Checks the society's toughness
By Knut Øien, Lars Bodsberg, Tor Olav Grøtan
The danger of advanced hacker attacks, physical terrorism and extreme weather has made social security a world-wide burning issue. Today's threats have changed the perceptions of what it takes to secure important social functions. Long-awaited tools are now being developed that will show critical infrastructure owners - everything from transport to finance - where the need for improvement is greatest.
Previously, the owners of such infrastructures could behave like turtles: put their trust in a hard shell. Whether talking about energy companies, waterworks or transport companies, they all use virtually the same medicine against current threats. They protect buildings, installations and computer systems as good as possible - and then leave it with that.
However, the world has changed. Because "everything" is on the internet, the hackers have been given new opportunities to cause harm. Terrorists have expanded their repertoire and the climate is getting more and more extreme. This has prompted many stakeholders to agree on a new prescription for the critical infrastructure. Protective measures alone are no longer sufficient.
The new recipe is to provide critical infrastructure with features that in English are called resilience. Alternative words in Norwegian are "robustness", "tolerance", "toughness" and "adaptability", but none of these are fully adequate. The new thinking, however, means that the companies in question should borrow properties not only from turtles but also from the flower dandelion - and especially inspired by the weed plant's ability to grow up again and again after being cut down.
The EU requests a possibility to measure the necessary features - in order to use the results to improve the security of critical infrastructure. In the joint European research project "SmartResilience", Sintef is developing methodologies for such measurements.
The focus is on hazards related to possible hacker attacks, terror attacks and extreme weather. What to be measured is the business's properties in five distinct phases: Have they done what is needed to understand the risk? Have they prepared for threats and unwanted events? Have they proactively increased the ability to resist and handle familiar and unfamiliar phenomena; to quickly recover from extreme events; and finally learn from them?
In the project, we cover sectors such as energy, water, health, finance, chemical production and transport. The measuring tool consists of questions related to topics that representatives of the individual sectors consider important.
For example, our partner in chemical industry, a Serbian group, has defined "risk register" as one of several important topics or measures within the phase "risk understanding". Therefore, we have asked questions about whether such records exist and whether they are used in decision-making.
The answers give scores, and the score becomes a measure of the company's resilience. A city will thus be able to compare each part of its critical infrastructure and see where any improvements are most needed.
The need to include risk understanding is clearly evident from a serious event in Ukraine, the Christmas Eve of 2015. Then, for the first time in history, cyber terrorists put out a power network. The blackout hit nearly a quarter of a million electricity customers. The attack was well organized. Despite this, protection tools exist that would have reduced damage - if it had only been installed.
In the project, we also develop methods for stress testing through simulated extreme events. These will show how much stress a critical infrastructure can withstand. Had the nuclear power plant in Japanese Fukushima made such a test before the tsunami came in 2011, it could have been discovered that protection against tsunamis was insufficient and improvement measures could have been implemented.
All in all, we believe that a pan-European measurement system that identifies and raises the status of "dandelion properties" as an important complement to "turtle solutions" will help to secure important social functions during crises.
Knut Øien, Lars Bodsberg and Tor Olav Grøtan are Senior Researchers in Sintef.
Published in the newspaper "Dagens Næringsliv" on October 27, 2017 and Gemini.no on October 29, 2017.
Dagens Næringsliv (Norwegian for "Today's Business"), is a Norwegian newspaper specializing in business news. As of 2015, it is the third largest newspaper in Norway.