Analyzing Cascading Effects within Infrastructure Sectors for Consequence Reduction

Rae Zimmerman, Professor of Planning and Public Administration and Director, Institute for Civil Infrastructure Systems, Wagner Graduate School of Public Service, New York University, 295 Lafayette Street 2nd floor, New York, NY 10012, (212) 998-7432, rae.zimmerman@nyu.edu

Carlos E. Restrepo, Research Assistant Professor, Institute for Civil Infrastructure Systems, Wagner Graduate School of Public Service, New York University, 295 Lafayette Street 2nd floor, New York, NY 10012, (212) 992-9867, carlos.restrepo@nyu.edu

Proceedings of the 2009 IEEE International Conference on Technologies for Homeland Security, HST 2009, Waltham, MA.

Abstract

Cascading effects of infrastructure failures from terrorist attacks or natural hazards can greatly increase the magnitude of impacts from a failure of any given infrastructure. Interdependencies among infrastructure sectors in part drive these effects. Capturing how interdependencies operate and heighten impacts to develop procedures and policies to improve recovery is less well understood. This paper first presents an accounting system to identify where interdependencies are likely to occur. Second, given interdependencies, ways to portray vulnerabilities from interdependencies and estimate magnitude with qualitative or integer scales are presented from prior research and event databases. The methodology to quantify interdependencies and associated cascades builds on work on electric power outages and impacts they had on other infrastructure, such as oil and natural gas, electricity, transportation, and water. The method can be used to analyze connections between restoration times and types of interconnections failed and alternative technologies to reduce impacts of cascades.

1. INTRODUCTION

What is Critical Infrastructure?
The concept of critical infrastructure has arisen most recently in connection with security primarily from terrorist attacks, though the concept has since broadened to include other kinds of threats. Since the mid-1990s, when an initial attack on the World Trade Center (WTC) occurred in 1993 followed by the WTC attacks of September 11, 2001, the U.S. has developed legislation and programs to protect key infrastructure [1, updated]. Prior to the WTC attacks in 2001, federal initiatives included the 1996 Executive Order 13010, a special infrastructure protection commission and office, and, in 1998, Presidential Decision Directive (PDD) 63. In 2001, the USA Patriot Act's Section 1016 defined critical infrastructure as systems and assets, whether physical or virtual, so vital to the nation that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, [or] national public health and safety.

Following the Patriot Act, almost annually, critical infrastructure protection (CIP) was featured in various strategies and plans, gradually becoming more specific to infrastructure and the individual categories within them. In 2009, the National Infrastructure Protection Plan (NIPP), first produced in 2005, was updated. The coverage of CIP has expanded from terrorist-related security to an all-hazards approach, underscored by the devastating impacts on human populations related in part to the failure of critical infrastructures following Hurricane Katrina in 2005.

What are Interdependencies and Dependencies?

Rinaldi, Peerenboom and Kelly [2] and others [3] differentiate between interdependencies and dependencies in infrastructure systems and provide a typology for interdependencies including spatial and functional distinctions.

Spatial Interdependencies: One infrastructure can be located near another infrastructure for economic reasons, so a physical failure in one leads to damage of and a failure in another nearby facility.

Functional Interdependencies: Two infrastructures depend on one another to function. For example, information technology requires electricity to function, and electricity requires information technology to manage control systems, so they are mutually interdependent to support each other's functions.

To some extent the interdependency concept has been integrated into security policy and plans. For example, the NIPP mentions the concept. The Sector Specific Plans developed in connection with the 2005 version of NIPP vary in the extent to which they explicitly identify and emphasize interdependencies. The next section gives examples of interdependencies that provide the foundation for an accounting system.

2. AN ACCOUNTING SYSTEM FOR INFRASTRUCTURE INTERDEPENDENCIES

In order to develop an accounting system to portray interdependencies, two steps are necessary. First, the places where interdependencies are likely to occur must be identified as a basis for organizing and quantifying the relationships. Second, given the location of these interdependencies, the estimated magnitude can then be ranked on a qualitative or integer scale based on experiences and event databases over time. Criteria for ranking can, for example, be based on the frequency with which the interdependencies occur or the seriousness should failures occur as a result of the interdependencies.

Table 1 presents an overview of some generic interdependencies among key infrastructure sectors: oil and natural gas, electricity, transportation, and water. Information technologies (communication and computing) are also included; they are highly diverse and have been growing in use, particularly in detection, communication and control systems for other infrastructure. Tables 2 through 5 provide more detail on communication technologies and their relationship to each of the other four infrastructure sectors. Once interdependencies are identified, independent of their vulnerabilities (these vulnerabilities are discussed in section 3 below), significance and importance scores can be assigned based on prevailing knowledge of the extent and severity of the interdependencies.

Table 1. Overview of Generic Interdependencies among Infrastructure Sectors
(Entries are grouped by the sector receiving the service; each entry names the sector generating the service.)

Sector Receiving the Service: Energy: Oil & Gas
  From Energy: Electricity: Electricity for extraction and transport (pumps, generators)
  From Transportation: Delivery of supplies and workers
  From Water: Production water
  From Communication: Breakage and leak detection and remote control of operations

Sector Receiving the Service: Energy: Electricity
  From Energy: Oil & Gas: Fuel to operate power plant motors and generators
  From Transportation: Delivery of supplies and workers
  From Water: Cooling and production water
  From Communication: Detection and maintenance of operations and electric transmission

Sector Receiving the Service: Transportation
  From Energy: Oil & Gas: Fuel to operate transport vehicles
  From Energy: Electricity: Power for overhead transit lines
  From Water: Water for vehicular operation; cleaning
  From Communication: Identification and location of disabled vehicles, rails and roads; the provision of user service information

Sector Receiving the Service: Water
  From Energy: Oil & Gas: Fuel to operate pumps and treatment
  From Energy: Electricity: Electric power to operate pumps and treatment
  From Transportation: Delivery of supplies and workers
  From Communication: Detection and control of water supply and quality

Sector Receiving the Service: Communication
  From Energy: Oil & Gas: Fuel to maintain temperatures for equipment; fuel for backup power
  From Energy: Electricity: Energy to run cell towers and other transmission equipment
  From Transportation: Delivery of supplies and workers
  From Water: Water for equipment and cleaning

Table 2. Example of Accounting for Interdependencies: Information Technology and Oil and Natural Gas
- Monitor production, flow, pressure and other pipeline properties for safety and efficiency of operations
- Identify environmental conditions and intrusions
- Electronically shut remote or not easily accessible facilities in emergencies
- Manage remote operation locations from more accessible places

Table 3. Example of Accounting for Interdependencies: Information Technology and Electricity
- Shut down equipment in emergencies to avoid equipment damage
- Reroute electricity in response to supply and demand
- Identify electricity usage and flow rates
- Identify anomalies or upsets in the system to prevent them from spreading
- Promote smart grid infrastructure: A "Smart Grid is a transformed electricity transmission and distribution network or 'grid' that uses robust two-way communications, advanced sensors, and distributed computers to improve the efficiency, reliability and safety of power delivery and use." [4]

Table 4. Example of Accounting for Interdependencies: Information Technology and Transportation
- Identify the location of disabled vehicles
- Match the volume of traffic to the provision of transit vehicles
- Improve vehicular flow through signaling efficiency

Table 5. Example of Accounting for Interdependencies: Information Technology and Water and Wastewater
- Detect intrusions into water systems and contamination incidents to enable managers to initiate warnings and adjust system operations
- Detect leakages in water distribution systems as a basis for taking steps to reduce wasting water
- Cover a large variety of contaminants in water using increasingly specialized devices for water quality detection
- Manage the increasing number and stringency of water contaminants to safeguard water quality
- Identify contaminant incidents and reduce sources of contamination
- Identify where deficits exist in water supply as a basis for water conservation
- Detect terrorist activity and intrusions into water infrastructure with sensors that can detect chemical and biological agents and radioactivity used as weapons

3. QUANTIFYING VULNERABILITIES FROM INTERDEPENDENCIES

The Dilemma of Cascades

Cascading effects of infrastructure failures from terrorist attacks or natural hazards can greatly increase the magnitude of the impacts of a failure of any given infrastructure.
These effects are driven by interdependencies among infrastructure sectors. How to capture the way in which these interdependencies operate and heighten impacts, and how this knowledge can be used as the basis to improve recovery, is less well understood. The sections below first identify measurements for interdependencies, where interdependencies have been occurring and reflecting vulnerability, and how one begins to organize this information into an accounting system.

Prior Research

To take the accounting system to the next step, the paper also presents methodologies to quantify functional and spatial interdependencies and associated cascades. Functional interdependency measures build upon work conducted for electric power outages and the impacts they had on other infrastructure, such as water, wastewater, and transportation [5], and other sources are cited as well. The quantification of spatial interdependencies is illustrated with generic types of influences infrastructures have on one another when they fail.

The measure formulated by Zimmerman and Restrepo [5] for functional interdependency used a numerical ratio of the time it took for a given infrastructure to be restored relative to the time it took electric power servicing that infrastructure to be restored. The findings in connection with the August 2003 electric power outage are summarized below, and the paper covers other kinds of outages as well.

Initial Computer Failures Considered a Contributing Cause (Total Power Outage Duration = 42-72 hours)

Affected infrastructure            T(i)/T(e)
Transit-electrified rail (NYC)     1.3
Traffic Signals (NYC)              2.6
Water Supply (Cleveland, OH)       2.0
Water Supply (Detroit, MI)         3.0

NOTE: T(e) is the electric power outage duration and T(i) is the affected infrastructure outage duration.

The application of some of the impacts or cascades measured in the Zimmerman and Restrepo [5] work can be expanded to oil refinery and oil pipeline outages after the Gulf Coast hurricanes.
For example, some of the refineries took anywhere from the same time to eight times the duration for power to be restored. Given that restoration time can be a function of a variety of factors (including mandatory and deliberate shutdowns), research needs to go further in using the method as a screen to analyze more deeply the connections between restoration times and where and what type of interconnections did in fact fail. For instance, some infrastructure such as water supply systems have expanded in a way that has increased the use of pumps, hence increasing the dependency on electric power.

Other approaches to functional interdependencies have been developed. For example, Haimes et al. [7] have conceptualized and quantified interdependencies in the form of input-output matrices as well as for individual facilities. Apostolakis and Lemon [8] have relied on a detailed understanding of infrastructure networks using user-infrastructure combinations for natural gas, water and electricity.

A different approach applied a ratio technique to spatial interdependencies, primarily among infrastructure distribution systems, using a constructed dataset of actual events that yielded the following results, ranked in order of which infrastructure initiated the greatest effect on all others [6]:

Ratio of the Number of Times a Given Infrastructure Caused a Disruption in Another Infrastructure vs. Another Infrastructure Disrupting It

Infrastructure                     Ratio
Water mains                        3.4
Roads                              1.4
Sewers/sewage treatment            1.3
Electric Lines                     0.9
Gas lines                          0.5
Fiber Optic/Telephone              0.5

Examples of Cascading Effects from Infrastructure Interdependencies in Catastrophic Events

Interdependencies comprise a highly significant dimension for understanding system vulnerability and potential impacts to users. Interdependencies are now becoming critical vulnerabilities in infrastructure services.
Some examples of vulnerabilities where systems were actually brought down or, alternatively, damage was prevented specifically from interdependencies are instructive and are an important foundation for accounting for interdependencies and focusing on those that are critical. Given that information technology is a growing area of interconnection and control for many infrastructures, examples are drawn from that area.

IT and Transit

On August 20, 2003, the entire CSX rail system shut down in 23 states, since a computer system monitoring train movement and signals failed; system restoration relied initially on manual overrides, such as faxing train orders [9].

On May 25, 2006, 112 Amtrak trains and 45 NJ Transit trains were disrupted when a 4-year-old computer part failed to relay an order to restore power at one of six Amtrak substations after an electricity reduction for maintenance. Amtrak managed the situation by having substations manned in peak hours, not reducing power capacity for maintenance, and having spare locomotives to move stalled trains. [10]

In August 2006, 4,000 people were evacuated and a couple of dozen people and a number of firefighters were injured in a subway fire, largely attributed to delayed communications. Subway operators could not reach radio dispatchers for 5 minutes and radio dispatchers were delayed 13 minutes in getting messages to emergency rescue workers due to the lack of a dedicated radio frequency. [11]

In the London train bombings of 2005, CCTV enabled the authorities to initially track the perpetrators and finally apprehend them, though it couldn't avoid the attack [12].

In New York City, September 11, 2001, communications averted deaths by allowing train operators time to prevent trains from entering the area:
- Within a minute of the first plane hitting the north tower, a train operator alerted the control center of the Metropolitan Transportation Authority (MTA) of an explosion, and emergency procedures began.
- Within six minutes Port Authority Trans-Hudson (PATH) began emergency procedures. [13]

In Bhopal, India in December 1984, communication warnings may also have enabled trains to be used to move people out of the area and prevent trains from entering Bhopal at the time of the release of methyl isocyanate, thus preventing many more deaths [14].

Energy: Oil and Gas Pipelines

Olympic's Bellingham Pipeline failure occurred in June 1999 after an overloaded Supervisory Control and Data Acquisition (SCADA) system prevented operators from detecting a pipeline problem, resulting in a spill of 277,000 gallons of gasoline [15].

In 1999, a hacker was able to disable a pipeline operated by Gazprom in Russia, though the company denied that had occurred [16].

A dozen or more oil and gas pipeline failures were reported during the 1990s due to deficiencies in information system displays, such as SCADA systems, and lack of adequate worker training to understand the displays. Improvements were made in information visualization [17].

Energy: Electricity

In the August 2003 Blackout, First Energy control room operators were unaware visually and audibly that an alarm had gone off, since their computer system was impaired. This delayed their ability to detect that something was wrong with the electrical system. Subsequently, computer control servers became disabled. [18, p. 51]

In the 2003 Blackout, network congestion caused by the Blaster worm reportedly delayed the exchange of critical power grid control data across the public telecommunications network, which could have hampered the operators' ability to prevent the cascading effect of the blackout. [19]

A false oil flow alarm shut an electricity transmission line down, causing a widespread blackout in Southern California affecting 500,000 people [20].

In 2009, cyberspies were reported to have penetrated electric power grids and left behind software that had the potential to destroy electric power infrastructure [21].

In January 2003, the Slammer worm infected the safety monitoring system at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, and replicated so fast that it disabled the system for nearly five hours. The worm knocked out the plant's central command system for six hours. A report from the North American Electric Reliability Council found that power wasn't disrupted, but the failure stopped commands to other power utilities. [22]

Water/Wastewater

A laptop used to measure water tank levels in a water treatment plant was compromised, pointing to a potential threat, though the water treatment plant was not considered the target [23].

Maroochy Shire sewage spill - In the spring of 2000, a former employee of an Australian software manufacturing organization applied for a job with the local government, but was rejected. Over a 2-month period, this individual reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.
[24]

Incorporating Interdependency Vulnerabilities into an Accounting System

The accounting framework shown in Table 1 and detailed in Tables 2-5, using information technology as examples in Section 2, contained interdependencies that were neutral with respect to vulnerability. The case-based or event-based information in Section 3 as well as the quantitative indices described in the prior research section and other sources on infrastructure outages are the kind of information that can provide the foundation for applying a system of ranks or scores to those events.

4. CONCLUSIONS AND OBSERVATIONS

Interdependencies have become a growing phenomenon across infrastructure sectors as they are not only a point of potential vulnerability but may also compound existing vulnerabilities and carry these vulnerabilities across multiple infrastructure sectors. Given their extensive use, communication technologies present particularly critical interdependencies with other infrastructures. The interdependencies between the communications sector and other infrastructure systems will increase in the near future as society continues to rely on information technology and communications to operate and manage critical infrastructure components. A number of examples included in this paper highlight how vulnerabilities in information technology can lead to various infrastructure failures. These failures can be initiated accidentally, as when a network component fails or in the case of human error, or intentionally, as in the case of attacks by hackers or terrorist groups. Accounting systems that identify key interdependencies and begin to assess and quantify the extent of their vulnerability provide a new dimension to analyzing infrastructure vulnerabilities and constitute an exciting area of risk assessment and risk management research.
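
The two ratio measures from Section 3, T(i)/T(e) for functional interdependencies and the caused-versus-received disruption ratio for spatial interdependencies, can be computed from event records and mapped onto an integer scale as in the following added example, which is not code from the paper. The outage records, the event pairs, the cut points of the integer scale and all function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample records (hours), not data from the paper.
# t_e: electric power outage duration; t_i: outage duration of the dependent service.
OUTAGES = [
    {"service": "traffic signals", "t_e": 30.0, "t_i": 90.0},
    {"service": "electrified rail", "t_e": 30.0, "t_i": 45.0},
    {"service": "water supply", "t_e": 20.0, "t_i": 20.0},
    {"service": "telecom switch", "t_e": 20.0, "t_i": 10.0},
]

# Constructed (initiating infrastructure, disrupted infrastructure) event pairs.
SPATIAL_EVENTS = [
    ("water main", "road"),
    ("water main", "gas line"),
    ("water main", "fiber optic"),
    ("road", "water main"),
    ("road", "fiber optic"),
    ("gas line", "road"),
    ("electric line", "fiber optic"),
    ("sewer", "road"),
]


def functional_ratio(t_i, t_e):
    """T(i)/T(e): restoration time of a service relative to the power feeding it."""
    if t_e <= 0 or t_i < 0:
        raise ValueError("durations must satisfy t_e > 0 and t_i >= 0")
    return t_i / t_e


def integer_score(ratio, cuts=(1.0, 2.0)):
    """Map a ratio onto an integer scale 0..len(cuts); the cut points are assumed."""
    return sum(ratio > c for c in cuts)


def screen_functional(outages):
    """Rank services by T(i)/T(e), highest first, as a screen for deeper analysis."""
    rows = []
    for rec in outages:
        ratio = functional_ratio(rec["t_i"], rec["t_e"])
        rows.append((rec["service"], round(ratio, 2), integer_score(ratio)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def spatial_ratios(events):
    """Per infrastructure: (times it disrupted others, times disrupted, ratio)."""
    caused = Counter(src for src, _ in events)
    disrupted = Counter(dst for _, dst in events)
    table = {}
    for infra in sorted(set(caused) | set(disrupted)):
        c, d = caused[infra], disrupted[infra]
        # Never disrupted by another infrastructure in this dataset: keep the
        # counts so a small sample is visible, and report the ratio as unbounded.
        table[infra] = (c, d, math.inf if d == 0 else c / d)
    return table


def rank_initiators(events):
    """Order infrastructures by how strongly they initiate disruption in others."""
    table = spatial_ratios(events)
    return sorted(table, key=lambda k: (-table[k][2], -table[k][0], k))


if __name__ == "__main__":
    for row in screen_functional(OUTAGES):
        print(row)
    table = spatial_ratios(SPATIAL_EVENTS)
    for name in rank_initiators(SPATIAL_EVENTS):
        print(name, table[name])
```

An infinite spatial ratio only says that no disruption of that infrastructure was recorded; with few events it should be read alongside the raw counts.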

ACKNOWLEDGEMENTS AND DISCLAIMER

This work is presented on behalf of support from the New York University Polytechnic Institute of New York University seed grant funding for the research topic, Critical Infrastructure Policy and Information Security within the seed grant entitled CRISPP: Center for Interdisciplinary Studies in Security and Privacy. This research was also supported by the United States Department of Homeland Security through the Center for Catastrophe Preparedness and Response at New York University, Grant number 2004-GTTX-0001, for the project Public Infrastructure Support for Protective Emergency Services, by the United States Department of Homeland Security through the Center for Risk and Economic Analysis of Terrorism Events (CREATE), Grant number 2007-ST-061-000001, and the Institute for Information Infrastructure Protection (The I3P) under Award 2003-TK-TX-0003. However, any opinions, findings, and conclusions or recommendations in this document are those of the authors and do not necessarily reflect views of the United States Department of Homeland Security.

REFERENCES

[1] Rae Zimmerman, Critical Infrastructure and Interdependency, Chapter 35 in The McGraw-Hill Homeland Security Handbook, edited by David G. Kamien, New York, NY: The McGraw-Hill Companies, Inc., 523-545, 2006.
[2] Stephen M. Rinaldi, James P. Peerenboom and Terence K. Kelly, Identifying, understanding and analyzing critical infrastructure dependencies, IEEE Control Systems Magazine, 11-25, December 2001.
[3] Rae Zimmerman, Social Implications of Infrastructure Network Interactions, in Sustaining Urban Networks: The Social Diffusion of Large Technical Systems, edited by Olivier Coutard, Richard Hanley, and Rae Zimmerman. London, UK: Routledge, 67-85, 2005.
[4] Wikipedia, Smart Grid, April 20, 2009. http://en.wikipedia.org/wiki/smart_grid.
[5] Rae Zimmerman and Carlos E. Restrepo, The Next Step: Quantifying Infrastructure Interdependencies to Improve Security, International Journal of Critical Infrastructures, 2 (Nos. 2/3), 215-230, 2006.
[6] Rae Zimmerman, Decision-making and the Vulnerability of Critical Infrastructure, Proceedings of IEEE International Conference on Systems, Man and Cybernetics, edited by W. Thissen, P. Wieringa, M. Pantic, and M. Ludema, The Hague, The Netherlands: Delft University of Technology, 2004.
[7] Yacov Y. Haimes, Barry M. Horowitz, James H. Lambert, Joost R. Santos, Chenyang Lian, and Kenneth G. Crowther, Inoperability Input-Output Model for Interdependent Infrastructure Sectors. I: Theory and Methodology, Journal of Infrastructure Systems, 11 (2), 67-79, June 2005.
[8] George E. Apostolakis and Douglas M. Lemon, A Screening Methodology for the Identification and Ranking of Infrastructure Vulnerabilities Due to Terrorism, Risk Analysis, 25 (2), 361-376, 2005.
[9] Chip Jones, Computer Virus Blamed in Temporary Shutdown of CSX Rail System, Richmond Times-Dispatch, Va. Knight Ridder/Tribune Business News, August 21, 2003. http://www.allbusiness.com/government/governmentbodies-offices-us-federal-government/10378875-1.html.
[10] Associated Press, Amtrak Blames Outage on Computer Flaw, The New York Times, February 23, 2007. http://www.nytimes.com/aponline/us/ap-train-Outage.html.
[11] WABC, Blistering report on summer subway fire, Eyewitness News, January 17, 2007. http://abclocal.go.com/wabc/story?section=local&id=4945419.
[12] BBC News, 'Suicide bomb' CCTV shown to jury, January 16, 2007. http://news.bbc.co.uk/1/hi/uk/6266399.stm.
[13] Allan J. DeBlasio, Terrance J. Regan, Margaret E. Zirker, F. Brian Day, Michelle Crowder, Kathleen Bagdonas, Robert Brodesky, and Dan Morin, Effects of Catastrophic Events on Transportation System Management and Operations, New York City September 11, Draft, Prepared by the Volpe National Transportation Systems Center for the U.S. Department of Transportation. Washington, D.C.: Federal Highway Administration, ITS Joint Program Office, April 2002.
[14] Faisal Mohammad Ali, Forgotten hero of Bhopal's tragedy, BBC, December 2, 2004. http://news.bbc.co.uk/1/hi/world/south_asia/4051755.stm.
[15] Scott Sunde, National alert from pipeline accident. Regulators urge review of computer systems, Seattle Post-Intelligencer Report, July 9, 1999.
[16] Dorothy E. Denning, Cyberterrorism, Global Dialogue, Autumn, 2000.
[17] National Transportation Safety Board, Supervisory Control and Data Acquisition (SCADA) in Liquid Pipelines, Safety Study. Washington, DC: NTSB, 2005.
[18] U.S.-Canada Power System Outage Task Force, Final Report on the August 14th 2003 Blackout in the United States and Canada: Causes and Recommendations, The Task Force, April 2004.
[19] Dan Verton, Blaster Worm Linked to Severity of Blackout, Computerworld, August 29, 2003. http://www.computerworld.com/printthis/2003/0,4814,84510,00.html.
[20] Alex Veiga, Sensor Glitch Caused Calif. Power Shutdown, Associated Press, August 26, 2005. http://media3.comcast.net/data/news/html/2005/08/26/208966.html.
[21] Siobhan Gorman, Electricity Grid in U.S. Penetrated by Spies, The Wall Street Journal, April 8, 2009.
[22] Michael Arnone, SCADA on thin ice - Industrial control systems pose little-noticed security threat, May 8, 2006. http://www.fcw.com/print/12_16/news/94273-1.html
[23] Robert McMillan, IDG News Service, October 31, 2006. http://www.networkworld.com/news/2006/110106-hackersbreak-into-water-system.html.
[24] U.S. Government Accountability Office (GAO), Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, Statement of Gregory C. Wilshusen, Director, Information Security Issues, Washington, DC: U.S. GAO, October 17, 2007.