d5.7 article/information on ciras tool and project · 2018. 1. 3. · version 1.0 status final...

This project is funded from the European Commission’s Directorate – General Home Affairs

CIRAS - Critical Infrastructure Risk Assessment Support

D5.7 – Article/Information on CIRAS tool and project

ATOS

Document Number D5.7

Document Title Article/Information on CIRAS tool and project

Version 1.0

Status Final

Document Release 2016/09/03

Contributors Jaime Martín (ATOS); Barbara Flisiuk, Andrzej Białas, Dariusz Rogowski, Jacek Bagiński (EMAG); Peter Klein, Reinhard Hutter (CESS)

Reviewer Barbara Flisiuk (EMAG), Andrzej Białas (EMAG), Jaime Martin (ATOS)

Keyword List Publication, dissemination, information, audience, journal, promotion

Target Group Public

D5.7–Article/Information on CIRAS tool and

project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

Abbreviations

CI Critical infrastructure

CIP Critical infrastructure protection

EU European Union

EC European Commission

R&D Research and development

WP Workpackage

CII Critical information infrastructure

DRS Document Review Sheet


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

Executive Summary

The objective of the deliverable is to provide a self-explanatory article that reports about CIRAS

project and to report as well about publications articles that were written by the project team

members with respect to the project topic, objectives and results.

The document contains a list of relevant publications. These publications are part of dissemination

activities described in Workpackage 5 and are targeted mainly to the audience of CI stakeholders,

experts and other interested parties.


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

Table of Contents

1 Introduction ................................................................................................................................... 5

2 Article about CIRAS tool and project .......................................................................................... 6

3 Other publications by the project team ....................................................................................... 11

4 Conclusion .................................................................................................................................. 13

Appendix 1 -Presentations about CIRAS........................................................................................... 14

Figures

Figure 1: CIRAS conceptual model ..................................................................................................... 7


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

1 Introduction

Presentations, and the publication of articles and information about the CIRAS tool and project is a

part of Workpackage 5 “Dissemination and exploitation” and covers all time span of the project.

The publication of articles and information about CIRAS is one of dissemination tasks listed in

D5.1 Dissemination and Communication Plan. The objective of this task is to make known the

project, contribute to its structured and effective promotion and communicate the project results to

the interested audience.

The Dissemination and Communication Plan includes a section about publications in journals and

monographs. The project team members devoted themselves to submit articles related to the project

topic to be published in relevant journals and/or monographs, in English and/or in the native

languages of the CIRAS consortium partners. There was a table prepared with a preliminary list of

journals to be approached.

Section 2 provides a self-explanatory article about CIRAS project

Section 3 lists other publications that were done


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

2 Article about CIRAS tool and project

Introduction

From some time past ensuring the security of critical infrastructures has become a serious concern

and priority. As a result policies are being adopted and defined at national and international level.

For instance one of the targets of the Sendai Framework for Disaster Risk Reduction is “

Substantially reduce disaster damage to critical infrastructure and disruption of basic services,

among them health and educational facilities, including through developing their resilience by 2030.

” This is so important a framework that the United Nations Office for Disaster Risk Reduction

(UNISDR) has been tasked to support the implementation, follow-up and review it. At European

level there are several dedicated research programmes focusing on critical infrastructures.

Nowadays decision-makers are facing more and more threats in a challenging and evolving

situation where they may follow different approaches and alternatives.

Thus, adopting the best possible decision to achieve the required protection for infrastructures, as

well as and the people around them, has become a real need. The staff in charge must assess

thoroughly the available information to reach the highest accomplishment.

CIRAS project has been executed from 2014 to 2016. It aims at supporting decision-makers by

providing a methodology and toolset to compare several alternatives. The project promotes a new

approach to risk assessment in critical infrastructure protection (CIP). It is focused on advanced risk

assessment which compares security measures alternatives and takes into account the typical critical

infrastructure (CI) effects of interdependencies of systems, and of cascading and escalation of

incident consequences.

Project’s outcomes

The CIRAS methodology and decision support system (DSS) for public and private CI/CIP

managers, which allow a holistic assessment of how to reduce risks in critical infrastructures at a

cost-efficient way, and at the same time considering social and political needs and restrictions. The

CIRAS Decision Support System offers a comparison of different security measures alternatives

that may comprise several subsets of security measures, by performing a series of assessments in

assumed scenarios against a selection of concrete use cases:

• Risk Reduction Assessment: for measuring the risk reduction capability of the different

Security Measures and the Alternatives. It implies two steps: first of all, an Asset oriented Business

Impact Analysis is done to evaluate the consequences and impact levels in case of an incident.

