How to Prepare for a Black Swan

A number of unexpected catastrophes and shortages dominated the headlines in the first quarter of 2011.

Japan was hit by a magnitude 9.0 earthquake and tsunami that caused a nuclear disaster, persistent power outages, and a host of other major societal and economic challenges.

China sharply tightened its limits on exports of rare earth minerals, on which the information technology, automotive, and energy industries rely.

The nations of the Middle East and North Africa experienced severe political eruptions, including civil war in Libya and regime-shaking protests in Algeria, Egypt, Iraq, Jordan, Syria, and Tunisia, which pushed oil prices above US$100 per barrel.

Portugal and Greece tottered on the edge of insolvency, destabilizing their political leaders. Christchurch, New Zealand, was hit by two major earthquakes in quick succession, and the state of Queensland in Australia suffered the worst floods in recorded history in at least six river systems, resulting in great social and economic disruption.

All these events are examples of the kinds of high-magnitude, low-frequency upheavals that Nassim Nicholas Taleb labeled black swans, after a historical reference to their improbability.

In The Black Swan: The Impact of the Highly Improbable (Random House, 2007), Taleb defined a black swan as “an event with the following three attributes.

First, it is an outlier, as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility.

Second, it carries an extreme impact.... Third, in spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable.”

Whether environmental, economic, political, societal, or technological in nature, individual black swan events are impossible to predict, but they regularly occur somewhere and affect someone.

Some observers argue that the frequency of these events is increasing; others say global communication networks have simply made us more aware of them than we were in the past.

In any case, with the rise of global business, it is likely that black swans carry increased risks for your company, including negative impacts on your customers, suppliers, partners, assets, operations, employees, and shareholders.

Today, not only can a catastrophe in one part of the world affect the sourcing, manufacture, shipping, and sale of products locally, but the interconnections of global financial, economic, and political networks ensure that the effects of such events ripple around the world.

Read the full article at S+G

Zombies Ahead! Spooks in the machines!

An electronic road sign was hacked and changed, to alert drivers to the potential hazard of 'hoards of the undead' jaywalking. This provides a nice example of why the status of the security on the US Grid and associated infrastructure is such a “big deal”.

The hack itself is trivial: an intrepid individual discovered that electronic road signs shared a common default password. The good news is; that the default password would have been discovered and publicized years ago if the systems were connected to the internet. They were only left alone or overlooked, for years because very few people had the initiative or twisted interest, to walk up to one of the signs and attempt what is essentially a simple dictionary attack against the authentication mechanism.

Without the motivation and justification of protecting installations from sustained and multiple attack, engineers saw no reason to improve the security of their systems. Following the threat response reasoning, that defense is only required where attack is likely or where expenditure restrictions veto and supress security issues. (Discuss!) You could also argue that the lack of protection in certain areas forms part of the overall strategy of the threat and those that threaten.

It seems that everyone laughed off the hack as a simple prank, but failed to consider the serious implications and security problems that exist in systems that are legacy-based, semi-automated and semi-attached to the National grid.

There are a large class of systems that are semi-attached to the grid and they also have similar security problems and vulnerabilities. Known as SCADA (Supervisory Control And Data Acquisition) Systems, these computers are responsible for controlling electro-mechanical devices and physical plant as found in nuclear reactors and oil refineries.

Many of these systems were deployed years ago in simpler times, well before the information security industry fully understood code quality problems and how they can be and would be, exploited by attackers. These systems are only safe from exploitation for as long as you can guarantee a substantial air-gap or secure firewall between the control network and anything a human being can touch.

Serious Vulnerabilities

Spies and government sponsored hackers have already been probing the U.S. electrical grid for months and planting software that is intended to be activated at a future date, according to a Wall Street Journal. The report highlights the latest non-physical, indirect threats and vulnerabilities facing the U.S. power infrastructure.

The Journal notes that the spies are from China, Russia and other countries who are more openly threatening. While the news is very disturbing, it isn’t all that surprising. The vulnerabilities of the U.S. infrastructure are well documented. It is also notable that the electrical grids were initially thought to be somewhat hacker proof, until recently. Why? because the grids run on old legacy software, which is often proprietary. This it turns out is its greatest weakness, along with apathy and complacency.

The barbarians are not at the door but they may have remote access to your infrastructure and life support systems! Prepare to repel boarders!