Business

Continuity
&
Emergency
Planning
Volume Four - - -
HEN RY
STEWA RT
PUBLICATIONS
Developing measurement indices to
enhance protection and resilience of
critical infrastructure and key resources
Ronald E. Fisher* and Michael Norman**
Received: 1st June, 2010
Decision and Information Sciences Division, Argonne National Laboratory, 9700 South
Cass Avenue, Bldg 203, Argonne, IL 60439, USA
Tel: +1 (630) 252 3508; E-mail: refisher@anl.gov
"Department of Homeland Security, Office of Infrastructure Protection, Protective Security
Coordination Division, Washington, DC 20598-0612, USA
Tel: +1 (703) 235 5765; E-mail: michael.norman@hq.dhs.gov
Ronald E. Fisher is the Deputy Director of
Argonne National Laboratory's Infrastructure
Assurance Center. His responsibilities include
providing technical support in many areas of crit
ical infrastructure assurance to the US
Department of Homeland Security (DHS), US
Department of Energy and US Department of
Defense. He currently serves as the Infrastructure
Assurance Center coordinator for the DHS Office
of Infrastructure Protection support activities,
which include conducting field assessments,
developing vulnerability assessment methodol
ogy, providing risk analysis and aligning DHS
products with the National Infrastructure
Protection Plan. Mr Fisher served as a senior
consultant to the National Petroleum Council and
to the President's Commission on Critical
Infrastructure Protection. Mr Fisher is the author
of more than 100 reports and has multiple copy
rights/trade marks on software inventions.
Michael Norman has been the Field Operations
Branch Chief and the Program Manager for the
DHS Protective Security Advisor (PSA) pro
gramme since January 2008. Mr Norman is
responsible for all of the programmatic planning,
training, budgeting and operational support for
93 PSAs and supervisory PSAs deployed across
50 states and six territories. He is the DHS lead
for the Office for Bombing Prevention and the
Journal of Business Continuity & Emergency Planning Volume 4 Number 3
Vulnerability Assessments Branch, responsible
for the vulnerability assessments of the nation's
most critical infrastructure and key resources
(CIKR) and the execution of the $50m per year
Buffer Zone Protection grant programme. He is
also responsible for developing plans to imple
ment multiple CIKR national protection pro
grammes, providing deployable teams and
resources to assist with the protection and
restoration efforts for the nation's most critical
CIKR. Mr Norman joined DHS in 2004 and
started as the Program Manager in the Office of
Intelligence and Analysis. Prior to joining DHS,
he served on the Army Staff supporting person
nel recovery operations for forces deployed from
Joint Special Operations Command. In addition,
he served as the Physical Security Officer for
Kosovo with the US Department of State and as
a marine for 13 years in both reconnaissance
and force reconnaissance units.
ABSTRACT
The US Department oj Homeland Security
(DHS) is developing indices to better assist in
the risk management oj critical inJrastructures.
T7u first oj these indices is the Protective
Measures Index - a quantitative index that
measures overall protection across compol/mt
categories: physical security, security manage
ment, security Jorce, iriforrnation sharing, protec
j Ollrn,iI of
&. EJIll'fgl"lKY Pbllning
Vol. 4 No. j,pp. 191-21)6
Henry Stc:wan PublicrHlOIl'i,
17-t<J- l)2 1(J
Developing measurement Indices
tive measures and depmdencies. The Protectipe
Measures Index, which can also be recalculated
as the Index, is a way to compare
differing protective measures (eg fence llersus
security training). The second of these indices is
the Resilience Index, which assesses a site's
resilience and consists of three primary compo
11 e/1. ts : robustness, resourcifuln.ess and recovery.
The third index is the Criticality Index, which
assesses the importance of a facility. The
Criticality lt1dex il1Cludes economic, human,
govemance and mass evacuation impacts. The
Protective lV!easures Index, Resilience Index
and Criticality Index are beil1g developed as
part of the Enhanced Critical Infrastructure
Protection initiative that DHS protective secu
rity advisers implement across the nation at crit
ical facilities. This paper describes two core
themes: determination of the vulnerabilil)"
resilience and criticality of a facility Q/1d compar
ison of the indices at different facili ties.
Keywords: critical infrastructure protec
tion, vulnerability assessment,
resilience assessment, criticality
assessment
INTRODUCTION
This paper provides an overview of the
collaborative approach being developed by
the US Department of Homeland
Security (DHS) and Argonne National
Laboratory (Argonne) to estimate the pro
tective measures, resilience and criticality
of facilities and to provide comparisons t()\"
sectors and subsectors. The information
assists DHS in analysing existing security
measures at facilities, identifYi.ng potential
ways to reduce vulnerability and criticality,
and improve resilience. The indices also
allow comparison of like facilities (eg
commercial buildings to other commercial
bui.1dings) to provide owners/ operators
\'lith an indication of the security strengths
and weaknesses that contribute to the vul
nerability, protection posture and resilience
of their f.Kilities in relation to other like
facilities nationwide. Information is pro
vided via a 'dashboard' dispby that allows
the owner/operator to analyse the imple
mentJtion of Jdditional measures and their
impJct Oil the facility's Protective
Measures Index, Resilience Index and
riticality Index.
