Browsed by
Tag: interdependency

What Jurassic Park taught us about cyber risk

What Jurassic Park taught us about cyber risk

The tl;dr version of this post: don’t forget about the insider threat!

This week I attended the first in a series of three events by the Institution of Civil Engineers entitled Preparing London. This particular event was designed to consider the human threats to infrastructure.

During a talk from Nathan Jones (see this blog on his talk) my mind wandered and wondered…Did Jurassic Park teach me everything I know about cyber risk?

God damn it! I hate this hacker crap!

Ok, so maybe not everything worth knowing about cyber risk is summarised in Jurassic Park, but it’s a useful introduction into what happens when the tables are turned and technology which usually helps keep us safe, becomes the risk.

Everything in Jurassic Park is connected. The electric fences, the lighting in the visitor centre, the locks on the doors. When it’s working as planned, this connectivity helps the park’s management maintain an efficient operation and a positive guest experience.

However, such a complex system requires some centralised control.  Looking at this through a business continuity lens, this is a clear single point of failure. An inherent risk.

This has clear parallels with our modern society and the interdependencies between systems that I’ve talked about previously.

Dennis Nedry exploits his colleagues limited understanding to enact his attack. He uses his tech-savvy advantage to provide cover for him stealing intellectual property, whilst putting lots of people in danger. The ultimate lesson here is that the real monsters aren’t the dinosaurs.

Objects in mirror are closer than they appear.

As well as a light-hearted moment during the dinosaur chase sequence, I think Spielberg also snuck this in as a metaphor for risks manifesting in ways which had not been considered.

Were the Jurassic Park team aware of cyber risk? Yes, there is literally a scene about passwords. I expect a lot of  people assume that a good password is all they need for their IT security.

It’s clear they had also considered other risks, and had taken proactive action to control that risk. Electric fences, professional hunters, CCTV and motion sensors and the attempt at all-female genetic engineering are just some of the risk controls in the film.

But had the team considered the possibility that an employee would want to hold the park to ransom for personal gain? Could they have identified the vulnerability of the computerised control? Could they have done more in advance to protect the systems from malicious attack?

Dennis, our lives are in your hands.

Early in the film there are hints at Nedry’s personal financial difficulties. Later he mumbles to himself about test runs of his embryo heist.

John Hammond, the park owner recognises the power that Nedry has.

There were clearly signals which the team missed and knowledge which is combined, could have allowed an intervention before he got the opportunity to shut down the park.

Clever girl / I know this.

Just as the team hadn’t anticipated an insider threat, Nedry wasn’t expecting a tech-savvy teenager to thwart his plan.

Just when it looks like the raptors will get into the control room, Lex (the park owner’s granddaughter) recognises the Unix system and takes maters into her own hands.

The actual interface may be debatable (in researching (yes, research!) this post I’ve found that it was technically available, but I’m doubtful that a school student would have been aware), but it comes as no surprise that kids have a natural affinity with the technology that adults have to think about.

Side note: Provided the right precautions are in place to prevent unauthorised use, user friendly systems aren’t just a productivity win; they help prevent people finding work-arounds or backdoors.

Life finds a way.

With the ever increasing access to, and pervasiveness of the Internet and smart devices, Jurassic Park remains relevant today.

I’d argue that we’ve already reached a point where complete understanding of system interdependencies is impossible. Our societies and the technologies used are just too complex. However, we can continue to challenge our assumptions, keep our risk assessments grounded in reality and take action in advance to mitigate that risk.

It’s also a reminder that physical and IT security are just parts of the puzzle when it comes to risk management. Solutions are also required, sadly, to prevent against malicious attack by either insiders or outsiders.

It’s also just a really great film!

Have I Got News For You

Have I Got News For You

Regular readers will be aware that I’ve been working on a project called Anytown over recent months. It’s a project looking at complexities and interdependencies between systems and how that can impact on resilience. Previous blog posts about it are herehere and here.

Rather excitingly, you can now find out about Anytown in Resilience, the magazine of the Emergency Planning Society. Yes, there is now a remote possibility that I will be quoted on BBC prime-time programming, having been published in a niche trade magazine! (I’m hoping Charlotte Church might make a reprise as host for ‘my’ episode….)

They saved the best until last, so head to pages 38 and 39 (but then take a look at the rest of the mag). Even if you don’t learn more about interdpendencies, you’ll have an edge over the missing words round, and everyone likes winning.

As always, comments appreciated either in the box below or direct to my inbox over here.

With thanks to colleagues at the EPS for publication

Anytown – latest visualisation

Anytown – latest visualisation

Displaying complex or detailed information in a digestable way is always an interesting challenge. It’s certainly s certainly one of the challenges that I’ve had with Anytown, my project to better understand interdependencies and complexities within and between systems.

