Page 120 of 139 | Clédel et al. J Surveill Secur Saf 2020;1:11939 | http://dx.doi.org/10.20517/jsss.2020.08
1. INTRODUCTION
Risk assessment has been the dominant paradigm for system design and management for decades, especially in the case of cyber-physical systems (CPS). These systems are used in critical infrastructures, and a “well-designed risk assessment of CPS will provide an overall view of CPS security status and support efficient allocations of safeguard resources” [1]. Furthermore, “With an understanding of risk, it is then possible for an operator to prioritise the implementation of resilience measures” [2] (additional research results related to this work are available at: http://www.cost-recodis.eu). However, unprecedented adverse events such as natural disasters (the Fukushima Daiichi nuclear accident) or cyber-attacks (Stuxnet or BlackEnergy) have caused unexpected losses. These events have highlighted some weaknesses of well-established models and frameworks. As a consequence, it has recently been accepted by scientific communities and governments that risks threatening critical infrastructure cannot all be identified or prevented, and that there is a need for new approaches to mitigate damages. Resilience emerged from this lesson as the logical way to overcome the limitations of the previously dominant approaches, namely risk assessment and system safety.
While systems were once considered safe by design, with failures attributed to human error, it is now accepted that mismatches exist between administrative procedures and the ways in which systems actually run. Indeed, normal system performance, which results from the adjustments, adaptations, and optimizations that operators are required to make, must be distinguished from normative system performance, which is prescribed by rules and regulation [3].
Some studies and audits have been conducted in modern industries and different environments to assess whether resilience was considered during the design and planning phases of industrial processes, and how resilience strategies are applied during the operational phase. Studied environments include nuclear plants [4], electricity distribution [5], chemical plants [6,7], sea fishing [8], oil distribution plants [9], railways [10], etc. Carvalho et al. [4] introduced a framework for the analysis of micro-incidents during nuclear power plant operations. Saurin et al. [5] improved a method for assessing health and safety management systems. Azadeh et al. [6] presented a new concept of resilience engineering, which includes teamwork, self-organization, redundancy, and fault-tolerance, while Shirali et al. [7] identified the challenges that occur in the process of building resilience engineering and its adaptive capacity in a chemical plant. Morel et al. [8] focused on “the relationship between resilience and safety, and discusses the choice of strategies for safety-improving interventions, taking into account the system’s financial performance and the legal pressure to which it is subjected”. Abech et al. [9] presented the challenges to be overcome in order to improve resilience in an oil distribution plant. Hale et al. [10] proposed an evaluation which shows that railways are “examples of poor, or at best mixed, resilience, which can, however, still achieve high levels of safety, at least in certain areas of their operations”. Most of these studies conclude that some resilience mechanisms inherently exist in these environments. However, these resilience mechanisms may not always be recognized as such by employees. They demonstrate how people adapt to challenging situations in which operations, planning and procedures are in conflict.
The absence of consensus on a definition of resilience, the abundance of metrics evaluating resilience, and the over-dominance of risk assessment and system safety explain why resilience is rarely applied and considered as a system design and management paradigm. However, it can be noticed that definitions and metrics are not as heterogeneous as they appear, since only a few criteria are needed in the present article to classify them. While some metrics clearly differ from the others and do not evaluate the same “resilience”, many definitions and metrics are in fact variations of others. Some of them can be considered as refinements of older metrics or definitions. Occasionally, variations can be justified by a desire to produce a domain-specific evaluation of resilience.
The goal of this article is not to provide an exhaustive list of articles that deal with resilience. Many articles
propose mechanisms, techniques, and technologies to improve resilience of systems but fewer articles provide
their own definition and/or metric of resilience, and fewer still provide an original definition or metric. In fact,