The ultimate goal of the DHS
Enhanced Critical Infrastructure
Protection (EClP) programme is to pro
vide insightful information to owners and
operators to help them make better
informed risk management decisions (eg
regarding physical security, business conti
nuity and emergency management). In
addition, DHS uses the data collected
during the ECIP visits to support risk
reduction investment parameters and
processes; identify gaps that require addi
tional programmes, activities and functions
to mitigate; and understand and inform
the national risk picture through detailed
analysis. DHS lIses the information during
steady-state operations and activities and
during times of increased threat and/or
hazard to critical infrastructure and key
resources (CIKR).
ECIP PROGRAMME
Critical inti-astructures are the assets, sys
tems and networks, whether physical or
virtual, deemed so vital to the USA that
their incapacitation or destruction would
have a debilitating effect on security,
national economic security, public health
and/or safety.] Key resources are the pub
licly or privately controlled resources
essential to the minimal operations of the
economy and government. The term 'crit
ical infrastructures and key resources
encompasses dil:erent industry sectors. At
present, DHS defines 18 sectors of CIKR.
Because critical inti'astructures are vital to
the functioning of civi.1 society, it is impor
tant to assure their resilience, decrease their
Page 192
Fisher and Norman
vulnerabilities and reduce the negative
consequences resulting from their
failure(s). Efforts to enhance the protection
of critical infrastructures began in 1996,
with the establishment of the President's
Commission on Critical Infrastructure
Protection.
2
In 2003, the National Strategy
for the Physical Protection of Critical
Infrastructures and Key Assets defined the
basis of the national policy by identifying
the national goals, objectives and principles
that underpin the efforts to secure critical
infrastructure facilities .
J
This strategy was
further defined in December 2003 by
Homeland Security Presidential Directive
7, which established a national policy for
federal departments and agencies. The goal
was to identify and prioritise the critical
infrastructures and to protect them from
terrorist attacks. The directive delivers
policy statements and defines the roles of
federal, state and local agencies.
4
In 2009, the updated National
Infrastructure Protection Plan was estab
lished to build a safer, more secure and
more resilient country by preventing,
deterring, neutralising or mitigating the
effects of deliberate efforts by terrorists to
destroy, incapacitate or exploit elements of
the nation's CIKR. The objective was to
strengthen national preparedness, and plan
for a timely response and rapid recovery of
CIKR in the event of an attack, natural
disaster or other emergency.5 The
National Infrastructure Protection Plan
defines the roles and responsibilities of
authorities and the context for CIKR risk
management and actions to enhance pro
tection. The principal objectives are to:
understand and share information about
threats that could affect CIKR;
build partnerships to share information
about CIKR protection;
implement a long-term risk manage
ment programme that incorporates the
resilience of CIKR; and
maximise the efficient use of resources
for CIKR protection.
To achieve these objectives, the National
Infrastructure Protection Plan proposes a
methodology for assessing the risk by
characterising its major components (ie
vulnerability, resilience and criticality) in
order to propose comprehensive, cost
effective and coordinated programmes to
manage the resiliencies and the vulnerabil
ities of critical infrastructures. The
National Infrastructure Protection Plan
defines risk as a function of threat, vulner
ability of and consequence of the failure of
a critical infrastructure facility. Included in
the consequences is the facility's resilience
to a potential threat or consequence.
The overall risk can be illustrated by
using a ' bowtie' representation of a process
hazard analysis. Originally developed to
assess chemical processes, the process
hazard analysis combines events and con
sequence trees and allows characterisation
of pre- and post-event elements.
6
This
representation is used to explain the rela
tionship bet\veen vulnerability, resilience
and criticality. Figure 1 shows how threat,
vulnerability, resilience and criticality
combine to determine the risk for a given
threat type. Vulnerability represents the
capability of the system to resist a threat.
This capability is directly linked to the
protective measures in place and the state
of the system when the threat occurs.
Resilience is also linked to the state of the
system. It represents the capability of the
system to avoid or reduce the conse
quences set in motion when a threat event
is successful. Criticality represents the
severity of the consequences to the facility,
the system and the community. Thus, the
bowtie scheme enables the entire spec
trum of risk to be represented for a spe
cific facility or system - from the threat
to the consequence - and allows expla
nation of the different types of measures
Developing measurement indices
Figure 1 The risk
bowtie
that can be used to manage this risk and to
reinforce the system.
