Friday, July 23, 2010

New USB virus targets SCADA systems

The first known virus to specifically target SCADA systems has been discovered (see CNET article). The virus spreads via USB drives, and hunts for Siemens control systems installed on the infected computer. The virus appears to transmit information from these systems back to a remote server, and gains access to the local control system database. The ultimate purpose of the virus is unknown. It is well known that malicious interception of SCADA systems could cause widespread infrastructure failures, including power outages.

Wednesday, July 21, 2010

Here is another potentially useful book written by Paul Purcell. It offers a method for  disaster planning including an "preparedness encyclopedia". The author also wrote the Top 12 myths of Disaster Preparedness and The secrets of teaching disaster preparedness.

Tuesday, July 20, 2010

The Unthinkable: Who Survives When Disaster Strikes - and Why

This one has been around for a few years, but really is essential reading for anyone wanting to prepare for disaster situations. It looks at the psychology of how we respond in all kind of emergencies from fire alarms to widespread disasters (hint: a bigger problem than panic is freezing and not taking any action). With numerous and moving examples from 9/11 the author really makes you rethink what you assume about what you and others will do in a disaster

New book on preparedness

This seems like a really good new book on realistic preparedness (vs the "disaster kit" mentality -- see previous posts). From the description: This important book by one of our leading experts on disaster preparedness offers a compelling narrative about our nation’s inability to properly plan for large-scale disasters and proposes changes that can still be made to assure the safety of its citizens.

Five years after 9/11 and one year after Hurricane Katrina, it is painfully clear that the government’s emergency response capacity is plagued by incompetence and a paralyzing bureaucracy. Irwin Redlener, who founded and directs the National Center for Disaster Preparedness, brings his years of experience with disasters and health care crises, national and international, to an incisive analysis of why our health care system, our infrastructure, and our overall approach to disaster readiness have left the nation vulnerable, virtually unable to respond effectively to catastrophic events. He has had frank, and sometimes shocking, conversations about the failure of systems during and after disasters with a broad spectrum of people—from hospital workers and FEMA officials to Washington policy makers and military leaders. And he also analyzes the role of nongovernmental organizations, such as the American Red Cross in the aftermath of Katrina.

Redlener points out how a government with a track record of over-the-top cronyism and a stunning disregard for accountability has spent billions on “random acts of preparedness,” with very little to show for it—other than an ever-growing bureaucracy. As a doctor, Redlener is especially concerned about America’s increasingly dysfunctional and expensive health care system, incapable of handling a large-scale public health emergency, such as pandemic flu or widespread bioterrorism. And he also looks at the serious problem of a disengaged, uninformed citizenry—one of the most important obstacles to assuring optimal readiness for any major crisis.

Redlener describes five natural and man-made disaster scenarios as a way to imagine what we might face, what our current systems would and would not prepare us for, and what would constitute optimal planning—for government and the public—in each situation. To see what could be learned from others, he points up some of the more effective ways countries in Europe, Asia, and the Middle East have dealt with various disasters. And he concludes with a real prescription: a nine-point proposal for how America can be better prepared as well as an addendum of what citizens themselves can do.

An essential book for our time, Americans at Risk is a devastating and realistic account of where we stand today.

What do you really need in your disaster kit?

In the last decade, we have all received periodic exhortations to be prepared for the next major man-made or natural catastrophe by putting together a “disaster kit”. These all are some variant on the same theme, generally some mix of flashlights, first-aid kits, radios, batteries, food and water for three days, and various other bits and bobs (apparently now not including duct tape). A good example of this is the government-blessed kit described at Further, nonprofits and companies have seized the opportunity to make some money out of this with a variety of bizarre objects specifically designed for your kit (if you don’t believe me, check out some of the available gadgets at the Red Cross store). Having this kit, together with a family evacuation plan, is supposed to prepare us for the next major catastrophe.

There are three problems with this. First, a kit is only as useful as your knowledge of what to do with its contents, and it’s workability (food not expired, batteries not leaking, etc). You do not become an expert in emergency medicine by buying a first-aid kit; rather you become an expert in emergency medicine through training and experience, and then assemble the equipment you need based on your training and experience. Second, the kind of kits described are almost laughably inadequate for many real emergency situations, in the same way as cowering under a table is not likely to protect you from a nuclear detonation. Third, by definition a “disaster kit” is something you will probably never use, versus something you get used to using day in and day out. Thus I think it’s better to think in terms of everyday items that will help in a disaster, rather than a designated “disaster kit” (for example, I think it’s best to keep a “rolling buffer” of 2-3 weeks’ worth of food - that is, you just keep extra stock of the stuff you use normally - than having a separate “emergency food supply”).

