Presentation is loading. Please wait.

Presentation is loading. Please wait.

CRITICAL INFRASTRUCTURE RISK ASSESSMENT SUPPORT WP2 Concept of the risk assessment tool with the planned components 1st Stakeholders’ Workshop Katowice,

Published byClarence Stokes Modified over 9 years ago

Similar presentations

Presentation on theme: "CRITICAL INFRASTRUCTURE RISK ASSESSMENT SUPPORT WP2 Concept of the risk assessment tool with the planned components 1st Stakeholders’ Workshop Katowice,"— Presentation transcript:

1 CRITICAL INFRASTRUCTURE RISK ASSESSMENT SUPPORT WP2 Concept of the risk assessment tool with the planned components 1st Stakeholders’ Workshop Katowice, March, 5th, 2015 Andrzej Białas, Dariusz Rogowski, Jacek Bagiński

2 Design of the CIRAS tool – Input 1.State of the art – analysis of the existing solutions 2.Requirements based on the stakeholders’ needs and expectations 3.Ciras project requirements and constraints 4.Early experimentations Design of the CIRAS tool 2

3 State of the art – legal requirements Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection COMMISSION STAFF WORKING DOCUMENT on a new approach to the European Programme for Critical Infrastructure Protection Making European Critical Infrastructures more secure COMMUNICATION FROM THE COMMISSION on a European Programme for Critical Infrastructure Protection 2006 national regulations 1 3

4 State of the art – standards Risk and assets management standards ISO 31000:2009 ‑ Risk management – Principles and guidelines ISO/IEC 31010:2009 ‑ Risk management – Risk assessment techniques ISO Guide 73:2009 ‑ Risk management – Vocabulary ISO/IEC 27000 family ‑ Information technology – Security techniques – Information security management systems ISO 55001:2014 ‑ Asset management – Management systems – Requirements Risk related technical standards ISO 17776:2000 ‑ Petroleum and natural gas industries – Offshore production installations – Guidelines and tools for hazard identification and risk assessment ISO/DTS 16901 ‑ Guidance on performing risk assessment in the design of onshore LNG installations including the ship/shore interface NORSOK standard Z-013 ‑ Risk and emergency preparedness analysis MIL_STD_1629A ‑ Procedures for performing a Failure Mode, Effects and Criticality Analysis (FMECA) IEC 61025 (2006) ‑ Fault tree analysis (FTA) IEC 62502 (2010) ‑ Analysis techniques for dependability – Event tree analysis (ETA) 1 4

5 State of the art – frameworks BMI (ger. Budesministerium des Innern) ‑ The Federal Ministry of Interior (Germany), the Federal Office for Civil Protection and the Disaster Response and the Federal Criminal Police Office have issued a baseline protection plan DECRIS (Risk and Decision Systems for Critical Infrastructures) approach – a programme funded by the Norwegian Research Council EURACOM ‑ EUropean Risk Assessment and COntingency planning Methodologies for interconnected energy networks MIN (Multilayer Infrastructure Network) – developed by the Purdue School of Civil Engineering (US). NIPP (US National Infrastructure Protection Plan) NISAC (National Infrastructure Simulation and Analysis Center) ‑ a program within the US Department of Homeland Security (DHS) NPOIK (National Critical Infrastructure Protection Programme for Poland) RAMCAP Plus ‑ an extended version of Risk Analysis and Management for Critical Asset Protection developed by ASME (American Society of Mechanical Engineers) 1 5

6 State of the art – methods Bayesian Networks BIA (Business impact analysis) Bow Tie Analysis CBA (Cost/benefit analysis) Consequence/probability matrix ETA (Event tree analysis) FMEA/FMECA (Failure mode effect analysis) FTA (Fault tree analysis) HAZOP (Hazard and operability) LOPA (Layers of Protection Analysis) MCDA (Multi-criteria decision analysis) PHA (Preliminary Hazard Analysis) RVA (Risk and Vulnerability Analysis) SWIFT (Structured “What if” Technique) 1 6

