RISKY THINKING - February 2009
by Michael Z. Bell
Principal Consultant, Albion Research Ltd.
A free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management.
To subscribe, visit: http://www.RiskyThinking.com/newsletter
Most essays are also available from the RiskyThinking website at http://www.RiskyThinking.com/.
- Looking for Lessons from Mumbai
- Missed Newsletters and Preparing for Pandemics
- News Of The World
- Your 15 Minutes of Fame?
- Seminar Update
- Administrivia, Subscribing and Unsubscribing
The tragic events in Mumbai are rapidly disappearing over the world's news event horizon. Often the only positive feature of any tragedy is to ask what lessons can be learned from it. What lessons can be learned by business continuity planners from the terrorist attacks in Mumbai?
It wasn't evident at the time, but the attacks actually started somewhere between the 13th and 26th November 2008. The Kuber trawler, a 25 meter vessel with five crew was hijacked and taken over by a group of at least 10 armed men. The crew was murdered (one body found, four crew members missing) and the trawler used to enter Indian waters off the coast of Mumbai.
On 26 November the terrorists used a boat and an inflatable dinghy to reach land.
A busy railway terminus (Chhatrapati Shivaji), two landmark hotels (Taj Mahal Palace and Oberoi Trident), and a Jewish outreach center frequented by Israelis (Nariman House) were attacked, along with various lesser targets of opportunity crowded with people.
By the time the last terrorist had been killed or captured, 179 people had been killed and another 300 injured.
One of the positive things we can look for in any human tragedy is some lesson that can be learned to reduce the risk of similar things happening again.
Is there anything that we can learn from a business continuity perspective from what happened in Mumbai?
- Small well-armed teams of attackers can cause large-scale casualties in surprise attacks with modern weapons and explosives.
This unfortunately is hardly new. We need only list the 9/11 attacks, Columbine School, Dunblane Massacre, London and Madrid bombings, Oklahoma City bombing, etc. to remember that history is full of such cases. The attacks may be well or poorly planned, more or less effective, motivated by politics, revenge, or boredom, and occur in places with or without strict gun controls. It is unrealistic to believe that the threat of such attacks can ever be totally eliminated. We therefore need to be prepared for when they do occur.
- Lock-down procedures are needed as well as evacuation procedures.
When the hotels were attacked, brave staff reportedly went from room to room warning visitors to lock themselves in. If a single deranged person attacked your place of work, do you have an effective mechanism to warn staff to lock doors and stay in place? Or do you only have a procedure which will cause everyone to evacuate and place them in harm's way?
- Fire-proof is a lot better than fire-resistant or fire-retardant.
During the attacks, the attackers tried to set fire to the hotels they were in. What would have happened if the Taj Mahal or Oberoi Trident had merely been designed to give people enough time to evacuate in the event of a fire?
- Places where people gather are always potential targets.
The attackers picked on targets of opportunity while moving across Mumbai. While it's unrealistic (and not necessary) for every cinema, cafe, or restaurant to consider what they would do if a terrorist attack occurred on their premises (the probability is just too low), it is not unreasonable for them to consider what they might do in the event of similar and more probable events: a fight, shooting incident, armed robbery, or medical emergency.
- Security Forces (and Emergency Responders) need familiarity with buildings.
Reportedly valuable time was lost because the anti-terrorist forces were not familiar with the layout of the hotels (they came from a different city), whereas the terrorists were. Staff had to sketch out plans of the buildings. Building plans and photographs should be readily available for emergency responders. Ideally, emergency responders should be familiar with the layout of the building through site visits or exercises.
- You don't have to be the target to be affected.
Businesses near to an incident, be it a fire, shooting, or full-scale terrorist incident, may find their premises inaccessible for an extended period of time. "Near" here may mean not just adjacent: it may mean within line-of-sight, or within half a mile or so for an incident involving a potential explosion. Are you prepared to evacuate your buildings for a few days at short notice?
- Attackers are not always interested in saving their own lives or negotiating.
Most of the defences that work well in normal society do so because attackers place a higher value on their own life or liberty than on their cause. If you believe you may have potential attackers that do not conform to this assumption then deeper and stricter security measures are essential.
- Metal detectors don't stop armed intruders. They only provide an alarm.
It is reported that the attackers avoided metal detectors at the front entrances to the hotels by using back entrances. Both hotels have since reopened with upgraded security including X-ray scanners and metal detectors. But would this additional security have made much difference? It might not have been possible to hide weapons in the hotel in advance, but a metal detector makes little difference against a surprise attack unless it can automatically trigger the locking of doors or a similar means of impeding an attacker's progress.
No doubt there are also many lessons being learned by security forces and diplomats everywhere.
I just wish there was more to learn from this.
It seems such a short list for such a terrible event.
http://news.bbc.co.uk/2/hi/south_asia/7757500.stm (BBC Timeline)
http://www.mahalo.com/Mumbai_Terrorist_Attacks, http://www.mahalo.com/Kuber_Trawler (Mahalo.com)
http://www.ndtv.com/convergence/ndtv/mumbaiterrorstrike/video.aspx?id=46680 (New Delhi TV)
My apologies for the recent interruption in newsletters. I've been very busy working with Binomial International on the development of new software for Pandemic Planning. Many companies have business continuity plans which won't be of any practical use to them in the event of a major pandemic: they too often assume that all problems are soluble by relocating staff to an alternative location. Pandemics really are very different from other potential disasters, with many opportunities for the planner to lessen both the likelihood and the severity of their effects.
You can check out what I've been up to (and the reason for the delay in producing this newsletter) by downloading an evaluation copy of the Binomial Pandemic Planning System from www.RiskyThinking.com/bpps . Do try it and let me know what you think.
In this section we look at the interesting, the instructive, and the downright odd from the world of Business Continuity, Disaster Recovery, and Risk Management.
Even Fraudsters Need a Business Continuity Plan
It's good to know that even fraudsters take business continuity seriously.
According to the A Dizzy Life blog, Bernard L. Madoff Investment Securities LLC had a Business Continuity Plan designed to enable a rapid recovery and timely resumption of critical operations following a significant business disruption. I wonder whether the plan included possible fraudulent behavior by the company's staff. (The business turned out to be a remarkable $50 billion Ponzi scheme).
Cuts to the Internet?
2008 saw what seemed to be an unusually large number of cuts in submarine cables disrupting international internet communications around the Mediterranean. Whenever I hear of cuts to communication cables I can't help thinking of the failed Bravo Two Zero mission by the Special Air Service (SAS) during the first Gulf War. Its aim was to cut communication cables to force the enemy to use a less secure form of communication. If I wanted to temporarily re-route internet packets...
Books about the Bravo Two Zero mission:
http://www.riskythinking.com/i/0304365548 (According to Michael Asher)
http://www.riskythinking.com/i/0440218802 (According to Andy McNab)
http://www.riskythinking.com/i/184018907X (According to Mike Coburn)
http://www.riskythinking.com/i/1597970085 (According to Chris Ryan)
You have to wonder if the ability to handle a pen or a ghost writer as well as a gun is now a requirement for joining the SAS...
Supply Chain Watch: An Interesting Blog
There's an interesting Swedish blog (written in English) by Jan Husdal specifically dealing with risks in the supply chain. Recently he has been translating a 1999 Swedish government publication Säkra företagets flöden (I think that's Supply Chain Risk Management) into English. Worth checking out if you are into supply chain risks.
Also check the case study on Ericsson and Nokia's different handling of a supply chain disruption (fire at a Philips microchip fab), and its dramatic effects on their relative market share.
http://husdal.com/ (Jan Husdal's Blog)
http://husdal.com/2008/10/18/ericsson-versus-nokia-the-now-classic-case-of-supply-chain-disruption/ (case study).
The Return of the Evil Worm!
It's been a while since internet worms have caused major disruption. Could that change with the "Conficker" or "Downadup" worm?
A worm is a self-replicating program which tries to copy itself to other machines on the network. The Conficker worm is of interest because (a) it is widespread (3.5 million+ infections), (b) it uses multiple methods to propagate to other computers, (c) it is very well-written, and (d) whatever it is intended to do, it hasn't done it yet.
The fact that nobody can tell what it is intended to do (or stop it doing it) is interesting of itself. The worm tries to download additional instructions from a pseudo-random website whose domain name varies with the current date. So far the target website hasn't existed so it has done nothing except propagate. (Presumably public key encryption is used to prevent a third party from creating a target website and giving the worm their own set of instructions, and the costs of registering every single website the worm might try to download instructions from is prohibitive.)
It's already caused disruption by propagating through a hospital network of un-patched machines. It will also affect systems with weak passwords or users who plug in an infected USB drive and are confused by some ingenious deception into running the "Autorun" executable on the drive.
The hospital network disruption is a particularly interesting case of balancing risks. Windows computers were running with updates switched off since the updates were causing operating theater computers to reboot unexpectedly during surgery. For computers which need to be available 24x7, automatic updates aren't a sensible option.
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml (F-Secure malware analysis)
http://isc.sans.org/diary.html?storyid=5695 (Would you fall for this Vista social engineering trick?)
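An added illustration, not part of the original newsletter: because the domain names described above depend only on the date, a defender who knows the generator can compute the same candidate list and search DNS logs for clients looking those names up. The generator here is a toy stand-in (not the worm's real algorithm), and the log format, addresses and names are constructed for the example.

```python
import hashlib
from collections import defaultdict
from datetime import date, datetime, timedelta

TLDS = ("com", "net", "org", "info", "biz")  # assumption for this toy generator


def candidate_domains(day, count=250):
    """Toy date-seeded generator: a stand-in, not the worm's real algorithm."""
    names = set()
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4  # labels of 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.add(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return names


def flag_hosts(log_lines, threshold=2):
    """Return {client_ip: matched names} for clients that looked up at least
    `threshold` distinct candidate names. Candidates for the day before and
    after are included because an infected machine's clock may be wrong."""
    cache, hits = {}, defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        stamp, client, qname, _rcode = parts
        try:
            day = datetime.fromisoformat(stamp).date()
        except ValueError:
            continue
        if day not in cache:
            cache[day] = set().union(
                *(candidate_domains(day + timedelta(days=d)) for d in (-1, 0, 1)))
        qname = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if qname in cache[day]:
            hits[client].add(qname)
    return {c: d for c, d in hits.items() if len(d) >= threshold}


def sample_log():
    """Constructed log: timestamp, client IP, queried name, response code."""
    today, yesterday = date(2009, 2, 10), date(2009, 2, 9)
    bad = sorted(candidate_domains(today))[:2] + sorted(candidate_domains(yesterday))[:1]
    lines = [f"2009-02-10T09:1{i}:00 10.1.4.23 {n.upper()}. NXDOMAIN"
             for i, n in enumerate(bad)]
    lines += ["2009-02-10T09:20:00 10.1.4.40 www.example.com NOERROR",
              f"2009-02-10T09:21:00 10.1.4.40 {bad[0]} NXDOMAIN",
              "truncated line"]
    return lines
```

The threshold keeps a single stray lookup from flagging a machine; a client that asks for several of the day's candidates is the one worth inspecting.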
Some Impressive Data Recovery
It's amazing what can sometimes be recovered after a fire. This BBC video is about a case where data was successfully recovered from a computer that was in a major fire. Impressive feat of data recovery, but it shouldn't have been necessary: the data should have all been on an offsite backup.
How Many Lost Security Passes Do You Have?
If somebody has a government security pass, chances are that they work for the government, don't they?
Or possibly not.
Apparently 48,000 security passes have been lost by UK government employees over the last 8 years. (It sounds unlikely until you consider the number of passes issued - the loss rate is about 16 a day.) Let's hope that it's impossible to use a lost pass to enter a building or to prove one's identity when opening a credit account. This is one case where electronic checks are essential: security guards can't realistically check a list of 48,000 lost passes during the morning rush hour. Probably the greater danger is to companies that accept a lost card as proof of identity.
Power Failures Don't Just Lose Data
Tragic personal story of the consequences of a power failure at a paediatric intensive care unit. A reminder that for some places it's not just data that can be lost when the power fails.
http://www.lusakatimes.com/?p=6238 (Lusaka Times)
Who's Looking At Your Keys?
A skilled locksmith can duplicate some keys just by looking at a picture of them. A less skilled locksmith or someone with a computer and image processing skills can develop a program to "read" a set of keys from a blurred picture taken from 195 feet away. Is this another sign of the end of non-electronic key systems?
http://vision.ucsd.edu/~blaxton/sneakey.html (Sneakey abstract and paper)
Backup Generators Would Like To Be Full Time
Miami police headquarters loses power. The good news: the emergency generators come on. The bad news: the emergency generators stay on after power is restored. The resulting power surge kills power to 70% of the building and shuts down many phones and computers.
http://www.miamiherald.com/news/miami-dade/story/797461.html (Miami Herald)
Power Surge Fires Sewage Treatment Plant
A power surge wipes out the computer control systems at a sewage plant. The surge was caused by an electricity pole being struck by a car. Backup generators did not turn on automatically since the surge also destroyed the computers that would have turned on the backup generators! Fortunately a second non-computerized system raised the alarm and saved the day. Wonder if the computer damage will be covered by the warranty on their UPS. Is the surge caused by a collapsed pole more powerful than a surge caused by lightning?
http://catless.ncl.ac.uk/Risks/25.43.html#subj1 (Computer Risks article)
Obligatory Global Financial Crisis Mention
A survey of the effects of the global financial crisis on business continuity planning had mixed responses. The impact seems to be more negative in the United States than elsewhere (no surprise), with roughly 47% of respondents reporting a negative impact. More surprising is how well budgets and spending are expected to hold up outside of the United States. So it's good news or bad news, depending upon where you are.
http://www.continuitycentral.com/feature0624.html (Survey Report)
Have you learned any lessons that would be of interest to other business continuity / disaster recovery professionals? When an incident happened, what went wrong and what went right? Would you be interested in being interviewed (by email or phone) for a future issue of Risky Thinking?
If so, please could you let me know (and tell me a little about yourself) through the contact form on the RiskyThinking.com website. You can be anonymous or claim your 15 minutes of fame as you wish.
The 2009 Seminar series is being planned for Toronto, Ottawa and Vancouver (Canada), Chicago (USA) and London (England). The Toronto seminar will probably be immediately before the World Conference on Disaster Management which is held in that city. The Canadian locations should help many people to take advantage of the lower exchange rates.
We hope to have some very interesting new material to present which will help attendees develop business continuity plans more quickly and effectively than conventional methods.
Dates are not yet fixed, and the updated seminar information for 2009 should appear on the Risky Thinking website soon.
RISKY THINKING is a free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management. You can subscribe on the web at http://www.RiskyThinking.com/newsletter.
Please feel free to forward RISKY THINKING to colleagues or friends who will find it valuable. You may reprint this newsletter providing it is reprinted in its entirety.
Copyright Michael Z. Bell / Albion Research Ltd. 2009