises into the risk assessment
process.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
feeds into the Risk Assessment for the update of risk factors that are better understood (in
terms of effect for example) or newly identified from tests and exercises activities.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
7.1
Introduction
In systems theory, an interdependency exists when a change in the state of one system element induces
a change in the state of another system element (i.e. dependency), which in turn induces further
changes in the state of the first system element via feedback mechanisms (i.e. interdependency).
Dependency and interdependency relationships are particularly prevalent in the case of energy
infrastructures, which display the characteristics of highly structured, complex and highly
interconnected networks. These relationships can create subtle interactions and feedback mechanisms
that have the capability to lead to unintended behaviours and consequences. Problems in one
infrastructure can cascade to other infrastructures, potentially inducing large-scale effects.
Interdependencies therefore introduce an additional level of vulnerabilities in the system, and they
should be treated as such within a risk and contingency management framework. Additionally,
interdependencies may vary considerably both in their scale and complexity, and they also typically
involve numerous system components. As the levels of complexity increase and interdependency
becomes more prevalent, increased levels of risk may occur with higher levels of uncertainty.
The process of identifying and analysing dependency and interdependency relationships requires a
detailed understanding of the overall system, and in particular how the components of each
infrastructure and their associated functions or activities depend on, or are supported by, or interact
with, each of the other infrastructures in each mode of operation [CROSS REFERENCE TNO PAPER/BOOK
CHAPTER IFIP 2008]. This process provides valuable and essential information for risk assessment and
contingency planning.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Figure 34: The High Level Analysis of Risk Assessment and Contingency Planning.
7.2
The risk assessment process can be conducted at a multi-stakeholder level to address complex
dependency paths and interdependencies within the sector, region, or at higher scales. The general
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
approach described in section 4 can be applied at higher levels of analysis, by reconsidering the assets,
threats and vulnerabilities in order to fit with the complexity of larger scopes (sector, cross-sectors,
region, country etc.). A number of specificities related to a multi-stakeholder risk assessment process
are described below.
7.2.1
Defining the scope of the analysis and the risk assessment team
The risk assessment scope has to take into account critical dependency paths at a wider level than the
organisational one, spanning over an entire sector or following a cross-sectoral approach. The
stakeholders involved in the risk assessment process have to be identified at this stage, along with an
overall supervising authority to coordinate/lead the entire process. This could be an industry association
within the sector if the scope is sector-specific, or a local or governmental authority if the scope is a
region or a country.
Once the scope and coordinating authority are defined, the risk assessment activities would require the
support of a workgroup constituted of business and security experts from the various infrastructures
included in the scope.
7.2.2
The identification of vulnerabilities and evaluation of risks at this higher level of analysis is based on the
results of previous risks and interdependency analyses carried out by each organisation/infrastructure. A
harmonised approach to the identification of dependencies and risks at the organisational level would
ensure a well-coordinated implementation of this very important stage in the multi-stakeholder risk
assessment process. Each member of the workgroup will be in charge of contributing with information
concerning their specific area of expertise.
The objective of this approach is not to sum up point risk estimates assessed by each Infrastructure
Operator (as this information is also confidential for each operator). The objective is to aggregate:
high level information from the operators about their level of resilience over time to high level
categories of risk factors without giving the detail of the associated vulnerabilities in the
infrastructure,
Information about the external dependencies of each infrastructure with information about
their level of resilience over time.
If the risk assessment aims at aggregating more precisely the results of individual risk assessments
carried out by each organisation, it poses the question of comparability of results. It requires therefore
that all organisations use
The same approach (e.g. EURACOM),
with the same guidelines or references (e.g. EURACOMs threats and asset lists + similar sources
for vulnerability analysis) and,
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Concerning the scales for risk assessment, it is necessary, if a single set of scale is to be applied across a
wide scope involving many organisations that the severity scale (please refer to 4.2.3.3) is wide enough
to be able to cater for the situation of the various organisations that are supposed to use it. To illustrate
this using a simple example, lets consider two organisations A & B operating Critical Infrastructures in
the energy sector, A being a rather small and focused organisation and B a large organisation
concentrating many activities:
For their own internal risk assessment, these companies could use a limited scale directly linked
to the size of their operations with severity levels corresponding to similar ratios of their
turnover for financial impact, customers in terms of energy supply disruption, etc. These scales
are then appropriate to each organisation context but can not be compared as they are built on
the specific situation of each organisation. In our case an Impact Level 5 for company A would be
far lower than the same Impact Level 5 for company B.
If their risk assessment results are to be aggregated, the scales for severity evaluation need to be
based on absolute values that can be compared across the board. In this case it is unlikely that a
5 level scale as advised in 0 can be sufficient to cover with enough granularity the full spectrum
of severity levels that could arise from the smaller organisations like company A or the largest
like company B. It is therefore necessary to expand the scale for severity assessment.
Concerning the probability scale, the adoption of shared levels is less an issue as this dimension of the
risk is less influenced by scale (size).
