Resilience Corner: The Four Horsemen of Infrastructure Vulnerability

By Dan Eisenberg, PhD, Department of Operations Research, NPS

Resilience is a “new” term creeping into military directives, but what does it mean and how do we use it to guide decisions? Earlier in the Resilience Corner, we described how achieving resilience means improving the robustness, extensibility, restoration, and adaptation of military systems. However, improving resilience is impossible without first knowing system vulnerability.

So, how do we identify vulnerabilities? My answer to this question hinges on the idea that vulnerabilities arise from how we model the predictability and source of threats.

There are at least two ways to model threat predictability. Predictability can be modeled with probabilities representing the likelihood of a threat (e.g., the return period for a flood). Predictability is also modeled with possibilities representing imagined events that are unlikely, but possible. In the military, we often consider possibilities through wargaming and exercises to see how people respond to ficticious situations.

There are also two ways to model the source of threats. Threats can arise as a challenge to a system that causes assets and systems to fail. Here, experts use consequence models to estimate impacts brought by challenges. In contrast, threats also arise from flaws within our systems. Here, bad design or poor management can cause systems to fail. Flaws can be managed without knowing the failures or consequences they may cause.

Taken together, these perspectives allow us to organize a comprehensive framework for vulnerability analysis. Specifically, perspectives relate to four technical fields, each exemplifying one of the “four horsemen of infrastructure vulnerability” that will come to your base to tell you that your energy system is vulnerable. A comprehensive vulnerability analysis should consider each perspective prior to making recommendations on how to improve resilience.

Risk Analysis: Risk analysis identifies predictable challenges to a system. The likelihood of a risk is modeled with probability and the consequences of system failure is explicitly measured. Risk analysis is the language of the insurance industry and actuaries.

Reliability Engineering: Reliability identifies predictable flaws in a system. The reliability of a system is informed by determining the probability it will be inoperable given normal conditions. Reliability engineering focuses on updating poorly managed, out-of-date, and faulty systems before they fail. Reliability is the language of systems engineers and engineering professionals.

Adversarial Analysis: Adversarial analysis deals with possible challenges to a system. While the likelihood of an adversarial attack can only be estimated with possibility, the consequences of an adversarial attack can be explicitly measured. Adversarial analysis is the language of military and security experts.

Safety Engineering: Safety deals with possible flaws in a system. Safety concerns itself with managing dangerous conditions and tries to identify protections and precautions that prevent failures from occurring. Safety is the language of safety professionals and human factors.