This chapter provides an overview of the risk and infrastructure landscapes and highlights the opportunity to invest in critical infrastructure resilience. As climate risks and other natural hazards, digital threats, and security risks can disrupt infrastructure services with far-reaching socio-economic consequences, analysis in this chapter expresses the importance of adopting an all-hazards and threats approach to critical infrastructure resilience. In light of the increased interdependencies between infrastructure systems, the rapid pace of innovation transforming infrastructure, and the upscaling of infrastructure investments, the chapter makes the case for adjusting critical infrastructure policies and investing in their resilience.
Good Governance for Critical Infrastructure Resilience
1. Making of critical infrastructure resilience a policy priority
Abstract
Multiple hazards and threats can disrupt critical infrastructure
Critical infrastructures constitute the backbone of the functioning of our modern and interconnected societies. The disruption of telecommunication services, water or energy supply, transportation or financing systems can cause significant harm to the well-being of citizens and incur adverse economic effects that resonate beyond the directly affected area.
Major shock events of all types, from natural hazards to industrial accidents, terrorist or cyber-attacks, have demonstrated the vulnerabilities of these critical systems. Their destruction, disruption or interruption could lead to cascading effects across sectors and sometimes across national borders. Thus, ensuring service continuity of critical infrastructures should be an essential part of risk management policies in OECD and partner countries alike.
The OECD Recommendation on the Governance of Critical Risks adopted by OECD Ministers in May 2014 reflects this importance by calling governments to identify where disruptions to critical infrastructure can lead to cascading effects (OECD, 2014[1]). In the OECD Survey on the Governance of Critical Risks conducted in 2016 to monitor the Recommendation’s implementation, half of OECD countries indicated critical infrastructure disruption as one of their national critical risks (OECD, 2018[2]).
Natural hazards, industrial accidents, and pandemics can cause severe critical infrastructure disruptions
Critical infrastructure present specific vulnerabilities to shock events, such as natural hazards. Windstorms can make electricity transmission and distribution overhead lines fall down, earthquakes can break water pipes, destroy bridges or tunnels, floods and other water-related disasters can have large impacts on roads, railways, water supply and sanitation facilities, and storm surges and tsunami affect harbours, energy facilities and other infrastructure located in coastal areas . Space weather events such as solar storm can also put electricity grids at risk of a blackout, and endanger satellites and geo positioning systems with potential repercussions on transport and other activities (Krausmann et al., 2016[3]). Industrial accidents may also lead to significant disruptions. Pandemics, such as the SARS in 2009, can overwhelm health systems and impact international air transportation when prevention policies are put in place.
When a critical infrastructure asset or network is affected by a shock event, the disruption of the service provided may quickly lead to large economic or social impacts. Beyond direct disaster damages, service disruptions can have a longer duration, and affect a wider area than the disaster itself. As a result, firms and households can suffer from loss of services, with impact on output, demand and well-being. The continuity of government’s activities can also be significantly affected in some cases, including the emergency response, which can further delay post-disaster economic recovery. Examples in box 1 demonstrate how large such impacts can be in a selection of recent disaster events affecting a diversity of sectors.
Climate change, and associated risks of sea level rise, is expected to increase the vulnerability of many critical infrastructure systems located on the seashore and along waterways, notably in the energy and transport sector. The 2017 United Kingdom Climate Change Risk Assessment has analysed the impact of climate change on the energy sector in depth, highlighting the vulnerability of its energy infrastructure to sea level rise (UK Goverment, 2017[4]).
Box 1.1. Impacts of critical infrastructure disruptions in selected disaster events
The 2011 Great East Japan Earthquake and the subsequent tsunami significantly affected the energy sector in Japan. The nuclear meltdown of the Fukushima Daiichi Nuclear Power Plant and the following shutdown of the nuclear power plants throughout the country, led to a 50 % reduction in electricity production, causing substantial energy supply disruptions across the country.
The 2012 Superstorm Sandy flooded key roads and tunnels connecting Brooklyn and Manhattan as well as train and subway lines in in the greater New York-New Jersey metropolitan area. As a result, 5.4 million commuters were stranded without means of transportation, disrupting business continuity more widely than the Hurricane itself. In addition, an estimated 8.5 million households suffered from electricity shortages.
The closure of European air spaces following the Eyjafjallajökull volcanic eruption in Iceland in 2010 led to more than 100 000 flight cancellations and re-routing around the world. As a result, many companies that depend on air cargo to deliver products and key components were unable to supply markets and production systems throughout Europe and beyond.
The explosion of hazardous materials in Tianjin harbour in China in 2015 led to large-scale rerouting of cargos and tankers connecting to the world’s 6th largest harbour for weeks.
The Chilean earthquake in 2010 caused major disruptions to the transportation and telecommunication systems.
