Risk Management for Critical Infrastructure Protection (CIP)
Challenges, Best Practices & Tools
Eyal Adar
Founder and CEO – iTcon
Eyal@itcon-ltd.com
Abstract
Risk Management (RM) has become increasingly
important in dealing with Information and IT security
over the past several years.
This article aims at discussing the major
challenges facing Critical Infrastructure Protection
(CIP) RM, and outlines several methods and best
practice guidelines that can be used to cope with it,
including:
• Creating a RM framework and RM
measurement criteria
• Usage of advanced Risk Analysis (RA)
methods, and adoption of CIP models that can be used
for RA
• Development and implementation of RM tools
Use of RM tools can play a major role in this process,
as it can raise the efficiency of RM activities, and
decrease reliance on any individual RA specialist’s
knowledge. The contribution of such tools is even
greater, when dealing with Critical Infrastructures; as
it is very difficult for a single specialist to cope with
the diversity and complexity of CIP Risk Assessment.
1. Introduction
Over the past few years, Risk Management (RM)
has become increasingly important in dealing with
Information and IT security.
The growing number of IT security threats,
malicious intentions, and attack capabilities of hostile
Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
Andreas Wuchner
Global IT Security Officer – Novartis
Andreas.Wuchner@novartis.com
elements has made RM an extremely important subject
for organizations. IT infrastructure has become
increasingly complex and vulnerable, and exposure to
internal or external security incidents, whether they
may have been intentional or unintentional, cannot be
accepted by any organization. Security measures,
therefore, need to derive from focused and efficient
implementation of RM.
Resultantly, the risk management process has
become a major force, driving: creation of information
security strategies, build of security road maps,
prioritization of activities, and selection of safeguards.
This approach is significantly strengthened by the
need to integrate new regulatory standards, such as
Sarbanes Oxley and Basel II, which focuses on
reducing business, operational, and IT risks, and in
treating RM as an enterprise-wide process, rather than
as a single isolated activity.
RM also assists in overcoming one of the main
limitations of Information Security: The ability to
justify Return On Investment (ROI) through financial
profit. The concept of identifying and reducing risks,
i.e. preventing potential losses, is the closest we can
come to indirectly substituting the ROI model.
Therefore, the scope of security RM has been
broadened. RM can be viewed through different lenses
and levels within the organization. At the enterprise
level, departmental level, infrastructure levels and
even by evaluating RM at the level of a single IT
component.
Additionally, RA is often performed by evaluators
who come from different disciplines. This includes:
 Information Security, IT Security, Internal Audit,
Privacy, External Regulations, and so forth.
The limitations inherent in RM as it is currently
being practiced, derive to a large extent from the fact,
that despite the growing need for a solution and
increasing complexity of the processes involved,
usually, RM activities are still performed in a
decentralized manner. Different RM activities within
large enterprises, are often un-coordinated and only
partially congruent, and decision processes are
predominantly influenced by local knowledge and the
"gut feeling" of the specialist on hand. This "pen and
paper" effort might sometimes result in the creation of
a document that its findings may remain unattended,
as often there is no process in place to assure the
completion of all the risk mitigation activities.
These limitations become even more critical when
dealing with CIP RM. Here the level of complexity is
significantly greater and there is a need to deliver a
comprehensive RM approach that takes into account
all the different Critical Infrastructure aspects, and not
just the information layer.
In this article we discuss the major challenges
facing CIP RM, and we outline several best practice
methods of coping with it. This includes:
• Creating an RM framework and establishing
suitable RM measurement criteria
• Usage of advanced Risk Assessment (RA)
methods, including adoption of appropriate CIP
models that can be used for RA
• Development and implementation of RM
tools
Use of RM tools can play a major role in this
process, as it can raise the efficiency of RM activities,
and decrease reliance on any individual RA
specialist’s knowledge. The contribution of such tools
is even greater, when dealing with Critical
Infrastructures, and could even be critical for
successful Risk Management. As, it is very unlikely
that a single specialist will be able to cope with the
diversity and complexity of information required to
properly conduct CIP risk assessment.
Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
2. CIP: Risk Management Challenges
2.1 The Nature of CIP
Critical Infrastructure Protection is a new field,
posing a complex set of requirements upon security
assessment. To protect critical infrastructures, a
comprehensive approach is needed.
The success of RA to a large part depends on
considering the unique aspects of each infrastructure.
Manufacturing electricity is unlike supplying
communication, or e-Government services. The key
processes involved in each Critical Infrastructure
needs to be studied and their unique vulnerabilities
identified.
This approach is very different from most of the
analysis methodologies used today, which focus
mainly on Information and IT security. Here they are
by contrast regarded as closed environments detached
from their surroundings.
2.2 Growth in Organizational Complexity
The complexity of organizational structures and
information systems within multi-national enterprises
has progressively been increasing over time.
Key business processes may take place in
different countries, and may use very different systems
and technologies. Each component involved in the
process may be capable of influencing the entire
process. Risk Management in a distributed
organization, however, must focus on the entire
sequence of business activities, as well as on every
individual component along the process chain.
As a result, the RM specialist must be intimately
familiar with numerous environments, systems and
technologies, in order to perform his task well. He
needs to be able to think flexibly and must possess the
ability to correlate findings from diverse knowledge
areas.
2.3 Dynamic Aspects of Risk
A risk can be defined as any event that may result
in a missed business objective. In today’s economy,
 one’s only guarantee is ‘guaranteed business change’.
With this principle in mind, it becomes self evident
that RM cannot be static. Properly managed RM is an
ongoing activity that facilitates and allows the
business process owner to control and manage his
exposures.
Every existing risk cannot be prevented.
However, prior knowledge will allow the owner of the
business process to make informed decisions. With
preventive measures in place the owner may be able to
avoid or reduce exposure to existing risks. It may even
be possible to transfer the risk burden to an insurance
company. Some potential risks may just not be critical
enough, while others may just be too expensive to
cover, when they are put against the impact of the
possible losses involved.
2.4 Need for Compliance
Organizations use various types of media (such
as: computers, computer networks, tapes, disks, paper,
etc.), to store their information. This information can
be divulged via fax, mail or even simply verbally. RM
with regard to information is a very old discipline, and
most organizations are well aware of the processes
needed to maintain their CIA (Confidentiality,
Integrity and Availability) classification.
Compliance with existing regulations is a key
requirement in organizations supervised by
governmental agencies, such as the FDA (Food and
Drug Administration). Following the Enron and MCI
cases, government agencies are continuously issuing
new laws and directives (e.g., Sarbanes Oxley) that
additional industries must comply with. In the past,
CIA was the basis of business impact analysis, with an
emphasis on confidentiality. New laws and
regulations, however, added a fourth dimension,
Compliance. The serious implication that may result
from non-compliance, including imposition of heavy
penalties, poses a heavy potential burden on
organizations.
2.5 Efficiency and Cost Effectiveness
The main challenge facing the information
security arena is how to achieve more for less. Many
organizations view information security simply as
"extensive expenditure", rather than as a business
enabler. Consequently, despite increasing levels of
Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
complexity within environments requiring protection,
and the number of increasing threats being posed,
there hasn't been a comparable increase in information
security budgets.
Information security needs to be more efficient,
but not at the expense of reduced protection levels. It
needs to provide an optimal and cost-effective security
solution through appropriate use of RM.
2.6 Human Factors
The major RM challenges facing organizations
described earlier, combined with the fact that at
present RM processes to a large extent depend on the
experience of the individual RM specialist, leads to the
conclusion that there is a need for highly skilled
specialists meeting industry benchmarks and objective
criteria, to perform this task. Those individuals must
have a broad understanding of a diverse range of
subjects (e.g., information security, security standards
and government regulations, organizational processes,
systems’ architecture, plus other technologies), in
order to carry out a thorough RA.