Secondly, an Asset Oriented Risk Analysis is carried out to calculate the risks level reduction that

would be achieved by the implementation of security measures alternatives.

• Cost and Benefit Assessment: for assessing the different alternatives based on their life cycle

cost (up-front investment and operational cost) compared to the future benefits of the Security

Measures considered during a defined period of years. These costs are evaluated according to

different financial categories and the results comprise key indicator values such as: total investment

costs, total future benefits and net present value. These indicators allow to rank the alternatives and

to select the financially most reasonable one. The results provide graphs for each financial category

and the calculation of time-profile trade-offs and cost break-even points.


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

• Qualitative Criteria Assessment: for the assessment the ethical, legal, political, societal other

non-tangible impact and relevance of the Security Measures. These criteria are, difficult to measure

objectively. Applying this QCA methodology, thes measures are transformed into normalized

numbers and accumulated. CIRAS offers two ways of performing this kind of assessment. On the

one hand, a Utility Function based method. It allows to associate subjective descriptions with

numerical graphs to quantify the extent of the possible values. On the other hand, CIRAS has

developed an innovative method called Modified Analytical Hierarchical Process that works with a

relative ranking logic.

• Finally, Aggregated Results are provided to compare all the alternatives individually and

combine. A report is generated displaying in tables and graphs how security measures alternatives

are ranked according to the assessments carried out. These reports are of particular importance for

high-level decision support.

Figure 1: CIRAS conceptual model

Conceptual Decision Model

The picture above depicts the CIRAS Conceptual Decision Model. Initial input parameters are

needed to properly define the scenario where decision-makers are required to select the most

suitable alternative among several available options. This information comprises the assets to be

protected, the threats that may harm these assets, the budget to buy or maintain security measures

and societal criteria to be taken into account for acceptance

Then several assessments are performed in parallel:

- Risk Reduction Assessment

- Cost-Benefit Assessment

- Qualitative Criteria Assessment: it may be done by means of UFBA and/or MAHP.

The same set of security measures alternatives are compared in all the assessments and specific

results are achieved by each kind of assessment.


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

Finally, a set of reports are generated providing a summary of the key results which were concluded

in the previous analysis, in a simple or more thorough way according to the end-user´s preference.

The shortest version of the summary report is just one-page long and it makes it possible to have at

a glance a comparison of the security measure alternatives considering all assessments carried out.

It displays the results in tables where alternatives are ranked and makes it possible to have a quick

idea at a glance with bar charts showing the values got. An alternative could be the best according

to an assessment but the worst according to another one. It will be up to the decision-maker to

balance the ranks and choose wisely. For instance, if there is a clear threat the RRA results should

be prioritized no matter the costs.

Use cases and Validation

CIRAS cooperated with stakeholders and operators of transportation and energy critical

infrastructures to prepare and validate six use cases as follows:

Transportation use cases

Transit systems offer an easy target for high order violence. Transit systems combine high visibility

with a design created for openness and easy access. The high number of people using public

transportation means in predictable routes at fixed times make control and security a demanding

challenge. Metro offers a big target for any kind of criminal threats, especially those related with the

low intensity crime. It has many potential targets concentrated in a small area that leave the

platforms and trains very fast, not to return in many hours. At the same time, metro systems are

created to be open and easy to enter and leave fast, making controls very difficult.

Three use cases were prepared regarding Transportation CIs. Stakeholders involved were

Transports Metropolitans de Barcelona (TMB) as main subject and Mossos d'Esquadra (Catalonian

Police) in its Metropolitan Transport Security Area. Several bilateral meetings were arranged with

them to define the use cases detailing the relevant assets, potential threats and a list potential

security measures which could be assigned to deal with one or more threats. Also in the meetings

the progress of the prototype were shown. Use cases had as common location the facilities of the

metro network of the city of Barcelona, Spain.

The use cases were the following:

- Bomb in a train during rush hour: it implies the access to any station of a bomb concealed in the

luggage or in the personal belongings and the deposit of this bomb in a train. There is no need of

trespassing any restricted area.