The Northeast United States and Canadian Power Outage in 2003 was caused by trees falling on a high-voltage power line in northern Ohio triggering cascading failures in south-eastern Canada and eight states in the Northeast United States impacting 50 million people in both the United States and in Canada at an estimated cost of USD 6 billion.
Note: Annex 1 presents the impacts of these selected events that led to critical infrastructure disruptions in more details and the lessons learned from them.
Source: Annex 1
These disruptions can lead to significant economic damages and losses
Estimating the economic and social impact of critical infrastructure disruption proves to be difficult to assess. These indirect impacts of disaster events are not as straightforward to measure or model than direct damages, for which classic techniques are increasingly in place across OECD countries (OECD, 2018[5]). Nevertheless, in large disasters the economic impact of these disruptions is generally too large to ignore (Rose et al., 2012[6]).
The OECD analysis on the risk of flood from the Seine river in Paris metropolitan area provides an idea of the extent of economic losses related to critical infrastructure. Based on flood scenarios of different magnitudes centred around a 100-year return period event, potential damages to critical infrastructure such as transport, energy or water assets and networks represent between 35% and 55% of the total direct damages caused by flood. More importantly, business losses caused by disruptions of the electricity and transportation sectors in Paris metropolitan areas can reach up to 85% of the total business losses modelled for the entire area (OECD, 2014[7]).
Critical infrastructure can be targets for malicious attacks from terrorism to digital security threats
Malicious actors have also identified critical infrastructure as potential targets in light of the major impact that their disruption can generate. This holds true for acts of terrorism, and increasingly for digital threats. The emerging risk of hybrid threats, characterised by malicious actors playing with the vulnerabilities of civilian activities such as essential lifelines to impact societal trust in open and democratic societies, have also received an increased attention from risk managers in OECD countries (OECD, 2018[8]).
As presented in Box 1.2, digital threats can affect critical infrastructure in different ways from software to hardware, and through impact on demand. The rapid evolution of technologies and increasing digitalisation of many critical infrastructure processes call for a constant watch of digital security threats and a regular assessment of emerging capabilities of malicious actors.
Regarding the risk of terrorism, transport infrastructures – from air traffic over maritime transport to railways and subways - are highly vulnerable targets for terrorist attacks that can be complex to protect. If attacked, the negative impacts can cascade much beyond the loss of lives, as systems may be disrupted for weeks to follow and repercussions on citizen’s trust be hard to regain. Chemical plants and nuclear reactors can also be targeted by terrorist attacks, resulting in large-scale spills that can render areas inhabitable for long time-periods. Terrorist may also target water systems with bacteriological or chemical contamination.
For both risk to digital security and terrorism, insider threats is an important issue for critical infrastructure operators. Having access to facilities and knowledge of security measures provide indeed a significant advantage for malicious actors willing to commit such acts.
Towards an all-hazards and threats approach to critical infrastructure risks
In this dynamic risk landscape, the portfolio of risks that policy-makers will need to address to build a more resilient nation is constantly evolving. Vulnerabilities of critical infrastructure to this range of hazards and threats call for increased attention to critical infrastructure security and resilience. Disaster risks, compounded by climate change, present a set of challenges for infrastructure resilience. In addition, the rise of hybrid threats and associated digital security risks calls for increased resilience of critical infrastructures to digital security incidents. Security measures against terrorism risk need to include infrastructure resilience as well. This diversity of hazards facing critical infrastructure, calls for an all-hazards and threats approach to critical infrastructure resilience.
Box 1.2. Digital threats to critical infrastructure
Digital threats can affect critical infrastructure in different ways:
Malware affecting command and control systems: The Stuxnet malware discovered in 2010 demonstrated for instance the vulnerabilities of the command and control systems governing complex industrial processes such as the functioning of power plants or water and oil distribution networks. Taking direct control of complex industrial and technical processes linked to critical infrastructure requires robust technical capacities. The 2015 attack on the Ukrainian electricity grid was a warning signal highlighting the sophistication of attacks and the availability of tools to take partial control and disrupt power supply.
Ransomware affecting a large set of computers can similarly block systems and affect critical infrastructure operators in their routine activities with potential implication on their operations. In 2017, Wannacry and NotPetya ransomwares led to severe disruptions on a series of critical infrastructure systems over Europe, including the United Kingdom National Health Service, the telecommunication company Telefonica in Spain, the German railway company Deutsche Bahn, or the Danish shipping company Maersk.
Distributed control on Internet of Things devices affecting demand: Increasing concerns relate to the vulnerabilities of Internet of Things devices, which usually have low levels of protection against digital threats. Controlling a large number of devices can be utilised to create a demand shock on utility’s services. For instance, the simultaneous switch on of devices can generate an electricity demand peak disturbing the balance between electricity production and consumption, with repercussions on the network’s stability.
Backdoors on hardware components of critical infrastructure: Beyond software, digital threats may also come from hardware components. Supply chains of critical industries have become a major area of consideration for policy makers, for instance with the on-going deployment of 5G technologies. In the context of hybrid threats, the intentional threat that information technology suppliers could build hardware and software backdoors in IT/OT systems used for critical infrastructure operations is a growing concern.
Source: Presentations and discussions at the OECD Workshop on System-thinking for critical Infrastructure resilience and Security, (2018), available at http://oe.cd/critinf
A new landscape for investing in critical infrastructure resilience
Aside from the evolution of the risk factors, the infrastructure sector itself is undergoing significant changes and evolutions, which can affect resilience. First, interconnectedness and interdependencies between infrastructure systems and between countries have significantly increased with globalisation, upscaling the potential for shock events to cascade.
Second, innovation and technology advancements give emergence to new forms and types of infrastructure systems, from smart cities to autonomous vehicles. These new kinds of ‘smart infrastructure’ principally use innovations aimed at reducing costs and increasing efficiency, which may have implications on risk and resilience that still need to be understood properly. In parallel to emerging new infrastructure, ageing infrastructure creates vulnerabilities in many OECD countries.
Third, investments in infrastructure are on the rise globally, which creates a key opportunity to strengthen resilience from the start, provided these investments integrate resilience in their design.
Interconnectedness and interdependencies of infrastructure assets and systems are on the rise
Global investments in infrastructure, along with the deployment of global value chains, as well as the rise of information and communication technologies, have increased interconnectedness and interdependencies between sectors and countries around the world. Increased flows of data, goods, people and energy feed global value chains and sustain economic growth. Critical infrastructures are the hubs, nodes and networks of an increasingly complex web of interdependencies and interconnectedness, through which threat agents can navigate and the impact of disruptions can cascade. Therefore, the failure or disruption of one critical infrastructure system can have far-reaching consequences, in other sectors, or in other locations, sometimes globally (OECD, 2011[9]).
For instance, the 2011 large-scale floods in Bangkok affected the car industry of Japan significantly, as suppliers located in the flooded area were disrupted. Cross-border infrastructures such as high-voltage electricity grids are another way through which disruptions can propagate. Failures of electricity or telecommunication systems can have consequences for other critical sectors that depend on power supply or on telecommunication systems to operate, from water treatment, to critical industries or government systems (Figure 1.1).
Some sectors are almost entirely dependent on key critical infrastructure to operate: for instance the aviation sector depends upon the Global Positioning System (GPS) for the management of planes routes around the world; global data exchanges rely on a limited number of submarine cables through which more than 90% of the world’s data traffic passes (Figure 1.2).
Innovation and digitalisation are transforming infrastructure
Innovation is transforming infrastructure systems at a rapid pace, with consequences on risks and vulnerabilities that critical infrastructure resilience and security policies should integrate. From the energy to the information or transportation sectors, large transformations are under way. The energy sector provides opportunities for significant innovations with the increasing share of renewable resources, the development of smart grids, and more decentralised and localised approaches to energy production and consumption. The rapid development of autonomous vehicles along with progress in artificial intelligence promises to change radically the transportation sector. Information and communication technologies have significantly transformed the way we exchange data and communicate in our daily lives. Smart cities, governed by a data-centred approach, aim to combine the data revolution with innovative and interconnected city services, reshaping metropolitan areas, where a majority of the global population lives.
As the pace of innovation continues to accelerate, this has implications for risk management. Overall, the current innovation trends suggest that more decentralised systems and autonomous mechanisms will progressively replace centralised networks with command and control automation. Such characteristics could strengthen resilience through increased redundancy and flexibility. However, it could also produce new forms of vulnerabilities: the multiplication of weak points in decentralised systems and the widespread risk of more damaging cyber-attacks to these systems, which increasingly rely on data flows and coding.
Rising investments in infrastructure provide opportunities for resilience
Major investments in new infrastructures are planned for the next decades and this constitutes a valuable opportunity to ensure that resilience is integrated from the outset. A recent OECD analysis suggests that USD 95 trillion is needed to cover infrastructure investments needs for the 2016-2030 period (OECD, 2017[10]). In many OECD countries, ageing infrastructure requires investments and innovation provides opportunities to make these investments contribute to increased productivity.
Getting such infrastructure investments not only right, but also resilient requires revisiting the overarching governance models for infrastructure delivery. The OECD has developed a framework for better infrastructure governance (OECD, 2017[11]) which aims to make the right projects happen, in a way that is cost effective, affordable and trusted by users and citizens. This framework stresses the need to integrate resilience upfront in the design of these investments, in order not only to protect these investments against hazards or threats, but also to maintain their function running at times of disasters.
Climate change will require also designing resilient infrastructure, adapting or retrofitting existing ones and building protective infrastructure, some of them being considered as critical. The OECD work on climate resilient infrastructure (OECD, 2018[12]) provides guidance on how to ensure climate resilience, through specific designs, strengthening the enabling environment for climate resilience and mobilising public and private investments.
References
[24] Acton, J. and M. Hibbs (2012), Why Fukishima was preventable?, http://www.CarnegieEndowment.org/pubs. (accessed on 25 February 2019).
[31] Alexander, D. (2013), “Volcanic ash in the atmosphere and risks for civil aviation: A study in European crisis management”, International Journal of Disaster Risk Science, Vol. 4/1, pp. 9-19, http://dx.doi.org/10.1007/s13753-013-0003-0.
[25] Bach, C. et al. (2013), “Adding value to critical infrastructure research and disaster risk management: the resilience concept”, http://journals.openedition.org/sapiens 6.1, https://journals.openedition.org/sapiens/1626 (accessed on 25 February 2019).
[34] Critical Five (2014), Forging a Common Understanding for Critical Infrastructure Shared Narrative, https://www.dhs.gov/sites/default/files/publications/critical-five-shared-narrative-critical-infrastructure-2014-508.pdf (accessed on 25 February 2019).
[29] Eurocontrol (2010), Ash-cloud of April and May 2010: Impact on Air Traffic, https://www.eurocontrol.int/sites/default/files/content/documents/official-documents/facts-and-figures/statfor/ash-impact-air-traffic-2010.pdf (accessed on 25 February 2019).
[22] FEMA (2013), Hurricane Sandy FEMA After-Action Report, https://www.fema.gov/media-library-data/20130726-1923-25045-7442/sandy_fema_aar.pdf (accessed on 25 February 2019).
[27] Fermandois, A. (2011), Chile and its earthquake-Preparedness, response and lessons, http://dels.nas.edu/resources/static-assets/materials-based-on-reports/presentations/AmbassadorFermandois.pdf (accessed on 25 February 2019).
[19] Flynn, S. (2015), Bolstering Critical Infrastructure Resilience After Superstorm Sandy: Lessons for New York and the Nation, Northeastern University, Boston, Massachusetts, http://dx.doi.org/10.17760/D20241717.
[16] Fu, G., J. Wang and M. Yan (2016), “Anatomy of Tianjin Port fire and explosion: Process and causes”, Process Safety Progress, Vol. 35/3, pp. 216-220, http://dx.doi.org/10.1002/prs.11837.
[15] Gordon, W., A. Fairhall and A. Landman (2017), “Threats to Information Security — Public Health Implications”, New England Journal of Medicine, Vol. 377/8, pp. 707-709, http://dx.doi.org/10.1056/NEJMp1707212.
[17] Huang, P. and J. Zhang (2015), “Facts related to August 12, 2015 explosion accident in Tianjin, China”, Process Safety Progress, Vol. 34/4, pp. 313-314, http://dx.doi.org/10.1002/prs.11789.
[21] Hurricane Sandy Rebuilding Task Force (2013), HURRICANE SANDY REBUILDING STRATEGY Stronger Communities, A Resilient Region, US Department of Housing and Urban Development, https://archives.hud.gov/news/2013/HSRebuildingStrategy.pdf (accessed on 25 February 2019).
[30] IATA (2010), IATA Economic Briefing Chart 1: The spread and shift of the plume, http://www.iata.org/economics (accessed on 25 February 2019).
[3] Krausmann, E. et al. (2016), Space weather and critical infrastructures : findings and outlook., European Commission Joint Research Centre, https://ec.europa.eu/jrc/en/publication/eur-scientific-and-technical-research-reports/space-weather-critical-infrastructures-findings-and-outlook (accessed on 25 February 2019).
[13] Mattei, T. (2017), “Privacy, Confidentiality, and Security of Health Care Information: Lessons from the Recent WannaCry Cyberattack”, World Neurosurgery, Vol. 104, pp. 972-974, http://dx.doi.org/10.1016/j.wneu.2017.06.104.
[28] Mazzocchi, M., F. Hansstein and M. Ragona (2010), The 2010 Volcanic Ash Cloud and its financial impact on the European airline industry, CESifo Forum No. 2, https://www.cesifo-group.de/DocDL/forum2-10-focus11.pdf (accessed on 25 February 2019).
[23] McGee, S. et al. (2014), Risk relationships and cascading effects in critical infrastructures: Implications for the Jyogo framework, https://www.preventionweb.net/english/hyogo/gar/2015/en/bgdocs/McGee%20et%20al.,%202014.pdf (accessed on 25 February 2019).
[32] Minkel, J. (2008), The 2003 Northeast Blackout--Five Years Later - Scientific American, https://www.scientificamerican.com/article/2003-blackout-five-years-later/ (accessed on 25 February 2019).
