The developments that marked the international security sector have led to an increase in the number of challenges and non-traditional, dispersed and interconnected threats, which have no boundaries. The security sector continues to be dominated by change and the relevant developments have a high degree of uncertainty, discontinuity and unpredictability. However, countries perceive this process in different ways.
Although experts haven’t agreed on a unanimously accepted definition, critical infrastructures influence the approach of classical geopolitical concepts. Most countries’ dependency on critical infrastructure for ensuring the basic needs allows them to anticipate the risk of producing devastating effects following the interruption, even for a short period of time, of the critical public services, such as banking and commercial, communications, production and transport. The state’s monopoly over the authority seems to be more and more fragmented. That is why the state should share its influence with other experts and professional associations from the technological communities, with the business sector and non-profit organisations, seeing as critical infrastructures are owned, operated and supported mainly by the private sector, whose defining features are diversity, interconnectivity and, to a certain extent, non-uniformity.
In the context in which the component sectors of critical infrastructure ensure a series of products and services that are vital for the normal functioning of society, their protection should be perceived as being one of the pillars which support national security, the governing capacity or economic stability, all in all our way of living.
The vulnerability of a critical infrastructure is expressed through the ratio between the possibility of a real threat on the components of critical infrastructure and the system’s capacity to face these threats. The analysis of the vulnerability factor is based on the mutual understanding of the range of threats that could have devastating effects on the well-functioning of the system’s elements and their interactions. In accordance with Directive EC 114/2008 of December 8, 2008, “the risk analysis represents the analysis of the significant threat scenarios, in order to evaluate the vulnerability and potential impact on critical infrastructure”. This ensures the defining elements of the information – risk analysis – prevention and threat elimination chain.
I. Techniques and methods applied in critical infrastructure management. Quantity threat analysis.
The use of this work technique involves six stages, as shown below:
Stage 1: Critical infrastructure asset identification and evaluation. This stage identifies all the components of the critical infrastructure. For instance, if the critical infrastructure is represented by an organisation, then all its assets have to be included and divided into four categories, as shown in figure 2:
After identifying the assets, we have to establish the costs for replacement in case one of the assets is destroyed. In order to perform this operation in good conditions, we can make up a series of questions to help speed the process along, like:
What is the replacement value at current market price?
How long will the replacement process take?
What is the necessary work force for the replacement operations?
What is the degree of the losses in relation to third parties?
If training is necessary, what financial efforts would be required and how long would the training take? What are the psychological effects of the destruction? What is the classification level of the assets destroyed? etc.
After finalizing the first stage, we have to estimate the replacement cost (PI). This operation involves six cost elements: the acquisition value (VA), security (S), training (I), work force (M), the value of the lost production (VPP) and the value of the indirect costs (CI): PÎ -VA + S + I + M + VPP + CI (1)
In case several assets are destroyed, the total replacement cost (PtI) can be calculated base don the following formula: PtÎ= Y,PÎn,
where k = the number of assets destroyed
We should mention that this replacement value structure is valid only if the effects are not externalized. However, if they cause effects outside of the organisation, then other specific factors should be taken into account.
Stage 2: Determining the vulnerability of the critical infrastructure.
This stage documents all the threats made, as well as their frequency. For instance, figure 3 shows several possible threats: We should mention that Figure 3 shows only a limited number of threats. In regards to their frequency, it depends on a series of factors, such as: the field of activity, location, local economic conditions, technologies used, work protection related issues, fire protection, employee training level etc.
Stage 3: Estimating threat probability
At this stage, the management of the organisation (or of the critical infrastructure) should establish the threat probability within a certain timeframe. During this activity, the work group or the person in charge should cooperate with other experts from the field in which a threat has been found. For instance, in case the organisation/critical infrastructure is located in an area with a high earthquake probability, the management should work together with the National Institute for Earth Physics in order to establish the probability of a major earthquake. The same goes for the rail transport sector. In case the organisation/critical infrastructure is located in an area with multiple dangerous points, the management should work together with SNCF CFR SA and with the Romanian Railway Authority in order to establish the probability of a railway accident.
Because of the fact that, in most cases, all the calculations made are valid over a period of one year, this indicator will have to be calculated for the same period of time. Table 1 shows several values of the annual threat frequency.
Based on the values presented above we can calculate the rate of threat probability as a timeframe whose end points correspond to the minimal and maximum values.
For instance, if in an area where earthquakes may happen the probability is between 1-5 years, then the threat probability rate would be between 0.20-1.
by Dan Marcel Bărbuț – Central and synthesis state inspector AFER, Crisis management, multinational operations and Euro-Atlantic security expert
Share on:
