Euracom - Risk Assessment and Contingency Planning Methodologies

March 26, 2018 | Author: khalilv3x6739 | Category: Risk Management, Business Continuity, Risk, Emergency Management, Risk Assessment



DELIVERABLE D2.3
Integrated report on the link between Risk Assessment and Contingency Planning Methodologies

Deliverable: D 2.3 Integrated report on the link between RA and CP
Version:
Programme: Seventh Framework Programme
Theme: ICT-SEC-2007-7.0-01
Project Acronym: EURACOM
Project Full Title: European Risk Assessment and Contingency Planning Methodologies for interconnected networks
Grant Agreement: 225579
Coordinator: EOS

Table of Contents

1 Introduction ..... 10
1.1 Context of EURACOM ..... 10
1.2 WP2 Deliverables ..... 11
1.3 WP 2.3 Objectives ..... 12
1.4 Links of WP2.3 with other EURACOM deliverables ..... 12
1.5 Structure of the document ..... 13
1.6 Acronyms ..... 14
2 Analysis of links between available Risk Assessment and Contingency Planning methodologies ..... 16
2.1 Objectives of the section ..... 16
2.2 Relationship between Risk Assessment & Contingency Planning ..... 16
2.2.1 The preparation loop: from RA to CP ..... 17
2.2.2 The lessons learnt loop ..... 17
2.2.3 The relationship at a glance ..... 18
3 Founding principles of the approaches ..... 20
3.1 The Scope of applicability of the approaches ..... 20
3.2 Glossary of Terms and Risk Management Concepts ..... 23
3.2.1 Definition of terms ..... 23
3.2.2 Impact for the combined structure of Risk Assessment and Contingency Planning approaches ..... 26
3.2.3 Towards a holistic, combined, all-hazards approach ..... 27
4 Risk Assessment ..... 29
4.1 EURACOM WP 2.1 Desktop Study ..... 29
4.2 Methodology for Holistic Risk Assessment ..... 30
4.2.1 Overview of Structure ..... 30
4.2.2 Introduction to Holistic Risk Management ..... 31
4.2.3 Methodology description ..... 32
4.2.3.1 STEP 1: Constitute the Holistic Risk Assessment Team ..... 32
4.2.3.2 STEP 2: Define the scope of the Risk Assessment ..... 33
4.2.3.3 STEP 3: Define the scales for risk evaluation ..... 34
4.2.3.4 STEP 4: Understand the assets in the scope ..... 36
4.2.3.5 STEP 5: Understand the threats ..... 37
4.2.3.6 STEP 6: Review security and Identify vulnerabilities ..... 38
4.2.3.7 STEP 7: Evaluate the associated risks ..... 40
4.2.4 Maintenance of the risk assessment ..... 41
4.3 The implementation of EURAM within the Energy Sector ..... 42
4.3.1 Electricity Transmission ..... 42
4.3.2 Gas Transmission ..... 49
4.3.3 Oil Transmission ..... 56
5 Contingency Planning ..... 63
5.1 Introduction ..... 63
5.2 EURACOM WP 2.2 Desktop Study ..... 63
5.3 The Contingency Planning Approach at a glance ..... 66
5.4 Preparation Phase ..... 67
5.4.1 The Objectives and scope ..... 68
5.4.2 Organisation for Contingency Planning ..... 70
5.4.3 Risk Mitigation Strategy Setting ..... 73
5.4.4 Implementation of Prevention and Protection measures ..... 75
5.4.5 Implementation of Response and Recovery measures ..... 78
5.4.5.1 Approach - Scenarios selection ..... 78
5.4.5.2 Continuity of Supply objectives ..... 79
5.4.5.3 Derive Supply Continuity Objectives in the infrastructure ..... 79
5.4.5.4 Define possible strategies to meet the Supply Continuity Objectives ..... 80
5.4.5.5 Selection of strategies ..... 80
5.4.5.6 Implementation of Response and Recovery Measures: the contingency plan ..... 81
5.4.5.7 Supporting data: the key elements of a Contingency Plan ..... 82
5.4.5.7.1 Incident Management ..... 82
5.4.5.7.2 Crisis Management ..... 83
5.4.5.7.3 Business Continuity Management ..... 84
5.4.5.7.4 Disaster Recovery Management ..... 85
5.5 The Test, Exercise & Training Phase ..... 87
5.5.1 Contingency Planning Training ..... 87
5.5.2 Test the Contingency Plan ..... 89
5.5.3 Contingency Exercises ..... 91
5.6 The Maintenance Phase ..... 94
5.6.1 Contingency Planning Maintenance ..... 94
5.6.2 Lessons Learnt ..... 97
6 The EURACOM Combined Risk Assessment and Contingency Planning Approach ..... 100
6.1 The preparation loop ..... 101
6.2 The lessons learnt loop ..... 102
7 Managing Dependencies of the energy sector in Risk Assessment and Contingency planning ..... 104
7.1 Introduction ..... 104
7.2 Managing dependencies in risk assessment (EURAM) ..... 105
7.2.1 Defining the scope of the analysis and the risk assessment team ..... 106
7.2.2 Identifying vulnerabilities stemming from interdependency situations within a wider scope ..... 106
7.2.3 Evaluating (inter)dependency risks ..... 108
7.3 Managing dependencies in contingency planning ..... 109
7.3.1 Preparation Phase ..... 109
7.3.1.1 The Objectives and scope ..... 109
7.3.1.2 Organisation for Contingency Planning ..... 110
7.3.1.3 Risk Mitigation Strategy Setting ..... 110
7.3.1.4 Implementation of Prevention and Protection measures ..... 111
7.3.1.5 Implementation of Response and Recovery measures ..... 111
7.3.2 Test Exercise and Training Phase ..... 112
7.3.2.1 Contingency Planning Training ..... 112
7.3.2.2 Test the Contingency Plan ..... 113
7.3.2.3 Contingency Exercises ..... 113
7.3.3 Maintenance Phase ..... 114
7.3.3.1 Contingency Planning Maintenance ..... 114
7.3.3.2 Lessons Learnt ..... 114
7.3.3.3 Monitoring and Information Sharing ..... 114
7.4 Current Framework for Operational Practices ..... 115
8 Conclusion ..... 118

Table of Figures

Figure 1: Structure of the EURACOM project ..... 11
Figure 2: Interactions between Risk Assessment and Contingency Planning ..... 18
Figure 3: Interactions between Risk Assessment and Contingency Planning ..... 19
Figure 4: The energy networks analysis framework ..... 20
Figure 5: Energy players from organisational to international ..... 21
Figure 6: High level overview of the Supply Chain ..... 21
Figure 7: Focus of RA and CP approach ..... 22
Figure 8: The collection of the Risk Management processes ..... 24
Figure 9: The EURAM 7 step Risk Assessment approach ..... 31
Figure 10: Holistic Risk Assessment Team ..... 42
Figure 11: Impact Scales for Electricity Transmission ..... 44
Figure 12: Probability Scales for Electricity Transmission ..... 45
Figure 13: Common Threats to Electricity Transmission operators ..... 47
Figure 14: Holistic Risk Assessment Team ..... 49
Figure 15: Impact Scales for Gas Transmission ..... 52
Figure 16: Probability Scales for Gas Transmission ..... 52
Figure 17: Common Threats to Gas Transmission operators ..... 54
Figure 18: Holistic Risk Assessment Team ..... 56
Figure 19: Impact Scales for Oil Transmission ..... 59
Figure 20: Probability Scales for Oil Transmission ..... 59
Figure 21: Common Threats to Oil Transmission operators ..... 61
Figure 22: The Contingency Planning 3 Phase Approach ..... 66
Figure 23: Contingency Planning Preparation Phase structure ..... 67
Figure 24: Risk Assessment Scale ..... 69
Figure 25: Role vs. Contribution – Internal Matrix ..... 71
Figure 26: Role vs. Contribution – External Matrix ..... 72
Figure 27: Continuity Objective Profile ..... 79
Figure 28: Continuity Objective ..... 80
Figure 29: The test, exercise and training phase ..... 87
Figure 30: The maintenance phase ..... 94
Figure 31: The Combined Approach Taken by EURACOM to Risk Assessment and Contingency Planning ..... 100
Figure 32: The preparation loop ..... 101
Figure 33: The “lessons learnt” loop ..... 102
Figure 34: The High Level Analysis of Risk Assessment and Contingency Planning ..... 105
Figure 35: A unique severity scale for multi-stakeholders scopes ..... 107
Figure 36: A unique severity scale for multi-stakeholders scopes ..... 108

1 Introduction

1.1 Context of EURACOM

The objective of EURACOM is to identify, together with European Critical Energy Infrastructure operators, a common and holistic approach (end-to-end energy supply chain) for risk assessment and contingency planning methods. This is to facilitate the establishment of appropriate levels of resilience within critical energy services across the whole (‘end-to-end’) energy infrastructure chain. The objective is to create more resilient energy infrastructures by developing methodologies and tools that assure a dialogue, sharing of data and close co-operation between energy operators, security solution suppliers, administrations, regulatory bodies, large energy users, and other stakeholders.

This approach requires common methodologies all along the value chain, from production to distribution. It also requires common methodologies at different hierarchical levels, from individual companies up to European level. EURACOM has to cover all applicable hazards to the energy sector, including threats from natural causes, human failure, human intent, technical failure, dependencies on other Critical Infrastructures and other dependencies.

In the development of the EURACOM project, it was apparent that methodological solutions and supporting tools should be developed in close cooperation with European Critical Energy Infrastructure operators. The EURACOM project has been structured accordingly. In order to develop the methodology and supporting tools, the structure depicted in Figure 1 is applied to the EURACOM project.

EURACOM’s activities to define common risk assessment and contingency planning methodologies will build upon the EURAM project results: the concepts of the EURAM methodology will be specifically developed further for the energy sector.

Figure 1: Structure of the EURACOM project

1.2 WP2 Deliverables

The role of Work Package 2 (WP2) in EURACOM is the identification of a common and holistic approach for risk assessment and contingency planning. WP2 has three deliverables:

• Deliverable 2.1: Concerns the analysis of available Risk Assessment approaches to identify good practices from several domains including security industry, national guidance and energy standards.
• Deliverable 2.2: Concerns the analysis of Contingency Planning approaches to identify good practices from several domains including security industry, national guidance and energy standards.
• Deliverable 2.3 (This Report): Concerns the analysis of the commonly accepted links between Risk Assessment and Contingency Planning practices and the creation of Risk Assessment and Contingency Planning approaches which can be combined and are clearly targeted to the energy sector.

1.3 WP 2.3 Objectives

The objective of Work Package 2.3 (WP 2.3) is described in the EURACOM Description of Work document:

A 1.2 Project Summary: Abstract: “… EURACOM objective is to identify, together with EU Energy Infrastructure Operators, a holistic approach (end-to-end energy supply chain: from fuel transport, power generation and transmission) for risk assessment and contingency planning solutions…”

The scope also includes the requirement to “report on the link between Risk Assessment and Contingency Planning Methodologies”.

In addition to the analysis of the link between Risk Assessment and Contingency Planning methodologies, this report will deliver a combined and holistic approach to Risk Assessment and Contingency Planning in a format that can be used as a framework for implementation by the Energy sector operators. These main additional aspects are delivered through:

1. the creation of a risk assessment and of a contingency planning approach to be implemented at operator (= organisation) level and,
2. as the last section of the document, recommendations on how risk assessment and contingency planning processes can be implemented and supported at a higher level of analysis (i.e. on the scope of interconnected energy infrastructures involving many operators).

1.4 Links of WP2.3 with other EURACOM deliverables

This deliverable D2.3 has relationships with several other EURACOM deliverables:

• D1.1 “Generic system architecture with relevant functionalities for hazard identification”: D1.1 models and describes the Energy environment in which the approaches described in this present deliverable will be applicable. As such, D1.1 is a major input in defining the scope of D2.3 as described in section 3.
• D2.1 “Common Areas of Risk Assessment Methodologies”: D2.1, after presenting the results of the analysis performed in a Desktop study of available Risk Assessment approaches, provides conclusions about the good practices of the discipline. These good practices will be used in order to develop the EURACOM Risk Assessment approach as described in section 4.
• D2.2 “Common Areas of Contingency Planning Methodologies”: D2.2, after presenting the results of the analysis performed in a Desktop study of available Contingency Planning approaches, provides conclusions about the good practices of the discipline. These good practices will be used in order to develop the EURACOM Contingency Planning approach as described in section 5.
• D2.1 and D2.2 are also combined in order to feed into the analysis of the links between Risk Assessment and Contingency Planning practices as described in section 2.
• D6.3 “Update and validation of used Risk Assessment and Contingency Planning methodologies”: D6.3 will contain the final version of the EURACOM Risk Assessment and Contingency Planning methodologies. These methodologies will have evolved from the approaches of D2.3 thanks to the input of the case studies (WP4) and associated workshops (WP5). This will help in refining the approach and in particular in tailoring it to the needs of the Energy sector.

1.5 Structure of the document

The document is broken down into several sections:

• Section 2 provides an analysis of links between available Risk Assessment and Contingency Planning methodologies. It looks in particular at the way the two processes rely on one another.
• Section 3 presents the founding principles of the approaches by first presenting the scope of applicability they are designed for, by positioning them against other concepts in a wider Risk Management perspective and by providing some of the key characteristics they will have to comply with.
• Section 4 presents the results of our work to propose a Risk Assessment approach to the energy sector.
• Section 5 presents the results of our work to propose a Contingency Planning approach to the energy sector.
• Section 6 summarises how the Risk Assessment approach and the Contingency Planning approach interact to deliver “The EURACOM Combined Risk Assessment and Contingency Planning Approach”.
• Section 7 presents recommendations to allow the implementation of the EURACOM approaches at a higher level of analysis (i.e. above the single operator level) for Managing Dependencies of the energy sector in Risk Assessment and Contingency planning.

1.6 Acronyms

BCM   Business Continuity Management
BCP   Business Continuity Planning (or Plan)
BIA   Business Impact Analysis
CI    Critical Infrastructure
CIP   Critical Infrastructure Protection
CM    Crisis Management
CP    Contingency Planning (or Plan)
DR    Disaster Recovery
EU    European Union
ICT   Information & Communication Technologies
IM    Incident Management
IPOCM Incident Preparedness and Operational Continuity Management
KPI   Key Performance Indicator
OR    Organisational Resilience
PDCA  Plan – Do – Check – Act
PM    Project Management
RA    Risk Assessment
RAM   Risk Assessment Methodology
RM    Risk Management
TSO   Transmission System Operator

2 Analysis of links between available Risk Assessment and Contingency Planning methodologies

2.1 Objectives of the section

The objective of this section is to identify the links and the interactions between Risk Assessment and Contingency Planning. The scope of this section satisfies the EURACOM Description of Work requirement to “…report on the link between Risk Assessment and Contingency Planning Methodologies…”.

The EURACOM deliverable D2.1 (Common Areas of Risk Assessment methodologies) highlighted, by its non-inclusion, the issue that the majority of Risk Assessment standards and methodologies make little, if any, reference to the Contingency Planning processes, even though Contingency Planning processes rely on a clear evaluation of the business impact of adverse events. The EURAM methodology is an exception in this respect as it discusses contingency and includes scenario based contingency workshops within the methodology itself.

In contrast to this, the findings within the deliverable D2.2 (Contingency Planning Methodologies and Business Continuity), highlighted within its section 2.4 “Relation to Risk Management”, were that the majority of the Business Continuity and Contingency Planning Standards and Guidelines included some element of Risk (and Vulnerability) Analysis (and also Business Impact Analysis) within the structure of their framework. D2.2 also identified that although this Risk Assessment link/requirement was included within most of the Standards and Guidelines, the depth of this Risk Assessment link/requirement is very limited, with little or no granularity.

However, there are some links between the two sets of practices even if those are not translated into standards. This section aims at clarifying what these links are and therefore provides objectives for the development of the Risk Assessment and Contingency Planning sections developed later in this document.

2.2 Relationship between Risk Assessment & Contingency Planning

Risk Assessment and Contingency Planning are both key elements within an organisation’s Risk Management process. They are essential in the effort to ensure that risks are identified, prevented, treated and, where risk mitigation is not feasible, that processes are created and implemented to manage incidents should they occur. Please see Figure 8: The collection of the Risk Management processes, for a high level overview of where the two processes reside within the Risk Management process.

2.2.1 The preparation loop: from RA to CP

As the essential underpinning element of the Risk Management process, Risk Assessment is the initial process used to assess the potential impact and the likelihood of threats exploiting vulnerabilities. Therefore the Risk Assessment process, along with the Business Impact Analysis, provides an organisation with the necessary information required to address risk (Treat, Avoid or Accept) in line with the organisation’s Risk Management objectives.

Contingency Planning is used by an organisation to plan for the prevention of incidents by implementing formal protective controls, and also to minimise the effect of an incident by creating appropriate response and recovery processes. The Contingency Planning process receives the majority of its input from the Risk Assessment process (including the Business Impact Analysis).

2.2.2 The lessons learnt loop

The lessons learnt following Contingency Planning exercises, testing or incidents (within the organisation or more widely within the energy sector) will provide feedback to the organisation’s Risk Management Life Cycle. Following this input, several maintenance actions can take place at multiple levels:

• First, the previous Risk Assessments may need to undergo re-evaluation in order to integrate new data about risk elements through better understanding of vulnerabilities, finer evaluation of threats or better appreciation of the actual chain of reaction that would cause the ultimate impact on the organisation.
• Then the mitigation controls may be reviewed in order to cover the gaps identified by the lessons learnt.

2.2.3 The relationship at a glance

From the first principles described in the preparation loop and in the lessons learnt loop, it is possible to build a high-level picture of the relationships between the Risk Assessment and Contingency Planning processes.

Figure 2: Interactions between Risk Assessment and Contingency Planning

The preparation loop is a very linear process of implementation of the succession of steps in Risk Assessment and Contingency Planning. On the other hand, taking into account lessons learnt is an activity which requires coming back to previous stages of the analysis, updating information, cascading the results into the later stages and ensuring that all underlying elements (processes, plans, documents, etc.) are kept up to date in a controlled manner. It is therefore important that this loop is controlled through a sound process.

For this purpose, it is possible to introduce a maintenance process which will coordinate all updates of Risk Assessment and Contingency Planning from lessons learnt but also from other events like periodic review of plans, change in environment (new threats, etc.) and change in operations. By doing this, the lessons learnt loop is better controlled and the changes it can induce are managed consistently with the other changes that can result from other maintenance operations. The introduction of maintenance in the link is shown below:

Figure 3: Interactions between Risk Assessment and Contingency Planning

This high level view provides the desired output for the EURACOM RA and CP approaches to operate in a combined manner and to share a common maintenance process.
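The two loops of section 2.2 as a small executable model, added here as a worked example; it is not code from the EURACOM deliverable or from the EURAM methodology. The 1-5 impact and likelihood scales, the Accept/Avoid thresholds (6 and 20), the three risk entries R1-R3 and the incident figures are constructed assumptions for illustration only (the deliverable defines its own scales in section 4). The point it demonstrates is structural: RA produces a level and a Treat/Avoid/Accept decision, CP selects response and recovery scenarios from that decision, and every later change, whether a lesson learnt from an incident or a periodic review, passes through one maintenance step that re-evaluates the risk, cascades the result to the decision and the scenario, and records the change with a version number.

```python
# Added example (not from the EURACOM deliverable): preparation loop and
# lessons-learnt loop of a risk register, routed through one maintenance process.
# Scales, thresholds, risk entries and incident figures are constructed assumptions.
from dataclasses import dataclass, field

SCALE = range(1, 6)   # assumed 1..5 scale for both impact and likelihood
ACCEPT_MAX = 6        # assumption: level <= 6 is accepted as is
AVOID_MIN = 20        # assumption: level >= 20 means the exposed activity is avoided


@dataclass
class Risk:
    risk_id: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int

    def __post_init__(self):
        self.validate()

    def validate(self):
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.risk_id}: impact and likelihood must be in 1..5")

    @property
    def level(self) -> int:
        return self.impact * self.likelihood


def treatment(level: int) -> str:
    """Treat / Avoid / Accept decision derived from the evaluated risk level."""
    if level <= ACCEPT_MAX:
        return "Accept"
    if level >= AVOID_MIN:
        return "Avoid"
    return "Treat"


@dataclass
class RiskManagementCycle:
    risks: dict = field(default_factory=dict)
    decisions: dict = field(default_factory=dict)
    scenarios: dict = field(default_factory=dict)   # contingency scenarios keyed by risk id
    change_log: list = field(default_factory=list)  # controlled maintenance trail
    version: int = 0

    def risk_assessment(self, risks):
        """Preparation loop, first stage: evaluate each risk and decide its treatment."""
        for r in risks:
            self.risks[r.risk_id] = r
            self.decisions[r.risk_id] = treatment(r.level)
        self.version += 1
        return dict(self.decisions)

    def contingency_planning(self):
        """Preparation loop, second stage: CP takes its input from RA. A response and
        recovery scenario is selected for every treated risk, because protective
        controls leave a residual risk the contingency plan still has to cover."""
        self.scenarios = {rid: f"response/recovery scenario for '{self.risks[rid].threat}'"
                          for rid, d in self.decisions.items() if d == "Treat"}
        return dict(self.scenarios)

    def maintenance(self, trigger, risk_id, impact=None, likelihood=None):
        """Single controlled maintenance process: lessons learnt (exercise, test,
        incident) and other triggers (periodic review, new threat, change in
        operations) all re-evaluate a risk here, so the change is cascaded to the
        later stages and logged in one place instead of being applied ad hoc."""
        risk = self.risks[risk_id]
        before = (risk.impact, risk.likelihood, self.decisions[risk_id])
        if impact is not None:
            risk.impact = impact
        if likelihood is not None:
            risk.likelihood = likelihood
        risk.validate()
        decision = treatment(risk.level)
        to_review = ["risk_assessment"]
        if decision != before[2]:
            self.decisions[risk_id] = decision
            to_review.append("mitigation_controls")       # controls were sized for the old decision
        if decision == "Treat":
            if risk_id not in self.scenarios or (risk.impact, risk.likelihood) != before[:2]:
                self.scenarios[risk_id] = f"response/recovery scenario for '{risk.threat}'"
                to_review.append("contingency_scenario")  # recovery objectives depend on the values
        elif self.scenarios.pop(risk_id, None) is not None:
            to_review.append("contingency_scenario")      # scenario no longer justified by the RA
        self.version += 1
        entry = {"version": self.version, "trigger": trigger, "risk_id": risk_id,
                 "before": before, "after": (risk.impact, risk.likelihood, decision),
                 "to_review": to_review}
        self.change_log.append(entry)
        return entry


def demo():
    """Constructed walk-through: one preparation loop, then two maintenance events."""
    cycle = RiskManagementCycle()
    cycle.risk_assessment([
        Risk("R1", "storm damage to an overhead line", "single circuit feeding a substation", 4, 3),
        Risk("R2", "operator error during switching", "no two-person rule on HV switching", 2, 2),
        Risk("R3", "malware introduced via a vendor laptop", "unrestricted maintenance access", 5, 4),
    ])
    cycle.contingency_planning()
    incident = cycle.maintenance("incident", "R2", impact=3, likelihood=4)       # lesson learnt
    review = cycle.maintenance("periodic_review", "R1", likelihood=2)             # other trigger
    return cycle, incident, review
```

In the walk-through, the incident on R2 changes the decision from Accept to Treat, so the maintenance step flags the risk assessment, the mitigation controls and a new contingency scenario for review; the periodic review of R1 leaves the decision unchanged but still flags the existing scenario, because its parameters were derived from the old values. Both changes end up in the same change log with consecutive version numbers, which is the controlled manner the text asks for.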
and a way to model the energy networks.D2. Network Information Process Strategy European level National level Organisational level ELECTRICITY GAS OIL Figure 4: The energy networks analysis framework On this framework.1 The Scope of applicability of the approaches The EURACOM deliverable D 1. the issue of resilience of energy networks is applicable in and across all the dimensions depicted in this diagram: • From Organisational to European levels as the issues are not only intrinsic to the individual organisations and the consequences and the management of adverse events have respectively the potential and the necessity to spread at European scale. Page 20 of 118 .1 provides a view of the energy networks which are analysed. These views are analysed on different layers as illustrated on the following diagram. D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Transmission Operators Distribu tion Operators Traders / Sh ippers Suppliers Producers End Users Ow nership of commodities Figure 5: Energy players from organisational to international • Within each of the Oil. Electricity and Gas services throughout their energy sector supply chain and also across sectors as energy flows move from one sector to another (mainly from Gas to Electricity). processes. Figure 6: High level overview of the Supply Chain • In all the layers of one organisation – Strategy. Process. Page 21 of 118 . Information and Network as the risk factors and the associated responses do not reside in a single layer and rather form a holistic posture where all the measures taken at strategic. information or network level are meant to work in conjunction. e. Risk Assessment + Contingency Planning) will have to operate. this picture is very important to set and to integrate to understand in which context each single operator Risk Management approach (i. 
To meet this objective.1 already provides an insight to the order of magnitude of the complexity of the subject and it is not the objective of EURACOM to provide answers to all of this. National or European level). On the contrary.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies This very short introduction to the scope (not entering into any detail) of D 1.D2. distribution. Oil and Gas. On the contrary.). This does not mean that the full picture does not need being taken into account. This focus on single operators should not forget the relationships they have with other external stakeholders. it should treat them as critical but from the sole perspective of the entity on which the analysis is applied. These sectors are analysed through the focal point constituted by TSOs which are at the heart of mutual dependencies at European level and by taking into account their connections to the rest of the supply chain (source.e. etc. The objective and therefore the scope of D2. Page 22 of 118 . the EURACOM D2. The justification of this is that the implementation of consistent and efficient risk management by each operator within its organisation is the prerequisite and foundation for a collective and federated resilience across sectors and borders.1 and is to build up the method to start with the operator level and expand to higher levels at later sections in the document (i.3 deliverables proposes first a generic approach to Risk Assessment and Contingency Planning for energy operators and then provides specific information on how to actually implement this generic approach into the distinct sectors of Electricity. other grids.3 is to concentrate on the energy operators for which the Risk Assessment and Contingency Planning methodologies are meant (as depicted on the figure below).3 is governed by the EURACOM deliverable D 1. 
[Figure 7: Focus of RA and CP approach (layers: Strategy, Process, Information, Network; levels: Organisational, National, European; sectors: Electricity, Gas, Oil)]

The scope of applicability for WP 2.3: the initial path explored by the document was to view Risk Assessment and Contingency Planning at the operator level; then the end of the document gives some directions to reflect on for analysis at higher levels where interactions are not any more seen only from one organisation perspective but from the point of view of a “network of organisations”.

3.2 Glossary of Terms and Risk Management Concepts

3.2.1 Definition of terms

It has been identified as part of the desktop studies of task 2.1 and task 2.2 that the use of terms varies considerably, with mixes of notions like contingency planning and business continuity planning, response and recovery. The stance taken in EURACOM is one of integrated risk and contingency management [1]. For the purpose of this document, the descriptions of the different terms are as follows:

Risk Management
This is the collection of processes that form an organisation's formal threat and vulnerability management process. This includes all processes for risk assessment, risk treatment, risk acceptance, risk avoidance, response and recovery.

[Figure 8: The collection of the Risk Management processes]

Risk Assessment
Risk Assessment is the process used to assess the potential impact and the likelihood of a threat exploiting vulnerabilities in order to provide a risk rating prior to the implementation of any risk treatment or mitigation.

Business Impact Analysis
Business Impact Analysis is the analysis of how a risk scenario can cause a loss to an organisation; this analysis is primarily orientated on the impact on the organisation's business processes.

Risk Treatment
Risk Treatment is where the risk is reduced by the implementation of countermeasures designed for risk mitigation. Risk treatment measures are aimed at reducing the probability and/or the severity of risk factors.

Risk Acceptance
Risk Acceptance is utilised when the risk level is acceptable to the business or when the risk can not be avoided or mitigated to an acceptable residual risk level. The decision is ultimately taken by the organisation risk owner(s) to accept the risk or residual risk.

Risk Avoidance
Risk Avoidance is used where the Risk Treatment is too costly or too impractical to implement and where Risk Acceptance is not a viable option for an organisation to consider. Risk avoidance is a decision to change the company infrastructure or more largely the mode of operation to ensure there is no more exposure to a risk.

Contingency Planning
Contingency Planning is required to plan for incidents by implementing formal controls to assist with the prevention of incidents and also with ways of minimising the effects should an incident occur by creating appropriate response and recovery processes. Contingency Planning is the process by which an organisation prepares itself for the management of incidents and this covers the identification and implementation of prevention, protection, response and recovery mechanisms. The contingency plan is a result of this process focusing on formalising the mechanisms for response and recovery should an incident occur.

Contingency Plan
A contingency plan is one of the results of Contingency Planning. Contingency plans are the set of controls materialised through organisation, measures and resources which are put in place as a response and recovery capability to respond to major incidents.

Incidents, Major Incidents, Disasters & Crises
Various definitions exist for these terms. EURACOM proposes to classify these terms in two categories depending on their magnitude and the reaction they trigger for an organisation:
1. Incident is a term used for the occurrence of issues which are a priori of limited magnitude. As a consequence, an organisation would deal with incidents as part of a routine Incident Management Process.
2. Major incidents, Disasters and Crises are reserved for issues whose order of magnitude or complexity can not be handled through a routine incident management process and require the special dispositions of Incident Management (or Crisis Management). High Impact, Low Frequency events fall for example in this category.

Business Continuity
Business Continuity ensures that business recovery processes are implemented to ensure continuity of service with the minimum of disruption. Business continuity is mainly targeted at continuity of supply of goods or services. It is worth mentioning that, as the analysis within D2.2 has shown, most of the Business Continuity or Contingency Planning approaches integrate a Business Impact Analysis stage. Our choice to remove that step has been taken as the EURACOM Contingency Planning approach will receive those inputs from the EURACOM Risk Assessment approach.

Crisis Management
Crisis Management is used to formally manage an active incident which has escalated beyond the routine Incident Management process. Crisis management is the organisational and infrastructure measures put in place to ensure that an organisation can be organised in times of crisis (alert raising, crisis cell mobilisation, decision taking, situation awareness and communication of directives).

Incident Management
Incident Management is a process that an organisation puts in place to manage the occurrence of incidents of low to moderate magnitude. The Incident Management process has the possibility of escalating into Crisis Management should the situation deviate from a low to moderate magnitude.

Disaster Recovery Management
Disaster Recovery Management is often used as IT Disaster Recovery Management; it provides the processes for the recovery of key ICT systems following an incident.

[1] Integrated Emergency Management concept - Guidance on Part 1 of the Civil Contingencies Act 2004 – HM Government United Kingdom

3.2.2 Impact for the combined structure of Risk Assessment and Contingency Planning approaches

The clarification of these terms allows for the scope and definition of the boundaries and the links between the Risk Assessment approach and the Contingency Planning approach. When considering the combined nature of the two approaches developed in this document, the choice has been taken to remove all Risk Assessment or Business Impact Analysis from the Contingency Planning approach.

Also EURACOM clarifies the differences and relations between concepts whose boundaries are often fuzzy, like Contingency Planning, Business Continuity, Incident & Crisis Management and Disaster Recovery. All these notions are federated and are clearly differentiated under the umbrella of Contingency Planning, which covers the entire spectrum of issues.

3.2.3 Towards a holistic, combined, all-hazards approach

The EURACOM approach should respond to three main characteristics. These should be:
• Holistic in terms of infrastructure coverage, which means that it should include all aspects that contribute to operations, i.e. the physical infrastructure, the ICT infrastructure, the organisation (including links to external stakeholders) and human factor aspects, and the human resources.
• Combined in the sense that Risk Assessment and Contingency Planning processes need to be closely integrated with clear linkages between one another.
• All-hazards, in the sense it will cover the two main categories: 1. Natural causes, and 2. Accidental (Human or Technical, or linked to external dependencies) or Deliberate (Human).

4 Risk Assessment

4.1 Desktop Study

EURACOM WP2.1 performed an analysis on available risk assessment methodologies in order to learn from good practices and also to assess their suitability to the context of EURACOM. The analysis, the results and the recommendations are reported in D2.1 Common areas of Risk Assessment Methodologies. The major conclusions from WP2.1 are:

[…] When we look at the EURAM method and compare it to the RA methods we assessed, we can conclude:
• The EURAM method is still one of the few methods which is both holistic, all-hazard and generically applicable to all Critical Infrastructure (CI) sectors.
• The EURAM method complies with the common good practice approaches identified in most of the other Risk Assessment methods.
• The EURAM method is one of the few methods that can be applied to all operational and organisational levels of CI and even trans-sector.
• The EURAM method is unique in the sense that it provides a mechanism to spread responsibilities for risk management over all levels while assuring all risk factors are addressed. Additionally, this is facilitated by a non-prescriptive mechanism.
• The EURAM method is still rather conceptual and has few supporting tools (although it includes the start of some supporting checklists).
[…]

The further recommendations from WP2.1 to develop the EURACOM Risk Assessment approach are:
[…]
• Develop supporting tools (checklists or otherwise) to support easy application of the method with respect to determining:
  o Threats
  o Vulnerabilities
  o Effects
  o Assets
• Supply clear, tangible, easily distributable tools:
  o Develop a supporting glossary of the terms used.
  o Develop a checklist whereby the user can determine beforehand what information is required to complete the RA and where it may be found.
  o Support the execution of the method with simple and easy-to-follow steps that require a minimum of expertise of the user.
• Of course, when the RA method is to be applied to a single sector, it can be further honed to the needs of that specific sector (e.g. energy), by conforming to the terminologies of the sector, concentrating on specific assets, threats, vulnerabilities, and effects that are most relevant to the sector. This will further heighten the ease of use.
[…]

These conclusions and recommendations are used to develop the EURACOM Risk Assessment approach. The changes introduced by EURACOM will become visible at a more granular level and will include the tailored approach for the energy transmission operations within the energy sector, including Electricity in section 4.3.1, Gas in section 4.3.2 and Oil in section 4.3.3. The decision to narrow the scope to transmission is justified by the fact that energy grids are the pivotal point of dependencies and cascading effects at European scale, whether we talk about dependencies between grids themselves or their interaction with source and distribution. In this sense energy sources and distribution knock-on effects are analysed through the point of view of the transmission networks, and especially the impact they can induce on energy transmission networks and in turn how these networks can propagate the impact to the distribution.

4.2 Methodology for Holistic Risk Assessment

4.2.1 Overview of Structure

The seven steps of this risk assessment process are described below from a high level perspective. These are directly extracted from the results of the EURAM approach.

[Figure 9: The EURAM 7 step Risk Assessment approach]

4.2.2 Introduction to Holistic Risk Management

Before presenting the detail of the methodology, it is important to present what a “Holistic Approach to Security” means. A “holistic approach” or “holistic risk management” aims at managing risks using a joined up approach. This joined up approach requires each dimension of risk to be considered; these dimensions are:
• Physical security.
• Information and Communication Technology security.
• Organisational security.
• Human factor aspects regarding security.

These four dimensions will be used to analyse each of the components of the risk (please refer to the glossary section):
• Assets.
• Threats.
• Vulnerabilities.
• Effects.

4.2.3 Methodology description
4.2.3.1 STEP 1: Constitute the Holistic Risk Assessment Team

The objective of this step is to select a team that will be in charge of conducting the holistic Risk Assessment. This team will be ideally composed of several persons including:
• A team leader that will be responsible for the completeness, consistency and homogeneity of the risk evaluation, and
• Several team members who will bring their expertise from the four dimensions of holistic security: physical, Information and Communication Technology, Organisational and human aspects.

It is important that the skills and experience are carefully selected as they are the basis of a successful risk assessment. For the reliability of the risk assessment process the team members should be independent, i.e. those not implementing the process. The implementers will be consulted during the risk assessment process and will contribute with their expert knowledge. It is also important to make sure that everybody in the team understands the holistic approach to security.

With regards to the team leader, the role is extremely important as this person will be in charge of ensuring that all areas of risk are given equal consideration and that the process of information sharing and identification of risk within the team goes smoothly. As this role is so critical, it is suggested that organisations seek external assistance on the above to overcome any skill gaps or other potential internal difficulties.

Concerning the lead associated to the exercise, it is recommended that the responsibility of the implementation of the approach be at a transversal level to avoid the pitfall of silos [2] often found in organisations. When the scope is at a company or operator level, this means that the ownership of the risk assessment has to be taken at senior management level above the various departments or functions.

Output: An operational holistic risk assessment team

[2] “Silos” refers to the compartmentalisation often noticed in organisations where risk factors are not managed across the whole organisation but in “silos” (e.g. IT security, Physical Security, HR, etc.).

4.2.3.2 STEP 2: Define the scope of the Risk Assessment

This step can be implemented on smaller or larger scopes with more or less detail depending on the resources applied and the stakes involved, as the principles remain applicable with scale. However, the scope of the holistic risk assessment needs to be clearly defined and understood by all the team. The scope definition needs to have its reality set from a holistic point of view, which means that:
• It should have a physical perimeter including physical assets.
• It should be composed of defined systems and networks.
• It should have boundaries from an organisational point of view with identification of the various job functions involved.

Please note that dependencies of the organisation towards elements outside of the scope can be analysed using the results of the EURAM project on the “Methodology for (inter)dependency analysis”.

Output: Definition of scope understood by all team.

4.2.3.3 STEP 3: Define the scales for risk evaluation

This methodology takes the path of practicality. The evaluation of the risk (R) is reached by direct evaluation of probability of occurrence (P) and Severity (S), with R = P x S. It is therefore important at the beginning of the project to define the scale against which probability and impact will be evaluated. For practical reasons, qualitative scales are advised on a 1 to 5 range as it gives enough values to discriminate the risks. The Severity and Probability scales can be presented this way:

Probability (evaluation of feasibility of an attack or likelihood of an accident)
1  Very low probability
2  Low probability
3  Medium probability
4  High probability
5  Near certainty

Severity (evaluation of impact on product/service delivery, financial impact, image, citizen security, citizen confidence, or other aspects)
1  Low impact
2  Medium impact
3  Significant impact
4  Critical impact
5  Most severe impact

Concerning the probability scale, and later on in the methodology, there are a few pitfalls and good practices to keep in mind when carrying out the exercise. Probability scales need to fit with mainly two types of adverse events:
1. Untargeted attacks or accidents. For these types of events the most appropriate way to evaluate probability is based on historical evidence, using for example experience or statistics on records from past incidents. These records can be gathered at the operator level on past incidents in their particular infrastructure, but for low occurrence events wider scopes of information (e.g. sector records, national records if available) would provide a more extensive view of the number of incidents for a statistical analysis.
2. Targeted or intentional attacks. For these types of events the statistical approach is not as appropriate, as the fact that an incident has not occurred yet does not mean it is not a feasible attack, and even less that it is not going to happen in the future. The more appropriate approach to evaluate the probability of such events is to evaluate the feasibility of an attack taking into account various factors such as attractiveness of the target (asset), motivation/skills/resources of the attacker and level of protection of the target (asset). In this area, it might be difficult for operators to assess the probability of certain areas of risks; this is where there can be significant value in sharing information with peers from other organisations or in receiving intelligence information from national intelligence agencies.

Even if impact and probability level examples have to be adapted to the scope of the analysis, to enable analysis of interdependencies between critical infrastructures it is necessary to have a common definition of impact and probability levels. Therefore generic scales across sectors should be used (please refer to section 7.3 for detail).

Output: Defined scales for evaluation of Probability and Severity.

4.2.3.4 STEP 4: Understand the assets in the scope

The objective of this section of the risk assessment is for the team members to get an understanding of how the critical infrastructure delivers its service/product. The objective is therefore to understand the organisation in place, the infrastructure (physical or IT) necessary to operate and also the skills required. Through this task, the whole team will understand broadly the operations of the critical infrastructure. Each expert should also reach a deeper understanding of the assets in his area of expertise:
• Physical assets.
• ICT assets.
• Organisational assets.
• Human resources.

It is important to note that the methodology described in the EURAM project for the analysis of (inter)dependencies, when applied on the same scope as the risk assessment, can also assist in understanding how the various assets interact to support the operations.

Output: General understanding of the assets involved and their criticality for the operations (this does not imply formalisation of an exhaustive asset register, as it is felt that such a detailed register adds little additional value to the approach suggested).
past incidents in the sector or other intelligence on specific threat agents.5 STEP 5: Understand the threats The objective of this stage is to understand the threat context the infrastructure faces. it is necessary that similar types of threats are considered to ensure consistency of results.1. An example of a generic threat classification is given for each specific sector. Electricity. The objective here is more to understand specific areas of the threat profile. i.e. the team should refer to a list of classes of threat to consider when doing the analysis to avoid any gaps. 4. dependence upon other infrastructures is one of the threat categories. Page 37 of 118 . in sections 4.2.3.D2. Output: Threat profile report detailing information on the level of specific threats in the context of the target of the risk assessment. Following this principle. To support the collaboration between critical infrastructures in performing risk analysis and interdependencies analysis. In these classifications. Threats need to be understood in the context of the infrastructure studied: level of terrorist threat in the country.3. past natural disasters in the region.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 4.3.3. g. These two types of information can be found in several sources: Industry Associations: Industry associations will provide a good source for the notification of sector explicit and general vulnerabilities. National Government (Security): Government departments will often provide Critical Infrastructure organisations updates on the security threats within the sector which will enable an operator to validate Page 38 of 118 . These sources can be used in order to perform a gap analysis.3. Industry associations may not always provide a service that is very current (dependent on the criticality level of vulnerability).2. given the assets and threat context understood at the previous stages. 
These sources are much more focused to specific vulnerabilities that may be exploited by specific threats. no screening of key personnel) Sources supporting security review and vulnerabilities identification An energy transmission operator will be required to identify a number of sources for vulnerability information and will also have to rely on their own subject matter experts to verify that vulnerabilities exist. which may reside in a particular technology. no allocation of security responsibilities) Human vulnerabilities (e.6 STEP 6: Review security and Identify vulnerabilities The objective of this step is for the security experts of the team to review the actual security controls in place to protect the infrastructure.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 4. as these organisations are setup to aid and assist the industry to maintain good practices and therefore they will highlight vulnerabilities that may harm their members. any significant gap to good practices can be considered as a vulnerability.g. etc. To support this process. no segregation of duties. there are two main types of available information: • Security standards providing good practices on security implementation. or not as the case may be. This will lead to the identification of missing security controls and also the effectiveness of these security controls in managing the risk.D2. no segregation of networks. lack of perimeter protection. poor training. e. monthly. no antivirus) Organisational vulnerabilities (e. • Vulnerability information sources providing data on actual vulnerabilities. especially if they issue periodic vulnerability bulletins. lack of access control) ICT vulnerabilities (e. within the organisation.g. On this principle. This will then lead to the identification of the vulnerabilities across the various dimensions of the holistic risks: • • • • Physical vulnerabilities (e.g.g. 
...if their organisation and infrastructure is potentially vulnerable. Some Government departments and private companies will provide an ICT vulnerability watch and notification service where ICT vulnerabilities (including remediation advice where appropriate) are collated and sent out to the subscribed service users. For example:

The UK Centre for the Protection of National Infrastructure (CPNI): The CPNI provides Critical Infrastructure within the UK with security advice and security good practice guidelines, including an ICT vulnerability watch service. http://www.cpni.gov.uk

Some private companies provide a security assessment and notification service about physical security threats to sectors such as the energy sector (including early detection and remediation advice where appropriate). Information about such threats and vulnerabilities is sent out to the subscribed service users.

Manufacturers: These will often provide notification of vulnerabilities within their products (software/hardware) and suggestions for remediation, but sometimes they may not be able to provide timely notification or even effective remediation.

Internal: It is also very important that an Energy Transmission System Operator utilises its own internal experts to monitor their environment and maintain a level of vulnerability watch within their area of expertise.

E-SCSIE and national process control information exchanges (e.g. MPSCIE, ISACs): The Meridian, European and national SCADA (and process control) Security Information Exchanges aim for process control users, governments and research to benefit from the ability to collaborate on a range of common security-related issues, and to focus effort and share resources where appropriate. The intended outcome is a raised level of protection adopted across international as well as Europe's SCADA and other Process Control Systems.

Examples of other sources for vulnerability information and assistance:

Guide for ICT Vulnerability Identification: ICT Standard ISO/IEC 27002 for Corporate ICT systems. This Standard provides good practices for ICT security; it is therefore possible to identify vulnerabilities through a gap analysis against it.

The National Vulnerability Database (NVD): A publicly accessible reference system for publicly known ICT vulnerabilities and exposures. It is funded by the National Cyber Security Division of the United States Department of Homeland Security: http://nvd.nist.gov/

Bugtraq: This is a mailing list where ICT security issues and vulnerabilities are sent to subscribers of the service. Options to subscribe to other security-related information such as "security incidents" are also available: http://www.securityfocus.com/archive

NIST: The US National Institute of Standards and Technology has issued a publication on Creating a Patch and Vulnerability Management System: http://csrc.nist.gov/publications/nistpubs/800-40Ver2/SP800-40v2.pdf

MITRE:
1. The CVE database is a dictionary of publicly known information security vulnerabilities and exposures. http://cve.mitre.org/
2. Common Weakness Enumeration (CWE) provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection and use of software security tools and services that can find these weaknesses in source code and operational systems, as well as better understanding and management of software weaknesses related to architecture and design. http://cwe.mitre.org/

CVSS-SIG Common Vulnerability Scoring System Support v2 (CVSS): CVSS provides a universal, open and standardized method for rating IT vulnerabilities. http://www.first.org/cvss/

Output: Documented list of detailed vulnerabilities on the scope of the study in all areas of holistic security.

4.2.7 STEP 7: Evaluate the associated risks

From the vulnerabilities listed at the previous stage, the associated risks are identified. A scenario of incident associated to a vulnerability is a threat exploiting this vulnerability to harm assets and, more largely, the infrastructure. For each vulnerability identified, the associated scenario(s) of incident can be developed. For each scenario, probability and severity are evaluated using the scales previously defined, which then allows the risk associated to each vulnerability to be evaluated.

It is important to note that this step of the risk assessment can also benefit from inputs from an (inter)dependency analysis carried out on the same scope (please refer to the (inter)dependency analysis approach developed by the EURAM project). This dependency analysis will provide useful information for the identification of scenarios and the ranking of associated risks. In this context, the different components of the risk will be identified in the following manner:
• Vulnerability: In the case of a dependency, the vulnerability is that one or several assets depend on a service provided with limited resilience in case of disruption of this service.
• Threat: In this context the threat is the disruption of the essential service associated to the dependency.
• Asset: The assets impacted are the assets being dependent.
• Severity: The dependency analysis will provide useful information for severity analysis, identifying in particular any possible knock-on effects and the evolution of the impact over time.
• Probability: The evaluation of the probability will be supported by the description of the dependency context.

These risks will also be useful to support the interdependencies analysis between critical infrastructures. By construction these risks can be compared or cross-analysed with risks identified in another infrastructure, provided that the same approach has been followed.

The result of this last step is the list of relevant risks that the infrastructure faces from a holistic point of view. These risks are all evaluated and ranked, which will support decision making in the risk mitigation process, part of the contingency planning approach.

Output: List of risks that have been qualified in terms of associated vulnerability(ies) and probability & severity levels.

Maintenance of the risk assessment

This information is the result of the holistic risk assessment and this is the document that will have to be maintained regularly to follow the evolution of the risk profile depending on:
• The evolution of the infrastructure (reorganisation, new assets, etc.).
• Changes in the threat context.
• Discovery of new vulnerabilities.
• Implementation of new security controls.

The maintenance of the risk assessment can also receive feedback from the experience of real or simulated incidents through "lessons learnt". This experience allows the evaluation of risks to be refined, notably in terms of the effects and cascading consequences, or new risks to be identified which were not anticipated before.

This methodology, used with supporting guidelines, ensures:
• Consistent definition of scope.
• Comprehensive list of threat classes for threat context identification, attack techniques, etc.
• Consistent scales for impact, probability and risk evaluation.
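As an added example (not code from the EURACOM report), the following Python implements the CVSS v2 base equation named among the sources above, so that vulnerabilities gathered from the NVD, Bugtraq or manufacturer notifications can be rated on one scale and ranked before they feed Step 7. The finding identifiers in the sample are constructed placeholders; the vectors are ordinary NVD v2 base vectors.

```python
"""CVSS v2 base-score calculator for the ICT vulnerability watch (Step 6).

Added example, not part of the EURACOM report: it implements the public
CVSS v2 base equation so that findings collected from NVD, Bugtraq or
vendor advisories can be rated and ranked consistently before Step 7.
"""
import math
import re
from typing import Dict, List, Tuple

# Metric weights of the CVSS v2 base equation (from the CVSS v2 guide).
WEIGHTS: Dict[str, Dict[str, float]] = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}

# Base vector as NVD publishes it, e.g. "(AV:N/AC:L/Au:N/C:C/I:C/A:C)".
VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 base vector into its six metrics; reject anything
    else (a CVSS v3 string, a temporal vector, a typo) instead of guessing."""
    match = VECTOR_RE.match(vector.strip())
    if not match:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), match.groups()))


def round1(value: float) -> float:
    """Round half up to one decimal, as the CVSS v2 guide specifies."""
    return math.floor(value * 10 + 0.5) / 10


def base_score(vector: str) -> Dict[str, float]:
    """Return the CVSS v2 base score with its impact and exploitability
    sub-scores, computed with the v2 base equation."""
    m = parse_vector(vector)
    impact = 10.41 * (
        1
        - (1 - WEIGHTS["C"][m["C"]])
        * (1 - WEIGHTS["I"][m["I"]])
        * (1 - WEIGHTS["A"][m["A"]])
    )
    exploitability = (
        20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]
    )
    # f(Impact) is 0 when there is no impact at all, 1.176 otherwise.
    f_impact = 0.0 if impact == 0 else 1.176
    score = round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)
    return {
        "base": score,
        "impact": round1(impact),
        "exploitability": round1(exploitability),
    }


def severity_band(score: float) -> str:
    """NVD's v2 severity ranking: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_findings(findings: List[Tuple[str, str]]) -> List[Tuple[str, float, str]]:
    """Rate each (finding id, vector) pair and sort highest base score first,
    the order in which a vulnerability watch would hand findings to Step 7."""
    rated = []
    for finding_id, vector in findings:
        score = base_score(vector)["base"]
        rated.append((finding_id, score, severity_band(score)))
    return sorted(rated, key=lambda r: (-r[1], r[0]))


# Constructed sample: placeholder finding ids with typical NVD v2 vectors.
SAMPLE_FINDINGS = [
    ("finding-A (historian web front end)", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("finding-B (engineering workstation)", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("finding-C (local configuration file)", "AV:L/AC:L/Au:N/C:P/I:N/A:N"),
]

if __name__ == "__main__":
    for finding_id, score, band in rank_findings(SAMPLE_FINDINGS):
        print(f"{score:4.1f} {band:6} {finding_id}")
```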
4.3 The implementation of EURAM within the Energy Sector

The following subsections detail the tailored approach for the energy transmission sector (Electricity, Gas and Oil) as mentioned in section 4.2. It must be mentioned that there will be a number of similarities between the 3 energy transmission sectors (especially gas & oil transmission) and therefore some of the requirements will be the same (e.g. setting up the Holistic team, SCADA, etc.).

4.3.1 Electricity Transmission

Step 1: Constitute the Holistic Risk Assessment Team

The objective of Step 1 is to create the holistic risk assessment team. The Risk Manager is the owner/lead for this process and should be assisted in the process by 3-4 independent individuals, with the level of their contribution dependent on the risk assessment being undertaken. The team should comprise personnel as described in Figure 10. Expert and specialist input into the process will be provided by the following organisational functions as and when required to the Holistic Risk Assessment team:

Holistic Risk Assessment Team Contributors: Maintenance Team (Transmission Infrastructure); Engineering Team (Transmission Infrastructure); ICT & Physical Security; Contingency Planning Manager; Facilities Team; HR Team; Control/Dispatch Room Manager; SCADA/Telemetry Manager(s); Logistics Team; ICT (system & networks) Team.

Figure 10: Holistic Risk Assessment Team

Step 2: Define the scope of the risk assessment

It is essential that the definition of the scope of the risk assessment is fully understood by the holistic risk assessment team. The elements that could be considered for inclusion within the scope of the risk assessment undertaken on an electricity transmission system operator's environment might be:

Primary Electricity Transmission Infrastructure:
• Wire (overhead, underground & underwater)
• Pylons & Poles
• Substations
• Interconnector: An Interconnector is the point where the transmission network connects either at a national or cross border/international level with another TSO area.

Supporting Electricity Transmission Infrastructure:
• SCADA/Telemetry: These contain the key elements for the management, monitoring and control of the electricity transmission infrastructure and include real time and historic status information.
• ICT Networks and Systems: The ICT systems and networks are the infrastructure that supports the operations of the corporate and the SCADA/Telemetry environments.
• Facilities: The facilities include the buildings and land where electricity transmission assets are located.
• Engineering function: The engineering function is responsible for the deployment and management of the assets used for the transmission of electricity over the transmission infrastructure.
• Maintenance function: The maintenance function has the role of maintaining the infrastructure and works in conjunction with the engineering function.
• Contingency plans: The contingency plans provide the organisation with the tools required to react in an effective manner following an incident.

Electricity Transmission Infrastructure Dependencies:
• Electricity supply: This can be from Nuclear, Fossil, Bio, renewable, etc.
• Not owned telecommunications: Communication with own process control elements, maintenance crews, adjacent TSOs, DSOs, producers (planning 24h and longer term), relevant Power exchanges (e.g. APX), etc.
• Weather (forecasting) services (short term and 24h planning demand as well as wind/solar power supply)

Step 3: Define the scales for risk evaluation

The objective is to provide defined scales for the evaluation of probability and severity. In the electricity transmission sector, the scales for risk evaluation of incidents can be estimated in the following terms:

Impact Scales

The following table indicates the possible impact scales for an electricity TSO:

| Criterion | 1: Low impact | 2: Medium impact | 3: Significant impact | 4: Critical impact | 5: Most severe impact |
|---|---|---|---|---|---|
| Extent of loss of supply (by percentage of customers, by percentage of nominal capacity) | < 5% | > 5% and < 25% | > 25% and < 50% | > 50% and < 75% | > 75% |
| Duration of power outage or fluctuation of supply quality (Brown Outs/Surges/Spikes) | < 5 seconds | > 5 seconds and < 5 minutes | > 5 minutes and < 1 hour | > 1 hour and < 12 hours | > 12 hours |
| Financial loss: loss of revenue, customer compensation, cost of reactive remedial action & regulator fines as a percentage of revenue during the period of an incident | < 0.5% | < 5% | < 25% | < 50% | > 50% |

Figure 11: Impact Scales for Electricity Transmission

Probability Scales

The following table indicates the possible probability scales for an electricity transmission operator:

| | 1: Very low probability | 2: Low probability | 3: Medium probability | 4: High probability | 5: Certainty |
|---|---|---|---|---|---|
| Accidental or untargeted attacks | It is extremely unlikely that the incident will occur as, for example, there is merely no experience of it in the electricity transmission sector. | The incident is not likely to occur as, for example, experience of it is very limited in the electricity transmission sector. | It is likely that the incident will occur as, for example, similar incidents have been reported in the electricity transmission sector. | It is very likely that the incident will occur in the organisation as, for example, most of the electricity transmission sector has already suffered such incidents. | The incident will happen in the organisation in the close future. |
| Deliberate attacks | Attack would require virtually unlimited resources (money, skills, etc.). | Attack very difficult to perform, needing a conjunction of expert skills and money. | Attack not easy but could be possible with single expert skills and a reasonable investment in time and effort. | Attractiveness, lack of protection and resources of the attacker make the attack perfectly feasible. | Attractiveness, lack of protection and resources of the attacker make the attack ordinary. |

Figure 12: Probability Scales for Electricity Transmission

Step 4: Understand the assets in the scope

The objective of Step 4 is to gain an understanding of the assets within the scope of the risk assessment for operations. Examples of the assets that could be within the scope of the risk assessment and that require their criticality and their priority levels to the electricity transmission service to be understood are:
• The transmission grid (wires & cables, poles & pylons): The need is to fully understand and appreciate the extent of the network and the resilience levels provided in case of the loss of a line. Dependencies to energy sources, such as a Power Plant or other interconnections with other transmission networks, are also to be analysed. This analysis should be done for the different modes of operation of the infrastructure, such as seasonal usage and other usage patterns such as increases in peak demand.
• The substations: These assets are used to step down the voltage from the very high voltages (e.g. from 110KV to 765KV) to lower voltages (~50KV) (or vice-versa to step up lower voltages to high voltage), to switch the energy flow, to control the reactive power, and to self-protect the grid elements (e.g. tripping when lightning, wire failures or technical failures occur). These assets contain Transformers, Circuit Breakers, Protection devices, VAR compensators (SVR, Phasors), and Switches. Measurement devices in substations provide the TSO with insight into the current energy flows in the grid. Substations can also be the point where electricity Transmission System operations exchange power with the Distribution System operations. The need at this stage is to understand the criticality of substations within the energy supply chain.
• The ICT systems & networks: This is primarily the organisation's ICT assets and the need to protect sensitive information that may facilitate a compromise of the electricity transmission system infrastructure should its protection fail. It is also important to identify any possible route from the ICT corporate infrastructure into the Telemetry infrastructure.
• The SCADA/Telemetry infrastructure: The need is to understand the potential control of the energy transmission infrastructure that can be achieved using the SCADA/Telemetry components and the potential to cause widespread disruption to the electricity transmission infrastructure should the systems be misused or compromised.
• The Engineering and Maintenance teams: The need at this stage is to understand what the critical activities undertaken are, who the key actors within these teams are and what other dependencies they rely upon in order to deliver the required levels of service.
• The Control/Dispatch Room (including Control Room personnel): The need is to understand the level of resources required to function for different scenarios (normal load, peak time, incidents, etc.), and also how much of the control room's management, monitoring and control of the systems is manual, automatic or a combination of both.
• Interconnection points: These assets are where the transmission network interconnects with other networks, and the level of criticality given to each interconnection.
• The Contingency Plan: The need is to understand the contingency plan and all the resources that can be activated during an incident affecting the scope of the risk assessment.

Step 5: Understand the threats

The objective is to understand the specific threats in the context of the target of the risk assessment being undertaken. The common threats against an electricity transmission organisation would include, but are not limited to, the following (Figure 13 groups them under Intent, Failure/Accident and Nature):

Extreme weather conditions; Cascade; Loss of power supply/utilities/services; Acts of Terrorism; Negligence; Acts of Vandalism; Mistake; Pandemic (Flu/etc.); Loss of Telecoms; Theft (copper/metals); Impact (e.g. vehicle against pylon/pole); Geological; Ingress of Water; Fire; Explosion; Flood; Loss of Energy Supply to the Electricity Transmission Network (Interconnector / Generated supply); Loss of 'black start' capability; Disclosure of information (Theft/Leakage); Solar Activity; Theft (equipment); Industrial action; Targeted Cyber Attack; Virus/Trojans; EMP; Act of War; Diplomatic Incident; Loss of pumped storage capacity; Equipment malfunction or failure; Chemical (spillage); Loss, unavailability or turnover of personnel; Outdated and unmaintainable technology.

Figure 13: Common Threats to Electricity Transmission operators

An Electricity Transmission System operator is required to review the high level threats listed above and, if they are applicable to their context, proceed to evaluate the level of threat exposure, taking into consideration that the level of threat exposure may not be consistent across the scope of the risk assessment.

Step 6: Review Security and identify vulnerabilities

The Step 6 objective is documenting the detailed vulnerabilities within the scope of the holistic risk assessment. This step is very dependent on the particular situation at hand. As such, it is not possible to tailor this explicitly for the energy sector, as it is a generic step. It is therefore difficult to provide a list of typical vulnerabilities in the TSO domain, which would by no means be exhaustive; this would have the detrimental effect of focusing the user of this approach on a finite list of vulnerabilities.

Step 7: Evaluate the associated risk

The objective of Step 7 is to compile a list of risk factors that have been qualified in terms of associated vulnerability(ies), probability and severity levels. By virtue of the previous 6 steps being tailored for the Electricity Transmission Operator, the output of Step 7 is specific to the energy sector as a whole.

4.3.2 Gas Transmission

Step 1: Constitute the Holistic Risk Assessment Team

The objective of Step 1 is to create the holistic risk assessment team. The Risk Manager is the owner/lead for this process and should be assisted in the process by 3-4 independent individuals, with the level of their contribution dependent on the risk assessment being undertaken. The team should comprise personnel as described in the table below.
Expert and specialist input into the process will be provided by the following organisational functions as and when required to the Holistic Risk Assessment team:

Holistic Risk Assessment Team Contributors: Maintenance Team (Transmission Infrastructure); Engineering Team (Transmission Infrastructure); ICT & Physical Security; Contingency Planning Manager; Facilities Team; HR Team; Control/Dispatch Room Manager; SCADA/Telemetry Manager(s); Logistics Team; ICT (system & networks) Team; Safety Team.

Figure 14: Holistic Risk Assessment Team

Step 2: Define the scope of the risk assessment

It is essential that the definition of the scope of the risk assessment is fully understood by the holistic risk assessment team. The elements that could be considered for inclusion within the scope of the risk assessment undertaken on a gas transmission operator's environment might be:

Primary Gas Transmission Infrastructure:
• Pipe (over ground, underground & underwater)
• Storage Tanks: These are located in strategic points along the transmission network and are used to store the gas and to release it on demand, as demand cannot be met by pipes alone.
• Gas Transmission Network booster stations (compressors): These are used to maintain the pressure of the gas within a section of the transmission network through the use of compressors.
• Blending station (N2 injection).
• Odourisation (adding a bad smell with e.g. Odoran).

Supporting Gas Transmission Infrastructure:
• Offshore gas feeder (gas receipt) station (removal of moisture and condensate).
• SCADA/Telemetry: These contain the key elements for the management, monitoring and control of the gas transmission and storage infrastructure and include real time and historic status information.
• ICT Networks and Systems: The ICT systems and networks are the infrastructure that supports the operations of the corporate and the SCADA/Telemetry environments.
• Facilities: The facilities include the buildings and land where gas transmission and storage assets are located.
• Engineering function: The engineering function is responsible for the deployment and management of the assets used for the transmission of gas over the transmission infrastructure.
• Maintenance function: The maintenance function has the role of maintaining the infrastructure and works in conjunction with the engineering function.
• Contingency plans: The contingency plans provide the organisation with the tools required to react in an effective manner following an incident.

Gas Transmission Infrastructure Dependencies:
• Tankers (Ship): These contain up to 1506,000 cubic meters of Liquid Natural Gas (LNG) and are used to transport gas to onshore gas terminals ready to be processed and added to the gas transmission network.
• Terminals: This is where gas from the gas fields (and Tankers) is stored and processed and where gas is introduced to the national transmission network (also cross border & international via interconnectors). LNG is warmed and converted back to its gaseous form (re-gasification) at the terminal, before being injected into the transmission network.
• Interconnector: An Interconnector is the point where transmission networks connect either at a national or cross border/international level.
• PIG Launchers: These are 'Y' shaped points within a gas pipeline where a maintenance PIG (Pipeline Inspection Gauge) or Scraper is introduced into the pipeline.

Step 3: Define the scales for risk evaluation

The objective is to provide defined scales for the evaluation of probability and severity. In the gas transmission sector, the scales for risk evaluation of incidents can be estimated in the following terms:

Impact Scales

The following table indicates the possible impact scales for a gas transmission operator:

| Criterion | 1: Low impact | 2: Medium impact | 3: Significant impact | 4: Critical impact | 5: Most severe impact |
|---|---|---|---|---|---|
| Extent of loss of supply (by percentage of customers, by percentage of nominal capacity) | < 5% | > 5% and < 25% | > 25% and < 50% | > 50% and < 75% | > 75% |
| Duration of loss of supply or sustained low pressure | < 6 hours | > 6 hours and < 12 hours | > 12 hours and < 24 hours | > 24 hours and < 48 hours | > 48 hours |
| Financial loss: loss of revenue, customer compensation, cost of reactive remedial action & regulator fines as a percentage of revenue during the period of an incident | < 0.5% | < 5% | < 25% | < 50% | > 50% |

Figure 15: Impact Scales for Gas Transmission

Probability Scales

The following table indicates the possible probability scales for a gas transmission operator:

| | 1: Very low probability | 2: Low probability | 3: Medium probability | 4: High probability | 5: Certainty |
|---|---|---|---|---|---|
| Accidental or untargeted attacks | It is extremely unlikely that the incident will occur as, for example, there is merely no experience of it in the gas transmission sector. | The accident is not likely to occur as, for example, experience of it is very limited in the gas transmission sector. | It is likely that the accident will occur as, for example, similar accidents have been reported in the gas transmission sector. | It is very likely that the accident will occur in the organisation as, for example, most of the gas transmission sector has already suffered such incidents. | The accident will happen in the organisation in the close future. |
| Deliberate attacks | Attack would require virtually unlimited resources (money, skills, etc.). | Attack is very difficult to perform, needing a conjunction of expert skills and money. | Attack is not easy but could be possible with single expert skills and a reasonable investment in time and effort. | Attractiveness, lack of protection and resources of the attacker make the attack perfectly feasible. | Attractiveness, lack of protection and resources of the attacker make the attack ordinary. |

Figure 16: Probability Scales for Gas Transmission

Step 4: Understand the assets in the scope

The objective of Step 4 is to gain an understanding of the assets within the scope of the risk assessment for operations. Examples of the assets that could be within the scope of the risk assessment and that require their criticality and their priority levels to the gas transmission service to be understood are:
• The transmission grid (pipelines, Interconnectors, compressor stations, odourisation): The need is to fully understand and appreciate the extent of the network and the resilience levels provided in case of the loss of a section of pipeline, an Interconnector or special processing facilities. Dependencies exist to energy sources, such as the power supply for compression and processing, LNG shipping terminals or other interconnections with other transmission networks. This analysis should be done for the different modes of operation, such as seasonal usage and other usage patterns such as increases in peak demand and price fluctuations.
• The Terminals, storage facilities and infeeder processing plants: These assets are used to receive, process, store and pump gas to the gas transmission grid. Gas can be received directly from gas production fields using pipelines or by LNG tanker/harbour facilities.
• The ICT systems & networks: This is primarily the organisation's ICT assets and the need to protect sensitive information that may facilitate a compromise of the gas transmission infrastructure should its protection fail. It is also important to identify any possible route from the ICT corporate infrastructure into the Telemetry infrastructure.
• The SCADA/Telemetry infrastructure: The need is to understand the potential control of the energy transmission infrastructure that can be achieved using the SCADA/Telemetry components and the potential to cause widespread disruption to the gas transmission infrastructure should the systems be misused or compromised.
• The Engineering and Maintenance teams: The need at this stage is to understand what the critical activities undertaken are, who the key actors within these teams are and what other dependencies they rely upon in order to deliver the required levels of service.
• The Control/Dispatch Room (including Control Room personnel): The need is to understand the level of resources required to function for different scenarios (normal load, peak time, incidents, etc.), and also how much of the control room's management, monitoring and control of the systems is manual, automatic or a combination of both.
• Interconnection points: These assets are where the transmission network interconnects with other networks, and the level of criticality given to each interconnection.
• The Contingency Plan: The need is to understand the contingency plan and all the resources that can be activated during an incident affecting the scope of the risk assessment.

Step 5: Understand the threats

The objective is to understand the specific threats in the context of the target of the risk assessment being undertaken. The common threats against a gas transmission organisation would include, but are not limited to, the following (Figure 17 groups them under Intent, Failure and Nature):

Acts of Terrorism; Negligence; Acts of Vandalism; Mistake; Theft (copper/metals); Theft (equipment); Impact (e.g. vehicle against over ground pipe); Industrial action; Ingress of Water; Targeted Cyber Attack; Explosion; Virus/Trojans; Disclosure of information (Theft/Leakage); Cascade; Extreme weather conditions; Loss of power supply/utilities/services; Pandemic (Flu/etc.); Loss of Telecoms; Geological; Loss of Gas Supply to the Transmission Network (Interconnector / Supply); Fire; Flood; EMP; Act of War; Sabotage; Diplomatic Incident; Equipment malfunction or failure; Chemical (spillage); Loss, unavailability or turnover of personnel; Outdated and unmaintainable technology.

Figure 17: Common Threats to Gas Transmission operators

A Gas Transmission operator is required to review the high level threats listed above and, if they are applicable to their context, proceed to evaluate the level of threat exposure, taking into consideration that the level of threat exposure may not be consistent across the scope of the risk assessment.

Step 6: Review Security and identify vulnerabilities

The Step 6 objective is documenting the detailed vulnerabilities within the scope of the holistic risk assessment. This step is very dependent on the particular situation at hand. As such, it is not possible to tailor this explicitly for the energy sector, as it is a generic step. It is therefore difficult to provide a list of typical vulnerabilities for gas transmission, which would by no means be exhaustive; this would have the detrimental effect of focusing the user of this approach on a finite list of vulnerabilities.

Step 7: Evaluate the associated risk factors

The objective of Step 7 is to compile a list of risk factors that have been qualified in terms of associated vulnerability(ies), probability and severity levels. By virtue of the previous 6 steps being tailored for the Gas Transmission sector, the output of Step 7 is specific to the sector.
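As an added example, not code from the EURACOM report, the following Python carries Step 7 through against the electricity and gas impact scales above (Figures 11 and 15): each incident scenario built from a dependency gets a level per criterion, an overall severity and a risk, and the list is ranked for the risk mitigation step. The combining rules (severity as the worst criterion, risk as probability times severity), the handling of values exactly on a boundary and the sample scenarios are assumptions of this example, not the report's; the oil scales of section 4.3.3 fit the same structure.

```python
"""Step 7 worked through: rate incident scenarios against the sector impact
scales (Figure 11 electricity, Figure 15 gas) and rank them by risk.

Added example, not code from the EURACOM report.  The report defines the
scales and says risk follows from probability and severity but gives no
combining rule, so this code ASSUMES severity = worst level reached on any
impact criterion and risk = probability x severity.
"""
from dataclasses import dataclass
from typing import Dict, List

# Upper bounds of levels 1..4 per criterion; a value at or above the last
# bound is level 5 (Most severe).  Durations are in hours: the electricity
# bounds are 5 s, 5 min, 1 h and 12 h; the gas bounds are 6, 12, 24 and 48 h.
SCALES: Dict[str, Dict[str, List[float]]] = {
    "electricity": {
        "extent_pct": [5, 25, 50, 75],          # % of customers / nominal capacity
        "duration_h": [5 / 3600, 5 / 60, 1, 12],
        "financial_pct": [0.5, 5, 25, 50],      # % of revenue during the incident
    },
    "gas": {
        "extent_pct": [5, 25, 50, 75],
        "duration_h": [6, 12, 24, 48],
        "financial_pct": [0.5, 5, 25, 50],
    },
}
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "Significant", 4: "Critical", 5: "Most severe"}


def level(value: float, bounds: List[float]) -> int:
    """Map a measured value to a 1..5 level.  The figures write '< 5%' and
    '> 5%' and leave the boundary itself undefined; assumption: a value equal
    to a bound counts as the higher level."""
    for lvl, bound in enumerate(bounds, start=1):
        if value < bound:
            return lvl
    return 5


@dataclass
class Scenario:
    """An incident scenario as Step 7 builds it from a dependency: the
    dependent assets, the disrupted service (the threat), the assessor's
    probability level (1..5 from Figure 12 or 16) and the estimated impact."""
    name: str
    assets: str
    disrupted_service: str
    probability: int
    extent_pct: float       # extent of loss of supply
    duration_h: float       # duration of outage / sustained low pressure
    financial_pct: float    # financial loss as % of revenue


def severity(scenario: Scenario, sector: str) -> Dict[str, int]:
    """Level per criterion plus the overall severity (worst criterion)."""
    scale = SCALES[sector]
    levels = {
        "extent": level(scenario.extent_pct, scale["extent_pct"]),
        "duration": level(scenario.duration_h, scale["duration_h"]),
        "financial": level(scenario.financial_pct, scale["financial_pct"]),
    }
    levels["overall"] = max(levels.values())
    return levels


def evaluate(scenarios: List[Scenario], sector: str) -> List[Dict[str, object]]:
    """Qualify every scenario with probability and severity and rank the
    list, highest risk first, for the risk mitigation part of the
    contingency planning approach."""
    rows = []
    for sc in scenarios:
        if not 1 <= sc.probability <= 5:
            raise ValueError(f"{sc.name}: probability level must be 1..5")
        sev = severity(sc, sector)
        rows.append({
            "scenario": sc.name,
            "probability": sc.probability,
            "severity": sev["overall"],
            "severity_name": LEVEL_NAMES[sev["overall"]],
            "risk": sc.probability * sev["overall"],
            "criteria": sev,
        })
    rows.sort(key=lambda r: (-r["risk"], -r["severity"], r["scenario"]))
    return rows


# Constructed sample scenarios for an electricity TSO (dependencies of Step 2).
SAMPLE_SCENARIOS = [
    Scenario("Loss of leased telecom link to remote substations",
             "SCADA/Telemetry, substations", "Not owned telecommunications",
             probability=4, extent_pct=3, duration_h=2, financial_pct=0.2),
    Scenario("Interconnector trip at peak demand",
             "Transmission grid", "Power exchange with adjacent TSO",
             probability=3, extent_pct=30, duration_h=0.5, financial_pct=3),
    Scenario("Loss of generated supply without black start",
             "Transmission grid, substations", "Electricity supply",
             probability=1, extent_pct=80, duration_h=20, financial_pct=30),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_SCENARIOS, "electricity"):
        print(f'{row["risk"]:3} P{row["probability"]} S{row["severity"]} '
              f'({row["severity_name"]}) {row["scenario"]}')
```

Running the same three scenarios under the gas scales changes the ranking, because a two-hour interruption is level 4 on the electricity duration scale but only level 1 on the gas scale.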
4.3.3 Oil Transmission

Step 1: Constitute the Holistic Risk Assessment Team

The objective of Step 1 is to create the holistic risk assessment team. The Risk Manager is the owner/lead for this process and should be assisted in the process by 3-4 independent individuals, with the level of their contribution dependent on the risk assessment being undertaken. The team should comprise personnel as described in the figure below. Expert and specialist input into the process will be provided by the following organisational functions as and when required to the Holistic Risk Assessment team:

Holistic Risk Assessment Team Contributors: Maintenance Team (Transmission Infrastructure); Engineering Team (Transmission Infrastructure); ICT & Physical Security; Contingency Planning Manager; Facilities Team; HR Team; Control/Dispatch Room Manager; SCADA/Telemetry Manager(s); Logistics Team; ICT (system & networks) Team; Safety Team.

Figure 18: Holistic Risk Assessment Team

Step 2: Define the scope of the risk assessment

It is essential that the definition of the scope of the risk assessment is fully understood by the holistic risk assessment team. The elements that could be considered for inclusion within the scope of the risk assessment undertaken on an oil transmission operator's environment might be:

Primary Oil Transmission Infrastructure:
• Pipelines (over ground, underground & underwater)
• Oil Transmission Network pump stations: These are used to maintain the flow of the oil within a section of the transmission network. Pump stations may also contain oil storage facilities.

Supporting Oil Transmission Infrastructure:
• Intermediate storage facilities.
• Processing stations (split gas/oil, remove water, split fractions).
• SCADA/Telemetry: These contain the key elements for the management, monitoring and control of the oil transmission and storage infrastructure and include real time and historic status information.
• ICT Networks and Systems: The ICT systems and networks are the infrastructure that supports the operations of the corporate and the SCADA/Telemetry environments.
• Facilities: The facilities include the buildings and land where oil transmission and storage assets are located.
• Engineering function: The engineering function is responsible for the deployment and management of the assets used for the transmission of oil over the transmission infrastructure.
• Maintenance function: The maintenance function has the role of maintaining the infrastructure and works in conjunction with the engineering function.
• Contingency plans: The contingency plans provide the organisation with the tools required to react in an effective manner following an incident.

Oil Transmission Infrastructure Dependencies:
• Tankers (Ship): These can contain in excess of 500,000,000 litres of oil and are used to transport oil to onshore oil terminals ready to be processed and injected into the oil transmission network.
• Terminals/Depots/Farms: This is where oil from the oil fields (and Tankers) is stored and processed (not refined) and where oil is injected into the national transmission network (also cross border & international via interconnectors). Terminals/Depots/Farms can also be supplied with oil via road or rail (bridging).
• Interconnector: An Interconnector is the point where transmission networks connect either at a national or cross border/international level.
• PIG Launchers: These are 'Y' shaped points within an oil pipeline where a maintenance PIG (Pipeline Inspection Gauge) or Scraper is introduced into the pipeline.

Step 3: Define the scales for risk evaluation

The objective is to provide defined scales for the evaluation of probability and severity. In the oil transmission sector, the scales for risk evaluation of incidents can be estimated in the following terms:

Impact Scales

The following table indicates the possible impact scales for an oil transmission operator:

| Criterion | 1: Low impact | 2: Medium impact | 3: Significant impact | 4: Critical impact | 5: Most severe impact |
|---|---|---|---|---|---|
| Extent of loss of supply by percentage of nominal output | < 5% | > 5% and < 25% | > 25% and < 50% | > 50% and < 75% | > 75% |
| Duration of loss of supply or sustained low flow rates | < 12 hours | > 12 hours and < 24 hours | > 24 hours and < 24 hours | > 48 hours and < 96 hours | > 96 hours |
| Financial loss: loss of revenue, customer compensation, cost of reactive remedial action & regulator fines as a percentage of revenue during the period of an incident | < 0.5% | < 5% | < 25% | < 50% | > 50% |

Figure 19: Impact Scales for Oil Transmission

Probability Scales

The following table indicates the possible probability scales for an oil transmission operator:

| | 1: Very low probability | 2: Low probability | 3: Medium probability | 4: High probability | 5: Certainty |
|---|---|---|---|---|---|
| Accidental or untargeted attacks | It is extremely unlikely that the incident will occur as, for example, there is merely no experience of it in the oil transmission sector. | The accident is not likely to occur as, for example, experience of it is very limited in the oil transmission sector. | It is likely that the accident will occur as, for example, similar accidents have been reported in the oil transmission sector. | It is very likely that the accident will occur in the organisation as, for example, most of the oil transmission sector has already suffered such incidents. | The accident will happen in the organisation in the close future. |
| Deliberate attacks | Attack would require virtually unlimited resources (money, skills, etc.). | Attack is very difficult to perform, needing a conjunction of expert skills and money. | Attack is not easy but could be possible with single expert skills and a reasonable investment in time and effort. | Attractiveness, lack of protection and resources of the attacker make the attack perfectly feasible. | Attractiveness, lack of protection and resources of the attacker make the attack ordinary. |

Figure 20: Probability Scales for Oil Transmission

Step 4: Understand the assets in the scope

The objective of Step 4 is to gain an understanding of the assets within the scope of the risk assessment for operations. Examples of the assets that could be within the scope of the risk assessment and that require their criticality and their priority levels to the oil transmission service to be understood are:
• The Terminals: These assets are used to receive, process (not refine), store and pump oil to the oil transmission grid. Oil can be received directly from oil production fields using pipelines or by tanker (via a terminal). Dependencies to energy sources, such as an oil terminal or other interconnections with other transmission networks, also need to be understood. This analysis should be done for the different modes of operation, such as seasonal usage and other usage patterns such as increases in peak demand and even price fluctuation.
• The ICT systems & networks: This is primarily the organisation's ICT assets and the need to protect sensitive information that may facilitate a compromise of the electricity transmission infrastructure should its protection fail. It is also important to identify any possible route from the ICT corporate infrastructure into the Telemetry infrastructure.
• The SCADA/Telemetry infrastructure: The need is to understand the potential control of the energy transmission infrastructure that can be achieved using the SCADA/Telemetry components and the potential to cause widespread disruption to the oil transmission infrastructure should the systems be misused or compromised.
• The Engineering and Maintenance teams: The need at this stage is to understand what the critical activities undertaken are, who the key actors within these teams are and what other dependencies they rely upon in order to deliver the required levels of service.
• The Control/Dispatch Room (including Control Room personnel): The need is to understand the level of resources required to function for different scenarios (normal load, peak time, incidents, etc.), and also how much of the control room's management, monitoring and control of the systems is manual, automatic or a combination of both.
• Interconnection points: These assets are where the transmission network interconnects with other networks, and the level of criticality given to each interconnection.
• The Contingency Plan: The need is to understand the contingency plan and all the resources that can be activated during an incident.

The common threats against an oil transport organisation would include, but are not limited to, the following:
Step 5: Understand the threats The objective is to understand the specific threats in the context of the target of the risk assessment being undertaken.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies • The transmission grid (Pipes & Interconnectors): The need is to fully understand and appreciate the extent of the network and the resilience levels provided in case of the loss of a section of pipeline or Interconnector. D2. unavailability or turnover of personnel Outdated and unmaintainable technology Figure 21: Common Threats to Oil Transmission operators An Oil Transmission operator is required to review the high level threats listed above and if they are applicable to their context. taking into consideration that the level of the threat of exposure may not be consistent across the scope of the risk assessment.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Intent Failure Nature Extreme conditions Cascade Acts of Terrorism Negligence Acts of Vandalism Mistake Pandemic (Flu/etc) Loss of Telecommunications Theft (copper/metals) Impact (e. This would have the detrimental effect of focusing the user of this approach on a finite list of vulnerabilities. which would by no mean be exhaustive. Step 6: Review Security and identify vulnerabilities The Step 6 objective is documenting the detailed vulnerabilities within the scope of the holistic risk assessment. It is therefore difficult to provide a list of typical vulnerabilities in the energy sector. Page 61 of 118 . This step is very dependent on the particular situation at hand. 
vehicle against pylon/pole) Geological Ingress of Water Fire Loss of Oil Supply to the Transmission Network (Interconnector / Supply) FIRE Flood Theft (equipment) Industrial action weather Loss of power supply/utilities/services Targeted Cyber Attack Explosion Virus/Trojans EMP Act of War Sabotage Diplomatic Incident Disclosure of information (Theft/Leakage) Equipment malfunction or failure Oil (spillage) Loss.g. they should proceed to evaluate the level of threat exposure. As such. probability and severity levels. by virtue of the previous 6 steps being tailored for the Oil Transmission sector.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Step 7: Evaluate the associated risk factors The objective of Step 7 is to compile a list of risk factors that have been qualified in terms of associated vulnerability. Page 62 of 118 . However. it is not possible to tailor this explicitly for the energy sector as it is a generic step. the output of Step 7 is specific to the sector.D2. this document will focus on a single organisational level (the operator). the management of an active incident and the mitigation factors required to reduce the effects of an active incident. The need for a Holistic Contingency Planning process is to ensure that an organisation has considered and incorporated all of the relevant elements into the Contingency Plan. This includes the minimisation of the potential effects of an incident should one occur. in an appropriate and effective manner. by default. across the Local. have multiple interactions with other organisations and agencies. identify the elements an organisation explicitly requires to create an appropriate and relevant Contingency Plan with an emphasis on the energy transmission sector.2 EURACOM WP 2. Regional and National areas. where the effect of an incident may have a significant negative effect and cause considerable disruption for their customers and the general public. 
Contingency planning is an essential tool to assist with the prevention and the management of incidents. A holistic approach is more a appropriate approach for the Energy sector organisations due to the fact that they. 5.2 was to undertake a comparative analysis and a desktop study and review of current Contingency Planning and Business Continuity Management Page 63 of 118 . therefore providing an organisation with as comprehensive a plan as possible within the scope of the organisation Contingency Plan. However.2 Desktop Study The primary scope of work for EURACOM WP 2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 5 Contingency Planning The following section will define the holistic Contingency Planning approach. that the organisation conducts regular Contingency Planning reviews & exercises and that the appropriate levels of training is provided to all the relevant personnel involved with the Contingency Planning processes. Cross Border within the EU and even internationally. The formal implementation by an organisation of an effective Contingency Planning process will also ensure that should an incident occur it can be readily identified. should one occur. 5. The failure to implement all of the required elements within a Contingency Plan will result in the failure to manage and react to an incident.1 Introduction As a critical element of an organisations Risk Management process.D2. impact analysis. i. that could be analysed.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies methodologies from various sources. holistic EURACOM methodology for risk assessment and contingency planning There was one major area of concern that the WP 2.2.2 objectively made a qualitative evaluation of existing standards and guidelines for contingency planning and business continuity management based on a defined set of analysis criteria. incident prevention and response etc. 
common elements of these existing models. WP 2.2 study (D 2.D2. Definition of criteria for assessment and comparative analysis 3.2 1. the question arises as to how joint exercising. national and domain-specific standards and guidelines. encompassing international. Conclusion and recommendations The conclusions and recommendations that came out of the WP 2. having in mind the goal to develop under this project a common. Selection of resources for analysis 2. providing guidance for the adoption and execution of the proposed approach. allowing for a continuous improvement of the established practices within the Energy Operators.e. integrated with a common approach for risk and vulnerability assessment as well. a common approach for contingency planning under EURACOM (i. As a result of this. Execution of the analysis 4. The study identified the common elements between Contingency Planning and Business Continuity Management methodologies and standards and this facilitated the highlighting of the common ‘good practices’. definition of continuity requirements. to identify good practice.e. the study created a comparison matrix (criteria vs. Page 64 of 118 .g. and assessed the suitability for application in the energy sector. Also identified was that as the interconnectivity of networks and their dependencies are key issues for EURACOM.2 desktop study highlighted and that was the general lack of Contingency Planning methodologies available (most of these were ICT centric).2) was that the analysis undertaken demonstrated the maturity of available holistic BCM standards and guidelines and underlying BCM frameworks and process models and from this perspective. for risk assessment.2 to help the reader readily identify these important and key common good practice elements from the methodologies and standards. standards & guidelines) in the ‘Conclusions’ section of D. The common approach should propose tools and methods tailored to the purpose of the analysis. 
for application to energy infrastructures) should incorporate the critical. whilst there were a reasonable number of Business Continuity Management methodologies and standards available that provided a good representative sample. maintenance and review is organised. e. The following is the approach undertaken by WP 2.. D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Page 65 of 118 . This approach is broken down in 3 primary phases: • The Preparation Phase.3 The Contingency Planning Approach at a glance The following is a recommendation for an approach to Contingency Planning for the Energy Sector that is based on a formal qualitative analysis of the current standards. • The Maintenance Phase. including industry requirements. Figure 22: The Contingency Planning 3 Phase Approach Page 66 of 118 . and good practice.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 5.D2. • The Test Exercise and Training Phase and. This is illustrated by the following diagram. methodologies. 4 Preparation Phase The preparation phase is where an organisation defines the scope. protect.D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 5. respond and recover from incidents which are relevant to the organisation’s needs and in line with the organisation’s defined objectives and priorities. the objectives and the structure of Contingency Planning and then initiates the processes that are required for the proper mitigation of risk in terms of measures to prevent. Figure 23: Contingency Planning Preparation Phase structure Page 67 of 118 . The primary elements that are considered a fundamental within the Contingency Planning preparation process are illustrated in Figure 22: The Contingency Planning 3 Phase Approach are then described below. D2. as this is required to be addressed within the contingency planning process. the people. 
the Contingency Planning will have to define first the scope of the analysis. Then following this scope. These could be legislative. the objectives of Contingency Planning will have to be defined.3. Approach In particular. contractual.4. Where transport (water/rail/road) is a primary requirement and/or a contingency requirement.2): either by reusing the scope of the risk assessment or by refining it to the areas that are identified as having predominant risk profiles (areas of high threat exposure or areas where occurrences of risk factors reach particularly high severity).3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 5. physical infrastructures. ICT infrastructures and more generally the resources that are involved. process. This is for the business to set their expectation about the level of resilience or risk mitigation they want to. or are required to. the details of transport requirements should be included within the scope and the objectives for the delivery of energy by transport. financial. external influences need to be considered. achieve.1 The Objectives and scope Objective The objective of this initial step of the preparation phase is to set the objectives and scope for the contingency planning activities. This can be pragmatically performed by setting the risk appetite of the organisation by identifying the acceptable level of risk the organisation is ready to accept. More generally.2. For practical reasons the scope can be reduced for the first implementation of Contingency Planning process and then later on it can be further expanded in future iterations of the process (see Maintenance Phase: section 5. outputs from the dependency analysis would be used to address external dependencies of the organisation within the contingency planning process. this risk acceptance setting process will set a threshold for the risk level which is generally considered as acceptable. Page 68 of 118 . 
Depending on the scales selected for the assessment of risk (please refer to Risk Assessment approach).6). etc and set some target risk level in designated areas which could be lower than the organisation own considerations. The scope can be set using the inputs of the Risk Assessment activities (please refer to section 4. environmental. In addition to this. this scope has to be defined holistically in terms of the part of the organisation covered. D2. it is important to note that senior management business representatives need to be involved in order to validate the objectives that will drive this activity for which the primary objective is to serve business and operations.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies -+ Figure 24: Risk Assessment Scale Stakeholders At this initial stage. Business Requirements Impact of Failure Restoration Requirements Page 69 of 118 . which also identifies the different participants needed to make up the contingency teams: Page 70 of 118 . The different level of stakeholder involvement is one or a combination of the following. • Contribute: The participant contributes to the overall Contingency Planning process within their area of responsibility and expertise. In addition. This is demonstrated in the following 2 matrixes. when dependencies are taken into account. e.2 Organisation for Contingency Planning The objective of this second step of the preparation phase is to ensure that all stakeholders required for the roll-out of contingency planning are identified along with their responsibilities.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 5. within the supply chain or to downstream facilities. • Lead: The participant either leads the overall process or is responsible for a key area of the Contingency Planning process within their area of responsibility or expertise. 
• Observe: The participant observes the processes from an observers position or from a compliance perspective. relevant persons of contact have to be identified outside the organisational scope.4. accurate and fit for purpose within their area of responsibility and expertise. • Receive: The participant receives relevant information explicit to their needs and requirements. As this is an enterprise wide initiative. large scale disturbances. • Validation: The participant validates that the Contingency Planning processes are relevant. This would ensure rapid access to/passing of information in case of complex.D2.g. most of the functions of the organisation are represented. Contribution – Internal Matrix Page 71 of 118 C/V C C .D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Executive Management O/V Contingency Planning Managers Business Management C Contingency Maintenance Contingency Exercises Contingency Testing Contingency Training C/R C C/O L L L/C/V L/C/V L/C/V L C/V C C/R C C/V L/C C/R Contingency Plan Responders Risk Manager Response & Recovery Measures Internal Stakeholders Prevention & Protection Measures Risk Mitigation Strategy Contingency Process L/C C C O O C/V ICT Security Management C C/V C C/R C C C/V Physical Security Management C C/V C C/R C C C/V L/C C C C C C C Site(s) manager(s) C C C C ICT & Network Managers C C C C Facilities Management C C C C C Maintenance Manager C C C C C Disaster Recovery Manager Operations Representatives Maintenance Engineers Departmental Managers C/R C/R C C C Staff Representatives C C C/R R Figure 25: Role vs. 
3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Contingency Planning Consultants The Industry Regulator(s) C/O C C/O Contingency Maintenance Contingency Exercises C/O C/R L/C C C/O Industry Peers Suppliers Regional Government Contingency Testing C The local Emergency Services Partners Contingency Training Response & Recovery Measures External Stakeholders Prevention & Protection Measures Risk Mitigation Strategy Contingency Process R C C C C C O/R C/R C/O R R R Customers National Government O/R C/R C/O R EU O/R C/R C/O R Figure 26: Role vs.D2. Contribution – External Matrix Page 72 of 118 . 3.D2. risky activities.) Another option for risk avoidance is to transfer the risk through for example the out sourcing of the risky activities to an external partner. etc.7) as part of the Risk Assessment exercise. • Prevention: putting in place prevention measures directly aimed at reducing the probability of the occurrence of a risk. protection. an option can be to avoid the risk.3 Risk Mitigation Strategy Setting Objective The primary objective is to take the output from the Risk Assessment exercises and introduce appropriate Risk Treatment(s) to provide the most appropriate mitigation possible. Page 73 of 118 . risk avoidance can be achieved through modifying the way the organisation operates to avoid the areas where the risk could occur (use of uncertain technologies. response or recovery measures are available. • Risk Acceptance is the final option of risk mitigation either because the risk level falls below the acceptability threshold or because there are no cost effective or even feasible measures to mitigate a risk that can not be avoided. this is achieved by identifying the risk mitigation approach for each of the risk categories in the scope in order to reduce the risk level below the acceptable risk level defined in the objectives. 
• Risk Avoidance: For risk factors which are considered unacceptably high and for which no suitable or adequate prevention. this is a general statement which proves to be true in most cases. an organisation sets a Contingency Plan aimed at reacting to the risk should it occur.2. • Protection: putting in place protection measures which are tasked with reducing the severity of a risk should it occur. operations in risky regions. • Recovery: This regroups the set of resources and processes that need to be activated in order to resume to a normal state of operation after an incident has occurred and first response procedures have been activated. Approach This process is initiated by a review of the risk factors identified in the scope of the analysis (please refer to section 4. Depending on the circumstances. • Response: for risk factors which can not be prevented or protected.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 5. It is important to mention at this stage that the risk mitigation solutions have to be envisaged as giving priority to the prevention and protection measures. the subsequent options being often less effective and more costly.4. The first objective is to set the Risk Mitigation strategy. in a not too dissimilar context there are options for organisations to offset part of their risk factors to insurance companies by ensuring against it. ). This risk treatment plan constitutes the strategy of the organisation for risk mitigation. Physical.g. A good risk mitigation strategy may for example attempt to limit the level and reduce the impact of these dependencies (e.D2. It is the Executive Management who will validate the Risk Management Strategy.e. as such this plan. possibly organisational dependencies).. 
along with the necessary investments and impacts on operation implied by the mitigation measures need to be presented and validated by senior management to ensure senior executive backing and secure the appropriate resources required to implement the Contingency Planning project and processes. On the other hand. This risk treatment plan should include an evaluation of the residual risk level of each risk factor after mitigation.g. Stakeholders The lead stakeholder for the Risk Mitigation Strategy is the organisations Risk Manager who is acting on behalf of the Executive Management. through the availability of alternative communication means. Output Risk Treatment Plan (including mitigation measures. Organisational. basic supplies for energy. relation and relevance with regard to specific risk (e. It should also document the acceptance of the residual risk and in particular highlight all risk factors that are above the agreed risk acceptability threshold. IT and Human aspects security).3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies This process should be documented by a formal risk treatment plan identifying for each risk factor the mitigation options which are retained in all the above categories. communication means may also be impacted by significant natural hazards). which at this juncture means that security measures need to be identified in all areas (i. Page 74 of 118 . potentially the industry regulator who may want some level of assurance that regulatory requirements are being addressed and met. their nature (e. simultaneous suppliers. It has to be re-emphasized that the whole approach undertaken and presented within this document needs to be holistic. risk mitigation strategies must appropriately take into consideration the existence of external dependencies. water.g. their impact. back-up systems etc. residual risk and required investment) validated by senior management. 
as well as providing input to the process. communication etc. Other stakeholders include key areas of the business that will provide the required input to contribute with the formularisation of the strategy. This is why the prevention and protection measures have been grouped together.D2. This is not the objective of this approach to go into detail for this part as it would be counterproductive to devise a project management framework which would not be totally adapted to the existing processes of an organisation which wishes to follow the EURACOM approach. The proactive prevention of a major incident is preferable to the reactive management of an incident. To this end. It is therefore important to follow this measure as a Key performance indicator (KPI) for the project both for the final result but also for the intermediate milestones to identify how the level of risk mitigation is built throughout the project execution. dependencies and the main milestones of the project.4 Implementation of Prevention and Protection measures Objective The objective of is primarily for an organisation to adopt a proactive approach to Risk Mitigation activities in order to facilitate the prevention of a major incident. Approach The approach for the implementation of the prevention and protection measures is not dissimilar to the approach undertaken to roll out any other projects within the organisation. This is achieved by using appropriate countermeasures to effectively mitigate risk and therefore reduce the probability of occurrence of a risk (prevention) and/ or to limit the impact/ severity of a risk if it occurred. the drivers and other criteria that are crucial for the successful management and implementation of the project: • Risk Mitigation: Risk mitigation is the principal driver of this activity and therefore the various activities and solutions need to be designed to satisfy this goal and to achieve the objectives set out in the Risk Treatment Plan. 
it is important to underline the key performance indicators. This includes objectives setting and communication. etc.4. definition of a project plan identifying the main phases. Page 75 of 118 . • Holistic implementation: This aspect needs to be closely monitored to ensure that security is not implemented in a multitude of isolated silos and that on the contrary all measures form a complete security posture for prevention and protection.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 5. resources involved. Although this detailed approach is not described here. procedures for validating the results.. activities. timescales. this activity should be driven following the practices and processes in place within the organisation for the governance. setting of a steering committee. management and control of the project. • Residual Risk: The level of residual risk is the main result of this phase where the prevention and protection measures are implemented to achieve a target residual risk level. Physical and Logical Security. In order to facilitate this process. The main driving factors to take into account are risk mitigation level and measures to comply with regulatory requirements. from occurring.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies • Prioritising implementation of prevention and protection measures: Organisations operate with finite resources. Page 76 of 118 . penetration testing is aimed at verifying the robustness of these security functions or to check they can not be bypassed. o Security audits or reviews: This is the use of a third party to verify and validate the actual implementation of the security measures. These guidelines need to be established by the organisation but they should consider the following aspects: assessing the driving and the limiting factors for each action in order to identify priorities. complexity of implementation can be considered. 
• Acceptance of security: As expressed above, any acceptance process should follow the principles of the organisation's project management practices (e.g. Factory Acceptance, User Acceptance, etc.). When it comes to security, specific additional steps should be added to the usual acceptance practices:
o Security penetration testing: In addition to the functional testing of security, aimed at verifying that the security solutions deliver what they are expected to, penetration tests should be performed. These types of penetration tests can take various forms: ICT penetration tests (ethical hacking), social engineering, etc.

Concerning the limiting factors (cost, time, etc.), it is impossible to implement all the prevention and protection measures at the same time, so some clear guidelines should be identified by management to prioritise the actions.

Stakeholders
The key stakeholders are the Contingency Planning Managers, whose role is to ensure that adequate Prevention and Protection measures are in place to assist with the prevention of an incident or incidents. A number of key management stakeholders from within the organisation are utilised and cover the different organisational aspects such as ICT, Facilities, etc. External stakeholders may include industry partners, the Regulator and Government, who may observe and review the implemented controls.

Output
A comprehensive and formal 'Prevention and Protection' measures implementation process and also the actual implementation of the validated Prevention and Protection measures. The risk profile of the organisation has undergone a level of mitigation. This output should be fed back into the risk assessment process to show the evolution of the risk profile on the scope of the analysis.

5.4.5 Implementation of Response and Recovery measures
This process will aim at developing the Response and Recovery capabilities of an organisation against incidents that have been identified through the risk assessment process. This section is presented after the Prevention and Protection measures implementation to reflect the general fact that responsive measures should always be considered to complement preventive measures. However, this does not mean that this process should happen once the previous one is over. On the contrary, this activity should happen in parallel to the previous one, within the limits of the resources available in the organisation. The objectives of this section will be to develop the necessary processes, solutions, systems and resources to constitute this Response and Recovery capability.

It is important to mention that the objective of this report is to be understood in the context of the EURACOM objectives, which are targeted at the resilience of the supply chain of interconnected energy networks. As a result, response measures to mitigate financial impact (e.g. capital provisioning) or measures for managing brand image impacts (e.g. corporate communication plans) will not be covered by the approach; therefore the rest of the approach will focus on impacts on supply only.

5.4.5.1 Approach - Scenarios selection
The approach is initiated following the result of the Business Impact Analysis (evaluated during the Risk Assessment) and of the Risk Treatment phases. The business impact analysis performed during the risk assessment will provide the details of the risk scenarios to be considered:
• The scenario of occurrence of the risk (e.g. an attack concept or a hazard scenario) with the threat agents, vulnerabilities exploited and assets that are directly affected.
• The evaluation of likelihood.
• The evaluation of the impact for the business, derived on the various dimensions of the impact (e.g. impact on supply, financial impact, corporate image impact, regulatory obligations, legal pursuits, impact on human beings, etc.).
The risk treatment phase will provide the actual risks for which response and recovery measures have been selected for risk mitigation. It is not always practical or even feasible for an organisation to develop its Contingency Plan to cover all possible scenarios; therefore it is often preferable to only start with a subset of them, selected to dimension the Contingency Plan. It will then be possible for an organisation to add new scenarios when iterating and maintaining its contingency plan.

5.4.5.2 Continuity of Supply objectives
For each one of these scenarios of risk, supply continuity objectives need to be expressed in terms of:
• Time for Restoration of Supply: Return Time Objectives (RTO), expressed in time.
• Level of Supply: Return Point Objectives (RPO), expressed in terms of percentage of nominal supply and priorities for restoration of Energy.
In this way, these supply continuity objectives, for any given scenario, can be expressed in a more granular manner by plotting the profile of recovery of supply against time.

5.4.5.3 Derive Supply Continuity Objectives in the infrastructure
Once the objectives have been set for the supply, continuity objectives must also be expressed for elements like assets of the energy network, systems, relocation of key personnel, etc. External dependencies should also be considered and analysed from the perspective of their impact on operational continuity. This analysis will be supported by the dependency analysis performed as part of the risk assessment, to show how the various elements of the infrastructure and also external dependencies and supplies contribute to the supply of the end product.
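As an added worked example (not code from the EURACOM deliverable), the "Derive Supply Continuity Objectives in the infrastructure" step above carried out in Python: a supply-level recovery profile (RTO checkpoints with the RPO fraction due at each) is pushed down a constructed dependency graph to give every element, including external dependencies, its own latest restoration time, and a candidate strategy's recovery times are then checked against the profile. All element names, shares, priorities and times are constructed for the illustration.

```python
"""Derive element-level continuity objectives from a supply-level objective.

Constructed example: the supply objective is a recovery profile
(hours -> minimum fraction of nominal supply restored), the infrastructure
is a dependency graph as produced by the risk assessment, and each
contributing element has a share of nominal supply and a restoration
priority. Nothing here is taken from a real network.
"""

# Objective profile for one scenario: by t hours, at least this fraction of
# nominal supply must be restored (RPO levels along the RTO timeline).
OBJECTIVE_PROFILE = [(4.0, 0.30), (12.0, 0.70), (48.0, 1.00)]

# Contributing elements: share of nominal supply and restoration priority
# (lower number = restore first). Constructed values.
CONTRIBUTORS = {
    "substation_north": {"share": 0.40, "priority": 1},
    "substation_south": {"share": 0.35, "priority": 2},
    "substation_east": {"share": 0.25, "priority": 3},
}

# Dependency analysis: element -> elements it cannot operate without
# (internal systems and an external supplier). Constructed, acyclic.
DEPENDENCIES = {
    "substation_north": ["scada_primary", "gas_supplier_x"],
    "substation_south": ["scada_primary"],
    "substation_east": ["scada_backup"],
    "scada_primary": ["corporate_wan"],
}

# Two candidate strategies: hours until each element is back. Constructed.
STRATEGY_A = {"corporate_wan": 1.0, "scada_primary": 2.0, "substation_north": 3.0,
              "gas_supplier_x": 6.0, "substation_south": 10.0,
              "scada_backup": 30.0, "substation_east": 36.0}
STRATEGY_B = dict(STRATEGY_A, gas_supplier_x=4.0)


def derive_element_rtos(profile, contributors, dependencies):
    """Latest acceptable restoration time (hours) for every element.

    Contributors are committed in priority order at the earliest checkpoint
    where the share already committed falls short of the required fraction;
    a dependency then inherits the tightest RTO of anything depending on it.
    """
    rtos = {}
    committed = 0.0
    by_priority = sorted(contributors, key=lambda e: contributors[e]["priority"])
    for t, required in sorted(profile):
        for elem in by_priority:
            if committed + 1e-9 >= required:
                break
            if elem not in rtos:
                rtos[elem] = t
                committed += contributors[elem]["share"]
    changed = True
    while changed:  # propagate deadlines down the dependency graph
        changed = False
        for elem, deps in dependencies.items():
            if elem not in rtos:
                continue
            for dep in deps:
                if rtos.get(dep, float("inf")) > rtos[elem]:
                    rtos[dep] = rtos[elem]
                    changed = True
    return rtos


def available_at(elem, t, recovery_times, dependencies):
    """True if elem and everything it depends on are restored by time t."""
    if recovery_times.get(elem, 0.0) > t:
        return False
    return all(available_at(d, t, recovery_times, dependencies)
               for d in dependencies.get(elem, []))


def delivered_fraction(t, recovery_times, contributors, dependencies):
    """Fraction of nominal supply a strategy delivers at time t."""
    return sum(c["share"] for e, c in contributors.items()
               if available_at(e, t, recovery_times, dependencies))


def check_strategy(recovery_times, profile, contributors, dependencies):
    """Checkpoints the strategy misses as (t, required, delivered); empty
    means the recovery profile meets the Supply Continuity Objective."""
    shortfalls = []
    for t, required in sorted(profile):
        got = delivered_fraction(t, recovery_times, contributors, dependencies)
        if got + 1e-9 < required:
            shortfalls.append((t, required, round(got, 3)))
    return shortfalls


if __name__ == "__main__":
    for elem, rto in sorted(derive_element_rtos(
            OBJECTIVE_PROFILE, CONTRIBUTORS, DEPENDENCIES).items()):
        print(f"{elem:18s} must be restored within {rto:5.1f} h")
    for name, strategy in (("A", STRATEGY_A), ("B", STRATEGY_B)):
        missed = check_strategy(strategy, OBJECTIVE_PROFILE, CONTRIBUTORS, DEPENDENCIES)
        print(f"strategy {name}: {'meets objective' if not missed else missed}")
```

Strategy A fails only because the external gas supplier is back after 6 h while the derived objective for it is 4 h, which is exactly the kind of external dependency the paragraph above says must be analysed.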
Objectives need to be set in terms of Continuity of Supply by making sure that the operational impact remains within a limit that keeps the risk at an acceptable level. These Continuity of Supply objectives are derived from the objectives set in section 5. In more elaborated models, scenarios of risk which have a higher probability of occurrence will have more ambitious Continuity of Supply objectives.

Figure 27: Continuity Objective Profile

The organisation has to perform an analysis of what the required RTO and RPO are for all the elements of the supporting infrastructure, to allow for the supply to be recovered in time.

Figure 28: Continuity Objective

5.4.5.4 Define possible strategies to meet the Supply Continuity Objectives
For each scenario, several strategies can be identified in terms of the technical and organisational response and recovery measures that can be implemented. At this stage, only high level strategies need to be described, the level of detail being set to the right level for decisions to be made. These strategies should at least include:
• The actual continuity levels that can be achieved.
• Qualitative information on the strategy describing how the plan would operate (plan reliant on technologies, people, backup infrastructure, emergency resources, external partners, etc.).
• The cost and effort required to develop the associated contingency plan.
• The cost and effort required to operate against the contingency plan.

5.4.5.5 Selection of strategies
A review of the various strategies needs to be undertaken in order to validate the actual solutions that will be implemented. It is difficult to stipulate a finite list of criteria to be reviewed for this exercise, but the following aspects should be given consideration:
• The continuity levels expected with each strategy, to be analysed against the Supply Continuity Objectives.
• The use of common strategy elements to cover a maximum of risk scenarios, by opposition to resources which can only cover a certain type of risk scenario. To illustrate this, on the organisational side of the Contingency Plan, the procedure for alerting and mobilising a crisis management cell should be the same for all scenarios; however, the composition of the crisis management cell would vary depending on the situation, and therefore the disciplines and expertise that need to be represented. From there, the organisational structure to manage incidents should allow for a core organisation and set of processes which are common whatever the scenario, with possible variations around this core to cope with the specifics of each situation.
• Having flexible solutions which can be adapted to actual events. This recognises the fact that real life situations will always deviate from the scenarios used to dimension Contingency Plans, and also that situations can evolve.
• The cost and effort in perspective to the actual risks which are mitigated.

5.4.6 Implementation of Response and Recovery Measures: the contingency plan
Once the selection of the strategies is performed, a detailed plan for their implementation has to be developed. In this respect, similarly to step 5.4.4 Implementation of Prevention and Protection Measures, this aspect is closely linked to the practice of the organisation in terms of project management. In addition to general project management principles, below are the specific aspects of a contingency plan development project:
• The contingency plan development is an organisation wide project ranging from tactical to strategic levels and covering all resources and operations of the business (IT, facilities, energy network, etc.). The organisational complexity of the project has therefore the potential to be extremely high.
• Animate regular cross organisation project reviews. To further address the complexity developed in the previous point, it is important to organise cross organisation project progress reviews in order to give representatives of each of the Contingency work streams an understanding of the big picture.
• Focusing on Supply Continuity Objectives, the scenarios and the strategy. A good cohesion factor for all actions across the organisation is to use the scenario and the strategy as the main reference for all stakeholders to refer to as the mutual main objective.
• Testing and maintenance. This is a key part of Contingency Planning: even more than in other projects, testing, training and maintenance have to be faultless. This is why these aspects have been developed in a dedicated section (ref 5.5.2).

Stakeholders
The Contingency Planning Managers, Plan Responders and the Disaster Recovery Manager lead any Response and Recovery measures. To effectively respond during an incident, they will need to be supported by all relevant elements of the organisation along with suppliers, Industry Peers, Government and potentially the Emergency Services. Customers of the Energy Provider will need to be advised of, and updated with, restoration of service details.

5.4.7 Supporting data: the key elements of a Contingency Plan
The main elements of a Contingency Plan can be organised around the following concepts:
• Incident Management.
• Crisis Management.
• Business Continuity Management.
• Disaster Recovery Management.
Other elements of a Contingency Plan which are not covered as part of the project, because they are outside of EURACOM's remit, are:
• Media Communication Plan.
• Social and HR dimensions of the Contingency Plan.
• Legal dimensions of the Contingency Plan.
• Finance and Markets dimensions of the Contingency Plan.

5.4.7.1 Incident Management
Incident Management is the process through which organisations deal with incidents. It covers the reporting of incidents, the escalation/resolution of incidents and the review of incidents. Organisations can have different processes for incident management depending on their nature:
• A structure for reporting by customers of incidents linked to perturbation of supply
• A structure for reporting physical security incidents
• A structure for managing operational incidents through telemetry
• A structure for managing ICT incidents
All these processes are separate but all have in common the capability to escalate an incident which would go out of proportion to the crisis management process.

5.4.7.2 Crisis Management
Crisis Management is the set of processes, organisational structure and resources for an organisation to actively manage a crisis (by opposition to processes linked to tactical resolution actions) from detection to the exit of crisis mode. Crisis Management objectives are principally aimed at ensuring that there is a chain of command for the management of the crisis, enabling decision making in extraordinary circumstances and ensuring that decisions are relayed and that information is reported towards the decision makers. The basic processes cover alert, crisis cell mobilisation, situation awareness building, decision making, decision communication, crisis cell operation, etc. These processes are very stable whatever the type of crisis or incident, with allowance for variations to adapt to different types of situations. All these processes are documented as procedures of the crisis management plan. The response and recovery measures specific to scenarios are found in the supporting Business Continuity Plans and Disaster Recovery Plans (see below).
Some of the elements constituting a crisis management plan are:
1. Organisation in terms of crisis (internal and external), covering roles and responsibilities
2. Main procedures from alert to end of crisis
3. Special conditions: "reflex" actions for specific scenarios
4. Supporting tools:
a. Directory of contacts, internal
b. Directory of contacts, external
c. Dashboards supporting crisis management
Crisis management plans can be set at various levels of an organisation:
• Group
• Branch
• Site
• Activity
The plan is also supported via dedicated resources for crisis management; typical resources are:
• Alert system.
• Crisis Management Room(s) in several locations (the level of equipment needs to be adapted to the needs).
• Video/Phone conference facilities (available in time of crisis).
• Special communication means in case of ICT or electricity blackout.
• Crisis Management Case (containing all essentials for crisis management).
• Activation of an external information line.
• Etc.

5.4.7.3 Business Continuity Management
Business Continuity Management is the set of processes and resources an organisation has identified and provisioned to be activated following adverse events in order to ensure an acceptable level of continuity of operational activities, ICT and other fundamental external resources and supplies. This plan contains dispositions about management, but these aspects are mainly covered in the crisis management plan(s). The content of Business Continuity is more focused on practical operational and tactical measures directly aimed at responding to and recovering from specific incident scenarios. All these measures are documented through procedures in the Business Continuity Plan.
A business continuity plan includes some of the following elements:
1. List of scenarios covered.
2. Overall strategy for each scenario along with organisation, roles and responsibilities. The strategy should remind the target continuity objectives.
3. Supporting procedures for the various actions and stakeholders (fall-back procedures, BCM activation, recovery actions, etc.).
4. Supporting tools.
The plan is also supported via dedicated resources for business continuity; typical resources are:
• Deployable units for intervention on the energy network.
• Backup infrastructures and systems for energy supply.
• Alternate control room.
• Alternate sites for employees in case of unavailability of the primary site.
• Backup communication methods.
• Etc.

5.4.7.4 Disaster Recovery Management
Disaster Recovery Management deals as well at operational as at tactical level and focuses on the measures and resources to be activated in order to recover the required level of ICT capabilities to support the business functions. Due to the complexity of ICT systems, these dispositions are usually dealt with separately from the other resources managed in the Business Continuity Plan. Concerning the energy sector, it is probable that Disaster Recovery Management will be separated in two main scopes:
• Corporate ICT.
• Process Control, Telemetry and Network management ICT (SCADA, systems, applications, etc.).
A disaster recovery plan includes some of the following elements:
1. List of scenarios covered.
2. Overall strategy for each scenario along with organisation, roles and responsibilities. The strategy should remind the target continuity objectives.
3. Supporting procedures for the various actions and stakeholders (swap production environment to DR site, restoration of data, etc.).
4. Supporting tools.
The plan is also supported via dedicated resources; typical resources are:
• Disaster recovery site.
• Backup data (on tape, disk, etc.).
• Spare hardware.
• Etc.

5.5 The Test, Exercise & Training Phase
These phases are critical to successful execution, management and maintenance of a Contingency Plan, as they ensure that all the processes developed within the Contingency Plan can be successfully implemented and that the Contingency Plan implementers for Response & Recovery can effectively undertake their roles and fulfil their responsibilities. Any issues that arise from the Test, Exercise & Training phases are fed back into the Contingency Plan in the form of lessons learnt and are used to enhance and stabilise the processes surrounding Contingency Planning and the Contingency Plan.

Figure 29: The test, exercise and training phase

5.5.1 Contingency Planning Training
Objective
The objective is that, as a pre-requisite, all personnel involved with Contingency Planning need to be fully conversant as to what their roles and responsibilities are and what is required from them during an incident to facilitate a successful implementation of the Contingency Plan. Failure to provide the necessary and appropriate training to personnel will potentially lead to an organisation's Contingency Plan failing and therefore increase the potential for an incident to significantly increase in magnitude.

Approach
The use of subject matter experts without the appropriate Contingency Planning training will not provide an organisation with the level of skills required to manage incidents and to execute the
appropriate level of response to an incident. The use of subject matter experts without appropriate Contingency Planning training may in fact impede the successful execution of an organisation's Contingency Plan during an incident and would most certainly delay the recovery and restoration processes for the organisation. The only way to effectively manage this requirement is to provide the appropriate level of training to an individual or group of individuals that is relevant to their role when executing the contingency plan. Personnel should reach a stage of competence where they are able to execute their roles without the need to refer to a guide; the level of training must be sufficient so that contingency plan execution becomes second nature to personnel.

There are three main training groups in Contingency Planning:
1. The training of strategic personnel for the implementation, the execution and the management of the organisation's Contingency Plan.
2. The training for personnel who are responsible for the management and implementation of defined recovery processes.
3. The training for personnel who have a role in assisting with the implementation of the recovery processes.

The training of personnel with responsibilities under the contingency plan should be conducted along with testing. The training needed has to be refreshed at regular intervals or when an individual's role changes, when new personnel have contingency responsibilities or if the organisation evolves.

Stakeholders
Contingency Planning Managers are the key stakeholders (on behalf of the Executive Management) and will lead this element to ensure that all relevant parties within the organisation receive appropriate and relevant Contingency Training in order for them to fulfil their duties within the Contingency Plan.

Output
A comprehensive training plan that accommodates all personnel involved in Contingency Planning, and the provision for refresher training or updated training when key factors within the organisation change.

5.5.2 Test the Contingency Plan
Objective
The testing of the contingency plan is important to provide the appropriate level of assurance that the assumptions made about the quality and effectiveness of the Contingency Plan are tried and tested, to confirm its validity and satisfy the organisation that the Test Plan, as well as the Contingency Plan itself, are fit for purpose and meet the organisation's Continuity objectives. This is required in order to validate the plan's ability to deliver and meet its objectives, and where shortcomings can be addressed in a proactive manner.

Approach
The testing can be scenario based or it can be tailored to test explicit elements or functions of a Plan. The following types of testing can be undertaken:
a. Call Tree: The function of a call tree is to provide a list of personnel, and their contact details, needed to execute and operate the Contingency Plan when an incident occurs. When contact is initiated to the first group of contacts, they then cascade the process onwards by contacting their contacts, who in turn contact their contacts, etc. This type of test will verify, or not, that the Contingency Plan's Call Tree works, and it should introduce elements into the testing that address the loss of mobile and/or fixed telecoms or key/senior team members. If the call tree process is automated, this test is also relevant.
b. Walkthrough: A walkthrough is primarily a formal peer review of an element (or elements) of a contingency plan where each stage is discussed and where its merits and deficiencies are identified and potential improvements are discussed, including the ability to accommodate changes or deviations to the plan. The output from this test/review is the most critical of the tests and the lessons learnt from it feed directly into the preparation phase.
c. Table Top: A Table Top exercise would involve a contingency scenario being presented to the contingency team (or teams), where they would describe and discuss the actions they would undertake during an incident without actually executing their actions. This test follows on from the Call Tree and the Walkthrough and leads towards the execution of a contingency exercise.

The tests should include the following to identify the contingency and the actions that need to be taken to address the contingency:
1. Contingency: What is the contingency?
2. Activation: What are the activation criteria?
3. Severity: What is the impact of the contingency?
4. Action: What action is undertaken to address the contingency?
5. Result: What is the expected result?
The testing has to be undertaken in a formalised manner and personnel should be fully de-briefed so that any lessons learnt or shortcomings are captured and fed into the contingency plan maintenance phase.

Stakeholders
The Contingency Planning Managers are the key stakeholders for Contingency Testing, as they have a responsibility to the Executive Management and potentially the Industry Regulator to validate that their Contingency Testing plans and activities are fit for purpose, and as such will lead this element to ensure that all relevant parties within the organisation validate their Contingency Plans through appropriate testing.

Output
The output will be a formal Test Plan, including test scripts and scenarios, to validate the assumptions of the Contingency Plan's suitability and effectiveness and that it is fit for purpose and meets the organisation's objectives.

5.5.3 Contingency Exercises
Objective
Contingency Exercises will act as a comprehensive method to complement the Testing and Training phases and to validate that they have achieved their goals and satisfy the organisation's requirements to the appropriate level with respect to the Contingency Plan. Contingency Exercises should be organised to simulate real world scenarios in a structured and defined format in order to validate the effectiveness of the contingency planning processes, including testing and training, communication and decision making processes.

Approach
Periodical contingency exercises are important not only as part of the testing and maintenance, but to ensure that personnel fully understand their roles and responsibilities in an actual incident and are conversant with the procedures and protocols should a Contingency Plan be activated. Each exercise should have clearly defined objectives as to what the organisation wants to achieve from the exercise, and the exercise should have a formal set of evaluation criteria to measure the level of success the organisation has achieved in its response and recovery processes.

Ideally the exercises should include a scenario based approach to a specific incident within the energy sector that will activate a broad range of response and recovery processes using multiple teams from different elements of an organisation's structure, to facilitate effective co-operation. Such a simulation, albeit a customised one, of a previous event (within the energy sector) would deliver a more realistic scenario simulation and would also be able to validate whether the lessons learnt (by the energy sector) have been implemented and incorporated within their risk management processes following the post mortem of the 'original' incident. The exercise should include as many elements of the organisation as possible, but must maintain a focus on the organisation's most critical elements which have previously been identified in the Risk Assessment. These should include elements from the Test Plan, including executing the Call Tree processes and utilising the scripts and scenarios developed for the Contingency Test Plan.

Exercises could be undertaken either in 'Real' or in 'Accelerated' time, with the former being more appropriate for a larger exercise involving multiple parties and agencies, whilst the latter would be more suitable for a smaller internal exercise, e.g. a single site. Accelerated time exercises are also more suitable for simulating business responses during an incident.

One primary and critical element for any form of contingency exercise is that there must be inbuilt and comprehensive safeguards against the simulated incident exercise being accidentally mistaken for a real incident, which could cause distress and panic for those not realising that an exercise was being executed. Panic driven actions could also be undertaken by poorly trained personnel that may implement real responses to simulated incidents, which could potentially lead to an actual incident occurring and placing the organisation in 'Contingency mode'. This could also then create a scenario where a number of personnel may still think they are in the contingency 'Exercise mode' and not actually execute the appropriate responses during an actual contingency.

Organisations should also introduce additional elements within a contingency exercise to identify potential shortcomings following:
• The loss of a large number of key staff
• Severe weather conditions
• Premises being made unavailable
• Industrial action, strike
• Full or partial loss of communications

Following any contingency exercise or simulation, a comprehensive de-briefing process should be undertaken in order to capture and provide a valuable insight into the positive and negative aspects of the exercise (what worked well and what didn't work very well), and this should then be recorded in a formal and structured manner. The information gained from the de-briefing(s) should then be analysed, and the results from the analysis will then feed into the lessons learnt process and therefore into the contingency plan's maintenance phase, to ensure that all captured issues that need attention are addressed appropriately.

Extended Approach
The introduction of major incident scenarios involving multiple organisations (Sector, Cross Sector, Local, Regional, National, Emergency Services, Cross Border and International) and complex exercises should be undertaken to validate the compatibility, interconnectivity and interdependency of the different contingency plans and to assist in reducing the probability of an incident escalating. This type of exercise will ensure that major incidents involving multiple organisations can effectively implement and manage multiple contingency plans under a single overarching contingency plan, and that no isolated contingency plan can severely impede the response and recovery processes during a major incident. These aspects are further developed in section 7, Managing Dependencies of the energy sector in Risk Assessment and Contingency planning.
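The Call Tree test of 5.5.2 and the exercise elements above (loss of key staff, loss of communications) as an added Python simulation, not part of the report: calls cascade through a constructed tree, deputies and telecoms channels are modelled, and the code reports who is cut off under each condition and which single absences isolate others. Names, tree, deputies and channel assignments are all constructed.

```python
"""Call Tree test: simulate the cascade and report who is cut off when key
staff are absent or a telecoms channel is lost.

Constructed example, not taken from the EURACOM report: the tree, deputies,
names and channel assignments are invented for illustration.
"""
from collections import deque

# Who each person is responsible for calling; the cascade starts at the root.
CALL_TREE = {
    "cp_manager": ["ops_lead", "ict_lead", "comms_lead"],
    "ops_lead": ["shift_a", "shift_b"],
    "ict_lead": ["scada_eng", "network_eng"],
    "comms_lead": ["press_office"],
    "shift_a": ["field_crew_1"],
    "shift_b": ["field_crew_2"],
}

# A deputy takes over a person's calls when that person cannot be reached
# (the plan's mitigation for losing key/senior team members).
DEPUTIES = {"ops_lead": "ops_deputy"}

# Channels each person can be reached on; losing "mobile" or "fixed"
# removes that channel for everybody at once.
CHANNELS = {
    "cp_manager": {"mobile", "fixed"}, "ops_lead": {"mobile"},
    "ops_deputy": {"fixed"}, "ict_lead": {"mobile", "fixed"},
    "comms_lead": {"mobile"}, "shift_a": {"mobile"}, "shift_b": {"mobile"},
    "scada_eng": {"fixed"}, "network_eng": {"mobile"},
    "press_office": {"fixed"}, "field_crew_1": {"mobile"},
    "field_crew_2": {"mobile"},
}


def everyone(tree):
    """All people named in the tree, as callers or as contacts."""
    people = set(tree)
    for contacts in tree.values():
        people.update(contacts)
    return people


def run_cascade(tree, root, absent=frozenset(), lost_channels=frozenset(),
                deputies=DEPUTIES, channels=CHANNELS):
    """Return the set of people actually reached by the cascade.

    A person is reachable when not absent and at least one of their channels
    still works. If a person cannot be reached, their deputy (if any, and if
    reachable) is called instead and makes that person's calls.
    """
    def reachable(person):
        return (person not in absent
                and bool(channels.get(person, set()) - set(lost_channels)))

    reached = set()
    queue = deque([root])
    while queue:
        person = queue.popleft()
        if person in reached:
            continue
        if reachable(person):
            reached.add(person)
            queue.extend(tree.get(person, []))
        else:
            deputy = deputies.get(person)
            if deputy and reachable(deputy) and deputy not in reached:
                reached.add(deputy)
                queue.extend(tree.get(person, []))
    return reached


def cut_off(tree, root, absent=frozenset(), lost_channels=frozenset()):
    """People reached in normal conditions but not under the given ones."""
    baseline = run_cascade(tree, root)
    degraded = run_cascade(tree, root, absent, lost_channels)
    return sorted(baseline - degraded)


def single_points_of_failure(tree, root):
    """Map each person to the others who are cut off if that person alone
    is unreachable; people covered by a working deputy do not appear."""
    spof = {}
    for person in sorted(everyone(tree)):
        isolated = [p for p in cut_off(tree, root, absent={person})
                    if p != person]
        if isolated:
            spof[person] = isolated
    return spof


if __name__ == "__main__":
    print("ict_lead absent:", cut_off(CALL_TREE, "cp_manager", absent={"ict_lead"}))
    print("mobile network down:", cut_off(CALL_TREE, "cp_manager", lost_channels={"mobile"}))
    for person, isolated in single_points_of_failure(CALL_TREE, "cp_manager").items():
        print(f"single point of failure: {person} -> {isolated}")
```

In this constructed tree the deputy arrangement covers the loss of ops_lead, while ict_lead and the root have no cover, and a mobile outage strands every mobile-only contact below the first unreachable caller.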
Output
A structured and formal scenario based program that will test the organisation's Contingency Plan to ensure that the contingency testing and training is adequate and that the decision making processes are in place, embedded in the organisation's business processes and implemented effectively within the Contingency Plan.

Stakeholders
As with Contingency Testing, the Contingency Planning managers are the key stakeholders for Contingency Exercises, as they have a responsibility to the Executive Management and also potentially to the Industry Regulator to validate that their Contingency Plans are fit for purpose. Contingency Exercises follow on from Contingency testing and not only involve an organisation's internal resources, but have the potential to involve a number of external organisations such as the Emergency Services, Industry peers and Government. Customers will need to be advised that an exercise is being staged.

5.6 The Maintenance Phase
The maintenance phase is where the Contingency Plan is modified and updated to meet an organisation's new objectives and changes in its environment of operation, and also where the lessons learnt are introduced into the maintenance phase. Additional results from ICT Security Testing (Risk Assessment), e.g. Penetration Tests, along with inputs from the Risk Assessment element, are input into the maintenance phase, as the compromise and/or loss of ICT services can lead to the loss of service delivery for an energy provider, e.g. it can prevent the generation and distribution of energy.

Figure 30: The maintenance phase

5.6.1 Contingency Planning Maintenance
Objective
The objective for Contingency Planning Maintenance is to ensure that the contingency plan, and its associated processes, is subjected to a constant formal evaluation and maintenance cycle to provide an organisation with a high level of assurance that the Contingency Plan is up to date and satisfies the organisation's Contingency objectives and requirements.

Approach
Contingency Plans need to be maintained on a periodical basis to ensure that all dispositions are up to date and reflect the latest changes in the organisation and its environment. To this purpose a maintenance plan should be developed to ensure that the various components are reviewed and maintained at an adapted frequency.

Further to periodical maintenance tasks, a stronger approach to Contingency Plan maintenance is to identify all events that can trigger a change in the contingency plan. An organisation can therefore embed contingency planning into all of its business processes to ensure that when a decision to introduce, update or remove a process or service is taken, the relevant changes are reflected within the Contingency Plan. This should include aspects like:
1. ICT: Changes to key ICT equipment and services can have a significant impact on being able to support a business's Contingency Plan and, as such, changes made to the structure of key ICT infrastructure components must be incorporated into the contingency plan, including comprehensive component descriptors. This process could be embedded within the internal ICT Change Management process, where part of the process involves updating the contingency plan and the associated Disaster Recovery Processes.
2. Personnel: Personnel will leave and join an organisation as part of normal business activity, but when this happens and when the personnel have a role within the Contingency Plan, this should be controlled. This should be reflected in the appropriate business processes such as the company directory (role, telephone numbers, etc.). As this is critical for the 'Call Tree', this could be embedded within the organisation's 'Starters & Leavers' processes, where personnel movements are managed.
3. Physical Infrastructure: The infrastructure is critical to the delivery of service for the majority of the energy sector, and changes made to this infrastructure need to be maintained and incorporated into the contingency plan. This process could be embedded into the infrastructure works and maintenance (new or replacement) project plans, and changes to the infrastructure would be recorded as changes are made. In the energy sector, the asset management process is identified as one of the prevalent processes for infrastructure management and maintenance; it is therefore recommended that this process contains dispositions for Contingency Planning impact analysis when changes are applied to the infrastructure.
4. Transport: Where the energy sector is reliant on transport (Water, Rail or Road), or where there is an alternative contingency requirement to utilise transport when infrastructure (pipes & transmission lines) isn't available, the details of transport requirements and the contingency expectations for the delivery of energy need to be addressed within the contingency plan. Whether transport is a primary requirement and/or a contingency requirement, these requirements need to be introduced into the contingency plan. This is best achieved through the embedding of contingency plan update requirements into the processes of adding, removing and updating suppliers on the organisation's financial systems. Where the need for transport is solely to provide a contingency solution following the loss of distribution infrastructure (gas/oil), the contingency plan needs updating when the requirement for the delivery of supplies is changed (who, amount, priority, etc.).
5. External Advice: Advice from external agencies could take the form of Regulatory requirements, Standards, industry recommendations, advisories, bulletins, etc., and should be reviewed internally by the organisation's subject matter experts before submitting formal recommendations for changes to be made to the contingency planning process and the contingency plan. Most of this information would be manifested in the form of documents. This requires formal methods to embed the capture of this information into the business processes, and this could be achieved by making key contingency planning personnel responsible for this process within their fields of expertise and responsibility.
6. Third parties involved in Contingency Planning (Suppliers, authorities, emergency services, Government (Local, Regional, National, EU & International) and research, etc.): Where there is a change within third party organisations, this needs to be reflected within the contingency plan, and this can best be achieved at the contract agreement stage, with the contingency plan changes undertaken as part of the process of adding/amending suppliers on the financial systems. This process should be embedded so that changes are reflected in the contingency plan as and when the changes are agreed.

In addition to maintaining the strategy and processes of the contingency plan, it is crucial to ensure the maintenance of critical contingency resources which are not in use in day to day operations. For this purpose, the most efficient approach is not to create new maintenance regimes for these specific assets but rather to assign them to existing maintenance processes. For example, additional fleet resources would fall under the fleet maintenance regime of the organisation, Disaster Recovery systems under the ICT maintenance process, office generators under the facility management maintenance process, etc.

Stakeholders
Contingency Planning Managers are the key stakeholders of Contingency Planning Maintenance, as they have overall responsibility for Contingency Planning Management within the organisation. They will include most elements of the organisation in the Contingency Planning Maintenance Life Cycle and will also take input from external elements such as Industry, the Regulator and Government in order to ensure satisfactory maintenance levels are achieved.

Output
The output is a series of formal maintenance update processes covering the different elements of the contingency plan, with defined responsibilities.

5.6.2 Contingency Lessons Learnt
Objective
After an exercise, there will be lessons learnt that need to be studied, analysed and, where appropriate, introduced into the organisation's Contingency Plan. The objective is to ensure that identified weaknesses, or areas identified without appropriate and required contingency coverage, are addressed in an effective manner in order to mitigate the identified weaknesses within the contingency plan.

Approach
The approach should be a holistic and organic approach to understanding weaknesses within the contingency planning processes, taking input from a number of different sources including:
1. Contingency Tests
2. Contingency Exercises
3. Contingency Incidents
a. Internal
b. External
4. Good Practices
5. Industry Research
6. Peer Reviews

Stakeholders
As with Contingency Planning Maintenance, Contingency Planning Managers are the key stakeholders of Contingency Lessons Learnt and, as this is an important process, they will receive feedback from most elements of the organisation in the Maintenance Life Cycle and will also take input from external elements such as Industry, the Regulator and Government.
External 4.2 Lessons Learnt Following the testing. or even a contingency incident (within the organisation or external to the organisation). Risk Assessments 8. Security Assessments 7. Objective To ensure that identified and highlighted shortcomings in the contingency plan. 3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Output The output should be a formal approach and processes to allow the organisation to incorporate the relevant ‘Lessons Learnt’ within the contingency plan to ensure the effectiveness of the organisation implemented contingency plan and contingency planning process. Page 98 of 118 .D2. 3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies <THIS PAGE IS INTENTIONALLY BLANK> Page 99 of 118 .D2. 3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 6 The EURACOM Combined Risk Assessment and Contingency Planning Approach From the principles defined in section 3. the two sets of practices for Risk Assessment and Contingency Planning have been designed to be implemented in a combined approach building on the generic links identified in section 2.2. The general relationship between Risk Assessment and Contingency Planning can be illustrated by putting the two approaches on a single diagram and linked by the “preparation loop” on the one hand and the “lessons learnt” loop through the maintenance process on the other hand. Page 100 of 118 .D2. Figure 31: The Combined Approach Taken by EURACOM to Risk Assessment and Contingency Planning. Figure 32: The preparation loop The relationship in detail is as follows: • Definition of scope of Contingency Planning as described in 5. 
there is a link between the results of the Risk Assessment and the implementation of Contingency Planning.1: “The scope can be set using the inputs of the Risk Assessment activities (please refer to section 4): either by reusing the scope of the risk assessment or by refining it to the areas that are identified as having predominant risk profiles (areas of high threat exposure or areas where occurrences of risk factors reach particularly high severity)”.D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 6. • Definition of the objectives of Contingency Planning as described in 5.4.4. This first link is called the “preparation loop” as it is mainly occurring during the preparation activities when moving from the evaluation of the risk factors to the definition of a Risk Treatment Strategy. Depending on the scales selected for the assessment of risk (please refer to Risk Assessment approach)”.1 The preparation loop On the direct linear sequence of steps. Page 101 of 118 .1: “This can be pragmatically performed by setting the risk appetite of the organisation by identifying the acceptable level of risk the organisation is ready to accept. 3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies • Risk Mitigation Strategy Setting as described in 5.2 The lessons learnt loop The “lessons learnt” loop characterises the feedback from tests and exercises into the risk assessment process.3: “This process is initiated by a review of the risk factors identified in the scope of the analysis (please refer to section 4.5.3 : “The information gained from the de-briefing(s) should then be analysed and then the results from the analysis will then feed into the lessons learnt process and therefore into the contingency plans maintenance phase to ensure that all captured issues that need attention are addressed appropriately.D2.4. 
Figure 33: The “lessons learnt” loop The relationship in detail… • …starts from the results of Tests and Exercises of Contingency Planning as described in 5.… • …goes through the Maintenance process to update the contingency plan and where necessary … Page 102 of 118 .3.2. 6.”.7) as part of the Risk Assessment exercise”. D2. Page 103 of 118 .3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies • …feeds into the Risk Assessment for the update of risk factors that are better understood (in terms of effect for example) or newly identified from tests and exercises activities. 1 Introduction In systems theory.). Dependency and interdependency relationships are particularly prevalent in the case of energy infrastructures. Additionally. Page 104 of 118 . or are supported by. cross sector. 7. interdependency). each of the other infrastructures in each mode of operation [CROSS REFERENCE TNO PAPER/BOOK CHAPTER IFIP 2008].D2. The process of identifying and analysing dependency and interdependency relationships requires a detailed understanding of the overall system. and they also typically involve numerous system components. an interdependency exists when a change in the state of one system element induces a change in the state of another system element (i. etc. As the levels of complexity increase and interdependency becomes more prevalent. and they should be treated as such within a risk and contingency management framework. interdependencies may vary considerably both in their scale and complexity.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 7 Managing Dependencies of the energy sector in Risk Assessment and Contingency planning The objective of this section is to describe how risk assessment and contingency planning activities focusing on dependencies in the energy sector can be implemented within a wider multi-stakeholder framework (sector. 
This process provides valuable and essential information for risk assessment and contingency planning. potentially inducing large-scale effects.e. country. These relationships can create subtle interactions and feedback mechanisms that have the capability to lead to unintended behaviours and consequences. complex and highly interconnected networks. increased levels of risk may occur with higher levels of uncertainty. region. which in turn induces further changes in the state of the first system element via feedback mechanisms (i.e. and in particular how the components of each infrastructure and their associated functions or activities depend on. Problems in one infrastructure can cascade to other infrastructures. which display the characteristics of highly structured. or interact with. dependency). Interdependencies therefore introduce an additional level of vulnerabilities in the system. The general Page 105 of 118 . region.2 Managing dependencies in risk assessment (EURAM) The risk assessment process can be conducted at a multi-stakeholder level to address complex dependency paths and interdependencies within the sector.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies Figure 34: The High Level Analysis of Risk Assessment and Contingency Planning. 7. or at higher scales.D2. • with the same guidelines or references (e. by reconsidering the assets.2 Identifying vulnerabilities stemming from interdependency situations within a wider scope The identification of vulnerabilities and evaluation of risks at this higher level of analysis is based on the results of previous risks and interdependency analyses carried out by each organisation/infrastructure. Each member of the workgroup will be in charge of contributing with information concerning their specific area of expertise. along with an overall supervising authority to coordinate/lead the entire process.2. 
• Information about the external dependencies of each infrastructure with information about their level of resilience over time. Page 106 of 118 .g.D2. The stakeholders involved in the risk assessment process have to be identified at this stage. EURACOM’s threats and asset lists + similar sources for vulnerability analysis) and. A harmonised approach to the identification of dependencies and risks at the organisational level would ensure a well-coordinated implementation of this very important stage in the multi-stakeholder risk assessment process. 7.). it poses the question of comparability of results.g.2. EURACOM).1 Defining the scope of the analysis and the risk assessment team The risk assessment scope has to take into account critical dependency paths at a wider level than the organisational one. Once the scope and coordinating authority are defined.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies approach described in section 4 can be applied at higher levels of analysis. The objective of this approach is not to sum up point risk estimates assessed by each Infrastructure Operator (as this information is also confidential for each operator). The objective is to aggregate: • high level information from the operators about their level of resilience over time to high level categories of risk factors without giving the detail of the associated vulnerabilities in the infrastructure. the risk assessment activities would require the support of a workgroup constituted of business and security experts from the various infrastructures included in the scope. country etc. threats and vulnerabilities in order to fit with the complexity of larger scopes (sector. cross-sectors. It requires therefore that all organisations use • The same approach (e. region. If the risk assessment aims at aggregating more precisely the results of individual risk assessments carried out by each organisation. 
Concerning the scales for risk assessment, it is necessary, if a single set of scales is to be applied across a wide scope involving many organisations, that the severity scale (please refer to 4.3) is wide enough to cater for the situation of the various organisations that are supposed to use it. To illustrate this using a simple example, let's consider two organisations A & B operating Critical Infrastructures in the energy sector, A being a rather small and focused organisation and B a large organisation concentrating many activities:
• For their own internal risk assessment, these companies could use a limited scale directly linked to the size of their operations, with severity levels corresponding to similar ratios of their turnover for financial impact, of their customers in terms of energy supply disruption, etc. These scales are then appropriate to each organisation's context but cannot be compared, as they are built on the specific situation of each organisation. In our case an Impact Level 5 for company A would be far lower than the same Impact Level 5 for company B.
• If their risk assessment results are to be aggregated, the scales for severity evaluation need to be based on absolute values that can be compared across the board. In this case it is unlikely that a 5 level scale as advised in 0 can be sufficient to cover with enough granularity the full spectrum of severity levels that could arise from the smaller organisations like company A or the largest like company B. It is therefore necessary to expand the scale for severity assessment.

Figure 35: A unique severity scale for multi-stakeholder scopes

Concerning the probability scale, the adoption of shared levels is less of an issue, as this dimension of the risk is less influenced by scale (size). Therefore the area of risk, when going to a wider scale of analysis, would only expand in one dimension, as illustrated in the following figure.

Figure 36: A unique severity scale for multi-stakeholder scopes

It should be noted that, as a precondition to evaluating new risks, the scale for risk evaluation should also be reconsidered in the frame of the wider risk assessment scope.

7.2.3 Evaluating (inter)dependency risks
Vulnerabilities identified according to the approach described above, along with inputs from an (inter)dependency analysis carried out on the same scope, will support:
• identification of the risks which have the most relevance in the wider scope of the study;
• information sharing between the various parties, which will allow operators to identify risks that they had not initially considered.

The overall output of these risk assessment activities would then feed into the contingency planning process.
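The two-organisation example from 7.2.2, worked through in code as an added illustration that is not part of the EURACOM deliverable: the turnover figures, the turnover-ratio bands of the internal five-level scale and the decade-based construction of the shared absolute scale are all constructed assumptions. It shows that A's and B's internal "Level 5" land on different levels of the shared scale, that the shared scale needs more than five levels to cover both, and that the risk area grows only along the severity axis.

```python
"""Organisation-relative vs. shared absolute severity scales (section 7.2.2).

Added example, not part of the EURACOM deliverable. Turnover figures,
ratio bands and loss amounts below are constructed for illustration.
"""
import math
from bisect import bisect_right

# Organisation-relative scale: each severity level is a band of financial
# impact expressed as a fraction of the organisation's annual turnover.
# Four thresholds give five levels (1 = below 0.1 % of turnover, 5 = 20 %+).
# Constructed values.
RELATIVE_THRESHOLDS = (0.001, 0.01, 0.05, 0.20)

# The probability scale is shared as-is and kept at five levels, since this
# dimension of the risk is little influenced by organisation size.
PROBABILITY_LEVELS = 5

# Constructed scenario: A is small and focused, B is large (EUR turnover).
TURNOVER = {"A": 50e6, "B": 20e9}


def relative_level(loss_eur: float, turnover_eur: float) -> int:
    """Severity level 1..5 on the organisation's own turnover-relative scale."""
    return bisect_right(RELATIVE_THRESHOLDS, loss_eur / turnover_eur) + 1


def level_floor_eur(level: int, turnover_eur: float) -> float:
    """Smallest absolute loss (EUR) that reaches `level` on a relative scale."""
    if level <= 1:
        return 0.0
    return RELATIVE_THRESHOLDS[level - 2] * turnover_eur


def absolute_thresholds(turnovers_eur) -> list:
    """Build one shared absolute severity scale wide enough for all participants.

    Assumed construction (not prescribed by the deliverable): thresholds are
    powers of ten in EUR, from the decade containing the smallest loss that is
    already level 2 for the smallest organisation, up to the decade containing
    the smallest loss that is level 5 for the largest one. The number of
    levels thus grows with the spread of organisation sizes in the scope.
    """
    lo = min(turnovers_eur) * RELATIVE_THRESHOLDS[0]
    hi = max(turnovers_eur) * RELATIVE_THRESHOLDS[-1]
    lo_exp = math.floor(math.log10(lo))
    hi_exp = math.ceil(math.log10(hi))
    return [10.0 ** e for e in range(lo_exp, hi_exp + 1)]


def absolute_level(loss_eur: float, thresholds) -> int:
    """Severity level 1..len(thresholds)+1 on the shared absolute scale."""
    return bisect_right(thresholds, loss_eur) + 1


def risk_matrix_size(severity_levels: int) -> tuple:
    """(probability levels, severity levels) of the risk area: only severity expands."""
    return (PROBABILITY_LEVELS, severity_levels)


if __name__ == "__main__":
    # Both organisations rate an event "Impact Level 5" on their own scale...
    loss_a = level_floor_eur(5, TURNOVER["A"])  # 10 million EUR
    loss_b = level_floor_eur(5, TURNOVER["B"])  # 4 billion EUR
    print("A: level", relative_level(loss_a, TURNOVER["A"]), "at EUR", loss_a)
    print("B: level", relative_level(loss_b, TURNOVER["B"]), "at EUR", loss_b)
    # ...but the same loss of 1 million EUR is level 3 for A and level 1 for B.
    print("EUR 1e6 -> A:", relative_level(1e6, TURNOVER["A"]),
          "B:", relative_level(1e6, TURNOVER["B"]))
    # On one shared absolute scale the two "level 5" events are far apart,
    # and the scale needs 8 levels rather than 5 to cover both companies.
    shared = absolute_thresholds(TURNOVER.values())
    print("shared scale levels:", len(shared) + 1)
    print("A's level 5 on shared scale:", absolute_level(loss_a, shared))
    print("B's level 5 on shared scale:", absolute_level(loss_b, shared))
    print("risk area (probability x severity):", risk_matrix_size(len(shared) + 1))
```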
7.3 Managing dependencies in contingency planning
Contingency and response plans also need to be assessed from an infrastructure interdependencies perspective. Several mechanisms can be implemented to address (inter)dependencies within a multi-stakeholder framework; the overall aim of these mechanisms is to facilitate and enhance coordination among stakeholders in complex emergency situations through harmonised information management (sharing) and contingency planning. Coordination mechanisms create linkages across system components and facilitate communication and linked action between the various entities with preparedness and planning responsibilities, as well as maximising the capacity and effectiveness to manage dependencies at the organisational level. In a situation of interdependence, concerted action comes namely through coordination, seen as the process of managing dependencies and interdependencies. The following sections describe how the EURACOM approach as described in section 5 should be applied in a multi-operator framework in order to incorporate the management of interdependencies in interconnected networks into the contingency planning process.

7.3.1 Preparation Phase

7.3.1.1 The Objectives and scope
Coordinated alignment of contingency plans' objectives among stakeholders helps to ensure that multiple plan components are focused on the same, or very similar, outcomes. Hence, for a joint (multi-operator) approach to risk management and contingency planning, the development and alignment of strategic goals is an obvious but important condition, and key to deploying an inter-organisational planning effort that takes cross-cutting dependencies into consideration. This implies for example that operators on each side (we assume for the sake of clarity a scenario of two interconnected networks, e.g. in a cross-border environment) share fundamental objectives and requirements with regard to risk acceptance (level of resilience or risk mitigation) and risk mitigation strategies, business continuity (maximum outage time etc.), restoration etc. On the other hand, differences in the respective national regulatory and legislative frameworks, and possibly in contractual and financial conditions, have to be considered. The formulation of a joint strategy and corresponding objectives is based on a formal, mutual agreement and commitment, and requires the participation of representatives from both sides (senior management and assigned lead participants).

7.3.1.2 Organisation for Contingency Planning
Common approaches to risk assessment and contingency planning have the potential to increase the level of coordination where several organisations and their dependencies are involved. It is therefore necessary that the participating operators agree on a common organisational framework and management approach (i.e. EURACOM). This would cover the following arrangements:
• Organisational model (set up of a joint expert team) and key roles and responsibilities (see Error! Reference source not found.).
• Fundamental communication means and procedures.
• Documentation plan (essential documents that sustain a shared contingency management process, e.g. guidance documents etc.).

Even though it is out of the scope of the contingency planning approach itself, it should be stressed that a detailed knowledge and understanding of the specific (inter)dependency risk scenarios is required in order to identify appropriate and effective risk mitigation solutions (see 5.4.3). In particular, this also requires prior agreement on the scope, i.e. the boundaries of the dependency analysis taking into account all modes of operation, the types of scenarios (e.g. intra-sector, cross-sector, cross-border), the types of dependencies (namely physical dependencies as in power infrastructures and, e.g., cyber dependencies, and resource dependencies (people, materials, transport, supply chain, etc.)), the level of detail of the underlying risk analysis etc.

With regard to the management of interdependencies, a holistic, all-hazards approach to risk assessment is expected to include a focus on:
• Upstream infrastructure assets (e.g. components (network supply, information technology and telecommunications) vs. operational partners) that, if lost or degraded, could adversely impact the performance of own infrastructures in the case of:
   o Normal and stressed operations
   o Disruptions (including coincident events, e.g. N-2)
   o Repair and restoration
• Identifying how interdependencies may change as a function of outage duration, frequency, and other factors in all modes of operation.
• Identifying the linkages between own infrastructure and downstream (in particular community) assets (as potential grounds for major high-scale disturbances).
• Cascading effects vs. risk of simultaneous failure through common vulnerabilities; time characteristics of degradation and restoration.
• Identifying how backup systems or other mitigation mechanisms can limit and/or reduce interdependence problems in all modes of operation.

7.3.1.3 Risk Mitigation Strategy Setting
The identification of the risk mitigation approach for each considered risk category relies on the outputs of a joint risk assessment (see section 7.2). This is based on the selection and analysis of relevant, realistic scenarios, with focus on network connectivity and supply continuity (as already identified and subject to the underlying risk analysis, see above in 7.3.1.2). These will naturally focus on the prevention, mitigation, acceptance etc. of identified risks, namely with respect to operational continuity in all modes of operation. The conclusions and decisions should be documented in a Risk Treatment Plan or equivalent, as part of the overall documentation plan shared and used by all involved operators / stakeholders.

7.3.1.4 Implementation of Prevention and Protection measures
In this step, the participating stakeholders agree on distinct prevention and protection measures, applying the formal process as described in 5.4.4, with focus on interdependency in all modes of operation, e.g.:
• (physical, cyber) protection of shared network infrastructure components,
• backup systems and mitigation mechanisms to limit the impact of interdependence problems,
• reducing the likelihood of cascading effects,
• reducing the likelihood and/or periods of disruptions (outage times of critical components),
• ...

7.3.1.5 Implementation of Response and Recovery measures
The planning and implementation of response and recovery measures should follow the formal approach as described in section 5.4.5. Specific response and recovery measures should for example address:
• Formation of organisational structures for incident response and recovery (joint teams), and coordination (operational procedures, communication) between participating stakeholders.
• Set-up and/or activation of back-up infrastructures, use of alternative (external, third-party) systems and components (failing-over strategy).
• Coordination of communication and reporting to external stakeholders.
• ...

In a multi-stakeholder scenario, the planning of response and recovery measures must pay particular attention to the aspects of communication as well as monitoring and information sharing (see section 7.3.3.3). For each participating operational partner, the flow of communication between stakeholders has to be mutually agreed and relevant contact persons within every organisation identified accordingly, along with established procedures for information exchange and a predefined frequency of exchanges in different scenarios (e.g. incident, accident, disaster, etc.). This ensures that in the case of a risk occurrence each operator becomes immediately aware of the incident, in order to act according to the established plans (as part of the overall documentation plan) and as fast as possible.

It is important to consider that the management of incident response and recovery for network connectivity and related interdependency issues should not stay isolated from the general contingency plan (of each single operator) and its elements (incident management, crisis management, business continuity management). This becomes clear when considering that in a real-world scenario certain risks may relate to each other and therefore occur together or in some sequence. In other words, operators should implement integrated contingency planning processes that satisfy the needs for a joint management of risks related to network connectivity and interdependencies (multi-stakeholder framework) on the one hand, and that also fit into and extend already established processes at the level of each participating organisation on the other. As a matter of fact, this integrated approach to risk management and contingency planning is a major challenge from the organisational perspective. On the other hand, inter-organisational resource alliances, e.g. through collective groups for incident response management and recovery, can be a powerful means to increase flexibility and resilience in crisis situations through joint synergy and planning. Each member of the alliance may take advantage of multiple strengths to address both shared and individual weaknesses, thereby increasing their level of resilience. These alliances and forms of cooperation are considered by the training approach.

7.3.2 Test, Exercise and Training Phase

7.3.2.1 Contingency Planning Training
In a multi-stakeholder scenario, the need for joint training and exercising is evident and has to be supported by a documented contingency training plan. The planning and organisation of training follows the general approach (section 5.5.1). Such a joint plan should be elaborated as an extension to the general contingency training plan (in line with the considerations for integrated contingency process management made in section 7.3.1.5), addressing key aspects such as:
• training of individuals according to their role and responsibility vs. scenario-based training (groups, up to all participants);
• efficient exchange of information and better communications during incident management and recovery;
• efficient sharing of resources;
• the operational and communication arrangements within a multi-stakeholder decision-making procedure.

The roles and responsibilities for each partner should be clearly established and periodically reviewed. In addition, the commitment from senior and executive management must be continuous in order to support the implementation of such common programmes and also their continued operation.

7.3.2.2 Test the Contingency Plan
Contingency plans should also be jointly tested and reviewed, thus ensuring consistency, completeness, effectiveness, adequacy and quality of the contingency plan and its main elements. This is particularly important for (inter)dependency scenarios, as these have by default a higher level of complexity. As for the testing of contingency plans in general, there are several types of exercises, such as formal reviews and auditing, walk-through, table top exercise, simulation, etc. (see section 5.5.2). As a prerequisite for these exercises, the organisation's contingency plan should take full consideration of the interface with other similar plans involving external parties (commercial/operational partners, providers, local/regional authorities etc.).

7.3.2.3 Contingency Exercises
Scenarios for incident response and recovery management should be executed on the basis of simulated (invoked, but controlled) real-world scenarios, against a series of pre-defined scenarios involving cascading contingencies. This will give partners an opportunity to think in advance of possible complex contingency occurrences and to plan their anticipated responses in the context of an agreed chain of command, so as to allow them to be better prepared. For instance, Table Top exercises are useful tools to test and brainstorm alternative techniques for response, available resources, information and communication flows, other procedural and organisational aspects, and resource management during contingency situations. This would provide relevant information for the design and preparation of contingency plans. Exercises should always be followed by a joint review (including 'lessons learnt', see section 5.6.2) with participation of the lead and other assigned participants. The process of designing such common exercises also has some ancillary benefits, such as gradually building mutual trust and therefore facilitating and supporting future exchanges in real life situations.

7.3.3 Maintenance Phase

7.3.3.1 Contingency Planning Maintenance
In order to incorporate the conclusions of training, testing and exercising and to keep the contingency planning process updated, the participating operators should implement a formal maintenance process. This encompasses all plans and other documents that compose the jointly managed documentation plan. Typical changes and aspects related to interdependencies in all modes of operation are:
• Personnel, assigned responsibilities etc.
• Resources (technical infrastructure, communication means, etc.).
• Regulation, legislation, notification procedures.
• Training.
• ...

7.3.3.2 Lessons Learnt
Maintenance also considers the need for modifications to the planning process and specific arrangements, with respect to responsible elements, actual planning elements, etc. These would address any kind of shortcoming identified in the scope of testing and exercising (lessons learnt).

7.3.3.3 Monitoring and Information Sharing
Information sharing concerns the willingness an organisation has to make strategic or tactical data available to others. Collaboration, on the other hand, reflects the ability of an organisation to share and use information exchanged with others. To effectively plan for, and react to, various contingencies, organisations should aim to build a common memory on methodologies, best practices, lessons learnt from past disruptive events, threats, impacts and protective measures, as well as reaching a common understanding and vision of the planning process. It includes the ability to deploy joint information exchange systems, providing a means to collect, disseminate and utilise information in a timely and efficient manner, in both normal and stressed conditions. Timeliness and efficiency refer to inputs being inserted in the optimal sequence in the process.

It is important to mention here also that a pre-requisite for information sharing is to provide trust, transparency and clear mechanisms for sensitive information handling. Without this, organisations will be reluctant to share information about their risk and response strategies. Collaboration therefore involves an interdependent relationship engaging all the parties to work closely together and create mutually beneficial outcomes, by engaging all the parties in a collaborative effort to establish and share joint knowledge and information.

As an illustration of how the information exchange process can be implemented at the sector level, the ENTSO-E Transparency Platform publishes data on congestion management, cross-border physical flows, balance management and interconnection outage information. More than thirty European Transmission System Operators (TSOs) participate actively in this exercise by publishing information on e.g. day-ahead Net Transfer Capacity, planned schedule evolutions, system vertical load, cross-border commercial schedules and auction information. Furthermore, it is important to mention the underlying effort in developing common standards for data supply and publication, along with data provision agreements and rigorous information exchange policies. This is a good example of successful collaboration at the sector level. Building on existing efforts such as the one previously mentioned, sector-specific information exchange platforms can be extended to address dependency issues not only from a market perspective but also at the operational level, including cross-sector insights on infrastructure vulnerabilities.

The benefits of implementing a multi-stakeholder contingency planning process are numerous: establishing and sharing joint knowledge and expertise, a tested mechanism for rapid decision making involving several partners targeted at addressing complex contingencies, added value in terms of flexibility and focused effort, readiness and availability of resources (notably human and material), access to joint knowledge and expertise, along with overall communication and coordination. There is however a danger, requiring effort on monitoring and maintenance as well as on providing continuity to the process, that the process could cease and fail through neglect, for instance in the case of multiple staff changes. It should also be mentioned that these processes are dynamic in nature, namely through partnership agreements and collaborative efforts involving many stakeholders. Constant support from senior and executive management and robust procedures for feedback and maintenance are vital to the successful implementation of such schemes.

7.4 Current Framework for Operational Practices
The electric power sector in Europe is undergoing a series of very important changes which have a strong impact on power system security; among these, topics such as congestion management have a strong impact on both power system security and market liquidity. Current regulatory developments in the electricity sector are mainly focused on market based mechanisms, such as congestion management and inter-TSO compensation mechanisms. The requirement for market-based solutions to cross-border congestion management was introduced by Regulation n. 1228/2003, which restricts the choice of eligible methods to implicit auctions/market splitting and explicit auctions. This means that TSOs are responsible for ensuring that capacity allocation complies with security requirements and for defining power transfer distributions which are consistent with the appropriate security standards, i.e. maximising available cross-border transmission capacity without compromising system security.

Furthermore, the EtsoVista Transparency Platform was launched in 2006 and further expanded in 2008 to include information on balance area profile and network capacity, also including a focus on system security. The focus is mainly on information exchange among TSOs, i.e. commercial data, information on specific methods applied, e.g. outcomes of contingency analyses, and data relevant to the secure operation of the power system. Although the scope of the information currently shared is limited with respect to security issues, this process can serve as a means to support risk assessment at interconnectors.

Furthermore, security issues at the wider European level were addressed by ERGEG in the 2008 Guidelines of Good Practice for Operational Security:
• Technical framework for operational security.
• Organisational framework for synchronous power system operation.
• Training and certification of TSO staff.

These regulatory attempts targeted at the electricity sector illustrate a wider effort to guide current approaches addressing complex risks in the energy sector.
The guidelines also envisage a common monitoring system for increased efficiency in disturbance prevention and system defence in cases of disturbed conditions. this ongoing process can serve as a basis to implement wider collaborative processes. namely: • Roles and responsibilities of different stakeholders and market players. and with the aim to support collaboration and coordination between operators. This exchange of information would also include regular joint training between operators to improve the knowledge on the characteristics of neighbouring grids. by focusing on how technical rules and operational procedures could work at a regional level to address interconnectivity issues. to calculate capacity. etc. regarding operational experiences. without specifying however implementation details. Within this perspective. The document covers four areas. This includes an overall effort engaging the many actors in the field to formalise good cooperation and targeted mechanisms and procedures aimed to address interdependencies from a system-wide perspective. D2.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies <THIS PAGE IS INTENTIONALLY BLANK> Page 117 of 118 . it provides a good aid and benchmark to the risk managers and operations managers when asking themselves the question “Have I covered everything?” which is one of the most common worries for these often “lonely” positions. In this way. First by enhancing risk management practices in the energy industry through the implementation of Risk Assessment and Contingency Planning at the level of each operator. Then by providing some mechanisms to develop these risk management practices on larger scopes of applicability including multi-stakeholders and interconnected energy infrastructures. Page 118 of 118 . The result of these exchanges will allow improving the EURACOM methodology in a subsequent version which will be one of the main results of the EURACOM project. 
gas and electricity and also their regulators and associated national institutions. all hazard and combined approaches to Risk Assessment and Contingency Planning will then be put to discussion in the EURACOM community through 6 workshops gathering experts from the Industry sub sectors of oil. This positive contribution should be achieved in two ways. It is also foreseen that the wide adoption of similar risk management practices across the energy sectors would have some benefits in terms of interoperability of practices and overall efficiency of the security and resilience posture of the whole sector.3 Integrated report on the link between Risk Assessment and Contingency Planning Methodologies 8 Conclusion This document presents some candidate principles for the wide adoption of risk assessment and contingency planning approaches in the energy sector in order to contribute to enhance the resilience level of the interconnected energy networks. This first version of the EURACOM methodology for holistic. This has the benefit of providing operators with a clear reference on which aspects they have to consider and through which process.D2.
Copyright © 2024 DOKUMEN.SITE Inc.