The Risk Analysis and Evaluation Toolkit (RAET)
RAET is an integrative platform which facilitates the complete workflow for cyber-physical risk assessment, i.e. it helps water companies to:
- identify,
- analyse,
- evaluate threat scenarios and
- explore appropriate mitigation options which can manage these threats effectively.
WHAT IT DOES
RAET binds a series of interdisciplinary approaches into a seamless workflow to synthesize actionable intelligence and support informed decision making. It comprises state-of-the-art tools for fault tree analysis, threat scenario formulation, cyber-physical simulation engines (including hydraulics and quality simulators) that assess the impact of cyber-physical attacks on any water distribution network, and results evaluation and visualization applications, along with a database of cyber-physical risks and assorted mitigation measures. More specifically, RAET offers access to the following solutions:
- Fault Tree Viewer (FT Viewer): The FT Viewer helps visualise the interplays, failure paths and cascading effects between the cyber and physical domains of the entire urban water cycle. Its dynamic and interactive interface illustrates the various relationships and dependencies between risks, events, operations and system assets in an explicit structure from source to tap, for both the quality and the quantity of the water supply.
- Scenario Planner (SP): SP is a user-oriented, intuitive environment which deploys a stepwise process to formulate generic risks into detailed threat scenarios against specific targets, i.e. assets of the utility’s network. The SP automatically creates human readable scenarios, but most importantly it parameterizes all the corresponding simulation model files and autonomously coordinates with the simulation engines.
- Cyber-physical simulation engines: RAET employs novel tools like RISKNOUGHT for the simulation of complex cyber-physical scenarios, which can realistically simulate the interaction between control logic/SCADA of any water distribution network and the network’s hydraulic and water quality processes. The cyber-layer simulation is tightly coupled with the physical layer simulation (the hydraulic model) in a unified process which relies on the feedback loop between the cyber and physical layers simulation steps, to feed input sensor data (e.g., node pressure, tank level, pipe velocities, etc.) to the cyber layer model which ultimately passes decisions back to the physical layer as in a real-life network.
- Stress Testing Platform (STP): STP is a powerful feature of RAET which enables users to run, in a batch procedure, multiple automatically generated variations of a given scenario, similarly to a sensitivity analysis approach. Using this advanced module of RAET, utilities can investigate system resilience, efficiently detect the critical risk parameters, vulnerable system settings and assets that can lead to higher consequences from cyber-physical threats, and prioritize those versus other configurations.
- Key Performance Indicator Tool (KPI Tool): RAET adopts a standardised failure quantification framework, operationalised through the standalone KPI tool, to explore different dimensions of a system failure under user-defined risk criteria and different service levels according to the existing regulatory or operational standards that apply to each utility. The network sectorization capabilities of the tool allow the selection of DMAs, the identification of districts/areas with critical customers (e.g., hospitals, government and/or military buildings, etc.) and the evaluation of consequences at higher spatial detail. The risk evaluation outputs are presented through enhanced visualization in the interactive interface of the tool, and they can also be exported as human-readable risk report files.
- RAET Database (RAET DB): RAET DB incorporates the risk-relevant knowledge bases and manages the produced scenarios and results. It also underpins the unified approach to cyber-physical risk assessment with standardised data exchange schemes, APIs and a specifically designed risk taxonomy. Along with the risk knowledge base that formulates the embedded generic Fault Trees, RAET DB also hosts an equivalent expandable database of risk reduction measures that can be adapted to different regions and different conditions. While the final selection and adaptation of measures to the specific site conditions is the utility’s choice, RAET supports the process with a matching algorithm, which sorts out potential mitigation measures for a given risk.
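The cyber-physical feedback loop and the batch stress-testing idea described in the list above can be sketched on a toy single-tank network. This is an added example, not RAET or RISKNOUGHT code; the tank, pump and demand values, the stale-sensor scenario and all function names are constructed assumptions.

```python
# Added illustration; not RAET or RISKNOUGHT code. All values are constructed.
STEP_DEMAND = 20      # m^3 drawn by customers per 15-minute step
STEP_PUMP = 30        # m^3 delivered per step while the pump runs
LOW, HIGH = 100, 200  # tank volumes (m^3) at which the control rule switches


def simulate(stale_from=None, stale_steps=0, steps=96):
    """Run one scenario and return the unmet demand in m^3 (a simple KPI)."""
    volume, pump_on, unmet = 150, False, 0
    reported = volume
    for t in range(steps):
        # Cyber layer: the controller sees the sensor value, which the
        # scenario can hold stale for a window of steps.
        stale = stale_from is not None and stale_from <= t < stale_from + stale_steps
        if not stale:
            reported = volume
        if reported <= LOW:
            pump_on = True
        elif reported >= HIGH:
            pump_on = False
        # Physical layer: tank mass balance driven by the control decision.
        available = volume + (STEP_PUMP if pump_on else 0)
        supplied = min(STEP_DEMAND, available)
        unmet += STEP_DEMAND - supplied
        volume = available - supplied
    return unmet


def stress_test(durations, stale_from=0):
    """Batch-run variations of one scenario, as in a sensitivity analysis."""
    return {d: simulate(stale_from, d) for d in durations}


def first_critical(results):
    """Shortest tested duration that causes any unmet demand, or None."""
    hits = [d for d, unmet in sorted(results.items()) if unmet > 0]
    return hits[0] if hits else None


if __name__ == "__main__":
    results = stress_test([0, 4, 8, 12, 16])
    print(results, "first critical duration:", first_critical(results))
```

In this toy model the control loop tolerates a stale level reading for a few steps before the tank empties, which is the kind of critical parameter a batch sweep is meant to surface.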
The modular design of the toolkit, along with its reliance on standardised data exchange schemes, makes it expandable and allows it to be coupled with other external applications. Special considerations are made in RAET’s architecture, information sharing protocols and installation requirements due to the sensitive nature of the data handled in the platform. It can also serve as a working hub that recognizes different user roles and assigns the appropriate access rights to tools, databases and information. Its workflow and data sharing architecture allow cyber-physical risk assessment to be supported in a standardized and efficient manner, leading to more robust evaluation results, case-driven crisis management training and data-driven decision making, with significant gains in organisational efficiency.
The toolkit helps water companies to understand and be prepared for potential cyber-physical events or attacks against their systems, thus minimizing their risk exposure and ensuring significant financial, operational and reputational benefits. Furthermore, RAET specifically helps water companies to better protect the most critical parts of their system and their community (e.g., hospitals, government buildings, etc.) and as such provides significant co-benefits in terms of the security and resilience of societies against emerging concerns of cyber-criminality and hybrid warfare. RAET also has significant internal operational benefits for water companies, as it manages and communicates actionable risk information between key company personnel, allowing safe intra-organisational communication and cross-departmental collaboration, notably between cyber and physical operation experts, first responders and decision makers.
RELEVANT PUBLICATIONS
- Moraitis, G., Nikolopoulos, D., Bouziotas, D., Lykou, A., Karavokiros, G., Makropoulos, C., 2020. Quantifying Failure for Critical Water Infrastructures under Cyber-Physical Threats. J. Environ. Eng. 146, 04020108. https://doi.org/10.1061/(ASCE)EE.1943-7870.0001765.
- Nikolopoulos, D., Moraitis, G., Bouziotas, D., Lykou, A., Karavokiros, G., and Makropoulos, C.: RISKNOUGHT: Stress-testing platform for cyber-physical water distribution networks, EGU General Assembly 2020, Online, 4–8 May 2020, EGU2020-19647, https://doi.org/10.5194/egusphere-egu2020-19647.
- Nikolopoulos, D., Moraitis, G., and Makropoulos, C., 2021. “Strategic and Tactical Cyber-Physical Security for Critical Water Infrastructures” in Cyber-Physical Threat Intelligence for Critical Infrastructures Security. Edited by John Soldatos, Isabel Praça and Aleksandar Jovanović. pp. 159–187. Now Publishers. https://doi.org/10.1561/9781680838237.ch7.