7 State of the art – tools (1/2) BowTieXP ‑ BowTie Analysis CAFTA (Computer Aided Fault Tree Analysis System) – FTA, ETA Expert Choice ‑ MCDA (Multi-criteria decision analysis) Free Web-based Fault Tree Analysis Software ‑ FTA GeNIe 2.0 ‑ Bayesian Networks, Influence diagrams, Probabilistic models GRC (Governance, Risk and Compliance) ‑ risk identification and assessment HAZOP Manager ‑ HAZOP, PHA, Hazid (Hazard identification), FMEA/FMECA HAZOP+ 6.0 ‑ HAZOP InfraRisk ‑ Preliminary Hazard Analysis, Bow Tie model with Fault- and Event Tree Analysis LOPAWorks® 3 ‑ LOPA 1 7

8 State of the art – tools (2/2) Open FTA ‑ FTA OSCAD ‑ Business Impact Analysis, Consequence/ Probability Matrix PHAWorks® 5 ‑ PHA, HAZOP, SWIFT, FMEA QCA tool – ValueSec toolset for MCDA (Multi-criteria decision analysis) RAM Commander ‑ FMEA/FMECA, Fault Tree Analysis, Event Tree Analysis Reliability Workbench ‑ FMEA/FMECA, FTA, ETA, Markov Analysis RiskSpectrum PSA ‑ FMEA, FTA, ETA THESIS BowTie ‑ BowTie Analysis, Layers of Protection Analysis (LOPA) WCK GRC – risk management Xfmea (Synthesis Platform) ‑ FMEA/FMECA XFTA – FTA 1 8

9 State of the art – method assessment criteria 9 1

10 State of the art – methods assessment summary 1 10 Threshold for choosing the best methods >=30 points (max 48)

11 State of the art – tools assessment criteria 11 1

12 State of the art – tools assessment summary 1 12 Threshold for choosing the best tools >=30 points (max 46)

13 Requirements based on the stakeholders’ needs and expectations CIRAS STAKEHOLDERS’ WORKSHOP QUESTIONNAIRE Objective: to collect expert input from CI stakeholders for an appropriate functional concept of the toolset to be implemented within the CIRAS toolset. The stakeholders’ answers and conclusions will influence the functions of the toolset the layout of the toolset 2 13

14 Ciras project requirements and constraints Use of the ValueSec solution in CIRAS - assessment o Integration of risk assessment tools o Cost-benefits assessment o Consideration of social, political, legal restrictions Identification of components (incl. their communication aspects) Technology of the project fulfilment determined Time /budget constraints 3 14

15 General scheme of the ValueSec decision framework Aggregated results for decision maker #1public mass event #2 mass transportation RRA – Risk Reduction Assess. (OSCAD) CBA – Cost-Benefit Assessment QCA – Qualitat. Criteria Assess. #3 air transport/airport #4 communal security planning #5 cyber threats Threats Assets Social values Budget Security measures to assess Decision contexts Ciras has quite a different decision context 3 15

16 Ciras toolset concept Ciras framework facade RRA – Risk Reduction Assessment OSCAD-Ciras component Analyses manager CBA – Cost-Benefit Assessment QCA – Qualitative Criteria Assessment CBA component QCA component Authentication module Knowledge base FTA component? ETA component? Interdependencies diagram Reporting /dashboard Other component? 16 This colour – „Candidate component”

17 RRA: OSCAD-based early experimentations 4 External event acqusition OSCAD system Dictionaries, configuration, management Asset inventory Document management Tasks management Risk analysis (AORA/PORA,ABIA/PBIA) Audit management Tasks scheduler Incident management Business continuity planning Measures of effectiveness Reporting External interfaces Technical system, SCADA Fire protection, antiburglary systems ERPIT monitoring Other OSCAD Incident statisctics Redundant OSCAD BS25999 (ISO 22301) ISO/IEC 27001 17

18 RRA: Bow-tie model implementation Analyzing causes of hazardous events: AORA – Asset Oriented Risk Analyzer PORA – Process Oriented Risk Analyzer Analyzing multidimensional consequences: ABIA – Asset Oriented Business Impact Analyzer, PBIA – Process Oriented Business Impact Analyzer 4 18

