# Resilient Critical Infrastructure: Bayesian Network Analysis and Contract-Based Optimization

###### Abstract

Instilling resilience in critical infrastructure (CI) such as dams or power grids is a major challenge for tomorrow’s cities and communities. Resilience, here, pertains to a CI’s ability to adapt to or rapidly recover from disruptive events. In this paper, the problem of optimizing and managing the resilience of CIs is studied. In particular, a comprehensive two-fold framework is proposed to improve CI resilience by considering both the individual CIs and their collective contribution to an entire system of multiple CIs. To this end, a novel analytical resilience index is proposed to measure the effect of each CI’s physical components on its probability of failure. In particular, a Markov chain defining each CI’s performance state and a Bayesian network modeling the probability of failure are introduced to infer each CI’s resilience index. Then, to maximize the resilience of a system of CIs, a novel approach for allocating resources, such as drones or maintenance personnel, is proposed. In particular, a comprehensive resource allocation framework, based on the tools of contract theory, is proposed that enables the system operator to optimally allocate resources, such as redundant components or monitoring devices, to each individual CI based on its economic contribution to the entire system. The optimal solution of the contract-based resilience resource allocation problem is analytically derived using dynamic programming. The proposed framework is then evaluated using a case study pertaining to hydropower dams and their interdependence with the power grid. Simulation results, within the case study, show that the system operator can economically benefit from allocating the resources while dams have an average improvement over their initial resilience indices.

## I Introduction

Critical infrastructure (CI), such as power grids and transportation systems, is vital to modern-day cities and communities [1]. As such, maintaining proper operation of CIs in the presence of failures or security threats is a critical challenge. In particular, reliability and resilience are two key measures that can be used to evaluate the functionality and the ability of an infrastructure to deliver its designated service under potentially disruptive situations. In practice, there is a significant difference between reliability and resilience. Reliability is a term that describes the frequency or the likelihood of a CI’s failure [2]. Resilience, on the other hand, has multiple definitions that are typically application-dependent [1]. Most of these definitions pertain to resilience in response to a change in or a corruption of the system’s normal functionality. A general definition of resilience, given by the Department of Homeland Security (DHS) advisory council, is the ability of an infrastructure to adapt to or rapidly recover from a potentially disruptive event [3].

The importance of studying reliability and resilience for CIs stems from the fact that they are prone to many disruptive events such as natural disasters, hazardous conditions, subversive attacks, aging, or even inadequate maintenance [4]. Thus, it is crucial for CIs to operate reliably and to be resilient in the face of potential failures and disruptions. Given that CIs cut across multiple domains that include communications, dams, power grids, transportation systems, and water systems [5], and that resilience lacks a standard definition, resilience improvement techniques are typically infrastructure-specific: for instance, [2] considered the resilience of water systems, [6] proposed a framework to improve the resilience of the power grid, and [7] considered the resilience of petrochemical CIs. This poses many challenges for assessing and developing resilience improvement techniques for interdependent CIs of different types. A general framework is therefore needed to evaluate the resilience of different CIs and to help in designing general resilience improvement techniques. Some studies in the literature, e.g., [8, 9, 10, 11], proposed general resilience frameworks for CIs. However, the approaches proposed in this prior art mostly evaluate the CI resilience based on satisfying a number of pre-determined criteria, as detailed in the next section. The resilience measures based on these properties fail to capture the effect of different disruptive events on the CI. In contrast, here, our goal is to introduce a general framework to evaluate and improve CI resilience based on the effect of disruptive events on the CI’s components. Prior to providing our key contributions, we will first review existing related frameworks and techniques in the next section to pinpoint their limitations.

### I-A Related Work

Critical infrastructure resilience has recently attracted significant attention [8, 9, 10, 11, 12]. In [8], the authors considered four properties for resilience: robustness, redundancy, resourcefulness, and rapidity; the resilience was quantified using four interrelated dimensions: technical (physical), organizational, social, and economic. The authors in [9] proposed a resilience framework that seeks to achieve three resilience properties pertaining to the ability of a system to absorb the impacts of perturbations, adapt to undesirable situations, and quickly return to its normal operations. In [10], a three-stage framework, reflecting the infrastructure’s resistant, absorptive, and restorative capacities, is introduced to analyze the resilience. The DHS work in [11] developed the notion of a resilience measurement index (RMI), which is an indicator of the degree to which the elements pertaining to resilience have been implemented by a CI. These elements include the preparedness of the CI for possible failures and the extent to which recovery mechanisms and mitigation measures are installed. The work in [12] introduced a quantitative assessment of infrastructure resilience using optimal control design in which recovery processes and costs are integrated to derive the resilience. However, one key limitation of these studies, [8, 9, 10, 11, 12], is that, while they can be used to compare different CIs, they do not capture the effect of specific events on the infrastructure. Therefore, their use is mostly limited to evaluating the resilience of CIs but not to improving it.

Other studies in the literature have focused on improving CI resilience by allocating CI-specific physical resources [13, 14, 15, 16]. In [13], the resilience of a cyber-physical system is improved by allocating a number of inter-network edges to the nodes of the interdependent network connecting the system’s cyber and physical layers. The effect of cascading failure among nodes is studied to help in the process of resource allocation. The authors in [14] proposed a new approach to repair system components using a graph-theoretic approach. In [15] and [16], CI resilience is studied from a general perspective without defining a quantitative metric for resilience. The authors in [15] consider the problem of allocating resources to highway bridges to improve the resilience of a transportation system. In [16], a framework is proposed to allocate resources to CIs based on their vulnerability level. Contract theory is used to formulate the problem of optimizing the economic benefit from the allocated resources, which are offered to CIs through contracts managed by the system operator. Note that, in [10], beyond defining resilience properties, a framework is proposed to improve CI resilience. The framework depends on allocating resources to improve the resilience by hardening a CI’s components, duplicating components, or ensuring rapid recovery of failed components. The framework is applied to improve the resilience of a power grid whose components are the generators, and the resources are allocated to the generators.

One limitation of these previous studies, [10] and [13, 14, 15, 16], is that individual CIs are abstracted within the system, e.g., as nodes within a generic graph. This provides no information on improving individual CIs’ resilience, as the solutions introduced in these studies consider the resilience of an entire system of multiple CIs while being agnostic to each individual CI’s resilience properties. Indeed, individual CIs and their specific failures are largely abstracted and not considered in enough detail. Hence, in such prior art, when resources are allocated within the system, no information is provided on how to effectively allocate them at the level of each CI.

In light of the preceding discussions, we propose a general framework to study and improve the resilience of CIs. The framework addresses the resilience at the level of both individual CIs and their collective effect on an entire system of multiple CIs. We introduce an analytical resilience index to quantify the resilience of individual infrastructures and to give insights about improving this resilience. Resilience is evaluated as a function of the CI’s probability of failure derived from the cascading failure of its physical components. Resources are then allocated to the individual CIs according to their contribution to the entire system. Examples of resources here include redundant components or monitoring devices such as sensors or cameras. Finally, each infrastructure can use the allocated resources to improve its resilience based on the introduced allocation algorithm. The key contributions stemming from this framework are outlined next.

### I-B Contributions

The main contribution of this paper is a comprehensive analytical framework for analyzing and optimizing the resilience of CIs. The proposed framework can be applied to different systems and CIs to evaluate their resilience and optimize it. The framework considers the resilience of each individual CI and allows improving it based on the economic contribution of each CI to the entire system of multiple CIs. We model the CI performance state using a Markov chain that allows us to derive a novel quantifiable resilience index. The proposed resilience index relates to the CI’s probability of failure which is induced from the probabilistic inference of a Bayesian network modeling the relationships between the various components of a given CI. The Bayesian network captures the effect of each component’s failure on the CI’s probability of failure. This allows calculating the effect of fixing each component on the probability of failure and hence on the infrastructure’s resilience index. We also develop an algorithm, using the Bayesian network, to prioritize each CI’s components based on their effect on the resilience index. This algorithm can be used by individual CIs to determine the order in which they should secure their key components through external resources.

A case study pertaining to hydropower dams is introduced to highlight the importance of the proposed framework and to evaluate its performance. Within this case study, a hydropower dam’s resilience is evaluated based on its probability of successfully generating electricity. We propose a new approach for improving the dam’s resilience by securing its main components using external resources. The problem of allocating these resources to multiple dams, based on their economic contribution to the entire system (the power grid), is modeled using contract theory [17] and the optimal solution to this problem is derived using dynamic programming. Through simulations, we show that both the system operator and individual CIs can benefit from the process of resource allocation. The system operator can maximize its reward from the allocated resources using contract theory, while CIs significantly improve their resilience indices.

The rest of this paper is organized as summarized in Fig. 1. The Markov chain model and the analysis for deriving the resilience index are presented in Section II. The Bayesian network analysis and the component prioritization algorithm are discussed in Section III. The case study of hydropower dams and the optimal solution to the problem of CI resource allocation are derived in Section IV. Numerical results are presented and analyzed in Section V. Finally, conclusions are drawn in Section VI.

## II Evaluating the Resilience of Critical Infrastructure using Markov Chains

Consider a critical infrastructure whose performance at a given time is a function of the state of the system as captured by the random variable . can take values from a set whose values represent three CI states: success (), warning (), and failure (). The success state, , represents normal service, i.e., the infrastructure is properly delivering its designated service. The CI will be in a warning state, , with the occurrence of a partial failure to its components that may lead to a complete failure. The failure state, , represents the failure of the CI to deliver its designated service. This failure can occur either suddenly due to, e.g., natural disasters, or as a result of a partial failure from a previous warning state. We introduce a Markov chain to model these states as shown in Fig. 2.

The transition probabilities between the different states can be induced from the Markov chain. Let where . Then, the full transition probability matrix will be given by:

(1) |

The values within each row of will sum to as they represent the probability distribution for all possible next states whenever the system is at a specific state.

In practice, it is intuitive to assume that the probability is zero. This is due to the fact that, once a failure happens, the CI will either remain in this state or recover to the success state, not to a warning state. Here, we also assume that, whenever the infrastructure is in a warning state, it is either fixed and restored to a success state or it continues to fail and eventually goes to a failure state. This transition is based on the actions taken at a given time step; however, there is still a small probability that no action is taken at this time step, as captured by the probability of remaining in the warning state . We assume that is fixed to a value which should be small. Based on these assumptions, the transition probability can be simplified, as follows:

(2) |

Note that the probability matrix specifies transition probabilities for a single time step. Transition probabilities for time steps can be calculated as . The probabilities of being at a given state, i.e., , and , can be calculated using and the vector of the initial probability distribution of being at each state , as follows:

(3) |

where is the probability distribution vector of being at each state after time steps.

We define the resilience of an infrastructure to be the reciprocal of the probability of being in the failure state in the long run as:

(4) |

where is the probability corresponding to the failure state in the vector . This probability will always exist if the Markov chain is irreducible, as shown in [18], i.e., there is no absorbing state. In practice, the chain in Fig. 2 cannot have an absorbing state, so it is irreducible. The resilience here is inversely proportional to the probability of failure; thus, reducing the probability of failure will increase the resilience. Reducing the long-run probability of failure implies that the CI will spend fewer time steps in the failure state, which conforms to the definition in [3]. Note that relating the resilience to the probability of failure was introduced in [2]; however, in [2], the CI was allowed to operate in only either a satisfactory or a failure state.

To calculate the value of , the value of needs to be evaluated at high values of , which in turn will depend on . The powers of for high values of can be calculated in advance if is a regular transition matrix [18]. The powers are shown to converge to a matrix in which all rows are the same and each row is a strictly positive probability distribution vector [18] if is a regular transition matrix. Converging to a constant matrix means that any further multiplication of with will not change , i.e.,

(5) |

As all rows in are the same, the probability vector , in (3), will no longer depend on the initial probability distribution . Multiplying the values of , which sum up to , with the constant columns of will yield the same constant values of . Hence, (3) can then be written as:

(6) |

Let the vector be the constant row of which assigns different transition probabilities to all possible states. According to (5), this vector will satisfy the following property:

(7) |

As discussed earlier, matrix only exists if matrix is a regular Markov matrix. In the following theorem, we prove the necessary conditions that must satisfy in order to be a regular Markov matrix.

###### Theorem 1.

The probability transition matrix is a regular Markov matrix.

###### Proof.

Let , then, the values of can be computed using (7), as follows:

(8) |

The solution of this set of equations gives the values:

Substituting in the denominator by , the denominator can be written as , with all the terms being positive. The numerators then determine the sign of the values of . It is obvious that will have positive values if are nonzero. However, if equals zero, there will be no transition to the warning state when the CI starts in the success state. This implies that the warning state will be isolated, which contradicts the fact that the chain is irreducible. The assumption that is zero also cannot hold from a practical point of view, since in this case the infrastructure cannot be recovered to the success state and hence is not resilient.

This shows that the values will always be positive hence they represent valid transition probabilities which proves that is a regular Markov matrix. ∎

After deriving the convergence values, the resilience of an infrastructure will then be:

(10) |

To shed some light on the number of time steps, i.e., powers (iterations), needed for the matrix to converge to , three different CIs are examined as shown in Fig. 3 and Fig. 4. Fig. 3 shows the values of as they reach a constant value after some time steps; similarly, Fig. 4 shows the values of . In this example, the first CI has a high probability of being in a success state, and high probabilities of returning to the success state, . Fig. 3 and Fig. 4 show that the convergence occurs at time steps. The second CI has a high probability of being in a success state but lower transition probabilities and . The convergence in this case occurs at time steps. Finally, the third CI has a low probability and high transition probabilities and and, hence, its convergence occurs at approximately time steps. Clearly, only a few time steps are needed for each CI’s transition matrix to converge, which corroborates the practicality of our proposed approach.

In our model, we are interested in studying the effect of improving the probability on the CI’s resilience. This is because we want to increase the transition probability from the warning state () to the success state (), thus reducing the probability of failure. To this end, we evaluate the rate of change of the resilience index with respect to the probability , as given by:

(11) |

This rate of change is strictly negative which implies that will always decrease with the increase of . From (II) and (10), it can be clearly seen that the resilience will have a positive rate of change with respect to the probability .

Finally, we define the resilience index of a CI as:

(12) |

where is the minimum value of that can be achieved at the maximum value of when substituted into (II) and (10). This value achieves a maximum resilience . It is straightforward to show that is positive with . The resilience index in this way helps to evaluate how far each CI is from its maximum achievable resilience. It can also help to compare different CIs, as their resilience is measured on the same scale. Fig. 5 shows the values of the resilience index with increasing values of for different values when .

Next, we study how to compute the probability for an infrastructure and the effect of improving this probability on the resilience of a given CI. A Bayesian network is defined for this purpose as explained next.

## III Bayesian Network Model for CI Probability of Failure

To compute , we need to evaluate the probability of failure of a CI, given the probability of failure of each of its individual components. Since the failure of one or more components can cause other components to fail, we need to consider the relationship between the components when computing . To this end, a Bayesian network [19] is a suitable framework.

### III-A Bayesian Networks: Preliminaries

A Bayesian network is a network that describes the causality and relationships between random variables under incomplete information [19]. A Bayesian network is normally represented by a directed acyclic graph (DAG) in which each node represents one random variable. Let be a Bayesian network; then is the set of nodes, which represent the different random variables, and is a set of directed edges. A directed edge from a node to means that node depends on node , and in this case is called the parent of node . A node can have multiple parents, and the set of parents of a node is given by . Every variable can take a value from a finite set of values, e.g., if the variables are binary they can either be true or false. Finally, each node is associated with a conditional probability table (CPT), while roots, i.e., nodes without parents, are assigned direct probabilities. A CPT for a node gives the conditional probabilities between and every node in .

Consider a Bayesian network with binary values: each variable in the network can be either true () or false () with a given probability. For a variable , its and probabilities, i.e., , are written as , where the lowercase letter indicates a value of the variable. The probabilities within each variable sum to , i.e., . If a variable, e.g., , has two parents and , then the CPT of will have eight entries representing the possible combinations of and with the and values of . However, as the and values for any variable sum to , only half of the CPT entries must be stored, i.e., the values of .

Once the probabilities and the CPTs are assigned, probabilistic inference can be performed to calculate the probability of any variable given some evidence in the network. Probabilistic inference in general Bayesian networks is known to be NP-hard [20]; however, Pearl [21] introduced a polynomial-time algorithm to perform probabilistic inference in singly connected Bayesian networks. A singly connected Bayesian network, also known as a polytree, is a Bayesian network that has no loops, i.e., there is only one path between any two nodes in its underlying undirected graph.

### III-B Evaluating CI Probability of Failure

For our resilience problem, we introduce a Bayesian network to model the possible failure events of a given CI that can prevent it from delivering its designated service. We model the various possible failure events of the components of a CI which can lead to total CI failure with a given probability. The total failure probability calculated from this Bayesian network will effectively represent the transition probability as this is the probability with which a partial failure causes a total failure. On the other hand, failure events, such as natural disasters, that can cause a sudden CI failure, are not captured by this network. They can be modeled in a separate network to calculate the transition probability .

The Bayesian network is constructed such that failure events are modeled as variables (nodes) in a hierarchical way. Nodes are grouped into levels where failures in one level can cause failures in the next level. Fig. 6 shows the structure of the proposed Bayesian network, in which the number of nodes and levels varies according to each infrastructure. Roots in the network, , represent possible failure events of the respective CI components. Failure, here, can happen due to external effects or normal wear and tear of the components. The subsequent levels represent the cascading failure of other major components, e.g., and . These major failures can, in turn, cause a failure in their next level, with given probabilities, and so on until the whole infrastructure fails. The CI failure is represented by the single leaf in the Bayesian network.

As the variables represent failure events, they can be either true () or false () with a given probability. A value implies that the failure event has occurred, and means it has not occurred. Root variables are assigned and probabilities, while the variables at subsequent levels are associated with conditional probabilities for the possible combinations of their parents’ values. Probabilistic inference can then be performed to compute the total probability of failure of a CI according to the failure probabilities of its components. Note that the proposed network in Fig. 6 is a singly connected Bayesian network and, hence, probabilistic inference can be performed in polynomial time.

To compute the probability of failure for any given CI, we start by calculating the prior marginal probability of failure. This probability is calculated from the initial assigned probabilities. Assume, without loss of generality, that is the variable representing the failure, then the prior marginal probability of , the value of , can be calculated in a manner analogous to [22]:

(13) |

where is the joint probability for all the instantiations of the independent random variables . The summation is calculated over all variables except , thus these variables are marginalized from the joint probability. The joint probability in (13) is given by:

(14) |

where when the set is empty.

This prior marginal probability represents the initial in our CI Markov chain model. It can be used to calculate the initial resilience index of a given CI. Then, the effect of each node on improving the resilience index can be calculated and, hence, the components of a CI can be prioritized based on their effect on . However, the effect of each component should not be considered separately, as securing a component will reduce which will also reduce the effect of other components on . The proposed procedure for sorting the components is given next.

We calculate the posterior marginal probability of failure given the evidence of each root variable separately. Let the number of root variables be . Then, the marginal probability will be given by [22]:

(15) |

where is the evidence value for the variable when . We consider the false (no-failure) value of the root to capture the positive effect of securing that variable on the total probability of failure. This is calculated for all root variables, and the values are sorted in descending order. The variable that causes the greatest reduction in then represents the first component of the CI that must be overhauled. This variable is also used as a new evidence variable in the Bayesian network to determine the second most influential variable (component) among the remaining roots.

Assume without loss of generality that is the root with the most effect on , then the next posterior marginal probability is calculated considering only the instantiation of . The probability is calculated for the remaining root variables individually as given by:

(16) |

This procedure is applied to all the roots, adding one root to the evidence variables each time. The procedure ends by sorting all the components of a CI in descending order according to their effect on the probability of failure. The steps of this procedure are summarized in Algorithm 1.
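The following Python is an added example (not the paper's code or its Algorithm 1 listing) of the Section III-B computation and the greedy prioritization just described, run on a small constructed polytree in the spirit of the dam network of Section IV-A. Four root faults feed a generator and a turbine failure node, which feed the single leaf. The prior marginal failure probability is obtained by marginalising the chain-rule joint over all other variables; each root is then set to false (secured) as evidence, the root giving the lowest posterior failure probability is chosen, and it stays in the evidence set for the next round. The node names, priors and CPT entries are constructed for the example; the marginalisation is done by exhaustive enumeration rather than the polynomial-time polytree algorithm, which is adequate for a network of this size but is an assumption of the example, not the paper's method.

```python
from itertools import product

# Constructed example network (not the paper's Fig. 7). Each node maps to
# (parents, CPT); the CPT gives P(node = True | parent values). Roots have an
# empty parent tuple and a single prior entry keyed by ().
DAM_NETWORK = {
    "stator_fault":      ((), {(): 0.10}),
    "rotor_fault":       ((), {(): 0.05}),
    "intake_gate_jam":   ((), {(): 0.15}),
    "blade_damage":      ((), {(): 0.08}),
    "generator_failure": (("stator_fault", "rotor_fault"),
                          {(True, True): 0.95, (True, False): 0.70,
                           (False, True): 0.60, (False, False): 0.02}),
    "turbine_failure":   (("intake_gate_jam", "blade_damage"),
                          {(True, True): 0.90, (True, False): 0.65,
                           (False, True): 0.50, (False, False): 0.01}),
    "dam_failure":       (("generator_failure", "turbine_failure"),
                          {(True, True): 0.99, (True, False): 0.80,
                           (False, True): 0.75, (False, False): 0.01}),
}


def joint_probability(network, assignment):
    """Chain rule over the DAG: product of P(x_i | parents(x_i)) for every node."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def failure_probability(network, leaf, evidence=None):
    """P(leaf = True | evidence): sum the joint over every assignment consistent
    with the evidence, then normalise by the total mass of those assignments.
    Exhaustive enumeration: exact but exponential in the number of free nodes."""
    evidence = dict(evidence or {})
    free = [n for n in network if n not in evidence]
    joint_true = joint_all = 0.0
    for values in product((False, True), repeat=len(free)):
        assignment = {**evidence, **dict(zip(free, values))}
        p = joint_probability(network, assignment)
        joint_all += p
        if assignment[leaf]:
            joint_true += p
    return joint_true / joint_all


def prioritize_roots(network, leaf):
    """Greedy ordering of root components: at each round, secure (set to False)
    the remaining root whose evidence gives the lowest posterior failure
    probability, then keep it as evidence for the next round. Returns a list of
    (root, posterior failure probability once that root is secured)."""
    roots = [n for n, (parents, _) in network.items() if not parents]
    evidence, order = {}, []
    while roots:
        best = min(roots, key=lambda r: failure_probability(
            network, leaf, {**evidence, r: False}))
        evidence[best] = False
        order.append((best, failure_probability(network, leaf, evidence)))
        roots.remove(best)
    return order


if __name__ == "__main__":
    prior = failure_probability(DAM_NETWORK, "dam_failure")
    print(f"prior P(dam_failure) = {prior:.4f}")
    for root, posterior in prioritize_roots(DAM_NETWORK, "dam_failure"):
        print(f"secure {root:18s} -> P(dam_failure) = {posterior:.4f}")
```

The prior failure probability is what feeds the warning-to-failure transition of the Markov chain, and each posterior in the returned list is the value that transition would take after the corresponding components are secured, so the list doubles as the sequence of resilience improvements a CI can expect from its allocated resources. Because every round re-evaluates the remaining roots with the already-secured ones held as evidence, the ranking accounts for the shrinking effect of later components that the text warns about.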

Note that, according to (14), the joint probability considers the parents of each node. Thus, (III-B) can be derived from (15) by considering changes in the branch between the leaf node and the new evidence variable only. All the other summations in (15) will not change, as the evidence variable does not belong to those branches. This allows a reduction in the complexity of calculating the updated probabilities after fixing the components.

Algorithm 1 can then be used by any CI to determine the order according to which it must fix its components. As CIs typically allocate resources to improve their resilience [10, 13, 14, 15, 16], Algorithm 1 can help CIs to determine the components to which resources will be allocated within each CI.

Here, we note that, in practice, CIs operate within larger systems (e.g., an entire city) that are composed of multiple, interdependent CIs that collectively provide a common service. As such, the loss of function of one CI will impact other interdependent CIs and, therefore, when analyzing the resilience of a large-scale system, one must consider all the interdependent CIs. This, in turn, brings forward a new problem of allocating resources, such as monitoring devices, among a system of multiple CIs, which is addressed next. Within the context of resource allocation, Algorithm 1 is applied by each CI to make the best use of its allocated resources.

## IV Resource Allocation for Optimized Resilience

As evident from the previous discussion, our next step is to study the problem of allocating resources in a system of multiple CIs, while taking into account the individual Bayesian network model of each CI. Resources can range from cyber resources to personnel or physical equipment. We classify resources into two categories: preventive and rapid intervention resources. Preventive resources are resources that help a CI’s components become less vulnerable to failures. This might include replacing some components with more reliable ones or installing redundant components. Rapid intervention resources, on the other hand, require monitoring and alarm systems to be deployed and require the existence of on-site facilities that can be used to fix or replace corrupted components in a timely manner. The choice of either category of resources depends on the nature of the infrastructure and the cost of using each. For instance, in a power plant, preventive resources can represent installing redundant switches or replacing old stators, while rapid intervention resources can represent intensive monitoring of the generators to repair any defects once they occur and keep the generator working.

As resources are infrastructure-specific, we introduce an application-specific case study to highlight the importance of our framework. Though the framework can be applied to any CI, studying the problem of resource allocation within the context of a specific CI, as a case study, helps better illustrate our framework, as shown next.

### IV-A Hydropower dams: A case study

We apply the proposed framework to hydropower dams and their impact on power systems as a practical CI in order to measure the resilience improvement that can be achieved. Dams are classified as one of the critical infrastructure sectors according to the US DHS [5]. Hydropower dams provide a good platform to apply our proposed framework as they have many connected components that could be affected by numerous failure events. Recall that, according to our proposed framework, failure will be defined as the inability of the dam to produce electricity.

A Bayesian network is designed for each dam where the parents of the node representing failure are the dam’s main components, such as penstocks, generators, turbines and transformers. In turn, these variables are modeled as child nodes of the variables representing smaller components such as stators, rotors, intake gates, and blades. Components are connected in a hierarchical manner down to the roots, which represent the failure of small components. Fig. 7 shows a scheme for a hydropower dam highlighting its main physical components along with part of the Bayesian network defined for this dam. We use previous failure statistics and reliability analyses [23] to assign probabilities of failure to the roots of the Bayesian network. Conditional probabilities between components are assigned based on the components’ relations, similar to the method used in fault trees. Note that the same method of assigning probabilities can be applied to any other CI.

From a resources perspective, preventive resources are seen as a long-term solution to improve the resilience of dams in service. Preventive resources require some components to be replaced, which might not be applicable while the dam is in service. Therefore, we focus on rapid intervention resources, which include monitoring devices, such as sensors and cameras, and maintenance equipment. We propose to use both fixed sensors and drones in the monitoring process. Drones can be used in general to inspect areas of interest in CIs [24] and help to inspect hard-to-reach points where conventional sensors or monitoring methods cannot be used. Recently, the use of drones to inspect even the inner parts of a dam was shown to be applicable in [25]. In that work, the authors modified a drone and used it to inspect the inside of the penstocks of a number of dams. Mechanical robots, on the other hand, can be used to inspect a dam’s key sections that cannot be reached by drones, such as underwater components [26].

The majority of dams in the United States are privately owned [27], and their owners are responsible for their safety. However, there is still a federal role in ensuring dam safety, as dams can severely affect persons and property in case of failure. The same applies to the electricity supply: the failure of a dam to generate electricity will affect large parts of the electric grid that it supplies. These facts reveal the importance of having a system operator to manage the process of resource allocation across multiple dams. The system operator is considered a centralized agency that provides resources to one or more dams to increase their resilience and, hence, avoid long interruptions to the electric service. Having a system operator that can manage the resources, especially drones, is useful as the operation of drones is regulated by the Federal Aviation Administration (FAA) [28] and is not granted to all private organizations. In the following, we will use a general notion of resources, without being restricted to drones, as the framework can be applied to any type of resources.

Next, we formulate the problem of allocating resources within a system of multiple dams (CIs). We propose to use contract theory, a powerful framework from microeconomics that provides useful tools for designing contractual agreements between a principal and a number of agents [17]. The system operator is modeled as the principal and the owners of the dams as agents, as discussed next in more detail.

### IV-B Resource Allocation Using Contract Theory

We consider a system in which an electric grid operator, referred to as the principal, is interested in providing a number of resources to the owners of dams to be used in the process of surveillance and rapid intervention. Let be the set of targeted dams. Dams are assumed to have different owners. These dams, being part of the grid, sell their generated electricity to the power grid managed by the principal. Each dam can utilize the resources to improve its resilience and hence reduce the probability of failure to generate electricity.

The principal has a limited number of discrete (integer valued) resources to be allocated to the dams and, hence, it decides how to optimally use these resources. The goal of the principal is to invest in improving the probability of power generation and, hence, to decrease the probability of losses due to a dam’s failure. We model the principal’s payoff as the difference between the total rewards it gets from the dams’ owners and the total expected losses due to each dam’s failure. Losses are modeled as a function of the total probability of failure before and after the deployment of resources. The total utility that the principal achieves as a function of the vector of resource allocation is given by:

(17) |

where is the resource allocation vector across all dams with each element specifying the number of resources allocated to dam , is the expected real-time energy price if dam fails to generate electricity, is the average real-time energy price in normal operation, is the contracted power production for dam , the expected number of hours the dam will be out of service due to failure, and is the monetary reward the principal gets for a unit of resources, which can also be seen as a cost. Note that the resources in (17) refer to monitoring resources or drones, as discussed earlier. We introduce the function to measure the improvement in the resilience of a CI due to the amount of allocated resources. Specifically, the CI evaluates the difference in its resilience index before and after using the resources , and is given as:

(18) |

where and are the values calculated from (II) and (10) respectively for the updated values of . These updated values are calculated from the Bayesian network as the result of fixing a number of variables equal to according to the order specified by Algorithm 1. The effect of the first unit of resources on , for each dam, is calculated from (15) while the effect of the remaining resources is calculated from (III-B) for each additional unit of resources. Without loss of generality, we assume that each component of a CI can be secured by a single unit of resources.

Each dam’s owner will evaluate the amount of resources it receives based on the resilience enhancement that will result from the allocated resources. This resilience improvement is reflected by a higher probability of generating power and, hence, a higher probability of selling the generated power at the real-time prices. The utility of dam is defined as follows:

(19) |

where is the average day-ahead energy price for dam . The remaining parameters are similar to those in (17).

The principal wants to offer contracts to the dams’ owners to maximize its utility in (17). A contract [17] can be seen as an agreement between the principal and a dam’s owner under which the principal provides and operates resources to monitor, inspect, and fix points of interest in the dam and gets monetary rewards in return. Every contract is defined as a pair representing the amount of resources and the monetary reward (cost) the dam’s owner should pay for these resources.

In our model, we assume the principal has complete information about the targeted dams. This information should be provided by each dam’s owner, as the resource evaluation, from the Bayesian network, is dam-specific and cannot be estimated by the principal without the dam owners. Moreover, the principal, being the system operator, already knows all of the other parameters. Hence, the focus of the principal is to design contracts in a way that ensures each dam owner’s participation in order to maximize its total benefit. Contracts offered by the principal should then satisfy the key property of individual rationality, under which each dam’s owner is willing to participate only if the benefit it gets is greater than or equal to the amount it pays , i.e.,

(20) |

The principal can then design the optimal contracts by maximizing its utility and satisfying the constraints as follows:

(21) |

### IV-C Optimal Contract

Solving the problem in (21) is challenging as the function is not continuous: it takes discrete values over a finite set of values. To address this challenge, we first inspect the properties of the function in order to solve the problem in (21).

###### Proposition 1.

The values of the function represent a monotonically increasing concave sequence.

###### Proof.

We prove this proposition by showing how the values of are calculated. Let the values be any three consecutive values for the improvement in achieved by fixing any three consecutive variables as calculated from Algorithm 1. These values satisfy the following two properties:

(22) |

according to the selection criteria defined in Algorithm 1 in which the biggest improvement is captured first.

Let be the values calculated from (18) for the updated values for , respectively. Each is the difference between the updated and the current . According to (II), the values of are inversely proportional to the values, hence, the values follow the same relation and it can be seen that . Therefore, we can conclude that the sequence is monotonically increasing:

(23) |

and the difference relation becomes:

(24) |

Rewriting the last inequality we get:

(25) |

which proves that the sequence is concave [29]. ∎

Using Proposition 1 with the first constraint in problem (21), we can see that the constraint is the difference between a monotonically increasing concave sequence and a strictly increasing linear sequence . The result will be a concave sequence that can have both positive and negative values depending on the difference between the two sequences. This result is used by the principal to determine the range of values, i.e., , that meets the first constraint and, hence, will be acceptable to the dam’s owner as it satisfies individual rationality.

Next, we study the properties of the objective function in (21) based on the results of the previous proposition.

###### Lemma 1.

The objective function in (21) is a convex sequence with respect to each dam that is monotonically increasing.

###### Proof.

We prove this lemma by showing the relation between the terms of the objective function. For a given dam , the objective function is the difference between the reward and a constant number multiplied by the concave function . The reward term represents a linear, strictly increasing function in the number of resources , while the second term is a monotonically increasing concave function. Clearly, the difference between both terms will be a monotonically increasing convex sequence. ∎

According to Lemma 1, while being convex, the objective function might have negative values until a certain amount of resources is used, that is, while the second term exceeds the reward term. The principal can use this value to update the minimum number of resources, i.e., , that should be allocated to each dam for the allocation to be a feasible solution for the principal. The update is done based on the larger of the two minimum values calculated in Proposition 1 and Lemma 1.

After determining the range of possible values for each allocation, the principal can use dynamic programming optimization [30] techniques to calculate the solution to the problem in (21). In the dynamic programming representation, stages will represent the current allocation of resources for each dam. The state of each stage represents the current value of the objective function. The update from a stage to another, i.e., from an allocation to another, aims to increase the value of the objective function. If no increase can be achieved at one stage, then the current allocation is the optimal. This is shown next.

###### Theorem 2.

The optimal resource allocation can be found using dynamic programming by updating the number of resources assigned to each dam at each stage while maximizing the benefits of each allocation.

###### Proof.

The values of the objective function are calculated at each value of the resources in the feasible range for each dam , . These values are stored for all dams as a matrix of size . Each value in the matrix is the objective function value evaluated for dam when it is assigned a number of resources . The values of each row represent a monotonically increasing sequence as shown in Lemma 1.

The first stage in the problem starts by allocating the maximum feasible resources to the dam with the highest objective function value, i.e., for the dam with and is the largest among all other dams. As the values for this dam represent a convex sequence and are monotonically increasing, the principal will not gain more by assigning a lower number of resources to this specific dam. Since this value of is the maximum among all dams, this allocation represents the maximum value that the principal can get for this number of resources . The rest of the resources, i.e., are assigned to dam having the largest among all dams.

This allocation represents the optimal solution at the first stage as the principal gets the highest utility for the current resource configuration. The principal then tries to get a higher utility by changing the current allocation scheme. The principal might be able to do so by decreasing the number of resources assigned to dam and assigning the difference to another dam if the following condition holds:

(26) |

where decreases by one unit of resources each time. The principal compares the utility gains that it can achieve by assigning more resources to another dam. These resources are taken from the dam with the most resources. The current allocation ensures that the principal gets the largest utility from the allocated resources, so it is the optimal solution at this stage. Here, if the principal cannot increase its utility by moving a single unit of resources, it will try to move more than one at a time until the condition is satisfied or all the values of resources have been checked.

The procedure continues at each stage by assigning fewer resources to the dam with the most resources whenever a higher utility can be achieved by allocating these resources to another dam. This ensures that the principal achieves its maximum utility at each stage. This procedure, which starts at the final allocation and moves backward while ensuring the maximum utility is achieved at each stage, satisfies the Bellman equation [31], which is the necessary optimality condition in dynamic programming. Hence, the procedure achieves the optimal resource allocation. ∎

The complexity of calculating the optimal resource allocation for the previous dynamic programming problem is where:

(27) |

as for each number of resources in the range , the program at most compares the utility function times for each of the dams.

Finally, we summarize our framework steps in the flow chart shown in Fig. 8. Note that the problem discussed in this section, though discussed within the context of a case study, can be used to allocate resources in other systems of multiple CIs. Selecting a specific CI, hydropower dams here, helped to design meaningful Bayesian networks and to define the CIs’ utilities in the contract-based allocation. Next, we show some numerical results built on the selected case study, i.e., hydropower dams.

## V Numerical Analysis and Results

Although our framework can be applied to any number of dams, for our simulations, we consider a case of two dams, in order to better highlight each dam’s effect on the process of resource allocation. Two Bayesian networks are designed for the two dams using similar components but with different probabilities. In the following experiments, the transition probabilities are assumed to be the same for both dams , and . However, the first dam is assumed to have a lower initial while the second dam will have . Other parameters are set as follows: MW/h, MW/h, hours, hours, , and . is assumed to be higher than as is assumed to be higher than , so the failure of the second dam will have a larger effect on increasing the prices of power.

In Fig. 9, we show how the total probability of failure can be reduced by overhauling each dam’s components. The components are overhauled using the allocated resources in the order specified by Algorithm 1, and then the variables representing these components are adjusted in the Bayesian network. Note that, when decreases, both the resilience and the resilience index increase according to (10) and (12). We can see that the second dam achieves a higher reduction in the probability of failure . This is because the second dam has a higher initial , so the difference between the initial and final is higher, resulting in a higher difference in . This difference represents the function as in (18). Fig. 9 also corroborates Proposition 1 by clearly showing that the improvement in each dam follows a monotonically increasing concave sequence.

Fig. 10 shows the benefit that each dam receives from the allocated resources, evaluated as the first term of (19) before subtracting the cost, which is a function of . The figure shows the cost of the resources separately. The intersection between the cost and each dam’s benefit determines the range of values that each dam is willing to accept. Any additional resource beyond will yield a negative utility for the dam, as the cost will be higher than the dam’s benefit. The range can be seen from Fig. 10 to be and for the first and second dams, respectively. The first dam has a smaller range as its utility is lower than that of the second dam, starting at units of resources. This utility is lower because the first dam has a smaller power production and a higher initial resilience index, which causes the changes in to be small.

In Fig. 11, we show the utilities of the dams as given by (19). We can see that both dams have nonnegative utilities only in the ranges discussed before, i.e., for the first dam and for the second dam. Fig. 11 also shows that both utilities are concave and each has a maximum value at a certain amount of resources. The first dam has its maximum utility when it uses units of resources, while the second dam can achieve its maximum at units of resources. These values represent the maximum distance between the benefit and the cost in Fig. 10. Note that, according to the proposed framework, the owners of the dams are willing to accept resources in their feasible ranges regardless of their maximum utility. This is because the extra resources will help improve their resilience.

In Fig. 12, we show the principal’s utility calculated for each dam. Fig. 12 shows two curves, one for each dam, where the second curve is plotted upside down. The horizontal axes show the amount of resources allocated to each dam, while the remaining resources are allocated to the other dam. Therefore, the principal’s total utility, at each allocation, is the sum of the values from the two curves corresponding to this allocation. Fig. 12 corroborates the result of Lemma 1, where we showed that the principal’s utility calculated for each dam separately represents a monotonically increasing convex sequence. From Fig. 12, we can see that the principal achieves a higher utility by allocating resources to the first dam. This stems from the fact that the first dam has a lower power production and a higher initial resilience, i.e., lower . Fig. 12 also has two solid vertical lines, each representing the maximum number of resources for a dam. Any allocation of resources beyond these lines is no longer feasible, as it yields negative utilities for the dams. The lines correspond to the maximum resources in the feasible range for each dam ( for the first dam and for the second dam). The optimal allocation in this case is to allocate units of resources to the first dam and units of resources to the second dam.

In Fig. 13, we show the resilience index as a function of the amount of resources allocated to each dam. The horizontal axis shows the resources allocated to each dam separately. The two curves show the possible resilience index improvements for both dams. Fig. 13 shows that the first dam has a higher initial resilience index; however, theoretically, both dams can reach their maximum resilience index. The values of the resilience indices for both dams, achieved at the optimal resource allocation, are marked with black squares. From Fig. 13, we can see that the first dam’s resilience index at the optimal allocation equals , while the second dam achieves a resilience index of . This is due to the fact that the first dam has a higher initial resilience index and is allocated more resources. Fig. 13 shows that the first dam achieves about increase over its initial resilience index, while the second dam achieves about increase over its initial resilience index. This makes the average increase of the resilience index in the system about .

We next study the effect of varying the reward that the principal charges for a unit of resources on the optimal solution. We apply the same parameters as in the previous experiments, but the reward per unit of resources is now varied from to .

Fig. 14 shows the principal’s utility when applying the proposed allocation and its utility when allocating resources to only one of the dams. We see that the principal achieves its highest utility at the value of per unit of resources. On the other hand, the value of is shown not to be enough for the principal to achieve a positive utility. The values in the range yield a negative utility for the second dam; therefore, the optimal allocation is to allocate the maximum amount to the first dam. In the range , both dams can achieve positive utilities and, hence, the solution involves both dams in the process of resource allocation. At the value of , the first dam will achieve a negative utility, so resources are allocated to the second dam only, i.e., its maximum allowed value. From Fig. 14, we can also see that the principal could achieve a higher utility if it allocated all the resources to the first dam for reward values of and . This is because the proposed solution is primarily centered around improving the resilience index and not maximizing the principal’s reward. Hence, it allocates all of the available resources, as long as the principal achieves a positive utility. From Fig. 14, we can see that the proposed solution allocates and to the first dam for the reward values of and , respectively. The remaining resources, i.e., and respectively, are allocated to the second dam even though they cause the principal’s utility to be lower.

In Fig. 15, for comparison purposes, we introduce a slight modification to our dynamic programming procedure to find the optimized solution from the reward’s point of view. The main difference between the reward-optimized allocation and our original proposed allocation is that the principal does not have to allocate all the available resources. Instead, the principal allocates resources up to the limit that keeps its utility increasing. For instance, at a reward value of , the reward-optimized allocation assigns units of resources to the first dam and nothing to the second dam, compared to and in the original proposed allocation. This helps the principal achieve a higher utility at and , as shown in Fig. 15. This reward-optimized solution coincides with the first dam’s single allocation in Fig. 14 for the same reward range.

The extra reward achieved using the reward-optimized allocation comes at the cost of the dams’ resilience. Fig. 16 shows the average resilience index for both dams when using the two allocations. We see that at reward values of and , the average resilience index of the reward-optimized allocation is and less than that of our proposed allocation, respectively. This is because fewer resources are used and, hence, the dams achieve a smaller resilience improvement.

Finally, we show the average resilience index multiplied by the principal’s utility to capture the combined effect of both; we call this the average resilience utility for the principal. Fig. 17 shows that the gap between the proposed allocation and the reward-optimized allocation is smaller than in the case of comparing just the utilities. This happens because the proposed mechanism allocates all the available resources, which helps increase the dams’ resilience indices and hence the average. In the reward-optimized allocation, some resources are not allocated if they would cause the principal’s utility to go lower; hence, the dams achieve lower resilience indices and the average is lower. From Fig. 17, we can see that the reward-optimized allocation slightly outperforms the proposed allocation in the average resilience utility only at the value of . It is slightly lower at the value of and coincides with the proposed allocation at all the other values. It is also clear from Fig. 17 that our proposed allocation outperforms allocating resources to only one of the dams in terms of the combined effect of the principal’s reward and the dams’ resilience.

Here, we note that finding the solution of the reward-optimized allocation increases the complexity of the dynamic programming optimization problem to , as the principal needs to check all partial resource allocations. This significantly increases the solution space and the time needed to reach the optimal solution. Moreover, this allocation will achieve a lower average improvement in the resilience index as fewer resources are allocated. Note that the last constraint in (21) needs to be relaxed to to allow for partial allocations. Given the complexity of the reward-optimized allocation and the limited improvement it can achieve over our proposed allocation, the proposed allocation is superior for allocating resources to a system of multiple CIs.
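To make the allocation procedure of Section IV-C and the reward-optimized variant above concrete, the following added example (not the paper’s code) runs a Bellman-style dynamic program over a constructed two-dam instance. It assumes the structural forms the text describes, with specific coefficients that are not from the paper: each dam’s improvement ΔR(x) is the cumulative sum of per-unit gains ordered as Algorithm 1 would order them (checked for Proposition 1), the owner’s utility is a benefit coefficient times ΔR(x) minus the reward per unit (the shape of (19) and constraint (20)), the principal’s per-dam term is the reward minus a loss coefficient times ΔR(x) (the shape Lemma 1 describes), and a dam may also receive no contract at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Dam:
    """One CI in the system. `gains` are the per-unit improvements in the resilience
    index (in hundredths), already ordered largest-first as Algorithm 1 would produce them."""
    name: str
    gains: Tuple[int, ...]
    benefit: int   # owner's benefit per hundredth of improvement (assumed parameter)
    loss: int      # principal's loss coefficient per hundredth (assumed parameter)

    def delta_r(self, x: int) -> int:
        """Improvement function in the spirit of (18): cumulative gain of the first x units."""
        return sum(self.gains[:x])

    def owner_utility(self, x: int, r: int) -> int:
        """Owner's utility, shaped like (19): benefit from the improvement minus the reward paid."""
        return self.benefit * self.delta_r(x) - r * x

    def principal_utility(self, x: int, r: int) -> int:
        """Principal's per-dam term as Lemma 1 describes it: reward minus a constant times delta_r."""
        return r * x - self.loss * self.delta_r(x)


def _diffs(seq: Sequence[int]) -> List[int]:
    return [b - a for a, b in zip(seq, seq[1:])]


def is_increasing_concave(seq: Sequence[int]) -> bool:
    """Proposition 1: strictly increasing with non-increasing increments."""
    d = _diffs(seq)
    return all(v > 0 for v in d) and all(b <= a for a, b in zip(d, d[1:]))


def is_convex(seq: Sequence[int]) -> bool:
    """Lemma 1: increments never decrease."""
    d = _diffs(seq)
    return all(b >= a for a, b in zip(d, d[1:]))


def ir_range(dam: Dam, r: int) -> Optional[Tuple[int, int]]:
    """Contract sizes x >= 1 that satisfy individual rationality (20).
    Owner utility is concave in x, so its non-negative set is a single interval."""
    ok = [x for x in range(1, len(dam.gains) + 1) if dam.owner_utility(x, r) >= 0]
    return (ok[0], ok[-1]) if ok else None


def feasible_choices(dam: Dam, r: int) -> List[int]:
    """Allocations the principal may offer this dam: no contract (0) or any x in its IR range."""
    rng = ir_range(dam, r)
    return [0] + (list(range(rng[0], rng[1] + 1)) if rng else [])


State = Tuple[int, Tuple[int, ...]]   # (principal utility so far, allocation so far)


def allocate(dams: Sequence[Dam], total: int, r: int, full: bool = True) -> Optional[State]:
    """Dynamic programming over dams; the state is the number of units committed so far,
    so each stage keeps only the best partial allocation per count (Bellman optimality).
    full=True enforces the last constraint of (21): every unit is allocated.
    full=False is the reward-optimized variant, which may leave units unused."""
    states: Dict[int, State] = {0: (0, ())}
    for dam in dams:
        nxt: Dict[int, State] = {}
        for used, (val, alloc) in states.items():
            for x in feasible_choices(dam, r):
                u = used + x
                if u > total:
                    continue
                cand: State = (val + dam.principal_utility(x, r), alloc + (x,))
                if u not in nxt or cand[0] > nxt[u][0]:
                    nxt[u] = cand
        states = nxt
    if full:
        return states.get(total)        # None if the units cannot all be placed
    return max(states.values(), key=lambda s: s[0])


def average_delta_r(dams: Sequence[Dam], alloc: Sequence[int]) -> float:
    """Average resilience improvement across dams, the quantity compared in Fig. 16's discussion."""
    return sum(d.delta_r(x) for d, x in zip(dams, alloc)) / len(dams)


# Constructed instance (not the paper's data): two dams, 5 units, reward 24 per unit.
DAM1 = Dam("dam1", (10, 7, 5, 3, 2, 1), benefit=4, loss=1)
DAM2 = Dam("dam2", (25, 15, 10, 6, 4, 2), benefit=2, loss=1)
DAMS = (DAM1, DAM2)
REWARD = 24
TOTAL = 5

if __name__ == "__main__":
    for d in DAMS:
        print(d.name, "IR range:", ir_range(d, REWARD))
    print("proposed (all units):", allocate(DAMS, TOTAL, REWARD, full=True))
    print("reward-optimized    :", allocate(DAMS, TOTAL, REWARD, full=False))
```

On this instance the full allocation places the last unit on the second dam even though that unit lowers the principal’s utility, while the relaxed variant leaves it unallocated and gains reward at the cost of a lower average improvement, which is the trade-off the text describes.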

## VI Conclusion

In this paper, we have proposed a novel framework to study and optimize the resilience of CIs. A novel resilience index has been introduced that is derived from a Markov chain representing the infrastructure’s performance state. The state is defined to be either success, warning, or failure. The framework focuses on the effect of the probability of transition from warning to failure on the resilience index. We have then proposed a Bayesian network to model the infrastructure’s physical components and their effect on the resilience index. To prioritize the infrastructure’s components in the resilience improvement process, we have introduced a Bayesian network algorithm that captures the effect of each component on the infrastructure’s probability of failure. We have evaluated the proposed framework in a case study of hydropower dams. We have defined a problem of allocating resources to a system of multiple CIs and studied it within the context of the case study. The problem is modeled using contract theory in which a system operator wants to maximize the economic benefit from allocating the resources to CIs. Dynamic programming optimization has been used to derive the optimal solution for the problem of resource allocation. Results have shown that the proposed framework outperforms other allocation methods both in the economic reward for the system operator as well as the average resilience utility.


## References

- [1] J. D. Moteff, Critical infrastructure resilience: the evolution of policy and programs and issues for congress. Congressional Research Service US, Aug. 2012.
- [2] T. Hashimoto, J. R. Stedinger, and D. P. Loucks, “Reliability, resiliency, and vulnerability criteria for water resource system performance evaluation,” Water resources research, vol. 18, no. 1, pp. 14–20, Feb. 1982.
- [3] National Infrastructure Advisory Council (US), Critical Infrastructure Resilience: Final Report and Recommendations, Aug. 2009.
- [4] R. G. Little, “Toward more robust infrastructure: observations on improving the resilience and reliability of critical systems,” in Proc. of the 36th Annual Hawaii International Conference on System Sciences. IEEE, Jan. 2003, pp. 1–9.
- [5] Department of Homeland Security, “Critical infrastructure sectors,” 2014. [Online]. Available: http://www.dhs.gov/critical-infrastructure-sectors
- [6] M. Panteli and P. Mancarella, “The grid: Stronger, bigger, smarter?: Presenting a conceptual framework of power system resilience,” IEEE Power and Energy Magazine, vol. 13, no. 3, pp. 58–66, May 2015.
- [7] E. D. Vugrin, D. E. Warren, and M. A. Ehlen, “A resilience assessment framework for infrastructure and economic systems: Quantitative and qualitative resilience analysis of petrochemical supply chains to a hurricane,” Process Safety Progress, vol. 30, no. 3, pp. 280–290, 2011.
- [8] M. Bruneau, S. E. Chang, R. T. Eguchi, G. C. Lee, T. D. O’Rourke, A. M. Reinhorn, M. Shinozuka, K. Tierney, W. A. Wallace, and D. von Winterfeldt, “A framework to quantitatively assess and enhance the seismic resilience of communities,” Earthquake Spectra, vol. 19, no. 4, pp. 733–752, Nov. 2003.
- [9] R. F. B. Bekera, “A metric and frameworks for resilience analysis of engineered and infrastructure system,” Reliability Engineering & System Safety, vol. 121, pp. 90–103, Jan. 2014.
- [10] M. Ouyang, L. Dueñas-Osorio, and X. Min, “A three-stage resilience analysis framework for urban infrastructure systems,” Structural Safety, vol. 36, pp. 23–31, July 2012.
- [11] F. Petit, G. Bassett, R. Black, W. Buehring, M. Collins, D. Dickinson, R. Fisher, R. Haffenden, A. Huttenga, M. Klett, J. Phillips, M. Thomas, S. Veselka, K. Wallace, R. Whitfield, and J. Peerenboom, “Resilience measurement index: An indicator of critical infrastructure resilience,” Argonne National Laboratory (ANL), Tech. Rep., Apr. 2013.
- [12] E. D. Vugrin and R. C. Camphouse, “Infrastructure resilience assessment through control design,” International Journal of Critical Infrastructures, vol. 7, no. 3, pp. 243–260, Jan. 2011.
- [13] O. Yagan, D. Qian, J. Zhang, and D. Cochran, “Optimal allocation of interconnecting links in cyber-physical systems: Interdependence, cascading failures, and robustness,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1708–1720, Sep. 2012.
- [14] Y.-P. Fang, N. Pedroni, and E. Zio, “Resilience-based component importance measures for critical infrastructure network systems,” IEEE Transactions on Reliability, vol. 65, no. 2, pp. 502–512, June 2016.
- [15] C. Liu, Y. Fan, and F. Ordóñez, “A two-stage stochastic programming model for transportation network protection,” Computers & Operations Research, vol. 36, no. 5, pp. 1582–1590, May 2009.
- [16] A. Eldosouky, W. Saad, C. Kamhoua, and K. Kwiat, “Contract-theoretic resource allocation for critical infrastructure protection,” in Proc. IEEE Global Communications Conference (GLOBECOM), Dec. 2015, pp. 1–6.
- [17] P. Bolton and M. Dewatripont, Contract Theory. Cambridge, MA, USA: MIT Press, 2004.
- [18] C. M. Grinstead and J. L. Snell, Introduction to probability. American Mathematical Soc., 2012.
- [19] E. Charniak, “Bayesian networks without tears,” AI magazine, vol. 12, no. 4, p. 50, Dec. 1991.
- [20] G. F. Cooper, “The computational complexity of probabilistic inference using Bayesian belief networks,” Artificial Intelligence, vol. 42, no. 2-3, pp. 393–405, Mar. 1990.
- [21] J. Pearl, “Fusion, propagation, and structuring in belief networks,” Artificial Intelligence, vol. 29, no. 3, pp. 241–288, Sep. 1986.
- [22] A. Darwiche, Modeling and reasoning with Bayesian networks. Cambridge University Press, 2009.
- [23] B. C. Yen and Y.-K. Tung, Reliability and uncertainty analyses in hydraulic design. ASCE Publications, 1993.
- [24] J. Irizarry, M. Gheisari, and B. N. Walker, “Usability assessment of drone technology as safety inspection tools,” Journal of Information Technology in Construction, vol. 17, pp. 194–212, Sep. 2012.
- [25] T. Özaslan, S. Shen, Y. Mulgaonkar, N. Michael, and V. Kumar, “Inspection of penstocks and featureless tunnel-like environments using micro UAVs,” in Field and Service Robotics. Springer, 2015, pp. 123–136.
- [26] P. Ridao, M. Carreras, D. Ribas, and R. Garcia, “Visual inspection of hydroelectric dams using an autonomous underwater vehicle,” Journal of Field Robotics, vol. 27, no. 6, pp. 759–778, Nov. 2010.
- [27] Federal Emergency Management Agency. (2016) Dam ownership in the United States. [Online]. Available: https://www.fema.gov/dam-ownership-united-states
- [28] Federal Aviation Administration. (2016) Unmanned aircraft systems. [Online]. Available: https://www.faa.gov/uas/
- [29] F. Qi and B.-N. Guo, “Monotonicity of sequences involving convex function and sequence,” RGMIA research report collection, vol. 3, no. 2, 2000.
- [30] S. Bradley, A. Hax, and T. Magnanti, “Applied mathematical programming,” 1977.
- [31] R. Bellman, “On the theory of dynamic programming,” Proc. of the National Academy of Sciences, vol. 38, no. 8, pp. 716–719, Aug. 1952.