Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology. Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors. However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility. This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.
A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system. An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission. This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations. The mission impact is quantified to enable informed decision making of the entire solution space.