Therefore the area of risk when going to a wider scale of analysis would only expand in one dimension
as illustrated on the following figure.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
7.2.3
Vulnerabilities identified according to the approach described above, along with inputs from an
(inter)dependency analysis carried out on the same scope will support:
Identification of the risks which have the more relevance in the wider scope of the study.
Information sharing between the various parties which will allow operators to identify risks that
they have not initially considered.
It should be noted that, as a precondition to evaluate new risks, the scale for risk evaluation should also
be reconsidered in the frame of the wider risk assessment scope. The overall output of these risk
assessment activities would then feed into the contingency planning process.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
7.3
Contingency and response plans also need to be assessed from an infrastructure interdependencies
perspective. In a situation of interdependence, concerted action comes namely through coordination,
seen as the process of managing dependencies and interdependencies. Coordination mechanisms create
linkages across system components and facilitate communication and linked action between various
entities with preparedness and planning responsibilities.
Several mechanisms can be implemented to address (inter)dependencies within a multi-stakeholder
framework and the overall aim of these mechanisms is to facilitate and enhance coordination among
stakeholders in complex emergency situations through harmonised information management (sharing)
and contingency planning, as well as maximise the capacity and effectiveness to manage dependencies
at the organisational level.
The following sections describe how the EURACOM approach as described in section 5 should be applied
in a multi-operator framework in order to incorporate the management of interdependencies in
interconnected networks in the contingency planning process.
7.3.1
Preparation Phase
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
Organisational model (set up of a joint expert team) and key roles and responsibilities (see
Erreur ! Source du renvoi introuvable.),
Documentation plan (essential documents that sustain a shared contingency management
process, guidance documents etc.),
Fundamental communication means and procedures.
Upstream infrastructure assets (e.g. supply chain, operational partners) that, if lost or degraded,
could adversely impact the performance of own infrastructures in the case of:
o Normal and stressed operations
o Disruptions (including coincident events, e.g. N-2)
o Repair and restoration
Identifying how interdependencies may change as a function of outage duration, frequency, and
other factors all modes of operation;
Cascading effects vs. risk of simultaneous failure through common vulnerabilities;
Time characteristics of degradation and restoration; identifying how backup systems or other
mitigation mechanisms can limit and/or reduce interdependence problems all modes of
operation.;
Identifying the linkages between own infrastructure and downstream (in particular community)
assets (as potential grounds for major high-scale disturbances).
Even though out of the scope of the contingency planning approach itself, it should be stressed that a
detailed knowledge and understanding of the specific (inter)dependency risk scenarios is required in
order to identify appropriate and effective risk mitigation solutions (see 5.4.3).
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
The conclusions and decisions should be documented in a Risk Treatment Plan or equivalent as part of
the overall documentation plan shared and used by all involved operators / stakeholders.
reducing the likelihood and/or periods of disruptions (outage times of critical components),
backup systems and mitigation mechanisms to limit the impact interdependence problems,
...
Formation of organisational structures for incident response and recovery (joint teams),
technical means, coordination (operational procedures, communication) between participating
stakeholders,
...
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
In a multi-stakeholder scenario, the planning of response and recovery measures must pay particular
attention to the aspects of communication as well as monitoring and information sharing (see section
7.3.3.3), ensuring that in the case of a risk occurrence, each operator becomes immediately aware of the
incident in order to act according to the established plans (as part of the overall documentation plan)
and as fast as possible. On the other hand, the flow of communication between stakeholders has to be
mutually agreed and relevant contact persons within every organisation identified accordingly, along
with established procedures for information exchange and predefined frequency of exchanges in
different scenarios (e.g. incident, accident, disaster, etc.).
It is important to consider that the management of incident response and recovery for network
connectivity and related interdependency issues should not stay isolated from the general contingency
plan (of each single operator) and its elements (incident management, crisis management, business
continuity management). This becomes clear when considering that in a real-world scenario certain risks
may relate to each other and therefore occur together or in some sequence.
In other words, operators should implement integrated contingency planning processes that satisfy the
needs for a joint management of risks related to network connectivity and interdependencies (multistakeholder framework) on one hand, and that also fit into and extend already established processes at
the level of each participating organisation on the other. As a matter of fact, this integrated approach to
risk management and contingency planning is a major challenge from the organisational perspective.
7.3.2
training of individuals according to their role and responsibility vs. scenario-based training
(groups, up to all participants),
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
efficient exchange of information and better communications during incident management and
recovery,
The process of designing such common exercises also has some ancillary benefits, such as gradually
building mutual trust and therefore facilitate and support future exchanges in real life situations.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
7.3.3
Maintenance Phase
Training...
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
sequence in the process. Collaboration therefore involves an interdependent relationship engaging all
the parties to work closely together and create mutually beneficial outcomes, such as establishing and
sharing joint knowledge and expertise, as well as reaching a common understanding and vision of the
planning process.