Vulnerability and protective measures
For a given threat (manmade or natural),
the vulnerability of an entity (system)
determines the likelihood of a successful
attack. Low vulnerability implies a lower
sensitivity to a specific threat, either
because protections against the threat are
substantial or the consequences from the
threat are small . For example, consider as
an illustration a tank in a facility contain
ing pressurised propane, and the threat that
an electrical short circuit in the facility
could lead to a fire that ultimately affects
the propane tank. The facility's vulnerabil
ity with respect to a threat against the tank
can be attributed to how a fire would
potentially afl'ect the propane tank. To
manage this vulnerability, different protec
tive measures can be employed, such as
automatic sprinklers, a fire-resistant pro
tective area for the tank, surveillance and
control measures, and proper maintenance
of the electrical system. These protective
measures mitigate the threat. If the protec
tive measures deployed are not sufficient, a
short circuit can generate a fire, affecting
Preparation/Mitigation Response/Recovery
Resilience
Vulnerability Criticality
Manmade
Threats
i
I i
l
I
~ ~
Natural
Economic Impacts
~ !
: ~ t
: ~
HUman Impacts
Consequences
Governance Impacts
,
,
Mal. Evacuations
the tank and ultimately leading to a boil
ing liquid expanding vapour explosion,
which will constitute an 'event' in the
bowtie diagram (Figure 1) .
Resilience
Assuming that the event occurs, the conse
quences would be expected to be on a
smaller scale if the tanklfacility had a high
level of resilience. Resilience is deter
mined by:
preparation;
response; and
recovery
Good preparation reduces the conse
quences related to the explosion of the
tank. Preparation is related to the training
and exercises conducted at the facility and
the training of fire-fighters responding to
the explosion, as well as protective meas
ures that reduce consequences. These pro
tective measures can be as diverse as a plan
to evacuate the facility or structural meas
ures (eg tank enclosure, buffer zone from
populated areas or window blast film) that
mitigate projectiles launched by the tank
explosion.
Page 194
Fisher and Norman
Preparation also depends on imple
menting new protective measures and pos
sessing the ability to respond to and restore
operations at the facility after a boiling
liquid expanding vapour explosion. This
preparedness includes reducing the time it
takes to respond and restore, as well as
addressing specific needs for reinforcing
the system. This system reinforcement
plan can include negotiating special agree
ments with providers of critical resources
or establishing interoperable commUOlca
tion with first-responders.
Criticality
The last risk component, criticality,
accounts for the severity of the conse
quences for the entity. Criticality is
directly related to the importance of the
facility to a system and its environment
when considering a specific event and the
impact of the loss of that facility. To
analyse risk in its en tirety, a methodology
is needed that considers the vulnerability
(via the protective measures), resilience
and criticality of the facility.
PROPOSED METHODOLOGY
Enhancing protection of critical infra
structures requires a comprehensive
method of analysis and assessment. The
risk and characteristics of critical infra
structures evolve over time. Thus, it is
important to capture this evolution and
analyse the interaction between critical
infrastructures and their environment. It is
important to consider specific critical
infrastructures, their components and the
interactions among networks in daily
operations, as well as emergency manage
ment following a crisis. This assessment
needs to be proactive to promote anticipa
tion of and preparation for possible failures
and/ or consequences. The main objective
is not to predict the unpredictable but to
better understand the relationship
between critical infrastructures and their
environment and to better react during a
crisis or unanticipated event. To accom
plish this objective, the approach must
consider both critical infrastructures and
their environment (whjch is the context of
the study) and analyse components of risk
(ie vulnerability, resilience and criticality).
A given type of critical infrastructure
facility is typically vulnerable to different
threats, and the different threat types can
generate, if successful, different conse
quences. In that context, at least three dif
ferent indices can be developed to
characterise the risks related to a specific
critical infrastructure. The first is the
Protective Measures Index, which consid
ers the resistance of a critical infrastructure
against a particular threat. The inverse of
the Protective Measures Index is the
Vulnerability Index, assuming that the lack
of protective measures decreases resistance
and increases vulnerabiJity to a particular
threat. These terms are used interchange
ably in this paper. The second index is the
Resilience Index, which seeks to deter
mine the ability of the system to withstand
the impact from a specific threat and to
return to normal after degradation. The
third index is the Criticality Index, which
allows the definition of the consequences
of the loss of the critical infrastructure's
function to the facility and its environ
ment. By combining these three types of
assessment, a more comprehensive approx
imation of risk is obtained that integrates
threats, vulnerabilities, consequences and
resilience related to a specific facility
(Figure 2).
The first step of the proposed method
ology consists of collecting data that will
be used to assess the different risk compo
nents . In a second step, the assessment of
vulnerabilities, consequences and
resiJience can be performed in parallel to
determine indices that are combined to
define an overall risk index for each criti
Figure 2 Global
methodology of risk Data collection
assessment
JJ JJ JJ
Vulnerability
analysis
Vulnerability Resiliency
index index
Resilience
analysis
Consequences
analysis
Criticality
index
Combination of indices
JJ
Risk
index
~
cal infrastructure. The difFerent steps of the
general methodology are described in the
following sections.