[26] Muir-Wood, R. (2011), Designing optimal risk mitigation and risk transfer mechanisms to imrove the management of earthquake Risk in Chile, OECD Working papers on Finance, Insurance and Private pensions NO. 12, http://www.oecd.org/daf/fin/wp (accessed on 25 February 2019).
[14] O’Dowd, A. (2017), “Major global cyber-attack hits NHS and delays treatment.”, BMJ (Clinical research ed.), Vol. 357, p. j2357, http://dx.doi.org/10.1136/bmj.j2357.
[2] OECD (2018), Assessing Global Progress in the Governance of Critical Risks, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264309272-en.
[5] OECD (2018), Assessing the Real Cost of Disasters: The Need for Better Evidence, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264298798-en.
[12] OECD (2018), “Climate-resilient Infrastructure”, OECD Environment Policy Paper, No. 14, OECD, Paris, http://www.oecd.org/environment/cc/policy-perspectives-climate-resilient-infrastructure.pdf (accessed on 25 February 2019).
[8] OECD (2018), Countering Hybrid Threats, https://www.oecd.org/gov/risk/strategic-crisis-management-helsinki-agenda-2018.pdf (accessed on 25 February 2019).
[11] OECD (2017), Getting Infrastructure Right: A framework for better governance, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264272453-en.
[10] OECD (2017), Investing in Climate, Investing in Growth, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264273528-en.
[20] OECD (2014), Boosting Resilience through Innovative Risk Governance, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264209114-en.
[1] OECD (2014), Recommendation of the Council on the Governance of Critical Risks, http://www.oecd.org/gov/risk/Critical-Risks-Recommendation.pdf (accessed on 25 February 2019).
[7] OECD (2014), Seine Basin, Île-de-France, 2014: Resilience to Major Floods, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264208728-en.
[9] OECD (2011), Future Global Shocks: Improving Risk Governance, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264114586-en.
[41] OECD and EU JRC (2018), System thinking for critical infrastructure resilience and security - OECD/ JRC Workshop - OECD, http://www.oecd.org/gov/risk/workshop-oecd-jrc-system-thinking-for-critical-infrastructure-resilience-and-security.htm (accessed on 25 February 2019).
[6] Rose, A. et al. (2012), Total Regional Economic Losses from Water Supply Disruptions to the Los Angeles County Economy, https://www.laedc.org/reports/WaterSupplyDisruptionStudy_November2012.pdf (accessed on 25 February 2019).
[18] Swiss Re (2016), Analysis of Tianjin Port Explosion | Swiss Re - Leading Global Reinsurer, https://www.swissre.com/china/Analysis_of_Tianjin_Port_Explosion.html (accessed on 25 February 2019).
[33] U.S.-Canada Power System Outage Task Force (2004), Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommentations, https://www3.epa.gov/region1/npdes/merrimackstation/pdfs/ar/AR-1165.pdf (accessed on 25 February 2019).
[4] UK Goverment (2017), UK Climate Change - Risk Assessment 2017, http://www.gov.uk/ (accessed on 25 February 2019).
Annex 1.A. Lessons learned from past critical infrastructure failures
Wannacry Ransomware Attack 2017
The event and its impacts: The Wannacry ransomware was spread by hackers on the 13th of May 2017 and infected more than 200,000 computers in 150 countries (Mattei, 2017[13])). Wannacry is a malicious software that blocks user access and locks files in the infected systems so that victims are requested to pay a ransom of $300 to $600 in exchange for a decryption key to return the encrypted files. The cyberattack disrupted routine operations and caused chaos in large commercial and government institutions including FedEx, Deutche Bahn, Megafon, Telefonica, or the Russian Central Bank. The National Health Service (NHS) in the UK was worst affected when the cyberattack reached information technology systems in hospitals. As a consequence, hospitals and healthcare facilities had to cancel operations, delay treatments, and declare placement on diversion status across England and Scotland (O’Dowd, 2017[14]). The healthcare system in the UK was crippled and large concerns were raised about threats to the privacy and security of patient data and records.
Lessons Learned: The Wannacry Ransomware cyberattack in 2017 exposed the vulnerabilities and risks to information security systems and cascading effects of interdependent and interconnected systems of critical infrastructure. Information communication technologies are the backbone to many industries and the case highlights the effects of a cyberattack disrupting normal operations of several commercial and government institutions across the globe. In particular, it reveals the need to strengthen security of information systems in healthcare – a sector classified as critical infrastructure in most countries (O’Dowd, 2017[14]). Continuity of business plans should be implemented to ensure continuity for the delivery of treatment and services during disruptions. State-of the art technology can create early-warning systems and ensure privacy and security of patients’ data and records (Gordon, Fairhall and Landman, 2017[15]). Cybersecurity and protection of information communication technologies are increasingly at the forefront of critical infrastructure security strategies. It should take into account advancements in technologies and potential new vulnerabilities and risks, as well as the interdependencies of our modern society highly dependent on information systems. The security of healthcare information should be a first-level national security priority.