As an illustration of how the information exchange process can be implemented at the sector level, the
ENTSO-E Transparency Platform publishes data on congestion management, system vertical load,
planned schedule evolutions, day-ahead Net Transfer Capacity, balance management and
interconnection outage information. More than thirty European Transmission System Operators (TSOs)
participate actively in this exercise by publishing information on e.g. cross-border physical flows, crossborder commercial schedules and auction information. This is a good example of successful
collaboration at the sector level, by engaging all the parties in a collaborative effort to establish and
share joint knowledge and information. Building on existing efforts such as the one previously
mentioned, sector-specific information exchange platforms can be extended to address dependency
issues not only from a market perspective, but also at the operational level, including cross-sector
insights on infrastructure vulnerabilities, threats, impacts and protective measures. Furthermore, it is
important to mention the underlying effort in developing common standards for data supply and
publication, along with data provision agreements and rigorous information exchange policies.
The benefits of implementing a multi-stakeholder contingency planning process are numerous, among
which, readiness and availability of resources (notably human and material), a tested mechanism for
rapid decision making involving several partners, targeted to address complex contingencies, added
value in terms of flexibility and focused effort, access to joint knowledge and expertise.
It should be also mentioned that these processes are dynamic in nature, requiring effort on monitoring
and maintenance, as well as on providing continuity to the process. There is however a danger, for
instance in the case of multiple staff changes, that the process could cease and fail through neglect.
Constant support from senior and executive management and robust procedures for feedback and
maintenance are vital to the successful implementation of such schemes.
7.4
The electric power sector in Europe is undergoing a series of very important changes which have strong
impact on power system security. Current regulatory developments in the electricity sector are mainly
focused on market based mechanisms, such as congestion management and inter-TSO compensation
mechanisms. However, topics such as congestion management have a strong impact on both power
system security and market liquidity. The requirement for market-based solutions to cross-border
congestion management was introduced by Regulation n. 1228/2003, and restricts the choice of eligible
methods to implicit auctions/market splitting and explicit auctions.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
This means that TSOs are responsible for ensuring that capacity allocation complies with security
requirements and for defining power transfer distributions which are consistent with the appropriate
security standards, i.e. maximising available cross-border transmission capacity without compromising
system security. Within this perspective, and with the aim to support collaboration and coordination
between operators, the EtsoVista Transparency Platform has been launched in 2006 and further
expanded in 2008 to include information on balance area profile and network capacity. This process can
therefore serve as a means to support risk assessment at interconnectors. Although the scope of the
information currently shared is limited with respect to security issues, this ongoing process can serve as
a basis to implement wider collaborative processes, also including a focus on system security.
Furthermore, security issues at the wider European level were addressed by ERGEG in the 2008
Guidelines of Good Practice for Operational Security, by focusing on how technical rules and operational
procedures could work at a regional level to address interconnectivity issues, without specifying
however implementation details. The document covers four areas, namely:
The focus is mainly on information exchange among TSOs, regarding operational experiences, data
relevant to the secure operation of the power system, commercial data, information on specific
methods applied e.g. to calculate capacity, outcomes of contingency analyses, etc. This exchange of
information would also include regular joint training between operators to improve the knowledge on
the characteristics of neighbouring grids, along with overall communication and coordination. The
guidelines also envisage a common monitoring system for increased efficiency in disturbance prevention
and system defence in cases of disturbed conditions.
These regulatory attempts targeted at the electricity sector illustrate a wider effort to guide current
approaches addressing complex risks in the energy sector, namely through partnership agreements and
collaborative efforts involving many stakeholders. This includes an overall effort engaging the many
actors in the field to formalise good cooperation and targeted mechanisms and procedures aimed to
address interdependencies from a system-wide perspective.
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies
8 Conclusion
This document presents some candidate principles for the wide adoption of risk assessment and
contingency planning approaches in the energy sector in order to contribute to enhance the resilience
level of the interconnected energy networks. It is also foreseen that the wide adoption of similar risk
management practices across the energy sectors would have some benefits in terms of interoperability
of practices and overall efficiency of the security and resilience posture of the whole sector.
This positive contribution should be achieved in two ways.
First by enhancing risk management practices in the energy industry through the implementation of Risk
Assessment and Contingency Planning at the level of each operator. This has the benefit of providing
operators with a clear reference on which aspects they have to consider and through which process. In
this way, it provides a good aid and benchmark to the risk managers and operations managers when
asking themselves the question Have I covered everything? which is one of the most common worries
for these often lonely positions.
Then by providing some mechanisms to develop these risk management practices on larger scopes of
applicability including multi-stakeholders and interconnected energy infrastructures.
This first version of the EURACOM methodology for holistic, all hazard and combined approaches to Risk
Assessment and Contingency Planning will then be put to discussion in the EURACOM community
through 6 workshops gathering experts from the Industry sub sectors of oil, gas and electricity and also
their regulators and associated national institutions.
The result of these exchanges will allow improving the EURACOM methodology in a subsequent version
which will be one of the main results of the EURACOM project.