Data collection
Argonne developed a tool to be used in
conjunction with the ECIP visit to sup
port the comparison of CIKR in terms of
vulnerabilities, resilience, consequences
and ultimately risk. The Infrastructure
Survey Tool is a survey that consists of
more than 1,500 variables. This survey
allows analysts to collect, within a limited
timeframe (typically 4-8 hours), the perti
nent information that will help charac
terise a facility. The Infi-astructure Survey
Tool is llsed for a wide range of CIKR
facilities, including commercial buildings,
electrical substations and dams. Using the
data collected, analysts develop indices to
allow companson of vulnerability,
resilience and criticality across CIKR
facilities. Analysis of the data reveals ways
to enhance the security posture of the
facility, such as by improving business con
tinuity, implementing measures to reduce
the facility's vulnerabilities and improvlOg
resilience.
Determination of the Protective
Measures (or Vulnerability) Index
The Protective Measures Index provides a
sum.mary value of the protective measures
in place at the facility on the basis of data
H1 the Infrastructure Survey Tool.
Conversely, the Vulnerability Index pro-
Page 196
Table 1: Critical infrastructures and key resources sectors
l\ TO. Sector
B:mking and fmance
2 Chemica]
3 COllunercial facilities
4 ommunicarions
J Critical manufacturing
6 Dams
7 Defence industrial base
8 Emergency services
9 Energy
No. Sector
10 Food and agriculture
11 Government f<1cilities
12 Healthcare and public health
13 Information technology
14 National monuments and icons
15 Nuclear reactors, materials and waste
16 Postal and shipping
17 Transportation systems
18 Water
vides a summary value indicating a facil
ity's vulnerability. Vulnerabihty is deter
mined by physical features or operational
attributes that render an entity either open
to exploitation or susceptible to a given
hazard.
7
As such, the Vulnerability Index is
a representation of the entity's sensitivity
to a specific threat or a disruptive event.
The estimation of the Vulnerability Index
incorporates differing security postures for
the 18 CIKR sectors and their associated
subsectors (Table 1).
To develop the Vulnerability Index, one
works from its corresponding Protective
Measures Index. The Protective Measures
Index is the aggregation of three levels of
components that characterise the principal
elements contributing to protection (Table
2). The Protective Measures Index is the
aggregate of the following six level 1 com
ponents: physical security, security man
agement, protective measures assessment,
information sharing, security force and
dependencies. Each of the 42 level 2 sub
components, designated by the letters in
Table 2 (eg access control, fences and
gates), has its own Protective Measures
Index value. Each level 2 subcomponent
also has a number of contributors (level 3),
which are directly connected to the data
collected for the Infrastructure Survey
Tool (eg level 2 access control is made up
of consolidated access point control, iden
tification check process, card access control
systems, mail screening and suspicious
package procedures). 8
Each level 1 and level 2 item has been
weighted by an expert panel to represent
its relative importance in terms of its con
tribution to protection. The overall
Protective Measures Index consists of a
weighted sum of the six major compo
nents (Table 2), as shown in Equation 1:
6
PMI=LajXXj (1)
;=1
where:
a
j
Scaling constant (weight : a number
between 0 and 1) indicating the rela
tive importance of component ; of
the Protective Measures Index; and
Xj = Value of component of the
Protective Measures Index (eg physi
cal security, security management,
protective measures assessment, infor
mation shar ing, security force and
dependencies) .
The six weights (a
j
) in Equation 1 are
called level 1 weights and vary according
to the sector (or subsector) and threat. The
value of X
j
is referred to as the Protective
Measures Index for component i (eg Xl is
the Protective Measures Index for physical
Developing measurement indices
security) . The resulting Protective
Table 2: Components and
Measures Index score ranges from 0 (low
subcomponents of Protective Measures
protection) to 100 (high protection).
1. Physical security
a. Access control
b. Fences
c. Gates
d. Closed-circuit television
e. Intrusion detection system
f. Parking
g. Lighting
h. Vehicle control
l. Building envelope
2. Security ma/JasclI1en/
a, Business continuity plan
b. Security plan
c. Emergency action plan
d. Threat levels
e. Security information communication
f. sec urity exercises
g. Executive protection progLllllme
h. Security working groups
I. Sensitive information identified
J National security
k. Background checks
3. Pro/eclipe measures assessmer/t
a. New protective measures
b. Random secur ity measures
4. Il1formalion sha ril1g
a. Threat sources
b. Information-sharing mechanisms
5. Security force
a. Staffing
b. Equipment / weapons
c. Training
d. Post guidelines
e. Patrols
f. Random patrols
g. After-hours security
h. Checks recorded
i. Coml11Jnd 3nu control
j. Memoranda of
of
6. Depmilfl1cics
a. Critical products
b. Electricity
c. Inlormation technology
d. Natural gas
e. Telecomlllunications
f. Transportation
g. Water
h.
Figure 3 provides an example of a
Protective Measures Index comparison. A
facility can see where its value is relative to
the low, medium and high values for like
fa cilities (facilities in their respective sub
sector). These comparisons can be pro
vided for level 3 categories (eg fences),
level 2 categories (eg physical security)
and level 1 overall.
It is assumed that the Vulnerability
Index is the exact opposite of the
Protective Measures Index (ie the more
protected a 1cility, the less vulnerable it
is). When the Protective Measures Index is
low, the Vulnerability Index is high and
vice versa. When an action is taken that
increases protection of the facility or
entity, the Protective Measures Index goes
up and the Vulnerability Index goes down.
The Vulnerability Index therefore
ranges from 0 (low vulnerability) to 100
(high vulnerability). It is important to
note that a Vulnerability Index of 0 does
not mean the facility is not vulnerable.
Rather, this index represents the combina
tion of all protective measures, procedures
and policies identified within the ECIP
Illfi-astructure Survey Tool that result in
the lowest vulnerability ranking. Thus, the
Vulnerability Index is related to, but does
not correspond precisely with, the proba
bility of success for a given attack, which is
sometimes referred to as vulnerability.
Determination of the Resilience Index
The Resilience Index is a summary value
indicating a faciJity's resilience. The
National Infrastructure Advisory Council
has defined resilience as the ability to
reduce the magnitude and/or duration of
disruptive events. The etlectiveness of a
resilient infrastructure or enterprise
depends upon its ability to anticipate,
absorb, adapt to and/or rapidly recover
Page 198
Sector Sector Your Sector Figure 3 Example of
minimum average asset maximum
Protective
Measures Index
comparison
Il
11 11 I 11
0 100
Protective Measures Index (PMI)
from a potentially disruptive event.
9
The
resilience is thus a representation of the
capability of an entity to support a disrup
tive event and to avoid or reduce conse
quences. Similar to the Protective Measures
Index, in the proposed index an infrastruc
ture's resilience is composed of three levels.
Level 1 has three categories:
robflstness, which characterises the capa
bility of the system to resist a specific
event;
recovery, which characterises the capabil
ity of the system to recover after a crisis;
and
resOttrcejuiness, which characterises both
the current resources (eg training
and/ or planning) developed to support
the facility's robustness and new
resources to support the recovery of the
system.
The use of these three categories enables
analysts to view the resilience of a system
in terms of its anticipation of and its
capacity to absorb a disruptive event, as
well as its adaptation and recovery follow
ing a crisis. Each of these level 1 categories
is divided into subgroups (level 2) that
accollnt for different related elements. For
example, robustness combines the follow
ing level 2 components:
redundancy;
prevention; and
maintenance of key functions
Each of the subcomponents has a number
of contributors (level 3), which are directly
connected to the data collected using the
Infrastructure Survey Tool. For example,
the last level 2 item listed, maintenance of
key functions, combines four level 3
elements:
dependencies on external resources;
levels of acceptable degradation;
construction to mitigate impact; and
planning.
The Resilience Index is calculated by
aggregating the sub-indices successively by
each level. Each level has been weighted
by an expert panel to represent its relative
importance to each successive set of
resilience components. The Resilience
Index score ranges from 0 (low resilience)
to 100 (high resilience). As with the other
indexes, it is a relative measure. A high
Resilience Index does not mean that a
speciflc event will not affect the facility or
will not have some consequences. A low
Resilience Index does not mean that a dis
ruptive event will automatically lead to a
complete failure of the critical infrastruc
ture and to severe consequences. Like the
other indices, the Resilience Index is a
way to compare the level of preparation
and recovery of critical infrastructure facil
ities. To obtain a complete portrait of the
situation and to consider the different
steps of risk management (preparation,
mitigation, response and recovery), the
indices developed can be combined to
defme a Resilience Index for the studied
entity.
Determination of the Criticality Index
The Criticality Index provides a summary
value of a facility's criticality. As used in
the classic Failure Mode and Criticality
Analysis approach, the Criticality Index
combines a relative measure of the conse
quences of a failure mode and its fre
quency of occurrence.lO Next, the
consequence is determ.ined as a measure of
the magnitude of an event, incident or
occurrence.
11
Criticality represents the
repercussion(s) of the loss of function of an
entity on its environment. This repercus
sion can be estimated by determining the
Criticality Index. Although the methodol
ogy used to define the Criticality Index is
similar to that used to develop the
Protective Measures Index, there are only
two levels. Level 1 consists of five cate
gories that characterise the main elements
of criticality (based on the National
Infrastructure Protection Plan): 12
importance;
economic impact;
human impact;
governance impact; and
n1ass evacuation.
Level 2 comprises items within each of the
five level 1 categories. The five level 1 cat
egories help to characterise the conse
quences that would occur in the event of a
loss of function of a critical infiastructure
facility. The il1lpMtllllce is characterised by
combining the level of fUBctional degrada
tion at the facility following the event and
the amount of time that passes following
the event before the mission of the facility
is impacted aud the amount of time that
passes before the facility recovers after a
crisis. Analysts further characterise critical
ity by assessing impacts on the following
three level 1 groups: the population, the
economy and governance.
Each level 1 and level 2 component has
been weighted by an expert panel to
detenllinc the components' relative con
tributions to criticality. As in the case of
both the Protective Measures Index and
the Vulnerability Index, the Criticality
Index ranges from 0 (low criticality) to
100 (high criticality). A high criticality
score means that the loss of function can
lead to important impacts on society. Also
like the Vulnerability Index and the
Protective Measures Index, a Criticality
Index of 0 does not mean that the failure
of the critical infrastructure will be with
out consequences. Instead, it means that,
in a relative sense, the impact of its loss,
considering only the specific categories of
data drawn on in the Criticality Index,
will be lower compared with sites with
higher cri ticali ty.
Combining the indices: the Risk
Matrix
Different approaches can be used to com
bine the three indices developed. The first
relevant information that can be obtained
with these indice, is to combine two of
them to generate graphs that compare dif
fcrcnt facilities. Combining two indices
provides a first-glance method to analyse
data, support decisions and prioritise
actions. Figure 4 shows an example that
compares the protection and resilience
indices for 12 facilities.
Figure 4 shows that facility 12 has both
low resilience and low protection and
(other factors being equal) might be
deemed at highest risk. At the opposite
end, facility 9 has high Protective Measures
Index and Resilience Illdex scores, which
show that this facility, in comparison with
other f:lcilities, is at lower risk. Decisions
about assessing the other facilities need to
incorporate additional information; for
exal1lple, information about criticality or,
Pnge 200
Ie
\S
0
1
f
d
Y
0
Y
n
()
,e
y
'e
.
90
80
70
60
50
40
30
20
10
0

rl 11 H_
I:
'I

Ii
2"
II
-
,.;-
- - -

11-
m-
-
--
II -
-
-
--
r ;.....
,"""
11
- - - - - - - -
11 -
I'
- -
I
- -
II =
1""'
-
- - 11
r _
-
IS
11-
II
- -
i- j- j-
11 11 f
: 1 J,
1 2 3 4 5 6 7 8 9 1::) 11 12
Facilities
Fisher and Norman
Figure 4
Comparison of
Protective
Measures Index and
Resilience Index for
different facilities
PMI
RI
If
alternatively, about the relative tradeoffs
h between protection and resilience.
Evaluations remain difficult for all of the
combinations between the extremes of
facilities 9 and 12. A low resilience score
coupled with a high protection score or a
high resilience score coupled with a low
protection score can be completely accept
able. It depends on the context and objec
tives of the facilities' owners. It is also
difilcult to discriminate among facilities
with close combinations of Resilience
Index and Protective Measures Index
scores, as is the case, for example, with
facilities 6, 9 an.d 11. One way to remove
this uncertainty is to combine the three
developed indices (Figure 5).
Figure 5 shows the combination of the
three developed indices, making it easier
to discriminate among facilities 6, 9 and
11. Figure 4 confirms that facility 9 is the
best prepared, with low criticality, high
protection and high resilience. It is still
difficult to determine whether facility 6 or
facility 11 is better prepared because these
two facilities' combinations of Protective
Measures Index and Resilience Index
scores are close; however, because facility
11 has a higher criticality score than facil
ity 6, the decision to enhance and/ or
implement additional protective measures
for facility 11 before doing so for facility 6
appears to be the better decision. But this
type of representation does not really
allow identification of the best actions to
take to reduce risk. The guestion remains
- for a specific facility, is it better to act
on the basis of resilience, vulnerability
and / or criticality? To help answer such
guestions, matrix representations initially
developed for environmental impact
assessments or engineering risk assess
ments can be useful (Figure 6).
In Figure 6, using the inverse of the
Protective Measures Index, the
Vulnerability Index on the vertical axis
and the Resilience Index on the horizon
tal axis determine the matrix and define
four guadrants:
facilities in the upper left guadrant are
characterised by high vulnerability and
low resilience;
facilities in the lower left guadrant are
characterised by low vulnerability and
low resilience;
Figure 5
90
Comparison of
80
Protective
70
Measures Index,
Resilience Index 60
and Criticality Index
50
for different facilities
40
30
20
10 ",-
I-
0
1 2 3
-
-
-
-
I
!!
-
l-
l
4
f--
I-
I-
5
Facilities
n
I
I-
l-
I-
- -
I I -
6 7 8
t-
f-
r
'
9 10 11 12
. PMI
:-
RI
,...
-
-CI
....
l i
,
I-
facilities in the upper right quadrant are
characterised by high vulnerability and
high resilience;
facilities in the lower right quadrant are
characterised by low vulnerability and
high resilience.
The Criticality Index is represented by a
circle, the size of which provides an indi
cation of criticality: the larger the circle,
the greater the consequences.
The highest relative risk is then identi
fied by high vulnerability, low resilience
and high criticality. The lowest relative
risk corresponds to low vulnerability, high
resilience and low criticali ty.
Combinations of risk occur between
these two extremes. Figure 5 shows that
facility 1 represents a greater risk (a worse
combination) than facility 9 (better com
bination). The other elements represent
intermediate risk between elements 1 and
9. By combining the three indices, it is
seen that facility 9 has a better combina
tion than facilities 6 and 11. This repre
sentation also shows that, considering all
facilities, it is not as important to act on
facilities 6, 9 and 11. Actions are more
important for other facilities. Thus, the
strength of this visualisation tool is the
ease of discriminating between facilities in
terms of risk. For example, to reduce the
risk associated with facility 3, it is possible
to reduce its vulnerability or to increase
its resilience. Facility 2, on the other
hand, has low criticality and low vulnera
bility, so the best action to manage the
risk is to increase its resilience. By deter
mining an acceptable level of risk and by
using the proposed risk matrix, analysts
can support their risk management deci
sions. In fact , it can be acceptable for a
critical infrastructure facility to have high
vulnerability if it is highly resilient and has
lower criticality.
Because it represents the capability of
an entity to resist a specific threat or
reduce (or avoid) the size of an event and
the consequences it could generate, the
risk matrix is a relevant tool to support
decisions by risk managers; however, infor
mation is still missing to better support
business continuity and/ or emergency
management decisions. Indeed, the tools
described thus far do not yet highlight the
actions that facility owners can take to
Pilge 202

the
he
In
he
Ie
Ise
'sts
1
a
h
as
of
Ll r
d
e
rt
y
Is
e
o
, r-----,---,---,..----,---, -----,---,---,-----,---,


7. /--+--,
60
:!::
.c 60
ctI
...
(1) 40
c:
:::J 3. r-----'I'----4_---if---+-----f
>
20
10

to 2. 40 so 60 7. 80

'00
Resilience
reinforce their critical infrastructures.
To facilitate comparison among differ
ent possible actions, Argonne has devel
oped a web-based tool, the ECIP
Dashboard. This user-friendly tool allows
managers, simply by clicking, to change
characteristics at each level and immedi
ately see the changes to the overall values
of the calculated indices . Instead of
analysing only one scenario, the
Dashboard allows managers to consider as
many scenarios as they want. This func
tionality supports a reduction in the
uncertainty inherent in risk management
by providing more information to man
agers trying to determine the best courses
of action to ensure better functioning of
their facilities . The Dashboard provides
different interactive windows that are par
ticularly relevan t to supporting decisions
for proactive risk management. One of
these windows is a Protective Measures
Index scenarios screen that helps identify
what protective measures can be imple
m.ented (Figure 7).
At the top of the Dashboard screen, dif
ferent tabs allow selection of one of the six
level 1 Protective Measures Index parame
ters (eg 'security force' is highlighted).
When one of these components is
selected, the related level 2 and level 3
components appear in the middle of the
screen, which enables the user to manipu
late the different characteristics that apply
to their facility. At the bottom of the
screen, the user can see -- in real time -
the repercussions of modifying these com
ponents 111 the different Protective
Measures Index values that result (bottom
of the screen). Three representations are
used to support this functionality (moving
clockwise from the bottom left of the
screen) :
a gauge shows the value of the
Protective Measures Index for the
selected level 1 component (ie security
force);
a counter shows the value of the overall
Protective Measures Index; and
bar charts show the facility-specific
Protective Measures rndex scores for
Fisher and Norman
Figure 6 The risk
matrix
U .M, PMI Dashboard
I
P'f4l ll:dcd
Security Force PMI
Scemlrio Overall PMI
'61.86
Scenario Security Force
Figure 7 The
Protective
Measures Index
Dashboard screen
the level 2 components compared with
the su bsector average Protective
Measures Index scores.
The ability to change the parameters, the
speed with which users can see the results
and the possibility for assessing different
scenarios aU serve to make the Dashboard
a very powerful tool , which is particularly
relevant for helping to manage risk-related
decisions about critical infrastructures.
Furthermore, the D as hboard supports
consideration of ail of the components of
a complex system and its interconnections
with other systems. Indeed, the critical
infrastructure is not analysed as an inde
pendent element; rather, its interdepen
dencies are taken into account m
implementing its protective measures.
All of the developed tools
(Infrastructure Survey Tool, Protective
Measures Index, Resilience Index,
Criticality Index and ECIP Dashboard)
provide value judgments that allow
owners/operators to use the information
provided after an ECIP visit to identify
their facility's security gaps and to enhance
its protection. These relevant tools support
Page 204
F I S ~ l e r and Norman
decisions in the context of emergency
management and business continuity.
CONCLUSION
In the context of a complex and intercon
nected world, it is important to reinforce
protection and increase resilience of criti
cal infrastructures and key resources.