So my suggested strategy is to start by figuring out what kinds of disasters you need to prepare for. This is not a trivial task, and some disasters will always take you by surprise (think the Blackout of 2003 for instance). However there are well established ways of prioritizing potential hazards based on probability, impact, and mitigation. Emergency managers are trained to perform hazard risk analysis with the “all hazards” model, and most communities maintain a list of the top hazards in your community. Try asking your local emergency manager for a copy of this as a starting point, or try to create one of your own for your household from scratch (you can even take an online FEMA course to help you do this). A simple way to start is by making a list of all the things you think could go wrong, and for each designate a percentage probability it will happen in the next 10 years and write a sentence or two for each on the potential impact if it did happen, and what you have already to mitigate this impact (for instance, having a generator and fuel can mitigate the impact of a short power outage). You can then manually rank them based on these factors.

Once you have gone through this exercise, start preparing for the ones near the top of your list. Think about what you would need to do in each circumstance, and whether there are plans you can make or things you can do, to mitigate the impact. For instance, keeping your gas tank in your car half full mitigates a variety of disasters as it enables you to evacuate up to 200 miles or so (depending on your fuel tank size and mpg) to escape a regional (but not widespread) disaster. These mitigation steps naturally lead you to equipment that you might want to have on hand for a disaster. As an example, take a look at my list of ranked hazards and mitigation steps.

You can also do some training that will help you in an emergency. Practice living without power for a couple of days, in both summer and winter. Train as an EMT or First Responder to give you skills you need if you can’t get medical help in a disaster. Buy a tent and go camping -- this gives you the flexibility of living pretty much anywhere. Think about strategies for keeping warm in winter, and cool in summer. Make sure you know how to turn off your water and gas. In this way, you learn new skills, have fun in the process, and you’ll be much better prepared for the next disaster when it strikes.

A personal family all hazard analysis

Here is an example of a personal family hazard analysis being used to prepare for potential disasters that I prepared for my household. Hazards are ranked with #1 as the highest priority, based on probability, impact, and potential mitigation. Note that personal emergencies like disability are not included, although you may wish to include them in yours. You will want to come up with your own list, based on your own circumstances. Extended infrastructure failure is at the top for us because, despite a fairly low probability, the impact would be critical and I currently have limited capabilities to mitigate the impact. Mitigation steps are described below (you will want to decide on what mitigation steps work for you - for instance, if you have a generator and fuel)

1. EXTENDED INFRASTRUCTURE FAILURE (> 5 days): 15% probability; CRITICAL impact. No heat, cooling, water, communications, food supply, shopping, banking, police, fire or healthcare; civil breakdown; chemical & biological release risks. Risks: dehydration; starvation; hypothermia; heat exhaustion; illness; civil breakdown threats. Mitigation: CAMPING, GAS TANK, ALT-ACCOM, EMT

2. PUBLIC HEALTH EMERGENCY: 15% probability; CRITICAL impact. Biological or chemical release from University or epidemic; civil breakdown, death or disability of family members, limited public services. Risks: disability or death through illness, breakdown in food supply, shopping, banking, public service provision. Mitigation: EMT, CASH, FOOD, ALT-ACCOM, GAS, CAMPING

3. EXTREME WEATHER: 80% probability; LOW impact. Extreme hot or cold; major snow or ice storms; drought. Risks: power outages due to heat. Mitigation: ALT-ACCOM, GAS, CAMPING, POWER, FOOD, CASH

4. EARTHQUAKE: 15% probability; HIGH impact. Widespread property damage; local infrastructure failure; public services overwhelmed. Risks: Physical injury with no healthcare; fire & gas explosion. Mitigation: EMT, ALT-ACCOM, GAS, CAMPING, POWER, FOOD, CASH

5. STRUCTURE FIRE: 15% probability; HIGH impact. House fire damages most of our possessions. Mitigation: SECURE-DOCS

6. SEVERE TORNADO/WIND DAMAGE: 30% probability; MODERATE impact. House damage; no power, heat or light; other damage in local area; public services overwhelmed. Mitigation: EMT, CASH, FOOD, CAMPING, GAS TANK, POWER

7. SHORT INFRASTRUCTURE FAILURE (1-5 days): 40% probability; LOW impact. No heat, cooling, phone, internet; shopping and banking activities limited; limited public services. Risks: hypothermia; heat exhaustion; lack of food, water, entertainment. Mitigation: FOOD, CASH, POWER, EMT, ALT-ACCOM, GAS, CAMPING

Mitigation Steps

EMT - trained as EMT-Basic with Basic Life Support kit
CASH - Keep $300 on hand
FOOD - Rolling food & drink buffer with about 3 weeks supply, plus 12 gallons of water
CAMPING - Camping equipment including tent, sleeping bags, and propane stove/heaters on hand for emergency accommodation away from hazard area and cooking/heating in house. Use carbon monoxide detector in each room with window open a crak. Have 10 extra propane tanks
GAS TANK - >50% tank of gas to travel minimum 200 miles (10 gallons) to escape hazard, plus keep lawnmower gas tank full for extra fuel.
POWER - battery backups and battery/inverter combinations for short term power to electrical devices
ALT-ACCOM - alternative accommodation with relatives, etc., both in local area and >100 miles away
SECURE-DOCS - documents in fire safe or bank