Tianjin Port Blast, 2015
The event and its impacts: On August 12, 2015, a hazardous material warehouse exploded at Tianjin Port. The site was a hazardous material supervising station and a licensed unit of the Tianjin Municipal Transportation Commission for hazardous material operations at the port. The major commodity in this warehousing business is hazardous and toxic materials and gases. The crisis occurred in a series of events, starting with a fire alarm at 22h50 and calls made to the local fire department (Fu, Wang and Yan, 2016[16]). Fire brigades quickly came but had difficulty to access the site due to multiple high stacks of containers. As the site became hotter, police and firefighters started to initiate evacuations starting around 23h13. Following the fires, two explosions occurred within a few seconds of one another causing the ground to shake equivalent of a 2.2 and 2.9 magnitude earthquake and producing fireballs. The explosions and fires caused 233 persons to be hospitalized, including three critically ill and three severely ill ( (Huang and Zhang, 2015[17])). Fatalities reached to 173 and insured losses came up to $2.4 bn. making it the worst industrial disaster in years to happen in China (Swiss Re, 2016[18]). More than 17,000 households had doors and windows destroyed by the explosion and 779 businesses suffered losses. The site of explosion was located near a storage place for imported vehicles for companies Volkswagen, Renault, Land Rover, and others, which led to an estimated thousands of imported new vehicles burned, worth more than $31 million.
Lessons Learned: The Tianjin accident triggered concerns about the production, storage, transportation and use of hazardous chemicals – a sector deemed as critical infrastructure. The case reveals many problems associated with failures of risk control and violations of national or industry standards (Swiss Re, 2016[18]). Firstly, correctly identifying and understanding hazardous chemicals and managing them scientifically has become the high priority in risk management and control. To ensure the security and protection of production, storage and transportation of hazardous chemicals, there needs to be routine safety assessments and inspections on complying with those safety requirements. The case further shows the importance of sharing knowledge about hazardous chemicals including: classification and identifying which industries have hazardous chemicals. Enterprises that have activities involved with hazardous chemicals should be required to identify their own major hazardous sources, and carry out safety evaluations of sources of risk. In addition, neighboring enterprises should be informed and have crisis and evacuation plans in case of accidents nearby.
Hurricane Sandy, United States 2012
The event and its impacts: In late October 2012, Superstorm Sandy struck New Jersey and New York, leaving in its wake roughly $68 billion in damages and major impacts on the energy, transportation, communications, water, and health sectors in the greater New York-New Jersey metropolitan area (Flynn, 2015[19]). An estimated 8.5 million households suffered from electricity shortages and 5.4 million people were affected by the loss of subway services. The damages to transport services alone were estimated at more than USD 10 billion (OECD, 2014[20]). Following landfall, the interdependencies of the highly networked fuel supply and distribution system and the electric power sector along the East Coast of the United States became evident. Unlike previous fuel supply shocks following hurricanes in the United States, this event primarily affected consumers not producers. Some of the hardest hit areas were already at a disadvantage prior to landfall, as their fuel retail outlets were low on fuel, or had completely exhausted their supplies due to a surge in fuel demand as a result of resident preparations for the storm. After Sandy hit, many of the fuel outlets that had supplies were non-functional, because their pumps lacked power due to electrical outages Meanwhile, retail outlets without fuel supply could not be resupplied, because compressor stations lacked the auxiliary power capabilities necessary to maintain interstate pipeline operations. These interdependencies between the fuel sector and, electric power sector, and the potential for related cascading impacts, were unanticipated.
Lessons Learned: Four key areas have been identified as being responsible for the observed critical infrastructure failures (Flynn, 2015[19]). First, stakeholders had little understanding of critical infrastructure interdependencies and the potential for cascading impacts associated with system disruptions (e.g., the linkage between the fuel distribution and retail network and the power sector). Second, building standards have not evolved with the development of more modern engineering designs, tools, and practices that are capable of enhancing the resilience of interdependent systems. Critical elements of the transportation system such as tunnels, bridges, rail lines and stations of the New Jersey/New York metropolitan transit services, which serve as the primary means for moving people and goods within the region, are located in low-lying areas and have in many cases not been built to withstand flooding. Third, current organizational management frameworks and regional governance have not been sufficiently designed to address lifeline sector−fuel, electricity, water, transportation, communications and health−interdependencies. For example, healthcare facility evacuation plans prompted the release of all but those patients with the most serious conditions into a community that ultimately did not have power necessary to run medical devices at home or transportation access for caregivers to reach home-bound patients. Fourth there are not enough economic and/or policy incentives for developing resilience and in many cases, institutional and financial disincentives detract from investments in resilience. For example, many public and private operators opt to accept federal financial disaster assistance rather than rely on their own funds to invest in resilience measures. Insufficient regional coordination and collaboration across the New York and New Jersey Metropolitan Areas in managing risks that disasters pose to regional lifeline infrastructures has been another contributing factor that exacerbated disaster impacts .
