Risk Management Framework
Role of Perception, Collaboration and Shared Responsibility among various Stake-holders in Critical Infrastructure Risk Management
Sandeep Mittal, I.P.S.,*
Indian Journal of Criminology, Volume 42 (1) & (2) January & July 2014
The well-being of a nation depends on its critical infrastructure and on how secure and resilient that infrastructure is in sustaining services to its citizens and maintaining normal life and activity. In today’s world, critical infrastructure is so widely distributed in time and space that the entire process of establishing, maintaining, securing and making it resilient involves a number of stakeholders: governments at the federal, state and local levels; specialised technical organizations in the public and private sectors; private vendors; security agencies; and, last but not least, the citizens or society. Each of them has to play a role in close collaboration with the other stakeholders. Moreover, critical infrastructure is becoming increasingly dependent on cross-sectorial processes governed by technology and humans. All of them interact closely with each other, e.g., humans interact with humans and humans interact with technologies, and this interactive process is highly complex, complicated and biased due to their cultural values, judgements and perceptions, which in turn are dynamic in space and time (Ramamurthy, 2012). In this essay, we examine how security and resilience in critical infrastructure can be built through a collaborative approach and by neutralising cultural perceptions.
The Collaborative Approach to Critical Infrastructure and Cultural Perception
Let us have a look at the case study of a disturbing incident regarding a Critical Infrastructure facility in the southernmost State of India, Tamilnadu, viz., the public agitation against the Nuclear Power Project at Koodankulam. The Nuclear Power Corporation of India, under the Department of Atomic Energy, Government of India, was in the advanced stage of commissioning two 100 MW nuclear power reactors in a coastal village of Tamilnadu at a cost of about GBP 1600 Million.
Recently one of the reactors had started producing electricity at commercial scale. These reactors have been under planning and construction for more than a decade, but there have been repeated public uproars regarding the safety of these nuclear power plants, more vigorously after the Fukushima Nuclear Disaster in Japan. Of late, the ‘safety-concerns’ regarding the commissioning of this critical-infrastructure project have themselves taken the shape of a ‘security-threat’ to the project, due to the disturbed perception dynamics of various stakeholders: the local community went berserk, posing a serious threat to the critical infrastructure, including long disruptions to critical operations, necessitating intervention by the police authorities to defuse the situation as per the rule of law. The Tamil Nadu Police did an extremely trying job of restoring peace and public order in an outstandingly professional manner while maintaining, at the same time, utmost restraint, patience and respect for the human rights of the agitators.
This is when the ‘safety-fear’ became the ‘security-threat’ to the critical infrastructure itself… The following narrative, based on information gathered from various sources, explains the scenario.
“On September 11, 2011 the protestors began an indefinite fast. Efforts were made by police and administration to peacefully settle the issue. Group of senior Ministers (15th September, 2011), Hon’ble Union Minister (20th Sep-2011), Hon’ble Chief Minister of Tamil Nadu (22nd September, 2011), Hon’ble Prime Minister of India (7th October, 2011) met with representatives of the protestors. On 22nd September, 2012 a resolution was passed by the State Cabinet to halt work at KKNPP till fears of people are allayed. On 13th October, 2011, during local body election campaign, the protestors laid siege to KKNPP and blocked all roads. The protestors later withdrew on 16th October, 2011 and the local body elections were conducted peacefully. A Central Committee conducted several rounds of discussions with representatives of protestors and concluded that the plant was safe. A State Committee also examined the safety aspects and concluded that the nuclear plant was safe. On 18th March, 2011 work was fully resumed at KKNPP with police security. Declaration of the prohibitory order under Sec.144 Cr.P.C. was challenged by 3 public interest litigations in Writ Petitions No.7520, 7633 and 7634/12 before the Division Bench of the Hon’ble High Court of Judicature at Madras wherein the order was passed on 26th March, 2012 by the Hon’ble High Court upholding the prohibitory order, and is reproduced in part as follows,
“……In view of the above, we hold that the impugned order is only a regulation and not a prohibition altogether for avoiding breach of peace. Therefore, we are not inclined to interfere with the impugned prohibitory order, passed by the second respondent. However, it is made clear that the District Administration shall ensure uninterrupted supply of essential commodities like milk, water and electricity etc., and bus facilities and take all steps against the persons indulging in activities like digging of the roads, blocking the roads with boulders, pillars etc., by taking action in accordance with law. It is needless to state that any persons aggrieved by the impugned prohibitory order would be at liberty to avail the remedy available under section 141 (5) of Cr.P.C, if so advised…..”
While disposing of a batch of Writ Petitions in W.P.Nos.24770 and 22771 of 2011, 8262 and 13987 of 2012 and W.P.(MD) Nos.14054 and 14172 of 2011, 1823 and 2485 of 2012 by the order dated 31st August, 2012, the Hon’ble High Court at Madras made an observation, which is reproduced in part as follows,
“……By taking note of the overall situation explained in detail, we are of the view that the KKNPP in respect of Units 1 and 2 do not suffer from any infirmities either for want of any clearance from any of the authorities, including the MOEF, AERB, TNPCB, and the Department of Atomic Energy, and there is absolutely no impediment for the NPCIL to proceed. ……..”
Even after the Hon’ble High Court order, the protestors decided to lay siege to the nuclear plant. There was a law and order flare-up on September 10, 2012 when the protestors forcefully and violently tried to proceed towards the plant. Police dispersed the unlawful assembly observing utmost restraint and with the use of minimum force. The police remained highly disciplined, professional and tactful and quickly de-escalated the tense situation. The Hon’ble High Court of Judicature at Madras considered the law and order incidents at Koodankulam in W.P. (MD).No. 12093 of 2012 and W.P. (MD) No. 12091 of 2012 and observed as follows,
“…..Certainly each citizen has got every right to raise his objection to any public issue. But there is a method to raise objection and there is a manner in which that has to be raised, but not as adopted by these agitators by attacking the police, etc. The stand of the petitioners is that they raised their objection peacefully. We are unable to understand whether causing damage to public properties, threatening the people to close down their business establishments and causing damage to vehicles and forcing the general public to yield to their view can be said conducting the agitation in a peaceful manner. Having disobeyed the prohibitory orders and totally ignoring the Division Bench Judgement of this court and taking the law into their own hands and even after the requisition made and notice given to them for the dispersal of the unlawful assembly, if the agitators can continue with this in their own way, causing all irregular and illegal activities, this Court is not able to understand how they are entitled to ask for an enquiry and how this relief can be given, when a citizen himself has taken the law into his own hands?…..”
From the very beginning, the police and district administration realised that this was a very emotive public issue with widespread ramifications. All efforts were made to resolve the issue peacefully through negotiation and restraint. Effective intelligence gathering and tactful handling were key to defeating the evil designs of a few people with vested interests who were actively misguiding innocent villagers, women and children, and were trying to give a communal and extremist colour to the agitation with intent to destabilise the law and order situation in the entire coastal belt of the state. Further, an interesting insight into the perception of law-makers regarding the radiation hazards related to such critical infrastructure projects is revealed by the following unstarred question (Rajya Sabha Unstarred Question No. 485), asked on the floor of the Upper House of the Parliament of India,
“Will the PRIME MINISTER be pleased to state:
(a) in what manner India look at the reported first radiation linked cancer case due to Fukushima disaster;
(b) whether a few similar cases of cancer are still awaiting confirmation of a link to accident; and
(c) in view of above, whether the Ministry reconsider its decision about nuclear energy, if not, the reasons therefor?”