- Bomb at metro maintenance facilities during the night: it implies the trespassing of the metro

depot and workshop facilities (jumping fences, breaking access doors and so on) and placing a

bomb there during the night (while trains are in maintenance and being cleaned).

- Stabbing during rush hour: This scenario covers the act of stabbing at random in a metro

platform during rush hour. It means the use of concealed knives, machetes or other sharp

weapons like screwdrivers or even broken glass.

Energy use cases

Power plants are mostly very large and complex facilities and of high national or international

relevance. Therefore they need extended protection especially against terrorist attacks.


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

Three use cases were prepared as far as Energy CIs are concerned. They were carried out in

cooperation with one of the biggest energy operators in Poland which provides energy to several

million of private and business customers.

The use cases were as follows:

- Bomb brought to a power plant and to a substation: simulating that a person has succeeded to

pass the entrance control or overcome fences or walls around the plant carrying a bomb.

- Sabotage in a power plant to disturb the energy production or decrease it to zero: Sabotage

performed by employees with a criminal or terrorist motivation is an ongoing threat which

needs special protection measures (not necessarily technically oriented).

- Cyber-attack in a power plant to disturb the energy production or decrease it to zero: Cyber

attack to the control system of a power plant and the power network to decrease the power

distribution

CIRAS tool has proven a real success in the described use cases for both Transportation and Energy

CIs. The tool’s flexibility in the combination of different Security Measures and the possibility of

recovering previous recorded scenarios make the tool ideal for the objective of the evaluation of

different Security Measures alternatives.

Events

Events and workshops were organized aimed at creating realistic use cases, preparing input data and

validating results of the CIRAS experiments Stakeholder workshops comprised:

First Stakeholders’ Workshop: March 5th, 2015, Katowice, Poland.

- Second Stakeholders’ Workshop: November 26th, 2015, Aschaffenburg, Germany.

- First Energy CI Workshop: November 10th, 2015, Katowice, Poland

- Second Energy CI Workshop: March 14th, 2016, Katowice, Poland

- Demonstration and validation workshop for Energy CI: May,9th-10th 2016, Katowice, Poland.

- First Transportation CI Workshop: March 11th, 2016, Barcelona, Spain

- Demonstration and validation workshop for Transportation: May, 18th, 2016, Barcelona, Spain.

- First Qualitative criteria Workshop: May, 13th, 2015, Madrid, Spain.

- Second Qualitative criteria Workshop: May, 25th, 2016, Madrid, Spain.

- Final Conference: June,8th

, 2016 in Katowice, Poland.

Achievements

Over 20 deliverables were prepared covering the following:

- Knowledge about state of the art of the existing risk assessment and cost in the scope of

Decision Support Systems

- Preparation of structured requirements for the risk management and decision support tools.

Design of the CIRAS toolset including the architecture, functionalities and software design

- Development and testing of the CIRAS toolset along with a detailed user guide

- Definition and validation of use cases to evaluate the CIRAS toolset in realistic scenarios

- Dissemination material including project presentations, flyers, posters and pen drives


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

- Dissemination actions presented the project and tools at 10 conferences, and prepared 15

publications.

CIRAS Consortium:

The CIRAS Consortium comprises three partners:

- Atos Spain: Atos SE (Societas Europaea) is a leader in digital services with 100,000

employees in 72 countries. The Group works with clients across different business sectors: Defense,

Financial Services, Health, Manufacturing, Media, Utilities, Public sector, Retail,

Telecommunications, and Transportation. Atos Research & Innovation (ARI), whose headquarters

are in Spain is the research, development and innovation hub of Atos and it is a key reference for

the whole Atos group, delivering technology innovation to our customers.

- Centre for European Security Strategies (CESS), Germany: CESS provides strategic,

operational and technical security and risk management expertise. It has competences in security

and defense consulting, decisions support systems, analytical methods and tools, scenario

development and modelling and simulation.

- Instytut Technik Innowacyjnych (EMAG), Poland: EMAG’s R&D include competences in

information society issues, especially in ICT security and safety and ontology-based information

systems including development of computer-aided tools to support information security

management.

