CHAPTER 11: ASSESSMENT OF THE IMPACT OF SERVICE DISRUPTIONS
‘The World Economic Forum affirmed that in the next 10 years there is a 10% likelihood of a major Critical Information Infrastructure breakdown with possible economic damages of over $250 billion. Incidents and attacks are on the rise.
The big message was that cybersecurity is a matter that cannot be left to the technical people. It is a matter for board levels.’15 – Neelie Kroes
As mentioned earlier, not all critical infrastructure services are the same. Some are more important than others, such as power supply and communication services that are needed to operate other critical infrastructure services. Then there are services that depend less on other services and can work relatively independently. Some services are more important at certain times than others, and some are more important for some people than others.
What happens when, for whatever reason, a critical infrastructure service does not work for one minute, ten minutes, one hour, ten hours, one day or ten days? What is the impact of the disruption? Will it immediately result in a threat to people’s lives and health, will it cause economic damage, is there a risk of environmental pollution, is there a threat to the service provider’s assets or to the assets of users?
These impacts should be assessed on different scales. They can be the life and health of people, economic, environmental or reputation-related. The size of the area affected by the service disruption should also be considered when impact is assessed, as well as the number of the service provider’s clients and service users that would be affected by the service disruption.
Impact assessment and analysis is a lot easier if the connections between the services have been described. It is even easier when data has been visualised.
The whole critical infrastructure service may not be disrupted in all incidents. A disruption may simply lower service quality, or it may be possible to provide the service at reduced capacity or reduced functionality. It is important to analyse in terms of the duration of a disruption whether and how quickly damage will increase.
Does the disruption of a service influence the operation of another service, and how? A disruption in power supply is highly likely to influence all other critical infrastructure services. Many companies use an uninterruptible power supply and generators to guarantee power supply for their systems. Generators can usually guarantee power supply in the event of power cuts for a couple of hours, depending on the size of the generator’s fuel tank. However, it would be necessary to put more fuel in the generator’s tank during longer power cuts, so where would you get the extra fuel from if the power cut affects a whole region or an even bigger area? If no fuel is available, the generator is only a temporary solution.
Uninterruptible power supply and electricity generators also guarantee that server rooms and data centres work. However, even if there is electricity in a data centre, there might not be at the bank or an ATM, which means that the client cannot use their services. Even if an uninterruptible power supply or generator was used at the bank, it might still not be enough. Data communication would still be down, as there would be no electricity in some of the data network hubs.
The impact of the disruption of services on the provided critical infrastructure service must also be considered in an impact assessment. How will the disruption of another critical infrastructure service affect the provided service?
Analysing the impact of incidents and the extent of the damage they may cause will hopefully give a better understanding of possible risks and how much should be invested in cyber security.
Lesson 11: Assess the impact of service disruptions.