Scenarios Analyses via Simulation

The ultimate target of Modelling and Simulation (M&S) activities in the ﬁ eld of CIP is to provide Models, Methodologies and tools to help in the analysis of different crisis ’ scenarios and, subsequently, in crisis management decision making. A CIs ’ disruptions scenario is simply a sequence of random events following a well-de ﬁ ned chronological order. Generally, each identi ﬁ ed scenario produces a set of consequences which is a function of: the initiating event, the concerned CIs and the geo-organizational context of the disrupted CIs. Formal sciences represent the reality of our surrounding world. But formal sciences are imperfect and what we call “ reality ” is the projection of the inaccessible “ Reality ” on our world. This projection is the only reality we are talking about in formal sciences. Subsequently, formal sciences construct objects in which small parts of the sensible reality are grasped and formalized. These objects can be called “ models ” . We are limiting our interest here to formal sciences and engineering activities that cover both conceptual and phenomenological modelling processes. Models are ﬁ rst validated before being admitted in the construction of a global model of the sensible reality. Regarding our focus on crisis scenarios modelling, simulation and analysis (MS&A), engineers ’ ambition is to simulate not only independent isolated phe-nomenon but also interacting multi-physic multi-scale phenomenon.


Introduction
The ultimate target of Modelling and Simulation (M&S) activities in the field of CIP is to provide Models, Methodologies and tools to help in the analysis of different crisis' scenarios and, subsequently, in crisis management decision making.
A CIs' disruption scenario is simply a sequence of events following a well-defined chronological order. Generally, each identified scenario produces a set of consequences which is a function of: the initiating event, the concerned CIs and the geo-organizational context of the disrupted CIs. If these consequences represent a significant risk to the citizen safety, society security and or governance continuity, one will talk about a crisis.
The assessment of the consequences of each potential or active scenario of CIs' disruptions results in fundamental pieces of information for robust crisis management and decision making processes.
Having stated the fundamental importance of scenarios assessments, it will be necessary to highlight the major aspects of scenarios simulation and analysis.

Scenarios Simulation
The terms "modelling" and "simulation" are differently perceived by the public depending on the field of science, the topic and the context of use.
Formal sciences ultimate target is to represent the reality of our surrounding world. Many philosophers and scientists believe that the reality revealed by science describes only a "veiled" view of an underlying reality that Science can not access. This belief is mainly because of two reasons: formal sciences are imperfect and what we call "reality" is the projection of the inaccessible "Reality" on our world. This projection is the only reality we are talking about in formal sciences. Let's put it in that way: Models and simulation can never reproduce the real "reality". More interesting points of views may be found in [1,2].
Subsequently, formal sciences construct objects in which small parts of the sensible reality are grasped and formalized. These objects can be called "models". We are limiting our interest only to formal sciences and engineering. That covers both conceptual and phenomenological modelling processes. Models are first validated before being admitted in the construction of a global model of the sensible reality.
Regarding our focus on crisis scenarios modelling, simulation and analysis (MS&A), engineers' ambition is to simulate not only independent isolated phenomena but also interacting multi-physic multi-scale phenomena.
The simulation of well-defined sequences of events in the case of major crises is of great help in: • Decision making in order to elaborate the best strategies in managing crises and severe accidents.
• Helping operators to prioritize actions in real situation facing systems' primary disruptions and their propagation. • Helping designers to improve systems' design in view of minimizing disruptions' frequency, disruptions propagation and consequent hazards. • Training future technical staffs and qualified persons who will be engaged in systems design, systems operation and crisis management.
Developing powerful integrated simulation capabilities is a serious challenge to all scientists and engineers in the field of CIP. This ambition gives birth to two major challenges: • Developing and validating models considering CIs vulnerability to threats and CIs mutual dependencies. • Integrating stochastic phenomena in a global coupled modelling process.
We should then understand the disruption of critical infrastructures under the action of a threat, the dependence between CIs disruptions, disruption propagation and their dynamic characteristics.
Towards the understanding of the CIs' disruptions MS&A, let's start by introducing the different types of models.

Types of Models
Formal sciences recognize four types of models: conceptual, empirical-statistical, logical and qualitative-descriptive models. Brief examples are given in the following.
Conceptual models occupy a large place in formal science R&D activities and cover all domains of scientific investigations, e.g. in: • Empirical and statistical models occupy also an important place in formal sciences R&D activities and cover domains such as: Qualitative and Descriptive models occupy the major place in decision making activities, especially when numerical details do not play an essential role or may muddle up the decision making process. In sever crisis situations, decision makers need only to construct a synthetic view containing only a reduced number of the most vital/strategic parameters to be considered In Fig. 1, we borrow from [3] the Flood Risk Matrix with a slight modification, as an example of a qualitative-descriptive tools for risk assessment.
The grid shown in Fig. 1 is certainly based on a numerical modelling and assessment. But the final representation of the assessment is given in a qualitative model. The qualitative presentation is synthetic and allows decision makers to grasp the most pertinent information about a given crisis situation.
Certainly, one can't perform algebric operations using qualitative information, in a direct manner.
Having identified the types of models, we should proceed to the identification of the basic elements used in describing crisis scenarios.

Scenarios' Basic Elements
In order to model, simulate and analyze scenarios of disruptions, one should consider the following elements: the threat action, the CIs' reactions and the consequences. Threat can be identified and specified by their magnitude and their occurrence likelihood (probability and/or frequency).
The critical infrastructures are described through their vulnerability to the threat action, their mutual dependency and the CIs' disruptions cascading modes and mechanisms.
The consequences describe the impacts of the threat and the CIs disruptions on their environment. Impacts can be of different order: citizen safety, society security, societal moral state, organizational chains rupture, financial losses, assets damage and risk of governance loss of continuity.
The coverage of the above mentioned topics is the ultimate goal of the MS&A activities even if the state-of-the-art in MS&A does not cover satisfactory all three topics: threat, CIs disruption and consequences.

Identification and Specification of Threats and Consequences
Threat identification and characterization is a first act in any crisis scenario MS&A process. The identification and characterization of threats should necessarily be based on the use of the most appropriate security metrics. A threats is generally an initiating event that ignites a crisis scenario. Threats are then identified according to their belongings: nature actions, systems disruption and/or man malicious actions. Threats belonging to the category of nature actions are such as: floods, quakes, extreme temperature conditions, hurricanes, tornados, tsunamis etc.… The crisis initiating event can also be originated from industrial systemic disruptions. Industrial systemic disruptions are such as: oil spell accidents, electrical power plants accidents, road (/air/maritime) traffic accidents, chemical and processing plants accidents, power or communication networks' disruptions, financial stock market collapse, human errors etc.… The set of malicious actions covers: criminal actions, vandalism, terrorist actions, etc.… Once the threat is identified, CIP engineers, end-users and crisis mangers proceed to threat specification. A threat is ideally specified by two figures: its likelihood and its magnitude/strength. Formally speaking, "likelihood" is a probabilistic measure and can be given in two different metrics: the occurrence probability (dimensionless) or the occurrence rate (per unit time/unit distance/cycle/shock). One can quantify the occurrence probability and the probability rate if historical data are available and have high statistical quality. Otherwise, one uses qualitative metrics such as: certain, highly probable, probable or rare to qualify occurrence probabilities; and high, moderate or low to describe the occurrence rates. The numbers of considered levels depends on the application type.
The threats are also specified by their magnitudes/strength, such as: the magnitude of an earthquake, the quantity of the rain, the amount of released radioactive substances, the speed of the wind, the rate of water level increase in a flooding river, etc.
Very often, one may uses the term "intensity" to specify threats. One says "an earth quake with high intensity. It causes the death of some hundreds of victims and some thousands of displaced persons".
Using the term "intensity", people refer rather to the impact of the threats and the associated CIs' disruptions. In our methodology, we keep the term "intensity" to measure the consequences of the impact of the threats and the corresponding CIs' disruptions on their environment.
Similar to the double use of metrics (quantitative/qualitative) in specifying the threats, engineers and crisis managers use both kind of metrics (quantitative/qualitative) to specify the consequences (impact) of a given crisis. Consequences can then be measured using different types of natural metrics: number of injuries, fatalities, evacuated persons, destroyed buildings, inaccessible roads, loss of services (transport/water/communication/heating/electricity) and ultimately loss of governance/public unrests.
Once one identified and specified the threat, one still need to know how to model and simulate them.

Modelling and Simulation of Threats and Consequences
There are two ways for modelling threats and consequences: • Probabilistic: if data allow, one can develop probabilistic models describing either the occurrence probability functions and/or the occurrence probability density functions. The most commonly used probability density functions are: uniform, exponential, gamma, Gumbel, Gaussian, Weibull … • Conditional: given a well-defined threat, one determines the corresponding CIs' disruptions and consequences.
Considering one way or the other, analysts should subsequently proceed to the assessment of the disruptions cascade corresponding to the threat that has been identified and specified, above.

Modelling and Simulation of CIs' Cascade of Disruptions
Cascade of disruptions is widely treated in literature in a very extensive manner and a summary of what was published up to 2009 was assembled by Marhavilas et al. [4]. Generally, we may distinguish two distinct strategies, in MS&A of disruptions' cascade: (1) the agent-based or federated simulation strategy and the pre-established sequences list strategy. Many methodologies are based on a mixed approaches. A detailed screening of the most used or cited methodologies of cascading MS&A are given in the deliverable D2.1 of the EU-PREDICT project report on the state-of-the-art [5].
Focusing on the immediate practical target of this chapter, we have chosen to expose one of the methodologies based on the pre-established scenarios list [6,7].
But, what is the "cascade of disruptions"? A crisis scenario is fully described by a given sequence of chronologically ordered CIs' disruptions and produces hazardous impacts on its natural, economic and societal environment.
The CIs implicated in the crisis scenario can be all or in part vulnerable to the threat and mutually dependent. Subsequently, a robust model-describing the cascading of disruptions with the time-should integrate vulnerability and dependency.

Vulnerability
The term "Vulnerability" is used here to describe the dependency between a well-defined threat and the disruption mode and mechanism of a well-defined CI. Obviously, a given CI may show different types of disruption modes depending on the disruption mechanism and the vulnerability of this mechanism to the threat. Also, a CI does not react to all threats in the same manner.
CI disruptions are fundamentally stochastic processes. They can then occur independently from threats, as well. The occurrence of disruptions in the absence of threats will be called "systemic" disruptions. If disruptions are the result of the occurrence of a threat, they will be called "stressed disruptions". Stressed disruptions depend on the vulnerability of the CIs to the stressing threat.
Most of the models describe CIs vulnerability to threats using one the following approaches: • Qualitative approach; it describes the vulnerability using a qualitative metric such as: extreme vulnerability, vulnerable, medium, low and not vulnerable. • Binary approach; it describes vulnerability using a binary function [1,0]. The value 1 means that the CI is vulnerable to the threat, i.e., if the threat happens, the disruption will certainly occur. The value 0 means that the CI is not vulnerable to the threat, i.e., if the threat happens, no disruption occurs.
• Probabilistic approach; it describes in a probabilistic terms the dependency between the threat and the CI disruption. The vulnerability of a given CI "i" to a well-defined threat "j" will be described using a vulnerability strain factor "t ij ". The disruption rate k i ðjÞ of a given CI "i" under the action of the threat "j" will then be given by: where, k i ðoÞ is the systemic (unstressed) disruption rate of the CI, "i", and t ij is its vulnerability strain factor regarding the threat, "j". If the CI, "i", is acted upon by multiple N threats, its effective disruption rate k N;0 i will, then, be given by: is the effective disruption rate. In the presented model, threats act on the same CI, independently. No available models consider the possibility of a compound damage mechanisms. Considering independently the vulnerability to each threat gives a conservative estimation of the effective disruption rate.
The vulnerability strain factor matrix t ij represents the vulnerability of a disruption mode "i" to a given threat "j". It describes the increase in the disruption occurrence due to the action of the threat, Table 1.

CI Dependency
The operation of CI depends very often on the operation of some other CIs. One can identify three basic types of dependency: • Physical/structural, • Functional/operational, • Procedural/administrative…. In order to count for the possible dependency between CIs, all the available models use a sort of a disruption dependency matrix (D-D matrix). The matrix elements describe the existing mutual dependency between a given set of identified CIs.
Similar to the vulnerability, the description of dependency can be: The definition of each category is identical to that mentioned above for vulnerability.
The dependency of the disruption of a given CI "i" on the disruption of another CI "j" is described by a factor e ij that we will call the CI disruption dependency strain factor. An academic example of the Disruption Dependency (D-D) matrix is given in Table 2.
The disruption rate k i ðjÞ of a given CI "i" given the disruption of the CI "j" can then be given as: where, k i ðoÞ is the systemic (unstressed) disruption rate of the CI, "i", and e ij is the dependency strain factor regarding the disruption of the CI, "j".
A disruption dependency is called "directional" if the disruption of the CI "j" impacts on the disruption of the CI "i", while the inverse is not true. Then, one has e ij [ 0 and e ji ¼ 0.
If the disruption dependency is not directional, we will talk about "interdependency" rather than "dependency" and have, generally, e ij 6 ¼ e ji [ 0.
An illustrative example of the independence strain matrix e ji is given in Table 2. If the CI, "i", is acted upon by multiple disruptions of other M CIs, its effective disruption rate k 0;M i will, then, be given by: where, k 0;M i is the effective disruption rate. In the presented model, the disruptions of many CIs act independently on a given CI. We have not considered the possibility of a compound damage mechanisms. Considering independently the impact of each other disruption gives a conservative estimation of the effective disruption rate.

Integrating Vulnerability and Dependency
In a complex case, where there are many disrupted CIs and simultaneously multi-threat actions, the overall effective disruption rate k N;M i will be given by: where N refers to the number of the simultaneous acting threats and M refers to the number of the already disrupted CIs.

Cascading of Disruptions
Disruption cascading can be described by the occurrence of some discrete and independent disruptions e i that happen in a well-specified order e 1 ! e 2 ! e 3 Á Á Á ! e n ½ . The corresponding occurring instants are defined by t 1 ; t 2 ; t 3 ; . . .; t n ½ , where t 1 \t 2 \t 3 \ Á Á Á \t n ½ , [7]. Each of these instances t 1 ; t 2 ; t 3 ; . . .; t n ½ has its distribution probability function (pdf), qðtÞ. The first disruption event is e 1 and the last is e n .
The probability p n ðtÞ that cascading T happens within the interval [0, t] is given by: This integral can be solved numerically for most of the pdf q i ðtÞ and analytically if the pdf q i ðtÞ is of Poisson type.
The pdf q i ðtÞ can be determined if one has a conceptual mathematical model describing the CI disruption. The probability density function q i ðtÞ and the occurrence rate k N;M i are correlated. Knowing one of them allows to determine the other.
Otherwise, the occurrence rate k N;M i can be determined if we have enough data in the CI disruption databases. It is one of the reasons why disruption databases and crisis databases are very important issues for MS&A of CI.
The databases issue touches the determination of the systemic disruption rates, the stressed disruption rates, the vulnerability strain factor and the dependency strain factor.

The Story Time-Line
The cascade is then build up on the time-line with three distinguished phases: active threat, CI-disruptions considering vulnerability and dependencies and finally consequences. However, these three phases are not sequential on the time-line. They can be overlapping. Although, the CI's cascade of disruptions is built up of sequential disruptions, Fig. 2.

A Hypothetical Crisis Scenario
The major target of this chapter is to illustrate how the MS&A of the cascade of disruptions provides critical input data to the decision making and crisis management.
A hypothetical scenario, but inspired form real, will be considered in the following to illustrate the methodology of simulating and analyzing crisis scenarios. We recall that one should: identify and specify the thread(s), identify the concerned CIs, determining their respective vulnerability to the thread(s), specify the CIs' Each identified cascading of disruptions lead to a pre-identified set of consequences (hazardous impacts). The likelihood of yielding a given set of consequences is proportional to the likelihood of the occurrence of the corresponding scenario.

Crisis Scenario Description
Consider an aging dam, regulates the flow of a river using a large retention lac behind and has 2 water alarm levels: alarm-level-1 (AL-1) and alarm-level-2 (AL-2).
If the water level attends AL-1 in the retention lac, a nearby water pumping station starts up automatically to evacuate the water excess to a small emergency retention area far from the lac. It is a provisional evacuation in order to stabilize the water at level AL-1 or below.
The pumping station is supplied by electricity from the national grid. In case of grid supply loss accident, a local supply electrical unit (a large diesel generator) can be immediately activated.
If the water level in the retention lac attends level AL-2, the risk of losing the dam's structure integrity becomes significant. A major Crisis is publicly declared and the population in the area should be evacuated within 24-36 h.

Identification and Specification of the Threat
The threat is a combination of an extreme heavy rain and a river flood.
The combination of both threats considered having a strong magnitude on a magnitude scale compromising 6 levels: catastrophic, extreme, strong, medium, low and insignificant.
The vulnerability of the concerned CIs' disruption will depend on this magnitude through the vulnerability strain factor t, Table 3.
The number of levels on the magnitude scale and their corresponding numerical values has no standard rules. It can change in function of the threat and the considered CIs with their geographical-societal context. Very often, it is defined by mixing approaches from: experience feedback and expert judgement.
The levels of magnitude and their equivalence in strain factors, given in Table 3, are for the academic illustration.

Identification and Specification of the CIs and Their Vulnerability
The hypothetical crisis scenario compromises four CIs each shows a specific unique disruption mode. Disruption modes are specified by their systemic occurrence rates, k, respectively. The systemic occurrence of a given disruption mode is a random event. It occurs whether the threat is active or not and whether the disruption mode is dependent on other disruption modes or not. Certainly, we consider the case of coherent disruption modes, i.e., the action of threats and the interdependency on other disruption modes cant but increases the considered occurrence rate.
Considering the above magnitude-vulnerability equivalence grille, in Table 4, and supposing that the impact of the threat is similarly moderate on the considered four disruption modes. The vulnerability strain factor t will be taken equal to 1.5, i.e., the systemic occurrence rate of each disruption mode will be multiplied by a factor equal to 2.5.

Specification of the CIs Dependency
The dependency between the four considered disruption modes are given, in Table 5, below. As one can recognize, both disruption modes d 3 and d 4 are moderately dependent on d 2 . While, the d 4 shows also a dependency on d 3 disruption mode.  Table 5 The dependency strain factors Impacting disruptions

Definition of the Cascade of Disruptions
The following cascade of disruptions is identified as one of the possible scenarios that may lead to a serious crisis. It is defined by the occurrence of the four specified disruption modes in the following order, (d 1 ; d 2 ; d 3 ; d 4 ), while: • Disruption d1: loss of the electricity supply from the grid to the pumping station.

Definition of the Crisis Management Target
The crisis management target is to evacuate at least 99% of the population in the disaster zone within the interval 24-36 h from the crisis declaration starting moment.
The crisis starts when the water level in the lac behind the dam reaches the AL-2.

The Consequence to Mitigate or to Dump
We consider that the crisis is successfully managed if: at least 99% of the concerned population can be evacuated after 36 h from crisis starting moment. There is evidently a no-zero risk not to succeed in achieving this target. The unique hazardous consequence to be considered is "having a non-evacuated population rate higher than 1% after 36 h from crisis starting moment".

Scenario Assessment: Simulation and Analysis
For the sake of our illustrative purpose, we limited our assessment to only two levels of simulations: • Simulation #1: assessing the likelihood of a systemic occurrence of the identified cascading of disruptions. A systemic occurrence supposes no threat's actions and no dependencies. The CIs are called unstressed. • Simulation #2: one considers the threat's actions (vulnerability strain factors non-null) and the dependencies between disruption modes (dependency strain factors non-null). The CIs are called stressed.

Whey the Unstressed Case?
The unstressed case represents a kind of a background crisis. A crisis that we can live with, even unhappily. If we do not accept its likelihood level, we should change the whole system: CIs, operating modes, environment, organization and/or the acceptable level of likelihood. This background crisis serves as a referential to assess the likelihood of the crisis when the CIs are stressed by the action of the crisis active vectors. Again and for the sake of our illustrative purpose, the likelihood of the crisis in both situations (stressed and unstressed) is assessed using only metrics vectors: the occurrence probabilities and the occurrence rates.
The time profiles of the occurrence probability and of the occurrence rates are assessed over a period of time equal to 80 h starting from the moment when the water level behind the dam attends the alarm-level-2. We use the time interval to reach 90% of the asymptotic occurrence probability as a characteristic figure. The 90% of the asymptotic occurrence probability will be called the reduced asymptotic probability (RAP) and the time to attend it is called TTA-RAP. Theoretically, the asymptotic values are attended when t ! 1 which is not a practical measure in taking decisions.
Regarding the occurrence rates, we use the most probable value of the occurrence rate (MPR) as a characteristic figure and the time to attend it will be referred to as TTA-MPR.

Unstressed Case
The CIs are not vulnerable to the threat and the CIs' are not dependent. The likelihood of this cascade of disruptions is the following: • The occurrence probability of the cascade is time dependent. It attends the RAP value of 3.15e−6 after 46 h, Fig. 3. • The occurrence rate of the cascade is also a time dependent function. It attends its MPR value 1.13e−7 after 21 h, Fig. 4.
The systemic occurrence of this cascade of disruptions may result inacceptable consequences. Therefore the crisis managers would be interested in identifying the likelihood of the situation and its evolution with the time. Assessing this risk-background is useful in measuring the "time criticality" for deciding and acting during the crisis, as will be explained in the following. Fig. 4 Occurrence rate time-profile for the unstressed (blue) and stressed (red) CIs Table 6 The classification of the criticality according to the occurrence rate Given that the most probable value of the cascade occurrence rate, the background risk-noise, is about 10 À7 and occurs around 21 h, one may propose the following classification based on three classes, Tables 6 and 7: • Class 3-high: the occurrence arte is almost one decade around the most probable value of the noise risk [>10 −7 ]. This is the case between 4 and 60 h from the start of the active phase of the threat. • Class 2-medium: the occurrence rate is one decade less than in class 1, 10 À8 ; 10 À7 ½ . This is the case in two intervals: from 1 to 4 h and from 60 to 85 h.
• Class 1-low: the occurrence rate is one decade below class 2, \10 À8 ½ . This is the case before 1 h and after 85 h, in the unstressed case (background-risk).
The unstressed case services in establishing the scale of criticality to be used in assessing the stressed cases representing crisis situations. Four hypothetical crisis situations are presented in the following.

Stressed Case
All disruptions d 1 ; d 2 ; d 3 ; d 4 ½ are equally vulnerable to the threat and have vulnerability strain factor equal to 1.5. The threat is considered of moderate magnitude similar to case #2. Dependencies between disruptions are considered. Disruptions  Tables 6 and 7: • The occurrence probability of the cascade is time dependent. It attends its RAP value of 8.32e−6 after 17 h, Fig. 3. • The occurrence rate of the cascade is also a time dependent function. It attends its MPR value of 8.00e−7 after 7.8 h, Fig. 4.
The occurrence probability is higher than in case #0 (and all the other cases). Its dynamic behavior is faster than in case #1 but of the same order as the three other cases.

Conclusions
Based on a dynamic model describing the cascade of disruptions, a methodology is proposed to measure the criticality of time to take decisions and actions in crises situations.
A methodology is proposed and can briefly be described as based on: • The vulnerability and the dependency are taken into account in the disruption occurrence rate.
• Disruptions are stochastic events. Subsequently, a well-defined sequence of disruptions may occur even in the absence of the threat action and the dependency between CIs. That is called a systemic cascade and it occurs even when the corresponding CIs are unstressed. • The dynamic of systemic cascade is used as a referential dynamic for all possible stressing modes resulting from the same well-defined cascade of disruptions. • The dynamic of a cascade (stressed and unstressed) is characterized by its occurrence probability and its occurred rate and their time-evolution profile. • The occurrence probability is used to measure the cascade likelihood.
• The occurrence rate time-profile is a good measure of the cascade dynamic. It is used to measure the time-criticality regarding decision and action making.
Using exact dynamic models to assess cascade reveals some interesting effects: • The likelihood of a given cascade does not necessarily increasing with the threat intensity, in spite of the individual increase of the likelihood of the disruptions composing the cascade. • Schematically, higher are the threat magnitude/strength and/or the CIs dependency, faster goes the dynamic of the cascade.