This was answered by THE MINISTER OF STATE FOR PERSONNEL, PUBLIC GRIEVANCES & PENSIONS AND PRIME MINISTER’S OFFICE as follows,
“(a) According to Reuters news dated October 20, 2015 the dose received by the deceased worker is 19.8 millisievert (mSv) of which 15.7 mSv was received between October 2012 to December 2013 during post Fukushima clean-up operations. World over occupation workers involved in radiation jobs are governed by the International Commission on Radiological Protection (ICRP) recommendations for dose limits by regulatory bodies. The dose limit for an occupational worker is 20 mSv/year averaged over a period of 5 years and in a year, the limit is 30 mSv as per the guidelines of Atomic Energy Regulatory Board (AERB). The dose received by the worker in the present case is within the safe limit stipulated by the respective regulatory body. Although radiation is considered as a possible cause of cancer, according to literature survey, and based on the experience, the cancer cannot be conclusively attributed to radiation at this low dose. The dose received by the worker is well within the safe limit being practised world over.
(b) These cases of exposure are not directly resulting from release of radioactivity to environment from Fukushima disaster, but they are from the planned exposure situation during post clean-up operations at Fukushima. At low doses (within the safe limit), it cannot attribute radiation as the only cause of cancer if detected only in few individuals. The scanning of large number of population anywhere in the world can find cases of cancer like leukemia, lung cancer, thyroid cancer etc., even if they are not exposed to radiation. There is no scientific evidence of confirmed cancer incidences for exposure to less than 100 mSv and the exposure reported from Fukushima is much below this dose.
(c) Indian nuclear power programme believes in protection of the worker, public and their environment from potential radiation hazards, while at the same time making it possible for advancing the nation to enjoy all the benefits resulting from use of nuclear energy. There is no reason to reconsider the decision of going ahead with nuclear energy programme in India. Fukushima accident was caused by an unexpected severe tsunami followed by a massive earthquake. Such major nuclear accident is not anticipated in any of the Indian Nuclear Power Plants due to their location as well as engineering design and operating condition. The Indian Nuclear Power programme follows stringent guidelines on safety at all stages such as siting, design, construction and operation of nuclear power plant and strict regulatory control and compliance. The safety of the workers and public is ensured during normal operation as well as under off-normal conditions. Hence, the Government does not see any detrimental impact on worker and public due to nuclear energy programme.”
A perusal of the above case study reveals the varying perceptions of the law enforcer himself, the politicians, the courts and civil society on the same issue. These perception-related fault-lines in the risk management of critical infrastructure are mainly due to the varying perceptions of governments, politicians, the public etc. This case study amply demonstrates that security and resilience in critical infrastructure call for a partnership between the federal and state governments; local, tribal and territorial entities; and public and private owners and operators of critical infrastructure, proving Douglas and Wildavsky right when they said that we are dealing with “‘known’ and ‘known’-unknowns”, that no one person can be aware of all the risks, and that no one person can therefore calculate them (Douglas and Wildavsky, 1982). However, before they collaborate, each needs to understand the risk environment affecting critical infrastructure, which is complex, complicated and uncertain, as the threats and vulnerabilities have evolved over a period of time. The evolving threats to critical infrastructure are climatic conditions, technical failures, accidents, acts of terrorism and, last but not least, cyber threats (US Department of Homeland Security, 2013).
The Web of Complexity
The increasing interdependence across sectors and the reliance on Information and Communication Technology (ICT) have heightened the potential vulnerabilities of critical infrastructure. The interdependency and inter-connectivity of the operating environment necessitate collaboration in both planning and action to shape the security and resilience environment of critical infrastructure. The increasing use of cloud computing, mobile devices and wireless connectivity has dramatically changed the operational aspect of critical infrastructure. The use of COTS (commercial-off-the-shelf) products has exposed the system to greater risks. The perceptions of various stakeholders about using COTS products would differ in time and space, thus affecting the operational environment. Critical infrastructure assets are distributed in space and time with regard to aspects like ‘Location of Physical Assets versus Location of Services’ and ‘Ownership of Assets versus User of Asset’. This necessitates partnership across sectors, across jurisdictions and across national borders to build security and resilience in the operating environment. However, cultural perceptions in space and time would affect the mechanism of collaboration, thus affecting the resilience mechanism.
