This project is funded by the European Commission’s Directorate-General Home Affairs
CIRAS - Critical Infrastructure Risk Assessment Support
D5.7 – Article/Information on CIRAS tool and project
ATOS
Document Number: D5.7
Document Title: Article/Information on CIRAS tool and project
Version: 1.0
Status: Final
Document Release: 2016/09/03
Contributors: Jaime Martín (ATOS); Barbara Flisiuk, Andrzej Białas, Dariusz Rogowski, Jacek Bagiński (EMAG); Peter Klein, Reinhard Hutter (CESS)
Reviewer: Barbara Flisiuk (EMAG), Andrzej Białas (EMAG), Jaime Martin (ATOS)
Keyword List: Publication, dissemination, information, audience, journal, promotion
Target Group: Public
D5.7–Article/Information on CIRAS tool and
project
CIRAS
(HOME/2013/CIPS/AG/4000005074)
Version 1.0 Page 2 of 15
Abbreviations
CI Critical infrastructure
CIP Critical infrastructure protection
EU European Union
EC European Commission
R&D Research and development
WP Workpackage
CII Critical information infrastructure
DRS Document Review Sheet
Executive Summary
The objective of the deliverable is to provide a self-explanatory article about the CIRAS project
and to report on the publications written by the project team members on the project topic,
objectives and results.
The document contains a list of relevant publications. These publications are part of the dissemination
activities described in Workpackage 5 and are targeted mainly at CI stakeholders,
experts and other interested parties.
Table of Contents
1 Introduction
2 Article about CIRAS tool and project
3 Other publications by the project team
4 Conclusion
Appendix 1 -Presentations about CIRAS
Figures
Figure 1: CIRAS conceptual model
1 Introduction
Presentations and the publication of articles and information about the CIRAS tool and project are
part of Workpackage 5 “Dissemination and exploitation” and cover the whole time span of the project.
The publication of articles and information about CIRAS is one of the dissemination tasks listed in
D5.1 Dissemination and Communication Plan. The objective of this task is to make the project
known, contribute to its structured and effective promotion and communicate the project results to
the interested audience.
The Dissemination and Communication Plan includes a section about publications in journals and
monographs. The project team members committed to submitting articles related to the project
topic for publication in relevant journals and/or monographs, in English and/or in the native
languages of the CIRAS consortium partners. A table was prepared with a preliminary list of
journals to be approached.
Section 2 provides a self-explanatory article about the CIRAS project.
Section 3 lists other publications by the project team.
2 Article about CIRAS tool and project
Introduction
For some time now, ensuring the security of critical infrastructures has been a serious concern
and priority. As a result, policies are being defined and adopted at national and international level.
For instance, one of the targets of the Sendai Framework for Disaster Risk Reduction is
“Substantially reduce disaster damage to critical infrastructure and disruption of basic services,
among them health and educational facilities, including through developing their resilience by 2030.”
The framework is so important that the United Nations Office for Disaster Risk Reduction
(UNISDR) has been tasked with supporting its implementation, follow-up and review. At European
level there are several dedicated research programmes focusing on critical infrastructures.
Nowadays decision-makers face more and more threats in a challenging and evolving
situation in which they may follow different approaches and alternatives.
Thus, adopting the best possible decision to achieve the required protection for infrastructures, as
well as the people around them, has become a real need. The staff in charge must thoroughly
assess the available information to reach the best result.
The CIRAS project was executed from 2014 to 2016. It aims at supporting decision-makers by
providing a methodology and toolset to compare several alternatives. The project promotes a new
approach to risk assessment in critical infrastructure protection (CIP). It is focused on advanced risk
assessment which compares security measure alternatives and takes into account the effects typical
of critical infrastructure (CI): interdependencies of systems, and cascading and escalation of
incident consequences.
Project’s outcomes
The project's outcomes are the CIRAS methodology and decision support system (DSS) for public and
private CI/CIP managers, which allow a holistic assessment of how to reduce risks in critical
infrastructures in a cost-efficient way while considering social and political needs and restrictions. The
CIRAS Decision Support System offers a comparison of different security measure alternatives,
each of which may comprise several subsets of security measures, by performing a series of assessments in
assumed scenarios against a selection of concrete use cases:
• Risk Reduction Assessment: for measuring the risk reduction capability of the different
Security Measures and the Alternatives. It involves two steps. First, an Asset Oriented Business
Impact Analysis is done to evaluate the consequences and impact levels in case of an incident.
Second, an Asset Oriented Risk Analysis is carried out to calculate the risk level reduction that
would be achieved by implementing the security measure alternatives.
• Cost and Benefit Assessment: for assessing the different alternatives based on their life cycle
cost (up-front investment and operational cost) compared to the future benefits of the Security
Measures considered during a defined period of years. These costs are evaluated according to
different financial categories and the results comprise key indicator values such as total investment
costs, total future benefits and net present value. These indicators make it possible to rank the
alternatives and to select the financially most reasonable one. The results provide graphs for each
financial category and the calculation of time-profile trade-offs and cost break-even points.
• Qualitative Criteria Assessment: for assessing the ethical, legal, political, societal and other
non-tangible impact and relevance of the Security Measures. These criteria are difficult to measure
objectively. Applying the QCA methodology, these measures are transformed into normalized
numbers and accumulated. CIRAS offers two ways of performing this kind of assessment. On the
one hand, there is a Utility Function based method, which makes it possible to associate subjective
descriptions with numerical graphs to quantify the extent of the possible values. On the other hand,
CIRAS has developed an innovative method called Modified Analytical Hierarchical Process that
works with a relative ranking logic.
• Finally, Aggregated Results are provided to compare all the alternatives individually and
combined. A report is generated displaying in tables and graphs how the security measure alternatives
are ranked according to the assessments carried out. These reports are of particular importance for
high-level decision support.
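The Cost and Benefit Assessment indicators named above can be illustrated with a short calculation. The following Python sketch is an added example, not code from the CIRAS toolset: it assumes a standard discounted cash-flow model, and the alternative names, cost figures, 10-year period and 5% discount rate are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alternative:
    """One security measure alternative (all figures are constructed)."""
    name: str
    upfront: float      # up-front investment, paid in year 0
    operational: float  # operational cost per year, years 1..N
    benefit: float      # expected benefit per year (e.g. avoided losses)


def present_value(amount: float, rate: float, year: int) -> float:
    """Discount an amount received or paid in `year` back to year 0."""
    return amount / (1.0 + rate) ** year


def assess(alt: Alternative, years: int, rate: float) -> dict:
    """Compute life cycle cost, future benefits, NPV and break-even year."""
    total_cost = alt.upfront
    total_benefit = 0.0
    break_even: Optional[int] = None
    for year in range(1, years + 1):
        total_cost += present_value(alt.operational, rate, year)
        total_benefit += present_value(alt.benefit, rate, year)
        # Break-even: first year in which cumulative discounted benefits
        # cover cumulative discounted costs.
        if break_even is None and total_benefit >= total_cost:
            break_even = year
    return {
        "name": alt.name,
        "total_cost": total_cost,
        "total_benefit": total_benefit,
        "npv": total_benefit - total_cost,
        "break_even_year": break_even,  # None: never within the period
    }


def rank_alternatives(alternatives, years: int, rate: float) -> list:
    """Rank alternatives by net present value, best first."""
    results = [assess(a, years, rate) for a in alternatives]
    return sorted(results, key=lambda r: r["npv"], reverse=True)


# Constructed sample input (monetary units are arbitrary).
ALTERNATIVES = [
    Alternative("A: camera upgrade", upfront=100, operational=10, benefit=40),
    Alternative("B: extra patrols", upfront=20, operational=50, benefit=65),
    Alternative("C: perimeter rebuild", upfront=200, operational=5, benefit=30),
]

if __name__ == "__main__":
    for r in rank_alternatives(ALTERNATIVES, years=10, rate=0.05):
        print(f'{r["name"]:22} NPV={r["npv"]:8.2f} '
              f'break-even year={r["break_even_year"]}')
```

With these constructed figures, alternative B breaks even first but A has the higher net present value, and C does not break even within the period, which is the kind of time-profile trade-off the assessment is meant to expose.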
Figure 1: CIRAS conceptual model
Conceptual Decision Model
Figure 1 depicts the CIRAS Conceptual Decision Model. Initial input parameters are
needed to properly define the scenario in which decision-makers are required to select the most
suitable alternative among several available options. This information comprises the assets to be
protected, the threats that may harm these assets, the budget to buy or maintain security measures
and the societal criteria to be taken into account for acceptance.
Then several assessments are performed in parallel:
- Risk Reduction Assessment
- Cost-Benefit Assessment
- Qualitative Criteria Assessment: it may be done by means of UFBA and/or MAHP.
The same set of security measure alternatives is compared in all the assessments and specific
results are obtained from each kind of assessment.
Finally, a set of reports is generated providing a summary of the key results of the previous
analysis, in a simple or more thorough way according to the end user's preference.
The shortest version of the summary report is just one page long and makes it possible to compare
at a glance the security measure alternatives considering all the assessments carried out.
It displays the results in tables where the alternatives are ranked, with bar charts showing the
values obtained. An alternative could be the best according
to one assessment but the worst according to another. It will be up to the decision-maker to
balance the ranks and choose wisely. For instance, if there is a clear threat, the RRA results should
be prioritized no matter the costs.
Use cases and Validation
CIRAS cooperated with stakeholders and operators of transportation and energy critical
infrastructures to prepare and validate six use cases as follows:
Transportation use cases
Transit systems offer an easy target for high order violence. Transit systems combine high visibility
with a design created for openness and easy access. The high number of people using public
transportation on predictable routes at fixed times makes control and security a demanding
challenge. The metro is a big target for any kind of criminal threat, especially those related to
low intensity crime. It has many potential targets concentrated in a small area who leave the
platforms and trains very fast, not to return for many hours. At the same time, metro systems are
created to be open and easy to enter and leave fast, making controls very difficult.
Three use cases were prepared regarding Transportation CIs. The stakeholders involved were
Transports Metropolitans de Barcelona (TMB) as main subject and Mossos d'Esquadra (Catalonian
Police) in its Metropolitan Transport Security Area. Several bilateral meetings were arranged with
them to define the use cases, detailing the relevant assets, potential threats and a list of potential
security measures which could be assigned to deal with one or more threats. The progress of the
prototype was also shown in the meetings. The use cases had as common location the facilities of the
metro network of the city of Barcelona, Spain.
The use cases were the following:
- Bomb in a train during rush hour: a bomb concealed in luggage or personal belongings is
brought into any station and left in a train. No restricted area needs to be
trespassed.
- Bomb at metro maintenance facilities during the night: it involves trespassing into the metro
depot and workshop facilities (jumping fences, breaking access doors and so on) and placing a
bomb there during the night (while trains are in maintenance and being cleaned).
- Stabbing during rush hour: this scenario covers the act of stabbing at random on a metro
platform during rush hour. It means the use of concealed knives, machetes or other sharp
weapons like screwdrivers or even broken glass.
Energy use cases
Power plants are mostly very large and complex facilities and of high national or international
relevance. Therefore they need extended protection especially against terrorist attacks.
Three use cases were prepared for Energy CIs. They were carried out in
cooperation with one of the biggest energy operators in Poland, which provides energy to several
million private and business customers.
The use cases were as follows:
- Bomb brought to a power plant and to a substation: simulating that a person carrying a bomb has
succeeded in passing the entrance control or overcoming fences or walls around the plant.
- Sabotage in a power plant to disturb the energy production or decrease it to zero: sabotage
performed by employees with a criminal or terrorist motivation is an ongoing threat which
needs special protection measures (not necessarily technically oriented).
- Cyber-attack in a power plant to disturb the energy production or decrease it to zero: cyber-attack
on the control system of a power plant and the power network to decrease the power
distribution.
The CIRAS tool has proven a real success in the described use cases for both Transportation and Energy
CIs. The tool’s flexibility in combining different Security Measures and the possibility of
recovering previously recorded scenarios make the tool ideal for evaluating
different Security Measures alternatives.
Events
Events and workshops were organized with the aim of creating realistic use cases, preparing input data and
validating the results of the CIRAS experiments. Stakeholder workshops comprised:
- First Stakeholders’ Workshop: March 5th, 2015, Katowice, Poland.
- Second Stakeholders’ Workshop: November 26th, 2015, Aschaffenburg, Germany.
- First Energy CI Workshop: November 10th, 2015, Katowice, Poland.
- Second Energy CI Workshop: March 14th, 2016, Katowice, Poland.
- Demonstration and validation workshop for Energy CI: May 9th-10th, 2016, Katowice, Poland.
- First Transportation CI Workshop: March 11th, 2016, Barcelona, Spain.
- Demonstration and validation workshop for Transportation: May 18th, 2016, Barcelona, Spain.
- First Qualitative criteria Workshop: May 13th, 2015, Madrid, Spain.
- Second Qualitative criteria Workshop: May 25th, 2016, Madrid, Spain.
- Final Conference: June 8th, 2016, Katowice, Poland.
Achievements
Over 20 deliverables were prepared covering the following:
- Knowledge about the state of the art of existing risk assessment and cost in the scope of
Decision Support Systems
- Preparation of structured requirements for the risk management and decision support tools
- Design of the CIRAS toolset including the architecture, functionalities and software design
- Development and testing of the CIRAS toolset along with a detailed user guide
- Definition and validation of use cases to evaluate the CIRAS toolset in realistic scenarios
- Dissemination material including project presentations, flyers, posters and pen drives
- Dissemination actions: the project and tools were presented at 10 conferences, and 15
publications were prepared.
CIRAS Consortium:
The CIRAS Consortium comprises three partners:
- Atos Spain: Atos SE (Societas Europaea) is a leader in digital services with 100,000
employees in 72 countries. The Group works with clients across different business sectors: Defense,
Financial Services, Health, Manufacturing, Media, Utilities, Public sector, Retail,
Telecommunications, and Transportation. Atos Research & Innovation (ARI), whose headquarters
are in Spain, is the research, development and innovation hub of Atos and a key reference for
the whole Atos group, delivering technology innovation to our customers.
- Centre for European Security Strategies (CESS), Germany: CESS provides strategic,
operational and technical security and risk management expertise. It has competences in security
and defense consulting, decision support systems, analytical methods and tools, scenario
development, and modelling and simulation.
- Instytut Technik Innowacyjnych (EMAG), Poland: EMAG’s R&D includes competences in
information society issues, especially in ICT security and safety and ontology-based information
systems, including the development of computer-aided tools to support information security
management.
If you would like to find out more about CIRAS, please visit our website at
http://www.cirasproject.eu/ or contact us via the form at http://www.cirasproject.eu/contact
3 Other publications by the project team
In the course of the CIRAS project, the following articles were published by the CIRAS team
members:
1. Bialas A.: Critical Infrastructure – from Risk Management towards the Protection
Management Framework, In: Rostański M., Pikiewicz P., Buchwald P., Mączka K. (Eds.):
Proceedings of the XI International Scientific Conference Internet in the Information Society,
Scientific Publishing University of Dąbrowa Górnicza, Cieszyn, Poland, 22-23 September 2016,
pp.267-283.
2. Bagiński J., Rogowski D.: Software Support for Enhanced Risk Management, In:
Rostański M., Pikiewicz P., Buchwald P., Mączka K. (Eds.): Proceedings of the XI International
Scientific Conference Internet in the Information Society, Publishing University of Dąbrowa
Górnicza, Cieszyn, Poland, 22-23 September 2016, pp.369-388.
3. Bialas A.: Critical Infrastructure Protection – How to Assess the Protection
Efficiency. Proceedings of the Eleventh International Conference on Dependability and Complex
Systems DepCoS-RELCOMEX, June 27 – July 1, 2016, Brunów, Poland. Advances in Intelligent
Systems and Computing, Vol 479, Springer Switzerland, pp. 25-37, DOI 10.1007/978-3-319-39639-2.
http://www.springer.com/us/book/9783319396385
4. Bialas A.: Critical infrastructures risk manager – the basic requirements elaboration,
In: Zamojski W., Mazurkiewicz J., Sugier J., Walkowiak T., Kacprzyk J. (Eds.): Theory and
Engineering of Complex Systems and Dependability, Proceedings of the Tenth International
Conference on Dependability and Complex Systems DepCoS-RELCOMEX, June 29 – July 3 2015,
Brunów, Poland, Advances in Intelligent Systems and Computing Vol. 365, 2015, Springer-Verlag:
Cham, Heidelberg, New York, Dordrecht, London, pp. 11-24, DOI: 10.1007/978-3-319-19216-1_2.
https://fedcsis.org/proceedings/2015/pliks/77.pdf
5. Klein, Peter: MAHP - A simple and reliable method to assess and compare intangible
effects of different security measures in Critical Infrastructures, Presentation held at the
International Conference IGRS Hazards - Detection and Management, Dresden, Germany, Aug 31
– Sep 4, 2015
6. Klein, Peter and Hutter, Reinhard: Qualitative Criteria in the Assessment of Security
Measures – a new Approach, submitted to the conference CRITIS2015, The 10th International
Conference on Critical Information Infrastructures Security, Berlin, Germany, October 5–7, 2015
7. Białas A.: Experimentation tool for critical infrastructures risk management.
Proceedings of the 2015 Federated Conference on Computer Science and Information Systems
(FedCSIS), pp. 775–780, ISBN 978-1-4673-4471-5 (Web), IEEE Catalog Number: CFP1385N-ART
(Web).
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7321566&newsearch=true&searchWithin=%22First%20Name%22:Andrzej&searchWithin=%22Last%20Name%22:Bialas
8. Białas A.: Research on critical infrastructures risk management. In: Rostański M.,
Pikiewicz P., Buchwald P.: Internet in the Information Society 2015 – 10th International
Conference Proceedings. Scientific Publishing University of Dąbrowa Górnicza, 2015, pp. 93-108.
http://www.wsb.edu.pl/informatyka,m,wyd,1585
9. Bialas, A. Risk Management in Critical Infrastructure—Foundation for Its
Sustainable Work. Sustainability 2016, 8, 240. (IF=0.942).
http://www.mdpi.com/2071-1050/8/3/240/htm
10. Klein, Peter and Hutter, Reinhard: Qualitative Criteria in the Assessment of Security
Measures for Critical Infrastructure Protection – a New Approach, submitted to the International
Journal of Critical Infrastructures (IJCIS), January 2016. Paper accepted and finalized Sept. 2016.
11. Martin, Jaime. CIRAS: Critical Infrastructure Risk Assessment Support. European CIIP
Newsletter, July 16-October 16, Vol. 10, Number 2, pp. 7-10
Pending publications:
1. Białas A.: Computer Support for Risk Management in Critical Infrastructures,
Advances in Networking Systems Architectures, Security, and Applications (ANSASA), Springer,
2016 (in printing).
2. Białas A.: Critical infrastructures risk management – case study, Theoretical and
Applied Informatics, Vol. XX (201X) (accepted).
3. Białas A.: Cost-benefits aspects in risk management. Polish Journal of Management
Studies (PJMS), Vol.14, December 2016 (in printing).
4. Klein/ Hutter: Qualitative Criteria Assessment to Enhance Security Decision Making;
paper for CRITIS-2016 conference and publication, Finalized Document forwarded Sept. 2016
4 Conclusion
The deliverable provides an article summarizing the project and its outcomes and use cases as well
as other relevant information.
The document features a list of publications prepared by the members of the CIRAS project team.
The publications presented the project objectives and results and contributed to its promotion
among the target audience of scientists, critical infrastructure stakeholders and experts. The
publications concern the assumptions and results of the project and this way they serve the purpose
of the project dissemination as stated in the WP5 description.
Appendix 1 -Presentations about CIRAS
Many presentations of the CIRAS project were given at public conferences. They are listed here as
complementary information.
- Andrzej Białas (EMAG) gave a presentation on the CIRAS project during the International
Security Exhibition “Safety and Security – Modern technologies, systems and solutions for
information security and personal data protection”, 18-20 March 2015 in Zakopane, Poland.
The meeting welcomed experts on information security, personal data protection and critical
infrastructures.
- Andrzej Białas chaired a seminar at the Silesian Governor’s Office in Katowice on risk analysis
in crisis management (21 April 2015). Prof. Białas presented some issues on the protection
of assets and processes in different institutions (OSCAD system). EMAG’s projects were
discussed, including the CIRAS project.
- Andrzej Białas (EMAG) was a chief speaker at a seminar in Poland’s Government Centre
for Security (21 May 2015, Warsaw, Poland). The seminar dealt with different aspects of the
protection of CI and public administration systems. Prof. Białas gave a presentation on critical
infrastructure management with the use of procedures and supporting software. The
presentation included the basic objectives, assumptions and expected results of CIRAS.
- Andrzej Białas (EMAG) gave a presentation at the BIN GigaCon Conference, 28 May 2015
in Katowice, Poland. The conference topics included: information security management,
access control, reliability of IT systems and databases, security of critical infrastructures,
business continuity, and recovery from disasters. Mr Białas briefly presented the basic
assumptions and objectives of CIRAS.
- Peter Klein (CESS): Paper/Presentation “A simple and reliable method to assess and
compare intangible effects of different security measures in Critical Infrastructures”,
presented at the International Conference, 10 years IGRS, 8th Dresden Symposium “Hazards -
Detection and Management”, 31.08.2015, Dresden.
- Peter Klein (CESS): Report and discussion on CIRAS and other CESS security projects,
I4CM conference of the DRIVER project, 8/9 Dec 2015, Berlin.
- Jaime Martin (ATOS) was a speaker, giving a presentation of the CIRAS project at
Critical Infrastructure Protection and Resilience Europe (CIPRE), 2nd-3rd March, 2016, held in
The Hague, Netherlands.
- Andrzej Białas gave a presentation at the BIN GigaCon Conference, 16 June 2016 in
Katowice, Poland, on risk management as the basis of information security and business
continuity. Mr Białas briefly presented the results of CIRAS.
- Jaime Martin (ATOS) was a speaker, giving a presentation of the CIRAS project at the
CIPRNet International Symposium, June 14th-15th, 2016, held in Vancouver, Canada. The
Critical Infrastructure Preparedness and Resilience Research Network (CIPRNet) performs
research and development that addresses a wide range of stakeholders including
(multi)national emergency management, critical infrastructure operators, policy makers, and
society.
- Jaime Martin (ATOS) was a speaker, giving a presentation of the CIRAS project at the
Spanish Ministry of Public Administrations in Madrid, Spain, on November 16th. The
presentation showed how DG CIRAS decision support system could support public
administration officers in charge of the protection of public critical infrastructures. Even
though the project ended in September 2016, this presentation has been included in an
update of the document, as flyers were handed out and they are part of the dissemination
material of the project funded by the EC. As in the rest of the presentations, it was explained that the
project was co-funded by the EC.