Mode-Based Vulnerability Analysis

In this activity, you will review a specific critical infrastructure (Level 1) for risk using the MBVA model.
Select a specific Level 1 critical infrastructure used in this module (water in Norfolk, Virginia) and review it for risk using the MBVA model. You may want to focus on a specific sector in your hometown or one that you deem in need of analysis. Use the steps outlined in module 4 to assess the risk. Upon completion of the risk analysis scoring, propose actions or activities that will reduce the risk/vulnerability of the infrastructure. The final paper should show all calculations in the MBVA risk model and include an introduction, summary of your findings, and conclusion where you suggest actions or activities to reduce the risk.
1. Take Inventory: What assets do you have to consider within the scope of the analysis?
2. Perform Network Analysis: Is the network scale-free? Small world? Which are the critical nodes?
3. Construct Fault Tree: Identify vulnerabilities, model the sector using logic gates, and assign probabilities (none, low, medium, high, certain).
4. Derive the Event Tree: Combine all combinations of events and compute probabilities of possible outcomes.
5. Compute Allocation Strategy: Using budgets, cost estimates, and damage estimates.
MBVA is a four stage process:
• The first stage is the network model. We’ve already seen that we can model sectors or parts of sectors as networks of nodes and links. In order to do this, you have to understand how the sector works so you can correctly identify what the nodes and links should be. These are the assets of the sector. The outputs from this stage are the node histogram and the critical nodes or hubs in the network.
• The second stage is the fault analysis. The inputs here are the vulnerabilities, the logic that connects the assets in the sector together, and the probabilities of faults for each vulnerability. Here, we build the fault tree. This is the stage where it is most critical that you understand how the sector works. If you don’t understand how the different parts of a sector operate, you’re almost certain to build a poor fault tree.
• Next, in the third stage, we create the event tree from the fault tree. From this stage we obtain an identification of the threat combinations that we care about the most and the probabilities associated with these (Lewis, 2006).
• Finally, the fourth stage is where we reduce fault or risk to reveal a resource allocation strategy. During this stage, we need to identify what our working budget is, what the costs are if any vulnerability were to be exploited, and lastly, what the damage costs would be to repair that asset if it were successfully attacked (Lewis, 2006).
The final stage of the MBVA process is step five – computing the allocation strategy. Here, the cost and damage estimates are taken to produce an investment strategy for reducing vulnerability or risk. There are eight analytical tools used to complete the MBVA process. The following summary illustrates these eight tools:
1. MBVA Step 5: This final step defines how best to allocate a given budget.
2. Network-Wide Investment: The components of a critical infrastructure network are nodes and links. Asks the question, “What is the best way to allocate funding to nodes and links such that the risk to the entire sector is minimized?”
3. Ranked Allocation: The most common strategy used by practitioners. It funds the highest-ranking components first, the second-highest next, and so on, until funding no longer remains.
4. Apportioned Allocation: A method of allocating limited funds to protect the infrastructure by reducing the likelihood that faults occur across the entire fault tree.
5. Optimal Allocation: The overall fault tree; it may or may not be the same as the other strategies.
6. Manual Allocation: Computes the vulnerability or risk that results when allocation is performed by hand.
7. Network Analysis: Demonstrates that the best allocation strategy for a network is to fund the highest-degreed and highest-valued nodes, and diminish funding of links to zero.
8. FTplus: The FTplus program calculates how much of the budget to allocate to each vulnerability given in the form of a fault tree. It computes the event tree outcomes, applies one of four allocation strategies, and produces an allocation.
In critical infrastructure protection, there is no clear-cut solution as to how to best protect critical sectors. For that reason, the final step of the MBVA process allows for various strategies that may be applied to specific sector scenarios. Basically, this final step requires the derivation of an investment strategy that removes or diminishes the likelihood of faults occurring. Knowing how much money to spend on each threat to minimize the probability of faults occurring is the closest we can get to risk reduction. In the end, it is a policy decision. As Lewis (2006) states, “all of these policy decisions come with a price tag”.
Lewis, T. G. (2006). Critical infrastructure protection in homeland security: Defending a networked nation. Hoboken, NJ: John Wiley & Sons, Inc.