Sat May 17 10:29:53 PDT 2014

Risk Management: Interdependencies: How should real-time interdependency risks be managed?


Options:

Option 0: This situation should be avoided - do not proceed under this condition.
Option 1: Real-time interdependencies should be ignored as too complex to identify in advance.
Option 2: Real-time interdependencies should be identified in advance but only to the borders of the facility or enterprise.
Option 3: Real-time interdependencies should be identified in advance as far as they reasonably extend.
Option A: Interdependent failures should be mitigated in real-time as part of the incident response process.
Option B: Interdependent failures should be mitigated in advance by adding redundancy and/or hardening interdependent systems.
Option C: Interdependent failures should be mitigated in advance through failsafes and alternative operating modes.
Option D: Event sequences leading to potentially serious negative consequences should be examined in detail for specific mitigation sequencing strategies.

Decisions:

The suggested approach to real-time interdependency risk management is as follows:

(Columns: Risk Level, Skill, Maturity, Alternatives. "---" means the column does not apply to that row.)

Risk Level: High | Skill: High | Maturity: Optimizing
    Real-time interdependencies should be identified in advance as far as they reasonably extend. AND
    Event sequences leading to potentially serious negative consequences should be examined in detail for specific mitigation sequencing strategies.

Risk Level: High | Skill: High | Maturity: Managed+
    Real-time interdependencies should be identified in advance as far as they reasonably extend. AND
    Interdependent failures should be mitigated in advance by adding redundancy and/or hardening interdependent systems. AND
    Interdependent failures should be mitigated in advance through failsafes and alternative operating modes. AND
    Interdependent failures should be mitigated in real-time as part of the incident response process.

Risk Level: High | Skill: --- | Maturity: Defined-
    This situation should be avoided - do not proceed under this condition.

Risk Level: High | Skill: Med- | Maturity: ---
    This situation should be avoided - do not proceed under this condition.

Risk Level: Medium | Skill: Med+ | Maturity: Defined+
    Real-time interdependencies should be identified in advance but only to the borders of the facility or enterprise. AND
    Interdependent failures should be mitigated in real-time as part of the incident response process. AND
    Interdependent failures should be mitigated in advance by adding redundancy and/or hardening interdependent systems.

Risk Level: Medium | Skill: --- | Maturity: Repeatable-
    This situation should be avoided - do not proceed under this condition.

Risk Level: Medium | Skill: Low | Maturity: ---
    This situation should be avoided - do not proceed under this condition.

Risk Level: Low | Skill: Low | Maturity: Repeatable+
    Real-time interdependencies should be ignored as too complex to identify in advance. AND
    Interdependent failures should be mitigated in real-time as part of the incident response process.

Risk Level: Low | Skill: Low | Maturity: Initial-
    This situation should be avoided - do not proceed under this condition.

Real-time interdependency risk management

Basis:

Real-time interdependencies should be ignored as too complex to identify in advance.
When the consequences are sufficiently low, adequate expertise is unavailable, or maturity is inadequate for interdependency analysis, analysis of real-time interdependencies is likely to be infeasible. But failure to do this analysis should limit the risk acceptance threshold to low-risk situations.

Real-time interdependencies should be identified in advance but only to the borders of the facility or enterprise.
In cases where the consequences of failures don't extend beyond the facility or enterprise, the interdependency analysis can reasonably stop there. However, the enterprise may wish to extend its analysis further in order to better understand its risks.

Real-time interdependencies should be identified in advance as far as they reasonably extend.
For high-consequence situations, interdependencies should not be limited to the facility or enterprise, as they affect the rest of society. They should be traced as far as they need to go, until no identified interdependencies of significant consequence remain.


Interdependent failures should be mitigated in real-time as part of the incident response process.
While it would be nice never to require real-time incident response to mitigate failures in interdependent systems, as a practical matter, some amount of this is always likely to be required. However, as a primary mode of operation, it is really the last line of defense, and should not be the first line when consequences are high enough to justify alternatives.

Interdependent failures should be mitigated in advance by adding redundancy and/or hardening interdependent systems.
Redundancy and hardening are particularly useful in cases where large classes of failure modes can be covered, but they often leave common-mode failures uncovered. Their use often relieves the need for real-time response, which allows reduced operational costs and sustained operations until repair can be undertaken.
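The two analysis scopes above (stopping at the enterprise border versus tracing interdependencies as far as they extend) and the common-mode failures that redundancy leaves behind can both be made concrete on a dependency graph. The following is an added example, not code from the original page; the system names, the border, and the redundant pair are all constructed for illustration.

```python
from collections import deque

# Constructed sample model, not from the original page: each entry lists the
# systems a given system depends on in real time. All names are hypothetical.
DEPENDS_ON = {
    "billing":       ["db_cluster", "auth"],
    "db_cluster":    ["db_node_a", "db_node_b"],
    "db_node_a":     ["site_power"],
    "db_node_b":     ["site_power"],
    "auth":          ["idp_saas"],
    "site_power":    ["regional_grid"],
    "idp_saas":      ["regional_grid"],
    "regional_grid": [],
}
# Systems whose listed dependencies are redundant alternatives (any one suffices).
REDUNDANT = {"db_cluster"}
# Systems inside the enterprise border; Option 2 stops the analysis here.
INSIDE = {"billing", "db_cluster", "db_node_a", "db_node_b", "auth", "site_power"}

def upstream(system, stop_at_border=False):
    """Every system whose failure can propagate to `system`.
    stop_at_border=False traces as far as the dependencies extend (Option 3);
    stop_at_border=True ends the trace at the enterprise border (Option 2)."""
    found, queue = set(), deque([system])
    while queue:
        for dep in DEPENDS_ON.get(queue.popleft(), []):
            if dep in found or (stop_at_border and dep not in INSIDE):
                continue
            found.add(dep)
            queue.append(dep)
    return found

def beyond_border(system):
    """Interdependencies a border-limited analysis (Option 2) would not see."""
    return upstream(system) - upstream(system, stop_at_border=True)

def common_mode(system):
    """Transitive dependencies shared by every redundant branch of `system`:
    the common-mode failures that redundancy and hardening leave uncovered."""
    if system not in REDUNDANT:
        return set()
    shared = None
    for branch in DEPENDS_ON[system]:
        closure = upstream(branch) | {branch}
        shared = closure if shared is None else shared & closure
    return shared or set()

print("beyond border:", sorted(beyond_border("billing")))
print("common mode for db_cluster:", sorted(common_mode("db_cluster")))
```

In the sample graph the redundant database pair shares site power and the regional grid, so redundancy alone does not cover those failures, and a border-limited trace never sees the external identity provider or the grid at all.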

Interdependent failures should be mitigated in advance through failsafes and alternative operating modes.
Some interdependencies cannot be resolved by redundancy or hardening (e.g., common-mode failures and malicious insider acts). In these cases, coverage via failsafe modes and other alternative (often sub-optimal) operating modes often resolves the real-time issues.

Event sequences leading to potentially serious negative consequences should be examined in detail for specific mitigation sequencing strategies.
When consequences are sufficiently high to warrant thorough examination of the situation, this is the most definitive approach. In essence, it combines the other approaches into an optimal strategy which takes into account all of the identifiable event sequences (or classes of them) and uses each when and where appropriate, in a coordinated fashion.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved