Risk Management: Interdependencies: How are real-time interdependency risks managed?
Options:
Option 0: This situation should be avoided - do not proceed under this condition.
Option 1: Real-time interdependencies should be ignored as too complex to identify in advance.
Option 2: Real-time interdependencies should be identified in advance but only to the borders of the facility or enterprise.
Option 3: Real-time interdependencies should be identified in advance as far as they reasonably extend.
Option A: Interdependent failures should be mitigated in real-time as part of the incident response process.
Option B: Interdependent failures should be mitigated in advance by adding redundancy and/or hardening interdependent systems.
Option B: Interdependent failures should be mitigated in advance through failsafe and alternative operating modes.
Option C: Event sequences leading to potentially serious negative consequences should be examined in detail for specific mitigation sequencing strategies.
Basis:
Real-time interdependencies should be ignored as too complex to identify in advance.
When the consequences are sufficiently low, inadequate expertise is available, or maturity is inadequate for interdependency analysis, analysis of real-time interdependencies is likely to be infeasible. But failure to do this analysis should limit the risk acceptance threshold to low-risk situations.
Real-time interdependencies should be identified in advance but only to the borders of the facility or enterprise.
In cases where the consequences of failures don't extend beyond the facility or enterprise, the interdependency analysis can reasonably stop there. However, the enterprise may wish to extend its analysis further to better understand its risks.
Real-time interdependencies should be identified in advance as far as they reasonably extend.
For high-consequence situations, interdependencies should not be limited to the facility or enterprise, as they affect the rest of society. They should extend as far as they need to go until no identified interdependencies of significant consequence remain.
Interdependent failures should be mitigated in real-time as part of the incident response process.
While it would be nice to never require real-time incident response to mitigate failures in interdependent systems, as a practical matter, some amount of this is always likely to be required. However, as a primary mode of operation, it is really the last line of defense, and should not be the first line when consequences are high enough to justify alternatives.
Interdependent failures should be mitigated in advance by adding redundancy and/or hardening interdependent systems.
Redundancy and hardening are particularly useful in cases where large classes of failure modes can be covered, but often leave common-mode failures. Their use often relieves the need for real-time response, which allows reduced operational costs and sustained operations until repair can be undertaken.
Interdependent failures should be mitigated in advance through failsafes and alternative operating modes.
Some interdependencies cannot be resolved by redundancy or hardening (e.g., common-mode failures, insider malicious acts, etc.). In these cases, coverage via failsafe modes and other alternative (often sub-optimal) modes often resolves the real-time issues.
Event sequences leading to potentially serious negative consequences should be examined in detail for specific mitigation sequencing strategies.
When consequences are sufficiently high to warrant thorough examination of the situation, this is the more definitive approach. In essence, it combines the other approaches to employ an optimal strategy which takes into account all of the identifiable event sequences (or classes of them) and likely uses each when and where appropriate in a coordinated fashion.