In recognition of the magnitude of recovery, the President of the United States created the Hurricane Sandy Rebuilding Task Force charged with “identifying and working to remove obstacles to resilient rebuilding while taking into account existing and future risks and promoting the long-term sustainability of communities and ecosystems in the Sandy-affected region” (Hurricane Sandy Rebuilding Task Force, 2013[21]). In its report, the Task Force noted the storm’s particularly devastating impact on the region’s energy, communications, transportation, water and wastewater management, and healthcare infrastructure and the significant associated delays in response and recovery efforts and losses in economic activity. Based on lessons learned during the recovery process, the Task Force developed a set of 69 recommendations, nearly half of which included a call to develop resilience in the course of the recovery process. In response to the massive power cut that followed hurricane Sandy in New York and New Jersey the Federal Emergency Management Agency (FEMA) established, at the request of the President, the Energy Restoration Task Force. The Task Force supported a massive private power restoration effort, in which electric utilities executed mutual aid agreements to deploy over 70,000 workers to the affected areas. It enabled air transportation of 229 power-restoration vehicles and 487 personnel to help New York and New Jersey restore power ( (FEMA, 2013[22])).
The Great East Japanese Earthquake, 2011
The event and its impact: In 2011 an earthquake off the coast of Japan caused significant damage on land and triggered a series of large tsunami waves that severely impacted the north-eastern coast. Inland flooding due to the tsunamis, in turn, set in motion a major nuclear accident at the Fukushima Daiichi nuclear power plant (McGee et al., 2014[23]). Although the Fukushima Daiichi nuclear power station survived the earthquake relatively unscathed and even initiated emergency shutdown procedures appropriately, the design of the site was not adequate to prevent flooding from a tsunami that significantly exceeded site barrier heights. Grid-based electrical power to the area had been knocked offline as result of the earthquake and when the tsunami breeched the site’s walls, the subsequent flooding drowned the facility’s back-up diesel power generating units and secondary back-up DC batteries (Acton and Hibbs, 2012[24]). Without power, the plant was unable to provide sufficient cooling to three of its reactors which ultimately suffered a level 7 event full meltdown (on an International Nuclear Event scale of 1-7), in excess of even the 1986 Chernobyl disaster (McGee et al., 2014[23]). An estimated 4.4 million households were affected by reduced power supply provided by TEPCO, the Tokyo Electric Power Company. The Shinkansen high-speed rail was closed during two weeks (OECD, 2014[20]).
Lessons Learned: Post-event analyses revealed that the meltdown was, to some extent, preventable. The incident may have caused fewer impacts had the power plant incorporated the resilience concept into the design. For example, the plant’s cooling system was functionally dependent on assured electrical power, and the fire brigade response might have been more timely and reduced the impact if traffic routes were not blocked (Bach et al., 2013[25]). Although the Japanese nuclear industry had the highest nuclear safety standards in the world in terms of seismic risk management, it may have come at the detriment of accounting for a wider range of potential (knock-on) risks. These contributing factors demonstrate the critical role of effective regulators and the need for regular safety reviews that account for and lead to the incorporation of both the dynamic and evolving threat landscape and contemporary best practices (Acton and Hibbs, 2012[24]).
Chile Earthquake 2010
The event and its impact: The 2010 earthquake that occurred on February 27 off the coast of central Chile resulted in USD 30 billion (18 % of GDP) worth of total damages and of that total, USD 20.9 billion (12.7% of GDP) was due to infrastructure damage. The earthquake affected a region comprising 30-40% of national manufacturing capacity. Almost all commercial activity was suspended in this area for a few days and while most industries were able to restart production, some major industries, in particular relating to pulp paper production, wine making and oil refining had no, or significantly reduced, commercial activity for months. The total decline in national economic activity in March 2010 was assessed at 5 %. Economic disruption continued over the next three months, finally returning to pre-disaster levels by July 2010 (Muir-Wood, 2011[26]). The earthquake’s impacts could have been far worse if not for deliberate planning in the energy sector and strong building codes designed around seismic risk (Fermandois, 2011[27]).
Lessons Learned: Reflecting on the impacts of 2010 earthquake, the Chilean Government took actions to address observed vulnerabilities. At the operational level, the Chilean government committed to resolve the communications outages and monitoring outages that occurred in 2010 with investments in real-time monitoring processes and robust telecommunications systems complete with redundancies (Fermandois, 2011[27]).
