by Chris W. Johnson
In recent years, terrorist attacks, system failures and natural disasters have revealed the problems that many countries face in preparing for national civil contingencies. The diversity of critical infrastructures and the interconnections between different systems make it difficult for planners to anticipate everything. For example, the loss of power distribution networks can disrupt rail and road transportation systems. Knock-on effects can also be felt across telecommunications infrastructures as the uninterruptible power supplies (UPS) that protect mobile phone base stations fail over time. In addition, domestic water supplies are affected when pumping and treatment centres lose power.
It is difficult to overstate the safety implications of these interdependencies. For example, Pironi, Spinucci and Paganelli describe how the Italian blackout of 2003 affected patients who relied on home parenteral nutrition systems. These individuals used electronic pumps for the overnight infusion of nutritional solutions, and the loss of power disrupted their treatment. Different devices responded in different ways, with some generating alarms and others reverting to battery power. Patients also responded in different ways, as they became worried about whether or not their systems had sufficient power to complete their treatment for that night. The blackout lasted several days across many areas of Italy. This created further problems, as stores of parenteral solution needed to be kept frozen. Other patients were placed at risk when the loss of power began to affect water treatment centres; for instance, it became difficult to guarantee that there was no microbiological or toxic contamination in the water supplies for dialysis patients.
One area of increasing concern is the dependencies that are created by the use of digital communications systems to connect key areas of our national critical infrastructure. For example, the separation of responsibility for maintaining electricity distribution systems and for generating or marketing power has created a situation where software systems are increasingly used to monitor and respond to changing demands across the network. Infrastructure operators rely on digital communications systems to balance the complex interactions between supply and demand, as market pressures encourage large-scale power transfers between low-cost generators and remote end-users. Failures in the digital communications systems can propagate to the distribution networks and vice versa. Many commercial and government agencies have recognized these vulnerabilities and have responded, for example, by placing reliability requirements on the networks and software that support critical infrastructures. However, there is strong commercial pressure for more systems to use the public Internet. At the same time, Hurricane Katrina and the UK floods of 2007 have illustrated that it may be inappropriate to place high levels of confidence in bespoke networks.
Forensic techniques can help to identify patterns of failure across digital communications systems. For example, a number of studies have been conducted into the impact of the 2003 US-Canada blackout on Internet traffic. Abnormal Border Gateway Protocol (BGP) events, in particular prefixes that were withdrawn and not re-announced, indicated that 3175 networks lost connectivity. Most of these were in the New York City area. However, we are a long way from being able to conduct more predictive forms of analysis at a regional level. In particular, there are no agreed means of modelling the effects of any future power system failures on national computational infrastructures. This, in turn, makes it impossible to anticipate the secondary impact of the loss of Internet connectivity on the increasing numbers of critical systems that rely upon these networks for the exchange of operational information.
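The kind of after-the-fact reconstruction described above can be illustrated with a small replay of a BGP UPDATE stream. The following is an added example and not code from the article or from the blackout studies it cites; the update records are constructed in a simplified MRT-like text form (timestamp, announce/withdraw, prefix, AS path), and the prefixes, AS numbers and timings are invented for illustration. The replay tracks, per prefix, when it was last withdrawn, whether it was re-announced before the end of the observation window, how long it was unreachable in total, and which origin networks are still down at the end.

```python
"""Replay BGP UPDATE records to reconstruct which prefixes lost connectivity.

Added example, not part of the original article. The records, prefixes and
AS numbers below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one route collector's view of three prefixes.
# Format: ISO timestamp | A (announce) or W (withdraw) | prefix | AS path (A only)
SAMPLE_UPDATES = """\
2003-08-14T20:05:00Z|A|198.51.100.0/24|64500 64510
2003-08-14T20:05:01Z|A|203.0.113.0/24|64500 64511
2003-08-14T20:05:02Z|A|192.0.2.0/24|64500 64512
2003-08-14T20:10:12Z|W|198.51.100.0/24|
2003-08-14T20:10:13Z|W|203.0.113.0/24|
2003-08-14T20:10:40Z|A|203.0.113.0/24|64500 64511
2003-08-14T20:11:05Z|W|203.0.113.0/24|
2003-08-14T20:12:00Z|W|192.0.2.0/24|
2003-08-14T20:30:00Z|A|192.0.2.0/24|64500 64512
"""

# End of the (assumed) observation window for this constructed sample.
WINDOW_END = datetime(2003, 8, 14, 21, 0, 0)


def parse_updates(text):
    """Parse the simplified record format into (timestamp, kind, prefix, as_path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, prefix, path = line.split("|")
        as_path = tuple(int(asn) for asn in path.split())  # empty for withdrawals
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, prefix, as_path))
    return records


def reconstruct_outages(records, window_end):
    """Replay the stream in time order and return per-prefix reachability state.

    A prefix is 'up' after an announcement and 'down' after a withdrawal.
    Downtime accumulates across every withdraw/re-announce cycle, and any
    prefix still withdrawn at window_end is charged up to the window end.
    """
    state = {}
    for ts, kind, prefix, as_path in sorted(records):
        s = state.setdefault(prefix, {"origin": None, "up": False, "down_at": None,
                                      "restored_at": None, "downtime": timedelta(0),
                                      "withdrawals": 0})
        if kind == "A":
            s["origin"] = as_path[-1]          # origin AS is the last hop of the path
            if not s["up"] and s["down_at"] is not None:
                s["downtime"] += ts - s["down_at"]
                s["restored_at"] = ts
            s["up"] = True
        elif kind == "W" and s["up"]:          # ignore withdrawals of never-seen prefixes
            s["up"] = False
            s["down_at"] = ts
            s["restored_at"] = None
            s["withdrawals"] += 1
    for s in state.values():
        if not s["up"] and s["down_at"] is not None:
            s["downtime"] += window_end - s["down_at"]
    return state


def still_unreachable(state):
    """Prefixes that were withdrawn and never re-announced inside the window."""
    return sorted(p for p, s in state.items() if not s["up"])


def outages_by_origin(state):
    """Group the still-unreachable prefixes by their last known origin AS."""
    by_as = defaultdict(list)
    for prefix, s in state.items():
        if not s["up"]:
            by_as[s["origin"]].append(prefix)
    return {asn: sorted(v) for asn, v in by_as.items()}


if __name__ == "__main__":
    st = reconstruct_outages(parse_updates(SAMPLE_UPDATES), WINDOW_END)
    for prefix, s in sorted(st.items()):
        print(prefix, "origin AS", s["origin"], "up" if s["up"] else "DOWN",
              "downtime", s["downtime"], "withdrawals", s["withdrawals"])
    print("still unreachable by origin:", outages_by_origin(st))
```

Counting prefixes that remain withdrawn at the end of the window is the measure behind a figure such as the 3175 networks quoted above; the flapping prefix in the sample (withdrawn, briefly re-announced, withdrawn again) shows why a single withdrawal count overstates the number of distinct outages and why cumulative downtime is the more useful forensic quantity.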
It will take many years before we can predict the knock-on effects that would arise if we were to lose significant sections of our digital communications and power distribution networks. Figure 1 illustrates the interface to a Geographical Information System (GIS) that exploits Bayesian techniques to generate failure scenarios across national critical infrastructures. This approach provides an alternative to the detailed causal modelling of infrastructure interdependencies that are created by the increasing integration of digital communications networks to support everything from food distribution to the monitoring of large-volume gas transmission. Expert judgement can be used to assess the conditional probability of a system failing given that problems have been observed in another infrastructure. Where possible these estimates can steadily be refined, with more accurate probability distributions based on partial causal models or from data obtained during previous contingencies. Further information about these techniques can be obtained from the author and on the Web site indicated below.
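To make the Bayesian approach concrete, here is a small dependency network over the infrastructures discussed in this article (power, telecommunications, water treatment, and the dialysis supply that depends on clean water). This is an added example, not the author's GIS tool or its models, and every probability in the conditional probability tables is an invented placeholder standing in for the expert judgement the paragraph describes. The code does exact inference by enumeration, so it can answer both predictive queries (what is the chance dialysis supplies are compromised given a power failure?) and diagnostic ones (given that water treatment has failed, how likely is a power problem upstream?), ranks the most probable joint failure scenarios under given evidence, and shows one simple way an expert estimate can be refined with observed counts from earlier contingencies.

```python
"""Cascading infrastructure failure as a small Bayesian network.

Added example, not code from the article. Node names and all probabilities
are assumptions chosen for illustration; they are not measured values.
Each node is binary: True means 'failed / disrupted'.
"""
from itertools import product

# node -> (parents, table); table maps a tuple of parent states to P(node failed).
NETWORK = {
    "power":    ((), {(): 0.02}),
    "telecom":  (("power",), {(False,): 0.01, (True,): 0.60}),   # UPS at base stations run down
    "water":    (("power",), {(False,): 0.005, (True,): 0.40}),  # pumping and treatment lose power
    "dialysis": (("water", "telecom"), {(False, False): 0.001, (False, True): 0.05,
                                        (True, False): 0.70, (True, True): 0.90}),
}


def joint_probability(network, assignment):
    """P(assignment) as the product of each node's conditional probability."""
    p = 1.0
    for node, (parents, table) in network.items():
        p_fail = table[tuple(assignment[q] for q in parents)]
        p *= p_fail if assignment[node] else 1.0 - p_fail
    return p


def query(network, target, evidence):
    """P(target failed | evidence) by enumerating every joint state consistent with evidence."""
    names = list(network)
    numerator = denominator = 0.0
    for states in product((False, True), repeat=len(names)):
        a = dict(zip(names, states))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(network, a)
        denominator += p
        if a[target]:
            numerator += p
    return numerator / denominator


def top_scenarios(network, evidence, n=3):
    """Most probable joint failure scenarios given evidence, as (P(scenario | evidence), failed nodes)."""
    names = list(network)
    scenarios, total = [], 0.0
    for states in product((False, True), repeat=len(names)):
        a = dict(zip(names, states))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(network, a)
        total += p
        scenarios.append((p, tuple(sorted(k for k, v in a.items() if v))))
    scenarios.sort(key=lambda s: -s[0])
    return [(p / total, failed) for p, failed in scenarios[:n]]


def refine_estimate(prior_p, prior_weight, failures, trials):
    """Blend an expert estimate with observed data from earlier contingencies.

    Treats the expert's P(fail) as a Beta prior worth prior_weight observations,
    then updates with `failures` out of `trials` observed occasions.
    """
    return (prior_p * prior_weight + failures) / (prior_weight + trials)


if __name__ == "__main__":
    print("P(dialysis disrupted | power failed) =", round(query(NETWORK, "dialysis", {"power": True}), 5))
    print("P(dialysis disrupted | power ok)     =", round(query(NETWORK, "dialysis", {"power": False}), 5))
    print("P(power failed | water failed)       =", round(query(NETWORK, "power", {"water": True}), 4))
    for p, failed in top_scenarios(NETWORK, {"power": True}):
        print(f"  {p:.3f}  failed: {failed}")
    # Refinement: expert said 0.60 (weight 10); 9 of 10 past blackouts saw telecom failures.
    print("refined P(telecom | power) =", refine_estimate(0.60, 10, 9, 10))
```

Enumeration is exponential in the number of nodes, which is fine for a handful of infrastructures but not for a national model; the value of the toy is that the same conditional tables serve scenario generation, prediction and diagnosis, and that refining one table entry from observed data changes every query that passes through it.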
Chris W. Johnson
University of Glasgow, UK