Would you like to find out more about CIRAS please visit our website at

http://www.cirasproject.eu/ or contact us via the form at http://www.cirasproject.eu/contact

http://www.cirasproject.eu/

http://www.cirasproject.eu/contact


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

3 Other publications by the project team

In the course of the CIRAS project, the following articles were published by the CIRAS team

members:

1. Bialas A.: Critical Infrastructure – from Risk Management towards the Protection

Management Framework, In: Rostański M., Pikiewicz P., Buchwald P., Mączka K. (Eds.):

Proceedings of the XI International Scientific Conference Internet in the Information Society,

Scientific Publishing University of Dąbrowa Górnicza, Cieszyn, Poland, 22-23 September 2016,

pp.267-283.

2. Bagiński J., Rogowski D.: Software Support for Enhanced Risk Management, In:

Rostański M., Pikiewicz P., Buchwald P., Mączka K. (Eds.): Proceedings of the XI International

Scientific Conference Internet in the Information Society, Publishing University of Dąbrowa

Górnicza, Cieszyn, Poland, 22-23 September 2016, pp.369-388.

3. Bialas A.: Critical Infrastructure Protection – How to Assess the Protection

Efficiency. Proceedings of the Elevenths International Conference on Dependability and Complex

Systems DepCoS-RELCOMEX, June 27 – July 1, 2016, Brunów, Poland. Advances in Intelligent

Systems and Computing, Vol 479, Springer Switzerland, pp. 25-37, DOI 10.1007/978-3-319-

39639-2. http://www.springer.com/us/book/9783319396385

4. Bialas A.: Critical infrastructures risk manager – the basic requirements elaboration,

In: Zamojski W., Mazurkiewicz J., Sugier J., Walkowiak T., Kacprzyk J (Eds.): Theory and

Engineering of Complex Systems and Dependability Proceedings of the Tenth International

Conference on Dependability and Complex Systems DepCoS-RELCOMEX, June 29 – July 3 2015,

Brunów, Poland, Advances in Intelligent Systems and Computing Vol. 365, 2015, Springer-Verlag:

Cham, Heidelberg, New York, Dordrecht, London, pp. 11-24, DOI: 10.1007978-3-319-19216-1_2.

https://fedcsis.org/proceedings/2015/pliks/77.pdf

5. Klein, Peter: MAHP - A simple and reliable method to assess and compare intangible

effects of different security measures in Critical Infrastructures, Presentation held at the

International Conference IGRS Hazards - Detection and Management, Dresden, Germany, Aug 31

– Sep 4, 2015

6. Klein, Peter and Hutter, Reinhard: Qualitative Criteria in the Assessment of Security

Measures – a new Approach, submitted to the conference CRITIS2015, The 10th International

Conference on Critical Information Infrastructures Security, Berlin, Germany, October 5–7, 2015

7. Białas A.: Experimentation tool for critical infrastructures risk management.

Proceedings of the 2015 Federated Conference on Computer Science and Information Systems

(FedCSIS), pp. 775–780 ISBN 978-1-4673-4471-5 (Web), IEEE Catalog Number: CFP1385N-ART

(Web).

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7321566&newsearch=true&searchWithin

=%22First%20Name%22:Andrzej&searchWithin=%22Last%20Name%22:Bialas

8. Białas A.: Research on critical infrastructures risk management. In: Rostański M.,

Pikiewicz P., Buchwald P.: Internet in the Information Society 2015 – 10th International

Conference Proceedings. Scientific Publishing University of Dąbrowa Górnicza, 2015, pp. 93-108.

http://www.wsb.edu.pl/informatyka,m,wyd,1585


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

9. Bialas, A. Risk Management in Critical Infrastructure—Foundation for Its

Sustainable Work. Sustainability 2016, 8, 240. (IF=0.942). http://www.mdpi.com/2071-

1050/8/3/240/htm

10. Klein, Peter and Hutter, Reinhard: Qualitative Criteria in the Assessment of Security

Measures for Critical Infrastructure Protection – a New Approach, submitted to the International

Journal of Critical Infrastructures (IJCIS), January 2016. Paper accepted and finalized Sept. 2016.

11.Martin, Jaime. CIRAS: Critical Infrastructure Risk Assessment Support. European CIIP

Newsletter, July 16-October 16, Vol. 10, Number 2, pp.7-10

Pending publications:

1. Białas A.: Computer Support for Risk Management in Critical Infrastructures,

Advances in Networking Systems Architectures, Security, and Applications (ANSASA), Springer,

2016 (in printing).

