• Home
• News
  • Business Continuity News
  • Regional news
  • Sector news
  • Events Diary
  • Newsletters
  • Newsfeed
• Jobs
• Topics
  • BC: Facilities & Buildings
  • BC: General
  • BC: Markets & Companies
  • BC: Plan Development
  • BC: Software
  • BC: Statistics
  • BC: Testing & Exercising
  • Crisis Comms & Management
  • Critical Infrastructure Protection
  • Disaster Recovery
  • Emergency Management
  • Enterprise Risk Management
  • Operational Risk Management
  • Pandemic Planning
  • PS Prep
  • Standards
  • Terrorism
• Technology
  • Cloud Computing
  • Data Center / Centre Issues
  • ICT Continuity
  • Information Security
  • Recovery Facilities
• Resources
  • Webinars
  • BC software directory
  • Newsfeed
  • Twitter
  • Advanced BC information
  • Advanced ICT information
  • Basic BC information
  • Basic ICT information
  • How to advertise
  • About us
  • Contact us
  • Privacy
• Newsletters
• Training

WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

US power outage illustrates wider critical infrastructure threats

By Professor John Walker FBCS CITP CISM CRISC ITPC.

The 9th of September 2011 saw a wide-area power outage in the southwest of the United States that affecting 5 million people - the root cause analysis of which is said to have been one single employee switching out a piece of problematic equipment. The upshot of this single act is nevertheless extremely worrying, as it manifested in traffic chaos; cancelation of flights; the shutting down of two nuclear reactors; and widespread direct impacts on businesses and residents.

The event raises a number of questions and points back to the long debate about the security of Supervisory Control and Data Acquisition (SCADA) systems, which are considered, in some cases, to host a soft underbelly for cyber attack. Additionally, if a single employee’s mistake, with just one piece equipment can have such a devastating consequence on what is national critical infrastructure, then what does this tell us about security, change management and, of course, business continuity?

I believe this event again places focus on the frailties of an infrastructure which is subject to targeting by extremists who are seeking to cause disruption, to create chaos, and to possibly follow through with loss of life. It must also be accepted that to place a cyber warfare attack capability alongside a conventional theatre of war would seem to make a great deal of battle field sense - causing wide spread disruption, outage of power, followed by what I would expect to be opportunist public disorder.

The time has arrived to reassess just what security is surrounding the various critical national infrastructures (CNI) around the world, and to place them, where possible, in an enhanced profile of security hardening. It may also be beneficial to revisit the standard operational practices around such areas as change management and business continuity.

Last but not least, I am sure this has been considered, but if Al Qaeda can get one of their radicalised operatives into a prime position of flying an aircraft, gaining employment with a power company in some capacity should prove to be a much less onerous objective.

It is time for the security professionals to take a more proactive stance and look at what needs to be done.

The first task must be to get serious about the landscape of security which surrounds these systems which we rely on to service the CNI. And here I don't just mean applying a few policies, and then following them with the religious contempt that we so very often see practiced in some sectors of IT governance, in the form of tick box security and lip serviced compliance. I am talking about serious programmes that are commensurate to the potential risk and impact posed against, and by these key point infrastructures and assets.

In closing, I see a need for more security professionals with a willingness to go to the next level and embrace this specialist area of SCADA systems, applications, and infrastructure security. And more importantly, for these professionals to immerse themselves in learning, and specialising in these environments, in particular, relative to their foibles and challenges. Possibly here there may even be a future for focused training certification to be created specific to SCADA environments. One thing is for sure, these systems, applications, and infrastructures are not just run of the mill. They are the very lifeblood of the global economy, business, and our communities, and they demand special treatment to secure, and govern their profiles. Nothing less will suffice.

About the author
Professor John Walker, CISM, CRISC, FBCS, CITP, ITPC is CTO of Secure-Bastion.

•Date: 13th Sept 2011 • Region: US/World •Type: Article • Topic: Critical infrastructure protection

Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.