Here’s my latest attempt at showing some of this information, which I developed for an NHS England briefing today, using information from the Hurricane Sandy report “A stronger, more resilient New York.

Linkage

Nodes of different ‘city networks’ are shown in thematic colours (Gas, Electricity, Fuel, Water, Telecommunications and Wastewater). Please note that this is an illustration not a schematic of each network. The connections within networks are shown with black lines, and where there is an interdependency with another network it’s shown in red.

I’m now working on a way of using this alongside the previously developed ripple diagrams to better articulate interdependencies, ideally in an interactive way. If you have any thoughts on how this could best be achieved, drop a comment in the box below, or get in touch directly via Contact Us.

Anytown Unleashed

Anytown Unleashed

For the last 4 months I’ve been spearheading a project known as Anytown. The project aims to help develop better understanding and awareness of how different ‘city systems’ all interlink. Today I unleashed my baby into the world at Defra’s Community Resilience & Climate Change Workshop. Read more on the project below.

When you throw a stone in a pond, ripples propagate from the centre. Similarly in emergencies and disasters, impacts of an initiating event can propagate and cause a cascade of consequences. There are many examples of this both in the UK and overseas, yet there has been little formal consideration of it to date.

The intention of Anytown is to simplify reality and model the interconnections and interdependencies between systems in order to provide a greater level of awareness of these potential impacts.

During my studies we had an assignment involving ‘Complex Cascading Disasters’ and I remember at the time, that there was little readily available research in this area. That situation hasn’t changed significantly so in February, I coordinated a number of workshops bringing together over 100 representatives from 52 organisations to discuss and harvest their knowledge and experience.

Looking back to my ripple analogy earlier, from the workshop data I created ‘ripple diagrams’ which demonstrate how consequences cascade from an incident through various sectors.

Anytown is now free into the world. This is exciting as one of the key aspects that I realised during the development is that a model is only as good as the information that feeds it – so now many more people have the opportunity to contribute. I’ll bring occasional updates on the progress of Anytown as I move from the model development (hopefully) towards visualisation and simulation.

The ‘work’ version of this post is over here

Complexity & Interdependency

Complexity & Interdependency

tt19-Interdependency

I’m currently working on a project investigating Infrastructure Ecology, although that’s not how I describe it at work for fear of alienating the audience! It’s a fascinating area of enquiry, which the diagram above only partially articulates and I’d need more than one blog post to do it justice. So I thought I’d start with why I think it’s fascinating.

When we flick on a light switch, twist a tap or pick up our phone we expect those services to work. We’ve come to rely on them, and largely that doesn’t cause us any issues – the lights come on, water comes of ouf the tap and we hear a dial tone. However, incidents (Gloucestershire flooding 2007 and Hurricane Sandy 2012 to name just two examples) and exercises that I have either participated in or facilitated consistently reveal that these systems are far from 100% reliable.

Too often we treat things in silos, but increasingly we need to consider how the different systems that we have developed and have evolved alongside over many years interact and depend on each other. In a previous role, I facilitated a business continuity exercise for a large teaching hospital. The scenario was pretty basic, but it revealed that all but 4 of the wards in the hospital had planned to use the same fallback space – in the worst case this meant cramming over 200 patients into a 30 bed ward. We find it difficult to think outside of our sphere; I’m not sure of the reasons why, but we need to recognise that it happens and develop a methodology which forces us to think more holistically.

Interdisciplinary approaches are the way forward. Involving a wider range of people and organisations is risky – and makes camels a more likely outcome – but it’s the only solution to get us out of our silos.

Previous attempts to ‘educate’ professionals about these business continuity challenges concentrated on presentations, and as the same lessons are still coming us, I think we can be confident that levels of awareness have remained largely static. My approach has been to redefine the problem (that non-experts don’t understand interdependencies and complexities of systems) and to look for other world solutions (which is where the ‘ecology’ in Infrastructure Ecology comes in).

Experts in biodiversity have known for a considerable length of time that the key to understanding the key to successful interventions is understanding the underpinning relationships between predator-prey-environment. It’s something that I vaguely remembered learning at school, and without much thought it was clear that it was a model which had applications in helping understand the infrastructure problems encountered.

Last week I ran two workshops at City Hall, with representation from a wide variety of sectors organisations and interests to harvest their experience and knowledge. This will be synthesised to produce a model of an urban area which ‘understands’ how the different systems are related and therefore what the consequences of interruption to one will be on other systems.

I’m now in the process of translating the data we collected into something meaningful. I have some grand aspirations for the project, and alternative between getting carried away and reigning myself in to concentrate on the practical! I’ll keep you posted!

Image Source: NARUC