Disaster Recovery Journal - Winter 2002 - What A Difference A Day Makes (1501-13)

DISASTER RECOVERY
JOURNAL

Return to the Winter 2002
Index

P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276
Fax: (314) 894-7474
Internet www.drj.com
E-mail drj@drj.com

PUBLISHER &
EDITOR-IN-CHIEF
Richard L. Arnold, CBCP
richard@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

EDITOR
Michelle Saab
michelle@drj.com

COPY EDITORS
Edward H. Pearce, CBCP
drj@drj.com
Richard Sandhofer
richards@drj.com

INTERNET /
ADVERTISING
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
mercedes@drj.com

CIRCULATION
Laura Baugh
laurab@drj.com

INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity
Phone: 0161-237-1007
thomh@tempus.demon.co.uk

Australia: Anthony J. Harvey
Journal of Business Continuity
Phone: 0011-613-953-0055-8
fax: 0011-613-953-0528
sector@notability.com.au

Japan: Shinji Hosotsubo
Quake Japan Co., Ltd.
Phone: 03-3215-2880
fax: 03-3215-2881

Brazil: Jose Carlos Ferreira
Disaster Recovery Mercosul
Phone: 55 11 3666-9506
conc2000@uol.com.br
ww.drms.com.br

Click Here for a Printable Version

What A Difference A Day Makes

By DAN PERRY

This article is intended, believe it or not, to be a positive prediction of the contingency planning direction necessary to prepare the industry for the mid to long-term contingency planning future.
In my capacity, I quickly realized that the magnitude of personal and business losses and trauma caused by the horrors of Sept. 11 would drive me crazy if I didn’t believe that something positive must be gained from that experience. In my opinion, this event is a warning, or wake-up call, giving us a glimpse at the real contingency planning challenges facing us as we traverse through the early 21st century.
Some of the immediate impacts:

Telephone Communication
Cellular, wired and satellite (voice and data) telephone communications, for the expanded New York region, were either destroyed or bombarded with immense traffic, rendering them vastly ineffective or useless. The cause of this was two fold:
1. The World Trade Center complex was a major telephone hub involved in switching and transport for much of that region’s bandwidth.
2. Shear volume to and from that northeastern region was staggering and resulted in serious international and intra-national overload conditions.

Transportation
The impact: to one degree or another, key surface routes were closed and the extended grounding and ultimate expansion of security for national and international air traffic had a demoralizing affect on business.
• Key business technical and management team travel to the affected sites in a timely manner was seriously impeded, delaying sorely needed emergency assistance.
• Just in time (JIT) business solutions, requiring strategically timed product delivery of crucial manufacturing supplies, was unavoidably delayed. This caused extensive revenue losses, not only for businesses at ground zero, but around the world.
• Product delivery to end customers or original equipment manufacturers was impeded for weeks.
• Direly needed blood and organ replacements necessary, due to the horrors of the disaster, could not reach their destination because of the grounding of air support (an indirect result of the disaster).
• Personal crises (death, injury, bereavement, fear) have major impact on all business performance globally.

Internet
Much of contemporary IT thrust is directed toward implementing interactive Internet processing capability. The benefits are obvious: easy access, online visibility, immediate updates, etc.
The staggering Internet volume caused response time, around the world, to be severely impaired, thus having substantial impact on fundamental business functions.
These are just some of the immediate affects on businesses that, if not handled properly with a clear plan, at least, had a dramatic negative impact on numerous businesses around the world and will render many of the unprepared totally out of business.

Government Response
I have total confidence that the direction and action of the combined governments against terrorist organizations around the world will be successful and have a major impact on the magnitude of troops and armaments of the terrorist organizations, as we know them today.

Paradigm Shift
An example of a paradigm shift developing from this disaster is based around “probability.” This is because much of the reasoning behind contingency planning primarily involved protection against “acts of God” events; (i.e. earthquake, flood, tornado). The word “probability” has always been closely related to contingency planning and has been a key gauge while developing a business impact analysis (BIA), i.e. the more probable an event, the higher the exposure.
In light of recent terrorist actions, “probability” conjures an almost reverse impact in my mind, in that, an effective terrorist event is designed to rely heavily on a surprise factor which, to me, seems to automatically define that event as improbable.