The main problem is that specialists in a field
such as this are either very costly to hire, or extremely
difficult to find. Resultantly, performing a
comprehensive RA is a serious financial burden even
for medium to large sized organizations.
Furthermore, it is highly risky for organizations,
that sensitive RA processes, are to a large extent
dependent on the personal judgment, knowledge, and
gut feeling of the individual specialist. Therefore,
there is a need to offset subjective evaluations by
standardizing some of the more complex decision
making processes.
3. Adopting Best Practices to Defeat
Chaos
3.1 Framework and Measurements
Building a global RM framework, and efficiently
measuring its accomplishments, is one of the key
ingredients in successful RM.
The framework should centralize all RM activities
within the organization. This centralized approach is
 important for achieving gapless risk coverage, and for
preventing an overlap of activities. Central
coordination and prioritization of RA objectives, will
lead towards cost effectiveness and efficiency.
For example, creating a central RM know-how
center will also significantly assist RM specialists in
their work.
Figure 1. An Example Depicting Typical RM Lifecycle
Success of the framework will largely depend on
measurement criteria being used, and its effectiveness
in measuring the contribution of the framework to the
organization.
Primary objectives of measurement criteria are:
• Clearly defining business driven objectives
• Creating a roadmap and activity plans
• Integrating management expectations
• Assimilating RM activities within
organization
• Risk identification and mitigation
• Compliance with regulations and standards
• Reporting and escalating process
• Periodic "current status" evaluations
• Means of analysis of efficiency and cost-
effectiveness
Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
The RM framework should cover all the RM
lifecycle phases, and clearly define responsibilities for
each phase. A vague definition of responsibilities is
likely to result in a vicious cycle, whereby a document
waits on the shelf, and the next document joins it, a
few months later.
3.2 Advanced RA Methods
RA methods designed for complex organization
and systems must be integrated within the RM
frameworks of large Critical Infrastructures.
Since the RA field is not yet fully standardized,
and different RA methods cover different RA aspects,
it is important to pre-select the RA method that is
suitable for the specific needs of the organization.
the Following are some examples of several leading
RA methods:
• Common Criteria for Information
Technology Security Evaluation (CC 2.1)1: This
method is based on the International Standard
ISO/IEC 15408:1999. It is meant to be used for
security evaluation of IT products and systems. The
CC is useful for development of products and for
1
http://niap.nist.gov/cc-scheme/index.html
 procurement of commercial products and systems. The
CC addresses neither the evaluation methodology nor
the administrative and legal framework, however, it
could be used for such evaluation purposes.
• Operationally Critical Threat, Asset, and
Vulnerability Evaluation (OCTAVE®)2: The
Octave approach is a systematic way for an
organization to address its information security risks,
sorting through the complex web of organizational and
technological issues. The OCTAVE approach includes
a set of criteria that defines the requirements for a
comprehensive, self-directed information security risk
evaluation, and a set of methods consistent with the
criteria. Octave was developed by Software
Engineering Institute at Carnegie Mellon University.
• Consultative, Objective and Bi-functional
Risk Analysis (COBRA)3: The COBRA approach
consists of a range of risk analysis, consultative and
security review tools. These were developed largely in
recognition of the changing nature of IT and security,
and the demands placed by business upon these areas.
It is BS7799 compatible.
• End to End Security Assessment
(EESA™)4: EESA deals with Critical Information
Infrastructure Protection (CIIP). It analyzes the
“Security Quality of Service” (SQOS) along the path
of critical processes within a business environment or
system and evaluates whether the security mechanisms
along it, are adequate for protecting against likely
threats. The uniqueness of EESA lies in the fact that
the analysis covers both strategic issues as well as very
detailed technical security design issues. Ranging from
business layer to IT layers, it provides an
interdisciplinary, business oriented assessment
method.
3.3 CIP Models That Can be Used for RA
Today, most RA methods mainly focus on
information systems, which they treat as isolated
entities.
