While IT managers keep an eye on possibilities of system failure, emergencies can often be caused by quite different factors: downtimes can result from failures in building or communications infrastructure, for example. Operational workflows are also at risk if employees are no longer able to get to their workplaces.
When construction workers dug holes by a bridge in Berlin late in the afternoon of 19 February, the lights went out in the suburb of Köpenick. The workers had not struck just one power cable, but two: the redundant supply to the suburb had a weak point and the construction workers found it: by a central bridge, the two power cables ran through a common duct, which meant the cables lay right on top of each other. It was easy for the powerful drill to cut both cables at a single stroke. For businesses and residents in this suburb, there were serious consequences: they had to manage without power for more than 30 hours. The extent of the interruption shows how quickly an extreme emergency situation can arise. This is a lesson for emergency workers, since it illustrates that many businesses are not sufficiently prepared for situations of this nature. Even so, emergency management is an important element in an IT security strategy.
The unexpected repercussions of this devastating excavation provide an idea of the side effects that must be considered under the heading of emergency prevention. Because two cogeneration stations lost power, quite a lot of buildings were left without heating in the middle of the cold season. And that was not all: people also had difficulties in reaching or leaving their homes and workplaces. Trams, the main mode of transport in this suburb, are powered by electricity, and no longer operated. Although they are supplied with electricity from a central point, they passed right through the affected stations in the dark, since the power failure meant the stations no longer had any lighting. Commercial and industrial operations and offices had to close instantly, and checkout terminals no longer functioned, along with automatic doors, freezer cabinets and security cameras. And, of course, IT systems were also affected. Normally, only larger businesses have an emergency power generator in place to cover these functions for the duration of such outages. But even then, Internet connections would have been impossible.
Just how much work and life depend on electricity was made clear in other areas, too. Some people were very badly affected: they were stuck in lifts and in some cases had to wait eight hours to be freed. The water supply in upper storeys also failed, since it relied on electric pumps. And the communications infrastructure also collapsed: neither landlines nor mobile networks were available for the duration. That meant it was virtually impossible to summon help. It also became clear that the authorities were helpless, since they used vehicles with loud hailers, the radio and Internet to tell the public to go to their nearest fire station or police station in an emergency. But without electricity, even this information reached only a limited number of residents.
Help in preventing emergencies
Following this event, many businesses wondered how they could best prepare for such situations. Emergency prevention was the order of the day. Various institutions offer support in this area, especially the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, BBK). It offers a number of guides, some of which are also relevant for businesses, e.g. the guide on Blackouts. The Office has also developed the warning app NINA, which provides information about outages, storms and crises. For businesses that depend heavily on their IT infrastructure, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) provides support with an online course on its own Standard 100-4 (emergency management).
Alarm sequences are an important element in managing exceptional situations. These must establish who has to contact whom when such cases arise. They must be regularly updated, since telephone numbers can change, and employees may be ill or away on leave. Special apps are also available to support these communication processes.
At the heart of all emergency planning is the method of handling business interruptions, in order to maintain the business’s core processes and be able to quickly resume regular operation, as appropriate (i.e. ensuring business continuity). The underlying principle is that faults should not lead to emergencies if at all possible, or that emergencies should not grow into crises. These three categories describe situations for which preparations are essential if the fourth category is to be prevented: disaster
You will also find news about all aspects of it-sa and the world of IT security in the it-sa Security Newsletter.