19 RRA: Causes/consequences diversifications Causes: AORA/PORAConsequences: ABIA/PBIA 4 19

20 Scenario relevant analyses 4

21 CBA: CBA environment for CIs 21

22 QCA: QCA environment for CIs 22

23 Experiment – summary indirect implementation of the bow-tie model enhanced focus on CIs reporting is needed FTA (Fault Tree Analysis), ETA (Event Tree Analysis), FMECA (Failure Mode Effects Analysis), … additional modules needed? 4 23

24 Ciras toolset concept Ciras framework facade RRA – Risk Reduction Assessment OSCAD-Ciras component Analyses manager CBA – Cost-Benefit Assessment QCA – Qualitative Criteria Assessment CBA component QCA component Authentication module Knowledge base FTA component? ETA component? Interdependencies diagram Reporting /dashboard Other component? 24 This colour – „Candidate component”

25 Way ahead of tool implementation Interdependencies and cascading effects OSCAD-Ciras, CBA, QCA will be integrated into the Ciras toolset All three components (RRA_OSCAD, CBA, QCA) will be updated to be more focused on CIs 4 25

26 Thank you for your attention! Andrzej Białas Project manager EMAG a.bialas@emag.pl +48 32 2007711 www.cirasproject.eu Co-funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security- related Risks Programme of the European Union

Download ppt "CRITICAL INFRASTRUCTURE RISK ASSESSMENT SUPPORT WP2 Concept of the risk assessment tool with the planned components 1st Stakeholders’ Workshop Katowice,"

Similar presentations

Ways to Improve the Hazard Management Process

Ways to Improve the Hazard Management Process
Critical Infrastructure Protection Policy Priorities Sara Pinheiro European Commission DG Home Affairs.

Critical Infrastructure Protection Policy Priorities Sara Pinheiro European Commission DG Home Affairs.
Department of Homeland Security Site Assistance Visit (SAV)

Department of Homeland Security Site Assistance Visit (SAV)
Operation & Maintenance Engineering Detailed activity description

Operation & Maintenance Engineering Detailed activity description
Medical Device Software Development

Medical Device Software Development
New market instruments for RES-E to meet the 20/20/20 targets Sophie Dourlens-Quaranta, Technofi (Market4RES WP4 leader) Market4RES public kick-off Brussels,

New market instruments for RES-E to meet the 20/20/20 targets Sophie Dourlens-Quaranta, Technofi (Market4RES WP4 leader) Market4RES public kick-off Brussels,
CIRAS PROJECT OVERVIEW

CIRAS PROJECT OVERVIEW
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Y. PERREAL, THALES - Project leader SECUR-ED, FP7 – 261605 SRC’10, Ostende.

Y. PERREAL, THALES - Project leader SECUR-ED, FP7 – SRC’10, Ostende.
Security Controls – What Works

Security Controls – What Works
Scandpower AS P.O. Box 3, N-2027 Kjeller, Norway Risk management in the Scandinavian railway industry Karl Ove Ingebrigtsen Vice president Sweden Norway.

Scandpower AS P.O. Box 3, N-2027 Kjeller, Norway Risk management in the Scandinavian railway industry Karl Ove Ingebrigtsen Vice president Sweden Norway.
Prof. Seppo Virtanen TUT PURESAFE Final Conference Tuesday 20 January 2015, 14:20 – 14:40 RAMS Methods and Tools: From LHC to FCC.

Prof. Seppo Virtanen TUT PURESAFE Final Conference Tuesday 20 January 2015, 14:20 – 14:40 RAMS Methods and Tools: From LHC to FCC.
Risk and Economic Analysis of Terrorism Events Detlof von Winterfeldt Professor of Public Policy and Management Director, Center for Risk and Economic.

Risk and Economic Analysis of Terrorism Events Detlof von Winterfeldt Professor of Public Policy and Management Director, Center for Risk and Economic.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Quality Management.

Quality Management.
Quality Risk Management ICH Q9 Annex I: Methods & Tools

Quality Risk Management ICH Q9 Annex I: Methods & Tools
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

Similar presentations

Ads by Google