Terrorism Evolution
Acts of terrorism, in just a few years, have evolved from a few individual crazies carrying out random events aimed at satisfying a hateful, emotional craving against a handful of society to what we’re experiencing today.
As we witnessed on Sept. 11, terrorism has evolved from the hateful derelict, depicted above, to a refined organization that is willing to invest years in design and planning an event and is no longer satisfied with simply disrupting a targeted portion of society. They are now targeting entire countries with cold robotic precision. They display no regard for human life, whether it be their own or thousands of their countrymen or religious brethren.
From this heartless, high tech development we can deduce that technology will be further exploited in the future and contingency planning challenges will not only be waged against car bombs, radar invisible stealth bombers, commercial airliners or even biological warfare in mind, but will employ state of the art, high tech methods.
The same high tech business capabilities we are developing and deploying today to successfully run the fortune 500 companies will likely be the vehicle utilized to infiltrate and refine the battlefield of tomorrow. These high-tech terrorist businesses will be difficult to differentiate from legitimate, high-tech, profitable businesses but will be equally, no “more” deadly than all of today’s terrorist organizations combined.
We are swiftly approaching the era where it will not be necessary to disable a factory to stop manufacturing; it will be more effective to simply disable the multi-site (redundant) manufacturing execution systems (MES) controlling the environment.
We can no longer believe we are not worthy of being a target of terrorism, that we are a small cog in a large gear.
On the contrary, the one thing that was explicitly demonstrated on Sept. 11, was the ability to plan devastating activity to happen simultaneously. With this in mind, concurrently stopping the top two or three companies in a specific industry could demoralize the entire industry, which could, in turn dramatically impact nations.
We contingency planners, you and I, have to muster the foresight to step outside the proverbial box and begin the preparation to combat the hi-tech, well funded, well educated and trained stealth enemy of the future.
I think the overall direction of attacks will be predictable, directly aimed at applications and database servers, network and infrastructure, and Internet security. The key is designing an ongoing, living organization for analyzing, designing, and implementing solutions that can anticipate exposures before the highly trained armies of hacking enemies can exploit them.
One must bear in mind that given enough incentives, (necessary to attract the “crème de la crème” of the technical pool) whether it be money, power, religious recognition, or martyrdom, etc. many individuals can be convinced of the righteousness and celebrated glory of most any, even abhorrent, activity.
This new contingency planning philosophy must combine the capability of some, here-to-for, diverse organization to anticipate exposure and achieve maximum protection. This will be necessary to adequately provide a secure environment to facilitate personal safety, organizational stability and overall corporate success.
The broadened scope will require the close cooperative activities of organizations today, for example:
Security
• Better controlled facilities access.
• HVAC with enhanced filtration impeding biochemical attacks.
IT
• Better user profiling and recognition (finger print, retina i.d., etc.).
• Expanded security considerations of Internet applications.
• Elaborate infrastructure security (web sites, firewalls, etc.).
As I stated earlier, I’m actually attempting to arrive at a positive set of directions, in which, we, as contingency planning professionals, need to lead our companies.
Although this feeling of inadequate security came about virtually overnight, the symptoms have been creeping upon us for some time.
Airline hijackings have been occurring with ever-increasing consistency for a couple of decades but, up to now, for the most part, were merely inconveniences with planes and passengers arriving at an unplanned destination.
Now we look at commercial airlines in a totally different light and put them in a category akin to the A-Bomb but worse. They are now manned with human intelligence. The main difference lies in the willingness, almost desire, for human beings to pursue their hateful vengeance to death.

Immediate Disaster Readiness Action Required
All existing contingency planning approaches must be examined in light of these new, expanded considerations.
• Depending on the criticality of the subject environment, additional protection must be added, taking into consideration the possibility of complete simultaneity of multi-site primary and secondary protection failures.
• Business critical room HVAC capability must, as soon as possible, be capable of filtering gases or other state of the art biological warfare products.
• Physical locations of all shared computer access and security must be taken extremely serious acknowledging the business criticality of the functions and enforcing total anonymity of equipment locations.
• Additional and continuous firewall capabilities must be continuously improved. These must be treated as though they are under constant attack.
• Whereas today’s virus attacks are amateurish, tomorrow’s will be perpetrated by well-organized, exceptionally funded organizations with highly skilled technical individuals who, even though probably willing to, but will not necessarily have to, die for their cause.
• We must recognize IT capabilities are crucial to the business entities and, without which, the corporation will crumble.
• Additional requirements of software selection must include extensive analysis of intrusion vulnerabilities.
• A successful organization will develop extreme paranoia and will suspect everyone and everything:
– Bonding agencies
– Software packages
– Operating System capabilities
– Compilers
– Security companies
– Consultants
– Etc.
NOTE: Above activity must be on-going, respecting the creative talent recruited by the future terrorist organizations.

Summary
Although still threats to be protected against, the real dangers are no longer random twists of fate or disgruntled employees. We will be facing well-funded, faceless organizations dedicated to impacting the overall output of America by disrupting the society, both individually and corporately.
The growing importance of the high tech industry worldwide, combined with strategic hub recognition, makes it not out of the realm of possibility for most any successful company to have the dubious distinction of being considered a prime target.
Following the current trend to its logical conclusion, the, so-called, disasters of the future will be much more focussed, well managed, well funded and possess limitless technical resources. Events will be designed to inflict fullest impact possible.
With the expanded role of IT’s migration into virtually all business and manufacturing processes, it’s only a matter of time for terrorists, whether bombers or hackers, to realize that disabling IT capabilities is tantamount to leveling the factory and probably easier.
The repercussions of the Sept. 11 New York and Washington happenings have altered the business contingency planning terrain forever.
• In addition to random natural phenomena, here to for, being the primary impetus in support of disaster recovery planning, specifically targeted attacks must be of elevated concern.
Multiple site data centers, containing redundant equipment and data has, up to now, been generally considered superb protection against catastrophic events. This, alone, is no longer an adequate solution considering the possibility that an intelligent attack would specifically target multiple locations simultaneously.
The events of Sept. 11 will be preserved in the annals of history as one of the most significant manmade catastrophes ever. Instead of fear we, as contingency planners, must display constant insight and determination in preparing our companies to combat these ever increasing threats at the hands of equally despicable, but more adept, hate mongers of the future.

Dan Perry has managed different computer systems support organizations, (applications, systems and hardware) in excess of twenty years. He has been in management with AMD for approximately 13 years and currently holds the position of a senior IT staff member responsibility for IT disaster readiness worldwide. His duties involve consulting and assisting with disaster readiness plan design, creation, training IT organizations on how to best utilize their specific disaster readiness plans and monitoring annual disaster recovery exercises around the globe. There are currently seven IT computing locations worldwide supporting 15 different application environments. He is responsible for maintaining AMD’s IT disaster readiness Web site containing the plans documentation and other pertinent information related to IT disaster readiness. His duties include coordination with the corporate EHS business contingency planning organizations. He has previously been published in DRJ on the subject of disaster readiness in protection of real-time electronic manufacturing execution systems (MES).

To comment on this article, go to 1501-14 at www.drj.com/feedback.