2. Białas A.: Critical infrastructures risk management – case study, Theoretical and

Applied Informatics, Vol. XX (201X) (accepted).

3. Białas A.: Cost-benefits aspects in risk management. Polish Journal of Management

Studies (PJMS), Vol.14, December 2016 (in printing).

4. Klein/ Hutter: Qualitative Criteria Assessment to Enhance Security Decision Making;

paper for CRITIS-2016 conference and publication, Finalized Document forwarded Sept. 2016


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

4 Conclusion

The deliverable provides an article summarizing the project and its outcomes and use cases as well

as other relevant information.

The document features a list of publications prepared by the members of the CIRAS project team.

The publications presented the project objectives and results and contributed to its promotion

among the target audience of scientists, critical infrastructure stakeholders and experts. The

publications concern the assumptions and results of the project and this way they serve the purpose

of the project dissemination as stated in the WP5 description.


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

Appendix 1 -Presentations about CIRAS

Many presentations of CIRAS projects were done in public conferences. They are provided here as

complementary information.

Andrzej Białas (EMAG) had a presentation on the CIRAS project during the International

Security Exhibition “Safety and Security – Modern technologies, systems and solutions for

information security and personal data protection” 18-20 March 2015 in Zakopane, Poland;

The meeting welcomed experts on information security, personal data protection and critical

infrastructures

Andrzej Białas chaired a seminar at Silesian Governor’s Office in Katowice on risk analysis

in crisis management (21 April 2015). Prof. Białas presented some issues on the protection

of assets and processes in different institutions (OSCAD system). EMAG’s projects were

discussed, including the CIRAS project;

Andrzej Białas (EMAG) was a chief speaker at a seminar in Poland’s Government Centre

for Security (21 May 2015, Warsaw, Poland). The seminar dealt with different aspects of CI

and public administration systems protection. Prof. Białas had a presentation on critical

infrastructure management with the use of procedures and supporting software. The

presentation included the basic objectives, assumptions and expected results of CIRAS;

Andrzej Białas (EMAG) had a presentation at the BIN GigaCon Conference, 28 May 2015

in Katowice, Poland. The conference topics included: information security management,

access control, reliability of IT systems and data bases, security of critical infrastructures,

business continuity, and recovery from disasters. Mr Białas presented briefly the basic

assumptions and objectives of CIRAS.

Peter Klein, (CESS): Paper/Presentation “A simple and reliable method to assess and

compare intangible effects of different security measures in Critical Infrastructures”,

presented at International Conference, 10 years IGRS, 8th Dresden Symposium “Hazards-

Detection and Management" , 31.08.2015, Dresde

Peter Klein, CESS: Report and discussion on CIRAS and other CESS security projects,

I4CM conference of the DRIVER project, 8/9 Dec 2015, Berlin,

Jaime Martin (ATOS) was speaker providing a presentation of CIRAS project at the Critical

Infrastructure Protection and Resilience Europe (CIPRE ), 2nd-3r March, 2016, held in

The Hague, Netherlands

Andrzej Białas had a presentation at the BIN GigaCon Conference, 16 June 2016 in

Katowice, Poland, on risk management as the basis of information security and business

continuity. Mr Białas presented briefly the results of CIRAS.

Jaime Martin (ATOS) was speaker providing a presentation of CIRAS project at the

CIPRNet International Symposium, June,14th-15th, 2016, held in Vancouver, Canada. The

Critical Infrastructure Preparedness and Resilience Research Network (CIPERNet) performs

research and development that addresses a wide range of stakeholders including

(multi)national emergency management, critical infrastructure operators, policy makers, and

the society.

Jaime Martin (ATOS) was speaker providing a presentation of CIRAS project at the

Spanish Ministry of Public Administrations in Madrid, Spain, in November, 16th. The

presentation showed how DG CIRAS decision support system could support public

administration officers in charge of the protection of public critical infrastructures. Even

though the project ended on September,2016 this presentation has been included in an


project

CIRAS

(HOME/2013/CIPS/AG/4000005074)

Version 1.0 of 15

update of the document as flyers were handed out and they are part of te dissemination

material of the project funded by the EC. And as rest of presentations it was explained the

project was co-funded by the EC.

d5.7 article/information on ciras tool and project · 2018. 1. 3. · version 1.0 status final...

Documents