Framework for shared drinking water risk assessment

https://doi.org/10.1016/j.ijcip.2018.10.007Get rights and content

Abstract

Risk assessment plays a vital role in protecting our nation's critical infrastructure. Traditionally, such assessments have been conducted as a singular activity confined to the boarders of a particular asset or utility with little external sharing of information. In contrast other domains, e.g., disaster preparedness, cyber security, food-borne hazards, have demonstrated the benefits of sharing data, experiences and lessons learned in assessing and managing risk. Here we explore the concept of a Shared Risk Framework (SRF) in the context of critical infrastructure assessments. In this exploration, key elements of an SRF are introduced and initial instantiations demonstrated by way of three water utility assessments. Results from these three demonstrations were then combined with results from four other risk assessments developed using a different risk assessment application by a different set of analysts. Through this comparison we were able to explore potential challenges and benefits from implementation of a SRF. Challenges included both the capacity and interest of local utilities to conduct a shared risk assessment; particularly, wide scale adoption of any SRF will require a clear demonstration that such an effort supports the basic mission of the utility, adds benefit to the utility, and protects utility data from unintended access or misuse. In terms of benefits, anonymous sharing of results among utilities could provide the added benefits of recognizing and correcting bias; identifying ‘unknown, unknowns’; assisting self-assessment and benchmarking for the local utility; and providing a basis for treating shared assets and/or threats across multiple utilities.

Introduction

The Department of Homeland Security (DHS) explains the importance of critical infrastructure by stating, “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof” [1]. The value of our nation's critical infrastructure is particularly evident when it is compromised by disaster. The U.S. has sustained 196 weather and climate disasters since 1980 where overall damages/costs reached or exceeded $1 billion (including Consumer Price Index adjustment to 2016). The total cost of these 196 events exceeded $1.1 trillion [2]. Beyond such disasters, failure to maintain our infrastructure is estimated to cost our economy in excess of $195 billion per year in lost efficiencies [3]. Safeguarding infrastructure from internal and external attack also looms large as indicated by cyber-attacks costing the average American firm $15.4 million per year (a sampling of 252 international firms) [4]. Toward these challenges, President Clinton established the President's Commission on Critical Infrastructure Protection with the task to review the vulnerabilities and threats facing U.S. infrastructures, assess the risks, and propose a long-term strategy to protect and maintain the nation's critical infrastructure [5]. This was quickly followed with President Bush establishing a national strategy for the Physical Protection of Critical Infrastructures and Key Assets [6].

Central to protecting our nation's critical infrastructure is the development of a comprehensive methodology for evaluating the risk posed by a range of natural and man-made threats. The foundation for such analysis was established in the early 1970s in the context of the nuclear power industry [7]. Efforts were accelerated following the attacks of September 11, 2001 when the Title IV of the 2002 Public Health Security and Bioterrorism Preparedness and Response Act, required all water utilities serving more than 3,300 people to perform security vulnerability assessments [8]. At that same time the White House requested that the American Society of Mechanical Engineers develop a standardized risk assessment methodology to permit direct comparison within and across industry sectors. The result was the Risk Analysis and Management for Critical Asset Protection (RAMCAP), which was a seven-step methodology that enabled asset managers to analyze their risk and risk-reduction options [9]. Consistent with the RAMCAP framework, sector-specific applications soon followed for nuclear power plants [10], radioactive waste transportation and storage, petroleum refineries [11], chemical manufacturing plants [12], LNG off-loading terminals, and dams and locks [13]. Additionally, a water-sector specific framework was developed by the American Water Works Association (AWWA), which ultimately became the ANSI/AWWA J100-10 standard for Risk and Resilience Management of Water and Wastewater Systems [14]. Specific applications in the water/wastewater sector adopting this standard include the Vulnerability Self-Assessment Tool (VSAT™), the Security and Environmental Management System (SEMS™), Program to Assist Risk & Resilience Examination (PARRE™), and the Risk Assessment Methodology-Water (RAM-W).

Where risk assessments (RAs) of critical infrastructure have been performed they tend to focus on a single asset or utility. Results of the assessment are rarely shared outside the “walls” of the utility due to apprehension over how such data could be used against the utility. While a valid concern, other domains have demonstrated the benefits of sharing data, experiences and lessons learned when assessing and managing risk. Both federal and international disaster management agencies recognize that the sharing of lessons learned and the experience gained can help reduce risks and strengthen resilience [15], [16]. Food safety regulators in the United State have called for the sharing of experiences in developing risk management strategies and improving the assessment process [17]. Software developers likewise have recognized a crucial component of a collective response to cyber-threats is the sharing of information. When information about attackers and methods of attack is shared, organizations are better prepared to thwart them [18].

Here, we explored the concept of a Shared Risk Framework (SRF) in the context of critical infrastructure assessments; specifically, a framework that facilitates the comparison and prioritization of RA data in a secure and user-friendly environment. The first objective of this exploration was to identify key elements of an SRF and introduce an initial instantiation demonstrated by way of three water utility assessments. Results from these three demonstrations were then combined with results from four other risk assessments developed using a different risk assessment application by a different set of analysts. Through this comparison the second objective of this exploration was achieved—identification of potential challenges and benefits pertaining to the implementation of a SRF.

Section snippets

Methods

This section begins with a brief review of key elements of an SRF along with a description of an initial instantiation towards an operable framework. Attention then focuses on the process by which three face-to-face assessments using the scoping-level SRF were conducted. Also discussed is the process by which four other risk assessments were conducted and mapped for comparison with data from the face-to-face assessments. The purpose of the comparison being the identification of potential

Results

The three face-to-face demonstrations combined with the four data sets obtained from externally performed RA's offer seven real-world examples to explore the Shared Risk Framework (SRF) concept. In the discussions and figures that follow, the four externally performed RA's are referred to as East 1, East 2, Central 1, and West 1, while the three in-person demonstration utilities are referred to as Central-p, South-p, and West-p. Below, results are presented that explore the operability of the

Shared risk framework

Direct feedback and observation from the three face-to-face demonstrations provided important insights into potential adoption of the streamlined approach and risk metrics of the SRF. On the positive, each utility could complete a streamlined RA in less than a day. However, utilities that don't maintain internal risk analysis/management capabilities may feel uncomfortable completing a SRF without assistance, as we experienced with two of the three demonstrations. Quantitative impact metric

Acknowledgments

The authors want to express their appreciation to the three water utilities that participated in SRF demonstrations. The authors also acknowledge the constructive comments of six anonymous reviewers. This work was funded by an Interagency Agreement between the Department of Homeland Security Science & Technology Directorate and the Department of Energy. Sandia National Laboratories, Oak Ridge National Laboratory and the University of Colorado, Colorado Springs collaborated on support aspects of

References (31)

  • DHS, U.S. Department of Homeland Security, What is Critical Infrastructure? 2017: Washington,...
  • NOAA, National Oceanic and Atmospheric Agency, National Centers for Environmental Information, Billion-Dolar Weather...
  • Sherraden, S. and S. Henry. New America, costs of the infrastructure deficit. 2011 [cited 2017 February 28]; Available...
  • Hewlett Packard, 2015 cost of cyber crime study: global. 2015. p....
  • PCCIP, President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's...
  • GAO, General Accounting Office, The Physical Protection of Critical Infrastructure and Key Assets. 2003: Washington,...
  • Apostolakis, G.E., How useful is quantitative risk assessment. Risk Analysis, 2004. 24: p....
  • HoR, U.S. House of Representatives H.R. - 3448: Public Health Security and Bioterriosim Preparedness and Response Act...
  • Brashear, J.P. and J.W. Jones, Risk Analysis and Management for Critical Asset Protection (RAMCAP Plus). 2008: John...
  • USNRC, U.S. Nuclear Regulatory Commission, Probabilistic Risk Assessment....
  • Markowski, A.S. Quantitative risk assessment improves refinery safety. Oil Gas J. 2002, 100,...
  • AIChE, American Institute of Chemical Engineers, Center for Chemical Process Safety, Guidelines for Chemical Process...
  • Chauhan, S.S. and D.S. Bowles. Dam Safety Risk Assessment with Uncertainty Analysis. in Australian Committee on Large...
  • AWWA, American Water Works Association, AWWA J100-10(R13) Risk and Resilience Management of Water and Wastewater...
  • UNDP, United Nations Development Program, Experience Sharing Workshop on Community Disaster Reduction and Relief;...
  • Cited by (6)

    • Critical review of the threats affecting the building of critical infrastructure resilience

      2021, International Journal of Disaster Risk Reduction
      Citation Excerpt :

      Although there are constructions of security operation centres in place now, preventing CIs from cyber-attacks is still extremely difficult, because security events are too many to be analyse and respond [60]. Ageing infrastructure is a common problem to CIs resilience [33]. Interruption of CIs could be caused by old or antiquated components.

    • Threats, Vulnerabilities and Security Functions in Critical Information Infrastructure

      2021, 2021 8th International Conference on Information Technology, Computer and Electrical Engineering, ICITACEE 2021
    View full text