Risk is at the centre of CNI vulnerability

A Current Perspective on CNI

One of the main barriers to effective security investment in European critical infrastructure is the inadequacy of risk assessment methodologies. Current approaches generally fail to justify the appropriate level of investment in security, which leaves crucial flaws & vulnerabilities unaddressed.

The threats of terrorist attack and cyber attack have hitherto ranked relatively low as drivers for security investment among infrastructure operators. While risk awareness has considered the threats of sabotage and industrial espionage, they were framed within the scope of physical security threats, and dwarfed by the overriding consideration of health & safety priorities, environmental and natural disasters, and industrial accidents. There is no doubt that moving into 2013 this is changing, with the slow emergence of a more holistic consideration of security risk, not least because of the emergence of converged risk assessment methodologies born from the higher profile now attributed to cyber security threats. Moreover, the threat of terrorism is increasing, as shown by recent evidence that terrorists have obtained details of vulnerable critical infrastructure that could be subjected to both cyber and physical attack.

The trend towards heightened awareness is evident across all sectors of critical infrastructure, though the evolution of this awareness, the consequent appreciation of risk, and investment priorities vary between sectors. The banking & financial sectors and the ICT sector are understandably the most reliant on information and communication technology, and therefore more concerned by, and conversant in, cyber threats, while the transport and utility sectors recognise their somewhat different roles as critical elements of national infrastructure, have traditionally been more conversant with physical security, and have been subjected to more frequent attack. Despite management awareness, risk assessment methodologies are still somewhat deficient in their ability to cater for the full spectrum of external threats and internal vulnerabilities.

In a financial climate where there is a clear reluctance to invest aggressively in security, greater emphasis is being placed on mitigating higher probability risks, on the ability to react rapidly, and on enacting contingency plans effectively, which is characterising certain elements of investment in security systems & solutions. This goes some way towards building a level of preparedness and resilience within critical infrastructure, but does not sufficiently address more malicious threats from organised crime, state-sponsored actors, and specifically terrorism, which will increasingly focus on causing significant economic damage and on threatening the continuity of societal and economic systems through critical elements of vulnerable national infrastructure.

While all critical infrastructure sectors are expected to improve their risk awareness in the near future, and many may set suitable risk management objectives, this improvement is counteracted by the lack of progress towards developing a more effective risk management process and measures commensurate with their level of vulnerability. As all sectors are expected to face a heightened level of threat in the future, the inadequate projected investment in security measures will lag the rise in threats, leading to a greater net vulnerability and little improvement in real terms, particularly with regard to cyber security.

Risk Governance

Inadequate risk governance is central to the current vulnerability of European critical infrastructure, and effecting a change in attitudes to risk investment is central to building greater resilience.

Risk governance can provide a framework for improving some of the mechanisms within the risk management cycle, but attention also needs to be paid to the influence of heuristics on risk attitudes, and to the weaknesses of management processes and their impact on investment priorities for security & risk.

Many of the roots of current vulnerabilities were established by decisions taken over the medium term, and management decision-making still has the potential to compound risk & vulnerabilities in the way it responds to warning signals and sudden-impact events, and in how it defines risk appetite and strategy.

By focusing attention on risk awareness and effective anticipation, and by encouraging a more risk-informed approach to dealing with uncertainty, operators are likely to develop a more balanced stance when considering the full range of risks to organisational objectives. In order to do so, operators need to revisit their risk agenda.

Redefining the Operator Risk Agenda

In the current dynamic environment, firms are challenged to fully identify the emerging reality they will face in the immediate future, whether because of evolving threats, the capabilities of new technology, or the impact of the economic climate on their industries. There is less reason now than ever to assume that risk mitigation strategies remain valid year-on-year, or that they can remain effective through incremental refinement rather than redefinition of plans.

The latest developments in cyber threats have illustrated how disruptive sudden changes can be to the evaluation and redevelopment of security plans and budgets. They also highlight the limitations of techniques that take a static view of risk within conceptual boundaries: because they fail to account for ‘external’ factors and for the flows of information through connected processes & technologies, they limit risk mitigation to local or ‘internal’ contexts.

In 2013, all operators of critical infrastructure will need to conduct critical reviews of risk & investment strategy, based on a questioning of the assumptions that underlie their decision-making, particularly regarding inter-dependencies and the ‘inherited’ risks they bring.

There is no doubt that the increasing scrutiny from regulators and other public sector stakeholders will force executive boards through this difficult process, and will demand more evidence of risk-informed assessments, which in turn will require better risk intelligence and a better appreciation of the external context.

Moreover, it will require a more open-minded and broader consideration of lower probability & catastrophic incidents, through a better appreciation of the dynamic and converged risk environment, and a concerted appreciation of ‘Black Swans’ or unknown unknowns.

For many infrastructure operators this will require a process that systematically challenges current thinking & attitudes to these converged risks, one that remains intelligence-driven and threat-modelled while developing a more relevant appreciation of dynamic risk methodologies.

New risk assessment methodologies need to adopt a multi-dimensional analysis of risk, and infrastructure operators require a methodology that can be adapted to different ‘domains’, whether upstream or downstream, and to different types of risk, from operational security to operations management & process control software security.

Posted: 4 February 2013 by Optimal Risk Administrator