How do you see the future of risk management as a core duty in operating critical infrastructures?
Critical infrastructures are characterized by their fundamental importance for society. They are crucial for the maintenance of essential societal functions, e.g., the continuous supply of power, oil/gas, water, food and money. Major disruptions or even small incidents within a critical infrastructure may have significant effects on the economic and social life of the people living in the vicinity of that infrastructure or for a whole country. This is due to the increasing interconnections and interdependencies within and among critical infrastructures. In the future, these interconnections will further grow, creating a highly sensitive network of (utility) networks. Besides the current movements in the technical area (e.g., Smart Grids, Industry 4.0 and the Internet of Things), organizational and social aspects (e.g., the human factor and the social network of an organization’s employees) will become more and more relevant. Due to these changes, the dependencies between various (technical and social) networks will increase, making a structured and well-defined risk management a core process for critical infrastructure operators.
Despite the existence of numerous risk assessment tools to support the critical infrastructure operators in estimating the nature and impact of possible incidents, risk management up till now is mostly a matter of best practice approaches. Facing the increasing amount of interdependencies in the next decade, novel concepts for risk assessment need to be defined, better capturing the significant interaction between the various (utility) networks. These approaches will need to provide a sound basis for assessing and categorizing security risks in interconnected networks. It will be more important to model and evaluate how incidents might evolve within and among the critical infrastructure operator’s various (technical and social) networks to provide foundations for improved protection and prevention mechanisms.
What is the HyRiM project about and what will you present at EUW16?
HyRiM (www.hyrim.net) is a research project dealing with risk management for utility networks that started in April 2014 in the EU 7th Framework Programme, the predecessor of the current EU Horizon 2020 Framework Programme. In HyRiM, we do not look solely at the risk management in a single network operated within a utility provider (e.g., the ICT network, the control network or the utility network), as is the case in classical risk management approaches. On the contrary, the focus in HyRiM lies on the sensitive interconnection points between these networks with the aim to provide novel concepts to assess cascading effects in utility networks. Hence, we investigate novel approaches towards risk management spanning over several technical and social networks (referred to as Hybrid Risk Management).
The main result of the HyRiM project is a methodology to abstract from technical details of a system so as to provide a stakeholder with qualitative and/or quantitative risk indicators related to the security under current and potential future (cyber) attacks. Therefore, it specifically respects the interconnected nature of today’s utility networks and allows inspecting cascading effects over multiple technical and social networks. This methodology is based on a sound mathematical foundation, reducing information loss as well as potential ambiguity and misinterpretation of results.
In the HUB Session “Security Frameworks to Prevent Hacking the Grid” at EUW16, I will give an overview of one of the core results of the HyRiM project: the HyRiM Risk Management Process. This process integrates outcomes stemming from current research in the project, combining novel methodologies for threat awareness, consequence analysis, risk assessment and risk mitigation. In this context, I will go into detail on how these approaches interact with each other and how their results can support decision makers of critical infrastructures.
What workshop are you organizing during EUW16?
The workshop we are holding at the EUW16 on November 15th is dedicated to all parties interested in the field of risk management and to potential end users of the HyRiM risk assessment methodology. These could be operators of critical infrastructures in general and utility providers in particular, as well as technology providers for these interest groups. The workshop will include, amongst other topics, an overview of the HyRiM Risk Management Process, a presentation of a resilience architecture for critical infrastructures, and an introduction to the HyRiM risk assessment methodologies accompanied by use case scenarios where these methodologies are applied. Further, a first glimpse at the final tools and prototypes developed within the project will be provided. The participants will be provided with an insight into the most recent findings from the HyRiM project together with an overview of how these novel approaches can be applied in real-life use cases.
Why should people come to your presentation and the workshop?
In our HyRiM workshop as well as in my presentation during the HUB Session, we want to take the chance to interact with critical infrastructure operators, technology providers and other potential interested parties. The goal is to share our most recent results from research activities within the HyRiM project and discuss them with the participating experts based on their experience and insights from the day-to-day praxis. Altogether, in our workshop as well as in the HUB Session we want to create an environment for vivid discussions between field experts and researchers. From that, we want to receive valuable feedback from the participating parties on their perception towards practicability and applicability of our methodologies in their particular area of expertise. Hence, everyone who is interested in novel concepts and approaches for risk assessment and risk management in interconnected (utility) networks as well as for the protection of critical infrastructures is sincerely invited to join our workshop in the morning of November 15th in CC3-3.11 and come to the HUB Session in the afternoon.
Find out more about the workshop: Novel Approaches to Risk and Security Management for Utility Providers and Critical Infrastructures
Workshop outline and registration