SUNRISE CRITICAL INFRASTRUCTURE SERIES

Risk and resilience are interconnected concepts. In fact, one of our goals in SUNRISE is to integrate resilience metrics with risk metrics. Certain indicators and metrics for critical infrastructure (CI) risk can be repurposed for CI resilience or serve as interim metrics, acting as a “bridge” to higher-level resilience metrics. Let’s first explore what resilience means to various stakeholders.

In [1], thorough definitions and a glossary analysis are conducted, alongside a review of the boundaries of this term – what resilience is not. The authors highlight that while risk management focuses on identifying and mitigating specific threats, resilience management aims for a holistic increase in the ability to manage disruptions as they arise, with an emphasis on the temporal dimension (e.g., recovery after the initial disruption). In the narrower context of cyber resilience in the US, Executive Order 13636 calls for the development and implementation of risk-based standards to protect critical infrastructure against cyber threats, yet risk-based approaches do not necessarily foster resilience [2].

Both risk and resilience assessments measure impact and/or performance loss, but resilience also considers the recovery function, thus incorporating a crucial temporal dimension. We can conceptualize the temporal aspect of digital infrastructure resilience across five areas: Identify, Protect, Detect, Respond, and Recover. Although these are iterative processes, they roughly correspond to periods before, during, and after an incident occurs (see Figure 1). A common method to assess CI resilience, incorporating this temporal dimension, is by evaluating performance loss and recovery function.

In the “classical” absorptive capacity approach, static risk assessment is conducted only “BEFORE” an incident. However, in SUNRISE, thanks to the real-time ingestion of relevant events serving as risk indicators, it can be triggered to recalculate risk at any moment, even “DURING” phases typically associated with incident response management (IRM). Why is this innovation important?

There are properties of the infrastructure under assessment (e.g., complexity, dependencies) and external contexts (e.g., threats, hazards, or other risk indicators resulting from temporary situations such as pandemics) that necessitate:

• Dynamic assessment: Impact changes during temporary events (e.g., an incident on a specific day might not have the same impact as on other days).
• Real-time assessments: While many streams of events and data can be delivered in real time, real-time ingestion and processing in risk models and engines, such as the CPR tool in WP6 of SUNRISE, are needed to trigger reassessment.
• Continuous assessment: While continuous risk assessment is virtually impossible, we can introduce frequent reassessment triggered each time a new set of risk indicators meets certain criteria or thresholds.

In all these types of assessments, collaboration with other CI operators and governmental authorities is essential. Risk assessment frequently supports strategic and tactical-level decisions, such as determining investment or mitigation action priorities or selecting risk reduction strategies (prevention, avoidance, protection).

An important distinction between risk and resilience assessment lies in the criteria of uncertainty. Risk assessment typically deals with known vulnerabilities, familiar patterns, or risk models. Resilience, on the other hand, aims to enable a system or infrastructure to effectively respond to any event, even if it is unknown. An increasing number of available security experts and incident response team members during a specific time window is an example of a resilience measure: we do not know what type of incident might happen, but having more experts will enable faster detection, reaction, and response to an incident. Simultaneously, it could serve as a risk mitigation measure as part of a risk protective strategy, indicating a clear overlap.

Finally, risk assessment is also used for reliability and robustness assessments, which are different concepts but are also related to resilience.

Author(s): Aljosa Pasic

[1] Mentges, Andrea & Halekotte, Lukas & Schneider, Moritz & Demmer, Tobias & Lichte, Daniel. (2023). A resilience glossary shaped by context: Reviewing resilience-related terms for critical infrastructures. 10.48550/arXiv.2302.04524.

[2] Computer Security Incident Handling Guide, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-61 Revision 2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf