A mathematical framework to optimize resilience of interdependent critical infrastructure systems under spatially localized attacks

Highlights

• We model the worst-case of spatially localized attacks.

• We model interdependent critical infrastructure systems under disruptions.

• We propose a method to optimize interdependent infrastructure resilience.

• A tri-level defender-attacker-defender model is formulated for the problem.

• A decomposition algorithm is proposed to exactly solve the model.

Abstract

This paper defines the hazards that can cause direct localized damage or interruption as Spatially Localized Attacks (SLAs). The SLAs-induced impact on a critical infrastructure system (CIS) is modeled as the failure of system components that exist within some localized area while those outside this area remain operating. Instead of identifying and analyzing each type of the SLAs-related hazards, this paper makes a worst-case analysis and proposes a mathematical framework to support resilience optimization of interdependent CISs under the worst SLA. For illustrative purposes, this paper mainly considers two types of strategies to enhance CIS resilience, including protecting weak components, and building new components to increase redundancy. The problem is mathematically formulated as a tri-level defender–attacker–defender model, which is exactly solved by a proposed decomposition algorithm. The case study on interdependent power and water systems demonstrates how the proposed approach can not only identify the optimum resilience enhancement strategy as well as the worst-case SLA, but also analyze the importance of considering interdependencies from both the attacker's and the defender's perspectives.

Introduction

Critical infrastructure systems (CISs), such as electric power, water supply, transportation and telecommunication systems, are the backbone for a functioning city or nation as they provide essential services to support the well-being of its citizens. These CISs are not isolated and may be physically, geographically, cyber and logically dependent and interdependent (Ouyang, 2014, Peerenboom et al., 2002, Rinalidi et al., 2001). Strictly speaking, dependencies refer to unidirectional relationships, and interdependencies indicate bidirectional interactions (Rinalidi et al., 2001). Nonetheless, in the literature, dependencies are usually regarded as interdependencies, unless they are particularly referred to, which is also applied in this paper. On the positive side, interdependencies may improve the operational efficiencies of these systems. For example, in China and Japan, geographical interdependencies among some CISs are intentionally designed by constructing utility tunnels, which are passages built underground or aboveground to carry utility lines, such as electricity wires, water pipes, sewer pipes and some communications utilities. These utility tunnels can facilitate the maintenance of the carried CISs and enhance the land use efficiency.

On the negative side, interdependencies may aggravate the damage consequences (Ouyang, 2014). For example, due to the physical interdependencies, failure in one system can propagate to other systems; due to the geographical interdependencies, some extreme events can break the utility tunnels and make multiple CISs fail simultaneously. These issues have been recognized by many governments and scholars. A lot of countries have initiated critical infrastructure protection plans, such as claiming December as critical infrastructure protection and resilience month by the president of the USA in 2009, releasing critical infrastructure resilience strategy and implementation program in Australia in 2010 (Australian Government, 2010), and publishing critical infrastructure resilience program in UK in 2011 (Secretary of State for Environment, Food and Rural Affairs by Command of Her Majesty, 2011). In these plans, the term resilience was emphasized. In the research field, the number of the resilience-related papers in the Scopus database increased exponentially in the past twenty years (Bergstrom et al., 2015, Righi et al., 2015). Then, what is resilience?

Despite many definitions for the term resilience, even only focusing on CISs (ASCE 2013, The Infrastructure Security Partnership (TISP) 2011, The White House 2013), there still exists a consensus. Basically, resilience is the capability of a system to withstand internal/external stresses and recover from them. To quantify the CIS resilience, various metrics have been proposed based on the system performance curves under disruptions (Cavallaro et al., 2014, Franchin and Cavalieri, 2015, Francis and Bekera, 2014, Hosseini et al., 2016). Some resilience metric, like reliability and survivability (Ben Yaghlane & Azaiez, 2017), is described by a probability (Chang & Shinozuka, 2004), but most of existing resilience metrics are described as deterministic values. Despite the absence of a common resilience metric, there are several consensuses. First, when considering the resilience, we need to ask ourselves, “resilience to what”, which means that resilience quantification needs to first specify the type of disruptive event. Second, the value of resilience to a disruptive event is mainly affected by system robustness and system recovery rapidity under this event, where the robustness is quantified as system performance level immediately after the event and before any restoration efforts, and the recovery rapidity describes how quickly the system recovers after the event. Specially, in the case of sufficient repair resources, the resilience is mainly affected by the robustness. As an initial step, this paper simply quantifies system resilience as the robustness. In the literature, scholars have studied the robustness or the performance drop immediately after the event for interdependent CISs under different types of disruptive events, including random failures that are usually modeled by randomly removing a certain fraction or number of CIS components (Baxter et al., 2012, Buldyrev et al., 2011, Gao et al., 2011, Parshani et al., 2010, Rosato et al., 2008, Shao et al., 2011, Svendsen and Wolthusen, 2007, Zio and Sansavini, 2011), natural hazards whose impacts on CIS components are usually modeled according to their fragility curves (Cavallaro et al., 2014, Dueñas-Osorio et al., 2007a; Adachi and Ellingwood, 2008, Federal Emergency Management Agency (FEMA) 2015, Franchin and Cavalieri, 2015, Hong et al., 2015, Ouyang and Dueñas-Osorio, 2011, Ouyang and Wang, 2015, Poljansek et al., 2012 & 2017), malicious attacks that are usually modeled as the failure of important components (Dueñas-Osorio et al., 2007b, Huang et al., 2011, Nan et al., 2013, Zio and Sansavini, 2011, Ouyang et al., 2015, Zio et al., 2012a & Zio et al., 2012b, Pinar et al., 2010, Wang et al., 2013, Chen et al., 2015, Chopra and Khanna, 2015), and some combinations of the above events (Levitin, 2007, Levitin and Hausken, 2009). Actually, the above mentioned disruptive events should strictly be grouped into non-proximity-based events as they do not consider the geographical proximity or correlation of the damaged components.

This paper mainly focuses on spatially localized attacks (SLAs), which are defined as the hazards that can cause direct damage or interruption of system components that exist within some localized area while those outside this area remain operating. For example, on September 11, 2001, the New York terrorist attack caused the full collapse of the WTC1 and the WTC2, and the debris caused the damage of some neighboring buildings. These damaged buildings further caused the damage of many infrastructure components within 0.21 kilometers from the attack center, including power substations, water pipes, telecommunication centers and subway tunnels. On August 12, 2015, the Tianjin chemical explosion event caused the damage or interruption of some main road segments, a subway station and many other infrastructure components located within 1 kilometers from the attack center. On July 06, 2016, the Wuhan heavy rainstorm caused the whole city as an ocean, and all three railway stations in Wuhan were flooded and interrupted, but the railway interruption was still localized from the whole country view. From the above events, it can be found that the SLAs can be triggered in various ways and some of which may be unexpected and cannot be identified until they occur. Instead of defining and analyzing each of the SLAs-related hazards, this paper makes a worst-case analysis and proposes a mathematical framework to support resilience optimization of interdependent CISs under the worst-case SLA. In the literature, there are some studies on identifying the worst-case localized attack in interdependent CISs. For instance, Patterson and Apostolakis (2007) studied the interdependent CISs in a campus area by dividing the area into a generic hexagonal grid with a small radius 7 meters, and removed the CIS components within each grid to approximate the localized attack for identifying the worst-case attack. Johansson and Hassel (2010) made a similar analysis by considering square attack areas. Nonetheless, the results from these studies depended on the shape of the attack area (square, hexagon, etc.) and how the infrastructure map was partitioned into small attack areas. Recently, Ouyang (2016) and Ouyang, Tian, Wang, Hong, and Mao (2017) modeled the attack area by a circle shaped area and then proposed an exact algorithm to identify the worst-case attack. However, all these studies did not investigate how to mitigate the SLAs for maximizing system resilience under the worst-case SLA, as also not found in other literature by the author.

Despite the reduced number of studies for interdependent CISs under spatially localized attacks, for single CISs and for non-proximity-based malicious attacks, similar problems have been extensively investigated in the literature. This type of problems needs to introduce a virtual attacker who seeks the most harmful attack strategy to disrupt the system and a defender who can take defense measures to minimize the damage consequences. The interactions between the attacker and the defender can be described by a tri-level defender–attacker–defender (DAD) model. The inner level of this model describes how the defender manipulates component flow to minimize the damage consequences, the middle level describes how the attacker disrupts the system to maximize the disruption consequences, and the outer level describes how the defender can optimally protect the system. This modeling framework has been applied to identify the optimal protection strategies for electric power systems (Brown et al., 2006, Chen et al., 2011), a rail system (Alderson, Brown, & Carlyle, 2014), a notional commodity distribution network (Alderson, Brown, & Carlyle, 2015), and some other CISs (Alderson, Brown, Carlyle, & Wood, 2010) under the non-proximity-based malicious attacks. This paper will adapt the framework for interdependent CISs against the spatially localized attacks and address the modeling and solution challenges due to the interdependencies among CISs. For illustrative purposes, this paper mainly considers two types of strategies to enhance system resilience, including protecting weak components, and building new components to increase redundancy. In addition, different from many existing studies in the literature that adopt probabilistic frameworks to model the actions and outcomes of the attacker and defender (Hausken & Levitin, 2009 & Hausken and Levitin, 2012, Hausken, 2011, Hausken, 2017), where the defender minimizes the maximal expected damage that an attacker can inflict, this paper uses the worst-scenario approach and the defender minimizes the expected damage given that the attacker selects the worst-case attack scenario. Hence, the problem in this paper can be described by a deterministic optimization model.

The rest of the paper is organized as follows: Section 2 introduces the model for resilience optimization of interdependent CISs against spatially localized attacks (ROICISs-SLAs). Section 3 provides the solution algorithm. Section 4 shows the results by applying the proposed approach to interdependent power and water systems. Section 5 gives conclusions and future work.