The partnership structure of the collaboration between the private sector (owners, vendors, associates, partners etc.) and its government counterparts is a primary mechanism for building security and resilience in critical infrastructure. The concerns and perceptions regarding data privacy and protection have taken a turn-around after the Snowden episode. The Government sector is not willing to trust the private partners. The nature, complexity and interdependency of critical infrastructure operations and the risk environment do not allow any single entity to manage risk on its own (US Department of Homeland Security, 2013).
In today’s well-connected world, where critical infrastructure is geographically distributed over large areas spanning 100 KM, with communication between field units and master tools, the security of systems integrating information technology and operations technology, like SCADA, and of their communication with the SOC (Security Operation Centre) assumes significance. A number of frameworks have been designed to assess and mitigate the privacy impact of information systems, processes or programmes. The Fair Information Practices Principles based on US Department of Homeland Security (2012) is one such framework. The application of these principles, however, would be influenced by the individual perceptions of various stakeholders at the national, regional, local and owner/operator levels when planning for critical infrastructure security and resilience. These principles are enumerated below (modified after US Department of Homeland Security, 2013):
- Identification and management of risk in such a coordinated and comprehensive manner across the Critical Infrastructure Components (CIC) so as to ensure optimum allocation of security and resilience resources.
- Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to build security and resilience.
- Sharing information across CIC is imperative to comprehensively address critical infrastructure security and resilience in an increasingly interconnected environment.
- Partnership approach to address varying perceptions of various stakeholders of CIC.
- Regional and State/Local partnerships are crucial to handle perspectives, mostly misplaced due to lack of information or misinformation campaigns.
- International collaboration and mutual assistance agreements. The perceptions of national Governments may vary. It is generally perceived that such mechanisms are not very effective. The recent judgement of a US Court directing Microsoft to hand over information held in Dublin proves the point (PCWorld, 2014).
- Building security and resilience during the design of assets, systems and networks. This issue looks simple but is very difficult to implement, as the perceptions of owners, developers, project managers and security professionals involved during the product development lifecycle vary and security is generally, if not always, ignored. This is the best example of the ‘perception-fault-lines’.
Designing a Critical Infrastructure Risk Management Framework
To overcome complexity, biases and perception fault-lines, it would be advisable to have a Critical Infrastructure Risk Management Framework (CIRMF). The US Department of Homeland Security (2013) proposed the CIRMF to strengthen collaborative efforts in building security and resilience and to manage risk across CIC through informed decision-making. “While individual risk entities are responsible in managing risk to their organisations, collaborating partners improve understandings of threats, vulnerabilities and each-other’s perception” (USDHS, 2013).
The various security elements of critical infrastructure, which are physical, cyber and human, should be explicitly identified and integrated at each step of the process. A model of how humans influence cyber security has been proposed, which demonstrates that, by incorporating various measures, users’ behaviour in information system security can be improved by strengthening the factors that have a positive impact and reducing the factors that have a negative impact on information system security.
“One must keep in mind that risk analysis of critical infrastructure is dependent upon interactions of ‘human with human’ and ‘human and technology’ which are indeed highly complex cognitive processes. The human by nature are not rational and the risk analysis done by them is not value-free and depends on judgements having intuitive biases of risk perception. The risk analysis, therefore should take into account the understanding of public concerns in the context of cultural meanings and value judgements. The culture here is not mere social; rather it includes historical, political, national, organizational and individual’s own personal experience. Therefore, some scholars have emphasised that politics (they include perception, values, culture etc. in it) is an important dimension in Risk Analysis” as shown in following (Slovic & Weber, 2002).
The risk analysis is like an artefact, an object showing human workmanship, encapsulating the practitioner’s values and knowledge and revealing the nature of the culture in which the artefact was produced. Both are valuable. As Adams said, “It’s anxious work. In undertaking it, the modern risk manager should strive to avoid behaving like the drunk who looks for his keys not where he dropped them, but under the lamp-post because that is where it is light” (Adams, 2007).
The Critical Infrastructure Security and Resilience is a complex, complicated and uncertain process trying to reduce and manage the risks that are ‘known’, ‘known-unknown’ and ‘unknown-unknown’. The social, political and economic cultures; inter-disciplinary biases of academicians and practitioners (e.g., Scientist vs. Social Scientist or Academician vs. Practitioner); organisational sub-cultures within and across the sectors; and cognitive decision-making processes of human beings (who are biased because of their sub-conscious intuitions, personal experiences and emotions) all play an important role in the collaborative dynamics of the critical infrastructure security and resilience building matrix. Overcoming these undesirable attributes is easier said than done. However, systematic, continuous, repeated and consistent efforts to build a collaborative approach that minimises these so-called limitations would go a long way towards achieving better and more widely acceptable results for critical infrastructure security and resilience. Ultimately, it is society that has to decide its own fate.
Note: The views expressed in this paper are of the author and do not necessarily reflect the views of the organizations where he worked in the past or is working presently. The author conveys his thanks to the Chevening TCS Cyber Policy Scholarship of the UK Foreign and Commonwealth Office, who sponsored part of this study.
Adams, J. 2007, Complexity & Uncertainty in a Risk Averse Society, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.169.3637&rep=rep1&type=pdf, Online edn, Omega Conference, London.
Boin, A. & McConnell, A. 2007, “Preparing for critical infrastructure breakdowns: the limits of crisis management and the need for resilience”, Journal of Contingencies and Crisis Management, vol. 15, no. 1, pp. 50-59.
Mittal, S. 2016, “Understanding the Human Dimension of Cyber Security”, The Indian Journal of Criminology & Criminalistics, vol. XXXIV, no. 1, pp. 141-152.
Douglas, M. & Wildavsky, A. 1982, Risk and Culture: An Essay on the Selection of Technical and Environmental Dangers, First edn, University of California Press, Berkeley.
Masuda, J.R. & Garvin, T. 2006, “Place, culture, and the social amplification of risk”, Risk Analysis, vol. 26, no. 2, pp. 437-454.
PCWorld 2014, Search Warrants extend to Emails stored Overseas us Judge Rules in Microsoft Case, http://www.pcworld.com/article/2148780/search-warrants-extend-to-emails-stored-overseas-us-judge-rules-in-microsoft-case.html, Online edn, PCWorld, Online.
Ramamurthy, V.S. 2012, Perception and Acceptance of Public Risks. Accessed online http://eprints.nias.res.in:8081/446/1/L4-12_VS_Ramamurthy.pdf, Science and Society Lecture Series edn, Indian National Science Academy, New Delhi.
Slovic, P. & Weber, U.V. 2002, “Perception of Risk Posed by Extreme Events”, Risk Management Strategies in an Uncertain World, April edn, Palisades, New York.
US Department of Homeland Security 2013, NIPP 2013: Partnering For Critical Infrastructure Security and Resilience, First edn, USDHS, USA.
US Federal Emergency & Management Agency 2013, Comprehensive Preparedness Guide 201: Threat and Hazard Identification and Risk Assessment Guide, US Department of Homeland Security, Washington, D.C.
Rajya Sabha Unstarred Question No. 485, Radiation Linked Cancer Cases (Answered on 03.12.2015). Accessed: http://www.dae.nic.in/writereaddata/parl/winter2015/rsus485.pdf
*Sandeep Mittal, I.P.S., Deputy Inspector General of Police, LNJN National Institute of Criminology and Forensic Science, Ministry of Home Affairs, Government of India, Sector-3, Rohini, Delhi -110085, Office No. 011-27521104, Fax No.011-27511571