Designing and Retrofitting Resilience into Critical Infrastructures

Giovanni Sansavini

Giovanni Sansavini is an Associate Professor of Reliability and Risk Engineering at the Institute of Energy and Process Engineering, ETH Zurich. He holds the AXA Chair at the ETH Risk Center and chairs the Technical Committee on Critical Infrastructures of the European Safety and Reliability Association. He received his B.S. in Energy Engineering and M.S. in Nuclear Engineering from Politecnico di Milano in 2003 and 2005. In 2010, he received his Ph.D. in Mechanical Engineering from Virginia Tech and in Nuclear Engineering from Politecnico di Milano.

‘Critical’ systems and sectors are those that society cannot do without. Most of them are essential to the continued functioning of our societies: they provide services such as heating and clean water to meet basic needs, and electricity supply for manufacturers and the financial sector. A cyber-attack on any of these sectors, or on a single piece of infrastructure, can cause mayhem, as illustrated by the 2021 ransomware attack on Colonial Pipeline, which prompted gasoline shortages and panic buying in the south-eastern United States.¹ Whether a piece of infrastructure is considered critical reflects societal standards and values: some sectors, such as commercial facilities or defence, are deemed critical in one country but not in another. In practice, though, the lists are very similar.

The current approaches to protecting critical infrastructures from cyber risks are similar to those developed for non-critical infrastructures. They rely on well-established risk assessment and risk management processes defined in international standards, such as those of the ISO (International Organization for Standardization), and they have a strong track record: in the nuclear sector or in space missions, for instance, they have kept major issues rare.

Many infrastructures are critical to the workings of our societies. They can be designed or retrofitted to promote cyber resilience.

However, a risk-based approach has limitations. With cyber risks there is a lot of uncertainty about the nature and magnitude of the threats and about how they evolve. In addition, for some risks we simply do not know the consequences of a hazard, for example those of a specific chemical spill on human health or the environment. Such hazards in the physical world can be connected to cyber threats in ways we do not always see at first. Consider the near-miss cyber-attack on an American water treatment plant in 2021,² where an intruder raised the sodium hydroxide dosing setpoint roughly a hundredfold, which would have made the water dangerous to drink. In that case the tampering was stopped by human intervention before the water quality was affected, but additional safety mechanisms, such as independent sensors on the treated water, could have caught it as well. We call these ‘additional layers of protection’.
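To make the idea of independent layers concrete, here is an added example (not from the article or from the plant in question) of two protection layers around a dosing setpoint: a guard in front of the controller that enforces engineered process limits and a maximum step change regardless of who issued the command, and a monitor that acts on what an independent sensor measures rather than on what was commanded. The limits, readings, zone names and the hundredfold request are constructed to match the scenario above and are hypothetical.

```python
"""Independent layers of protection around a dosing setpoint (added example).

Constructed scenario: the sodium hydroxide dosing setpoint (ppm) can be changed
from an HMI or a remote-access session. Two layers sit outside that path and
never trust it: a setpoint guard in front of the controller, and a monitor on
an independent sensor that trips dosing on what is measured, not on what was
commanded. All limits, readings and names below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SetpointGuard:
    low: float                      # engineered process limit (ppm)
    high: float                     # engineered process limit (ppm)
    max_step_factor: float = 2.0    # largest relative change allowed per command
    current: float = 100.0          # last accepted setpoint (ppm)
    log: List[str] = field(default_factory=list)

    def request(self, new_value: float, source: str) -> bool:
        """Apply a setpoint change only if both the range and the step rule pass."""
        if not (self.low <= new_value <= self.high):
            self.log.append(f"REJECT {new_value} ppm from {source}: "
                            f"outside [{self.low}, {self.high}]")
            return False
        ratio = new_value / self.current
        if ratio > self.max_step_factor or ratio < 1 / self.max_step_factor:
            self.log.append(f"REJECT {new_value} ppm from {source}: step x{ratio:.1f}")
            return False
        self.log.append(f"ACCEPT {self.current} -> {new_value} ppm from {source}")
        self.current = new_value
        return True


def ramp_attack(guard: SetpointGuard, target: float, factor: float) -> float:
    """Creep toward a target in small steps that each satisfy the step rule.

    Returns the setpoint the guard ended at: the step rule alone is defeated
    by patience, the hard range limit is what holds.
    """
    while guard.current < target:
        step = min(guard.current * factor, target)
        if not guard.request(step, "remote-session"):
            break
    return guard.current


def measurement_trip(reading_ppm: float, safe_high: float, sensor_ok: bool) -> str:
    """Independent layer on the measured value; fails safe if the sensor is unhealthy."""
    if not sensor_ok:
        return "TRIP: sensor fault"
    if reading_ppm > safe_high:
        return "TRIP: measured concentration above safe limit"
    return "OK"


if __name__ == "__main__":
    guard = SetpointGuard(low=50, high=150)
    guard.request(10_000, "remote-session")   # the hundredfold jump: rejected
    guard.request(120, "hmi")                 # routine adjustment: accepted
    print(ramp_attack(SetpointGuard(low=50, high=150), 10_000, 1.5))
    print(measurement_trip(11_000, safe_high=150, sensor_ok=True))
    print("\n".join(guard.log))
```

The point of the ramp test is that a rate-of-change rule on its own is not a protection layer: an attacker who can issue many commands simply takes many small steps. The engineered range limit and the measurement-based trip are independent of how the command arrived, which is what makes them a separate layer.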

The idea of ‘layers of protection’ is part of the novel approaches that focus on resilient designs. We now design systems so that they can sustain some level of impact and destruction, because we acknowledge that we are unaware of some threats and hazards. In some sense, we need to be agnostic about the type of threat we are facing, to complement the risk approach.

Modern society relies on networks. We are interconnected in everything from food supply and water treatment to energy supply. Networks allow us to balance commodities and be more efficient: the electricity network, for instance, moves excess electricity produced in one place to another place with less supply at that time. These networks also make us interdependent. In 2015, Ukraine suffered a cyber-attack on its power grid that cut the electricity supply of about 225,000 customers.³ In a synchronously interconnected network such as the European grid, instabilities of that kind could cascade to a rather large scale. Fortunately, we have standards for such technical and international networks, and national operators comply with them diligently.

To keep a commodity available when there is an issue at one point of the network, such as a blackout in an interconnected country, one option is to have ‘buffers’ in place, for example local suppliers. In other types of networks, however, we do observe dramatic cascade effects. The July 2021 ransomware attack on Kaseya, an American IT management software provider, locked up tens of thousands of computers across the globe, and the attackers demanded $70 million to unlock all the affected systems.⁴

When part of a system is compromised, it must be possible to disconnect it temporarily from the rest of the network. A resilient design ensures that the system can work in ‘islanding mode’, with islands operating independently. Another design adaptation is flexibility in the modes of operation, for instance complementary supplies such as oil and electricity, in case the electricity network or a pipeline goes down.
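The two principles above, buffers and islanding, can be checked on a network model before anything is built or retrofitted. The following is an added example, not from the article, using a constructed four-zone supply network with hypothetical supply, demand and buffer figures: isolating a compromised zone splits the rest into islands, and each island survives only if its own supply plus local buffer covers its demand. The same check is then rerun on a retrofitted version of the design with local buffers added.

```python
"""Islanding and buffers checked on a small network model (added example).

Constructed network: each zone has local supply, local demand and a local
buffer (reserve able to cover demand for the duration of an incident); edges
are interconnectors. Isolating compromised zones splits the rest into islands,
and an island survives only if supply + buffer >= demand. Zone names and
figures are hypothetical.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

Zone = Dict[str, float]

# Hub-and-spoke design as built: one large plant feeds three zones with little
# local supply and no buffers.
NODES: Dict[str, Zone] = {
    "hub":   {"supply": 100, "demand": 20, "buffer": 0},
    "north": {"supply": 10,  "demand": 30, "buffer": 0},
    "south": {"supply": 0,   "demand": 25, "buffer": 0},
    "east":  {"supply": 15,  "demand": 20, "buffer": 0},
}
EDGES: List[Tuple[str, str]] = [
    ("hub", "north"), ("hub", "south"), ("hub", "east"), ("north", "east"),
]


def islands(nodes: Dict[str, Zone], edges: Iterable[Tuple[str, str]],
            isolated: Set[str]) -> List[List[str]]:
    """Connected components that remain once the isolated zones are cut off."""
    adj = defaultdict(set)
    for a, b in edges:
        if a not in isolated and b not in isolated:
            adj[a].add(b)
            adj[b].add(a)
    seen: Set[str] = set()
    result: List[List[str]] = []
    for start in nodes:
        if start in isolated or start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:                      # breadth-first walk of one island
            zone = queue.popleft()
            comp.append(zone)
            for nxt in adj[zone]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result.append(sorted(comp))
    return result


def assess(nodes: Dict[str, Zone], edges: Iterable[Tuple[str, str]],
           isolated: Set[str]) -> Dict[Tuple[str, ...], dict]:
    """Balance each island: it survives if its supply + buffer covers its demand."""
    report = {}
    for comp in islands(nodes, edges, isolated):
        supply = sum(nodes[z]["supply"] for z in comp)
        buffer = sum(nodes[z]["buffer"] for z in comp)
        demand = sum(nodes[z]["demand"] for z in comp)
        report[tuple(comp)] = {"supply": supply, "buffer": buffer,
                               "demand": demand,
                               "survives": supply + buffer >= demand}
    return report


def with_buffers(nodes: Dict[str, Zone], buffers: Dict[str, float]) -> Dict[str, Zone]:
    """Retrofit: a copy of the design with local buffers added (original untouched)."""
    return {z: {**attrs, "buffer": attrs["buffer"] + buffers.get(z, 0)}
            for z, attrs in nodes.items()}


def all_survive(report: Dict[Tuple[str, ...], dict]) -> bool:
    """True when every island left after isolation can carry its own load."""
    return all(island["survives"] for island in report.values())


if __name__ == "__main__":
    retro = with_buffers(NODES, {"north": 25, "south": 25, "east": 10})
    for label, design in (("as built", NODES), ("retrofitted", retro)):
        rep = assess(design, EDGES, {"hub"})
        print(label, "with hub isolated:",
              {k: v["survives"] for k, v in rep.items()})
```

Isolating the hub in the design as built leaves two islands, neither of which can carry its load; the retrofit adds buffers sized to each island's shortfall, after which both islands survive. Isolating a spoke instead leaves the hub island intact, which is the asymmetry a hub-and-spoke topology always has.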

These design adaptations can be carried out on existing infrastructures by retrofitting their designs or adding layers of protection. This comes at a cost, but we need to do our best to improve existing infrastructures, since building new ones has significant impacts, not least environmental ones. For infrastructures that do not yet exist, for example carbon dioxide storage and distribution networks or hydrogen production and distribution networks, designing from scratch means we can apply the principles described above, islanding, buffers and flexible operation, and others, to make our connected infrastructures resilient by design.

1 ‘DHS to Issue First Cyber Security Regulations for Pipelines After Colonial Hack’, Ellen Nakashima and Lori Aratani, The Washington Post, May 25, 2021

2 ‘“Dangerous Stuff”: Hackers Tried to Poison Water Supply of Florida Town’, Frances Robles and Nicole Perlroth, The New York Times, February 8, 2021

4 ‘Ransomware Hackers Demand $70 Million to Unlock Computers in Widespread Attack’, Robert McMillan, The Wall Street Journal, July 5, 2021