Governing Cyberspace during a Crisis in Trust

The columns for each critical infrastructure sector represent how a sector self-rates (according to interviews conducted with stakeholders) (ibid.) its dependency on information coming from other critical infrastructure sectors — the inbound dependency. Most organizations will intuitively understand their vulnerabilities regarding the information they consume. The rows represent how dependent information-receiving critical infrastructure sectors are on information and data from a given critical infrastructure sector, according to their own assessments — the outbound dependency for each sector. Unlike inbound dependency, most organizations do not have a great deal of insight into how all other critical infrastructure sectors actually need the information and data they produce. In total, more than 4,000 distinct data dependency metrics were gathered from critical infrastructure stakeholders; dependency was ranked on a scale from 1 to 10. The higher the number in the column, the greater the dependency (vulnerability) on data flowing into a sector; the higher the number in a row, the greater the dependency (threat) of others on data flowing out of the sector. By mapping out critical infrastructure interdependencies in this way, we can begin to understand — and take precautions against — the sort of cascading effects that might follow a major cyber attack on a critical infrastructure sector.

Sector-specific Dependency Analysis: Energy Sector

The energy sector is primarily concerned with electric power generation and transmission, as well as oil and gas production and storage. Energy is often considered a “super critical” infrastructure because most other critical infrastructure sectors cannot operate if energy is not functioning. The following tornado diagram (see figure below) is used to illustrate the energy sector’s inbound and outbound data dependencies and the resulting cyber vulnerabilities and threats. The diagram is divided vertically by an axis that is valued at zero. The left side displays the median inbound data dependency values for the energy sector, in descending order from highest to lowest. The right side displays the outbound data dependency values for each of the sectors (that is, how do other critical infrastructure sectors depend on the data from the energy sector?). Intra-sector data dependencies are typically strongest among critical infrastructure sectors. Energy is the largest consumer of its own information and data as a result of the tight supply chain linkages between different organizations, for instance, in production versus distribution of both electricity and fossil energies. As shown on the left side of the diagram, the energy sector is a large consumer of data from other sectors and expresses the highest

[Figure: Energy Sector Data Dependency. Tornado diagram with inbound data dependency on the left and outbound data dependency on the right, each scaled low, medium, high (max). Sectors shown: Energy, Safety, Finance, Communications & IT, Transportation, Government, Manufacturing, Health, Water, Food. Source: Author.]
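An added example, not taken from the report: the dependency matrix described above (columns as inbound dependency, rows as outbound dependency, ratings from 1 to 10) and the tornado ordering for one sector, computed in Python. The ratings are constructed sample values and all function names are hypothetical.

```python
from collections import defaultdict
from statistics import median

# Constructed sample ratings (not data from the report): each tuple is
# (receiving sector, source sector, self-rated dependency on a 1-10 scale).
RATINGS = [
    ("Energy", "Energy", 9), ("Energy", "Energy", 10), ("Energy", "Energy", 8),
    ("Energy", "Finance", 6), ("Energy", "Finance", 7),
    ("Energy", "Water", 2), ("Energy", "Water", 4),
    ("Finance", "Energy", 7), ("Finance", "Energy", 9),
    ("Water", "Energy", 8), ("Water", "Energy", 8), ("Water", "Energy", 5),
    ("Finance", "Finance", 9), ("Water", "Finance", 3),
]

def build_matrix(ratings):
    """Return matrix[source][receiver] = median rating (row = source, column = receiver)."""
    cells = defaultdict(list)
    for receiver, source, score in ratings:
        if not 1 <= score <= 10:
            raise ValueError(f"rating outside the 1-10 scale: {score}")
        cells[(source, receiver)].append(score)
    matrix = defaultdict(dict)
    for (source, receiver), scores in cells.items():
        matrix[source][receiver] = median(scores)
    return matrix

def inbound(matrix, sector):
    """Column for `sector`: its dependency on data from each source (vulnerability)."""
    return {src: row[sector] for src, row in matrix.items() if sector in row}

def outbound(matrix, sector):
    """Row for `sector`: each receiver's dependency on its data (threat to others)."""
    return dict(matrix.get(sector, {}))

def tornado(matrix, sector):
    """Rows of (other sector, inbound, outbound), highest inbound value first."""
    inb, out = inbound(matrix, sector), outbound(matrix, sector)
    names = sorted(set(inb) | set(out), key=lambda s: (-inb.get(s, 0), s))
    return [(s, inb.get(s), out.get(s)) for s in names]

if __name__ == "__main__":
    for name, i, o in tornado(build_matrix(RATINGS), "Energy"):
        print(f"{name:<8} inbound={i} outbound={o}")
```

A sector missing from one side is reported as `None` there, which separates "no rating collected" from a low rating.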