Indeed, these networks support the well
being of society. I t is essential to support
the owners/operators of critical infrastruc
tures with tools that allow them to analyse
risk in a holistic way and that present them
with different alternatives to manage this
risk. This paper proposes three indices to
characterise the protective measures,
resilience and criticality related to a spe
cific entity. Combining these indices pro
vides an improved risk management
perspective. The objective is to develop a
decision tool for comparing critical infra
structures that promote a proactive
approach and improve facilities' prepara
tion in the context of business continuity
and emergency management. Ultimately,
the user has to decide what is acceptable
or not in terms of protective measures,
criticality and consequences. The method
ology is not developed to replace decision
makers, but to support their decisions and
to propose possible actions that can assist
in the management of complex intercon
nected systems.
ACKNOWLEDGMENTS
The authors gratefully acknowledge the
comributions of the many people who helped
bring this project to its current state of
development, including the DHS National
Protection and Programs Directorate, Office of
InfTa"tructure Protection, Protective Security
Coordination Division management team and
the Argonne National Laboratory team (Gilbert
Bassett, William Buehring, David Dickinson,
Rebecca Haffenden, Andy Huttenga, Mary
Klett, MichelJe Lawlor, James Peerenboolll,
Frl'dcTic Petit, Kelly Wallace, Ronald Whitfield
and Stacey Wojahn) . The authors are
particularly thankful to Donald Erskine, Derek
Matthews, Kariann McAlister and Sean
McAraw, without whom this work would not
have been possible. The Department of
Homeland Security sponsored the production
of this material under the Department of
Energy contract for the management and
operation of Argonne National Laboratory.
UChicago Argonne, LLC, Operator of
Argonne National Laboratory, 2010
REFERENCES
(1) US Department of Homeland Security
(2010) 'Critical Infrastructure and Key
Resources', US Dcp3rtmcnt of
Homeland Security, Washington, I)C.
available at: http:/ /\vww.dhs.gov/fil es/
programs/gc_1189168948944.shtm
(accessed 22nd April, 2010).
(2) Clinton, W. J (1996) 'Executive Order
13010 - Critical Infrastructure
Protection', Presidential Document,
Federal R egister, 17th July, Vol. 61,
No. 138, pp. 37345-37350.
(3) The White House (2003) The National
Strategy for The Physical Protection of
Critical [ nfrastructures and Key Assets',
The White House, \Vashington, DC,
p. 96.
(4) US Department of Homeland Security
(2010) 'Homeland Security Presidential
Directive 7: Critical Infi-astructure
Identification, Prioritization, and
Protection', US Department of
Homeland Security, Washington, DC,
available at: http:/ / www.dhs.gov/
xabout/ laws/ gC1214597989952.shtm
(accessed 22nd April, 2010) .
(5) US Department of Homeland Security
(2009) 'National Infrastructure
Protection Plan: Partnering to Enhance
Protection and Resilience', US
Department of Homeland Security,
W3si1ingron, DC, p. 175, available at:
http: // \Vww.dhs .gov/ xlibrary / JS$e ts/ NIP
P_Plan.pdf (J((;essed 22nd April, 2(10).
(6) PhiUey,J (2006) 'Collar hazards with a
bow-tic', Chcmiol Processing, Putman
Medi3, January, pp. 27-34, available at:
http://wwwl1xtbook.com/nxtbooks/
putman/cp01 O(Jlindex. php?startid=27
(accessed 22nd April, 2010) .
(7) US Department of Homeland Security
(2008) 'DHS Risk Lexicon', US
Department of Homeland Security,
Washington, DC, p. 60, available at:
http://www.dhs.gov/ xlibrary /assets/
dhs_risk_lexicon.pdf (accessed 22nd
April,2010).
(8) Argonne NationaJ Laboratory (2009)
'Constructing Vulnerability and
Protective Measures Indices for the
Enhanced Critical Infrastructure
Proteccion Program', Argonne National
Laboratory, Decision and Information
Sciences Division, ANLIDIS-09-4,
Argonne, IL, p. 41.
(9) National Infrastructure Advisory
Council (2009) 'Critical Infrastructure
Resilience, Final Report and
Recommendations', US Department of
Homeland Security, \Vashington, DC,
p. 54, available at: http://www.dhs.gov/
x1ibrary / assets/ niac/ niac_criticaL
infrastructure_resilience. pdf (accessed
22nd April, 2010).
(10) US Department of Defense (1980)
'Military Standard: Procedures for
Performing a Failure Mode, Effecrs and
Criticality Analysis', MIL-STD-1629A,
US Department of Defense, Washington,
DC, p. 80, 24th November, available at:
http: // www.fmeainfocentre.com/
handbooks/ milstd 1629. pdf (accessed
22nd April, 2010).
(11) US Department of Homeland Security,
ref. 7 above.
(12) US Department of Homeland Security,
ref. 5 above.
Page 206