Icelandic ash cloud, 2010
The event and its impact: In April 2010, the Icelandic volcano Eyjafjallajokull erupted producing an enormous cloud of ash that progressively moved across the European skies. As a consequence, European air traffic control authorities declared no-fly zones for 20 countries within Europe’s airspace due to potentially dangerous conditions of fine ash particles entering into aircraft engines causing equipment failures (Mazzocchi, Hansstein and Ragona, 2010[28]). The British government took the lead in closing airports, on account of information from the London branch of the International Airways Volcano Watch which liaised with the UK’s National Air Traffic Control Service (NATS) (Alexander, 2013). Other countries in northern and central Europe followed the process. The decisions guiding closures were based on approximate data on ash dispersion, but neither data nor maps were provided indicating exact concentration levels across the entire European skies. Closure of Europe’s airports and airspace lasted for a period of over seven days with cancellation of up to 100,000 flights affecting 10 million passenger journeys (Eurocontrol, 2010[29]). The airline industry faced high costs of up to $400 million per day (IATA, 2010[30]). Stranded passengers looked for other transport modes, notably trains, the cross-channel Eurostar and ferries which were neither equipped nor flexible for such an increase in demand. If the crisis had continued longer, the lack of integration between different modes within the European transportation system would have resulted in severe problems to move stranded people and commodities, as well as incurred soaring economic losses (Alexander, 2013[31]).
Lessons Learned: The transportation sector which includes aviation and airports is deemed critical infrastructure in most countries. The Icelandic ash cloud crisis revealed the need for increased coordination across scientific communities and channels to exchange information with authorities for better evidence-based decision-making, especially important during crises (Alexander, 2013[31]). The physical thresholds for density of airborne ash for safe flight were defined somewhat arbitrarily and did not take into account that the cloud did not constitute a uniform hazard to aviation. However, the available information guided risk averse decisions to restrict complete access to airspace, and led to increased disruptions of European transportation systems. Furthermore, the lack of pre-existing procedures and planning to manage this kind of crisis resulted in improvised responses to dynamic and changing meteorological conditions (Alexander, 2013). A closer link is needed between operational, regulatory and political bodies to ensure safe, pragmatic and coordinated decisions (Eurocontrol, 2010[29]). The case shows that the management of crises requires strengthened regional and international coordination for response in disruptions to transportation, as well as the need to develop continuity of business and contingency plans to address stranded passengers and economic costs (Mazzocchi, Hansstein and Ragona, 2010[28]).
Northeast United States and Canadian Power Outage, 2003
The event and its impact: On August 14, 2003, a fault due to a high-voltage power line in northern Ohio brushing against overgrown trees led to a system shut down (Minkel, 2008[32]). This occurrence would have normally set off an alarm, but the alarm system failed. As operators attempted to identify the problem, additional lines touched trees and shut down leading to an overburdening of lines that remained operational. Within two hours of the initial problem, the overloaded lines shut down triggering cascading failures in south-eastern Canada and eight states in the Northeast United States. The outage impacted a range of other critical infrastructure sectors including energy, communications, finance, health care, food, water, transportation, safety, government and manufacturing. Ultimately, the blackout impacted 50 million people in both the United States and in Canada at an estimated cost of USD 6 billion (Minkel, 2008[32]).
Lessons Learned: The 2003 blackout serves as a case study of the challenges associated with varying levels of fragmented control, accountability, and authority for critical infrastructure (U.S.-Canada Power System Outage Task Force, 2004[33]). The official bilateral government report examining the 2003 Northeast Power outage described direct causes and contributing factors of the incident, including: “failure to maintain adequate reactive power support; failure to ensure operation within secure limits; inadequate vegetation management; inadequate operator training; failure to identify emergency conditions and communicate that status to neighbouring systems; and inadequate regional-scale visibility over the bulk power system”. The latter resulted in situations where for example in the city of Ottawa the bridges that crossed over to Quebec were half lit because the power was still on in Gatineau, Quebec but there seemed to be no ability to send that power to the side of the province of Ontario. These findings translated to several notable lessons learned in the form of recommendations. For example, the Task Force asserted that regulators, the electric power industry, and related stakeholders should adhere to high reliability standards, using market mechanisms when and where possible, but always choosing high reliability over commercial objectives should conflicts between the two arise. The report went on to emphasize that both regulators and consumers should recognize that reliability requires investment and operational expenditures that businesses will be unwilling to commit to if the costs are not accompanied by assurances from regulators regarding recoverability. Prompted by the analysis of the blackout incident, the United States Congress passed the Energy Policy Act of 2005, which enabled the Federal Energy Regulatory Commission (FERC) to enforce new North American Electricity Reliability Corporation standards; five years following the incident, FERC had far approved 96 new reliability standards (Minkel, 2008[32]).