Integration of some of the leading CIP models
within RA methodologies is critical if specific CIP
needs are to be met. This includes CIP models, such
as: CIP layers, implications resulting from
dependencies between layers, and the multi-
2
http://www.cert.org/octave/
3
http://www.riskworld.net/
4
http://www.iabg.de/acip/doc/ergebnisse_workshop_2002_12_brue
ssel/EESA-basics.pdf
Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
dimensional vector of an incident’s impact. These
models are described in the paper entitled “Summary
of the Cross Connections Between WP6
Deliverables”, published in the ACIP project, by Mr.
Walter Scmitz, IABG,5 which dealt with the creation
of the European roadmap for CIP analysis and
assessment research.
3.4 Critical Infrastructure Layers
Understanding the various risks associated with
Critical Infrastructures requires an understanding of
the four basic infrastructure layers. This includes:
• Business/Strategic Layer: This involves
central business processes and the implications of their
protection.
• Organizational Layer: The organization, its
structure, procedures, and human behavior aspects.
• Cyber Layer: Data, communication and
information systems, including management systems
for the physical layer. For example, Supervisory
Control and Data Acquisition (SCADA).
• Physical Layer: Physical devices (e.g., in the
electricity infrastructure: the generators, breakers, and
cables).
3.5 Dependency Between Layers
In order to evaluate Critical Infrastructures, each
layer needs to be evaluated, and the impact security
incidents may have upon it, analyzed. The underlying
mechanisms affecting security between layers, and the
implications resulting from an incident occurring in
one layer and affecting other layers (intra-
dependency), should be analyzed as well. Finally,
there is a need to involve understanding the manner in
which an incident taking place in one infrastructure,
may impact upon other infrastructures (inter-
dependency).
5
http://www.iabg.de/acip/doc/wp6/D61_summary.pdf
 Figure 2. Dependency Between CIP Layers

However, the impact of an incident within a

3.6 Multi-Dimensional Impact Vectors complex infrastructure might have several dimensions.
Figure 3 illustrates the effect of a multi-dimensional
impact upon critical infrastructures. This should also
Another important aspect is the need to examine be incorporated within analysis processes.
the various implications of an incident. Most RA
methods relate to the effect of an incident as having
either a ‘0’ (negative) or a ‘1’ (positive) value.

Figure 3. Multi-Dimensional Security Incident Impact Vectors

Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
 3.7 Development and Implementation of RM
Tools
Tools for RA and RM are a developing field.
Over the next few years, as risk analysis activity is
increasingly centralized, the use of tools to automate
this process will undoubtedly also increase.
Some potential benefits of RM tools are:
• Optimization of resource management and
budgeting by automating processes. This includes the
usage of predefined templates and report generators.
• Optimization of IT security spending through
efficient identification of risk areas.
• Providing a computerized methodology that
increases the ability of handling large, complex
systems – that a "one-man" approach would have
difficulty coping with.
• Providing centralized management and
measurement capabilities, for the RM processes within
the entire organization.
• Improve policy and regulation compliance
processes, by creating compliance workflows,
throughout the organization.
• Allow some RA tasks to be delegated to non-
security experts, thus covering more security areas
with fewer professional resources.
• Provide a comprehensive computerized
methodology that reduces the need to rely on
subjective knowledge and gut feelings.
At present, the first generation of tools is very
limited. They focus mainly on RA, and provide only
basic RM capabilities. However, this might change.
Existing tools are to a large extent questionnaire-
based and only aid in the process of risk management
within large organizations. They use asset mapping,
whereby a range of values is assigned to the
organization’s assets, and each of these is evaluated
for compliance with different industry standards. For
example, financial services are evaluated for
compliance with the Sarbanes Oxley Act, data services
in the Health industry with HIPAA compliance, etc.
By automating and formalizing the risk
management process, the organization can benefit in
terms of efficiency, but with tool capabilities as they
exist today, they are unable to provide an accurate
appraisal of the inherent cross boundary security risks
within organizations or across disciplines which
decision makers can effectively make use of.
Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
Some tools, try to calculate risk probabilities and
risk rates by using a variety of risk analysis formulas
such as ALE (Annual Loss Expectancy), and financial
metrics. Their scope is however limited, since there is
little ability within the organizations to actually
provide the data necessary to quantify these metrics.
Other products also maintain databases that store
large amounts of information concerning threats,
vulnerabilities and countermeasures. Although, this
reduces the amount of time (and of expert personnel)
required to research the information for the risk
assessment process, the tools that implement this still
focus on the single IT component and not on all the
CIP processes.
Developing the next generation of Risk
Management tools will probably change the Risk
Management environment in medium to large sized
organizations. Each security officer will have an RM
tool on his desk, to assist him in dealing with the full
range of RM activities within the organization. An
interesting example of such tool under development is
the White Cyber Knight™6, which will provide a
comprehensive approach towards risk management in
large organizations.
White Cyber Knight™ is an expert RM system.
The tool is designed for CIP, with an emphasis on
Critical Information Infrastructure Protection (CIIP).
The tool is based on an advanced RA engine. It is
capable of providing a comprehensive Risk Map, that
is driven by a wide variety of aspects, affecting
organizations security. This includes: human behavior,
policies and regulations, critical business processes,
architecture of IT systems, and technical
vulnerabilities, among others. The tool it designed to
meet RM needs in large organizations, but can
effectively be used by medium-sized organizations as
well. It provides the ability to manage security risks in
distributed environments, to follow-up risk mitigation
activities, and finally, allows the Chief Security
Officer (CSO ) and the IT manager to measure their
success over time.
Use of RM tools such as this can play a major role
in the RM process, since it can raise the efficiency of
RM activities, and decrease reliance on any individual
risk analyst’s knowledge. The contribution of such
tools is even greater, when dealing with Complex
Critical Infrastructures, as it is highly unlikely any
6
http://www.whitecyberknight.com
 single specialist is able to cope with the diversity and
complexity of CIP risk assessment requirements.
However, use of RM tools, cannot exist in a
vacuum. They will be possible only within a strong
global RM framework and suitable measurement
criteria on which to be based. It would furthermore
require use of advanced RA methods, plus CIP models
that can be used for RA.
These elements are interdependent, and only by
selectively combining their best features can a
successful RM campaign be instituted, and to
adequately face the challenges of an ever changing
and ever demanding security risk environment.
References:
[1] Greg Miles, Russ Rogers, Ed Fuller, Matthew Paul
Hoagberg and Ted Dykstra, "Security Assessment, Case
Studies for Implementing the NSA IAM",Syngress
Publishing, ISBN: 1-932266-96-8
Proceedings of the 2005 First IEEE International Workshop on Critical Infrastructure Protection (IWCIP’05)
0-7695-2426-5/05 $20.00 © 2005 IEEE
[2[Anthony H. Cordseman, “Cyber-Threats, Information
Warfare, and Critical Infrastructure Protection,” Library of
Congress, 2002
[3] Professor Heinz Thielmann, Eyal Adar, "End to End
Security Assessment Für CIP", Digma magazine June 2004.
See: http://www.digma.info
[4] Bernhard M. Hämmerli, Eric Luiijf, Willi Stein, Eyal
Adar, "ECN, European CIIP Newsletter".
See: http://www.ci2rco.org/
[5] Dunn Myriam, Isabelle Wigert,
"The International CIIP Handbook 2004"
See: http://www.isn.ethz.ch/crn/
[6] EU-US collaboration team for CIP. See:
http://www.eecs.berkeley.edu/CIP/US-EU/agenda.html
[7] Sandro Bologna, Ruaridh Macdonald,,
"Advanced Modeling and Simulation Methods and
Tools for Critical infrastructure Protection", ACIP project,
See: http://www.iabg.de/acip/doc/wp4/D4_5_v0_1_RM.pdf