Disaster Planning

Part of 22C:169, Computer Security Notes
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science


Suppose your security system fails and an attacker gets through. Suppose a tornado destroys your file server. Suppose you spill coffee on your laptop computer and your disk drive is unable to handle the caffeine rush. No system of firewalls, capability-based access control mechanisms, and access control policy can deal with these. In these cases, the protection mechanisms you have in place have failed. This changes the question from how do we prevent an attack to how do we recover.

It is impossible to prevent disaster. Hurricane Katrina flooded many computer centers in New Orleans. There were many corporate and government computer centers in and near the World Trade Center that were destroyed or shut down by the attack of September 11. Many congressional computer systems were shut down when anthrax-laced letters were delivered to various Senate offices, forcing evacuation of one of the Senate office buildings.

Continuity Planning

Continuity planning involves putting measures in place before a disaster in order to assure that essential services will continue to be available after the disaster. Continuity planning is difficult because you cannot determine what the disaster will be, but it is simplified by the fact that measures put in place to help survive one type of disaster will frequently have value if other disasters occur.

The big problem: Upper management is frequently not interested in investing in continuity planning! Continuity planning is inconvenient and can cost money, while upper management tends to focus on achieving business goals and sometimes is psychologically unprepared to contemplate potential negatives.

Sometimes, nothing happens until management is scared. The widespread fear of the Y2K glitch forced many organizations to put business continuity plans in place. The attacks of September 11, 2001 forced other organizations to confront these issues.

But there is a problem. If continuity planning is good enough, upper management may never notice the disaster! They may take the survival of their organization for granted, failing to notice that survival was only possible because of the investment made earlier on continuity planning.

A good continuity plan requires input from all of the stakeholders.

Typical elements of a continuity plan include:

An Example -- Anthrax in the US Senate

On October 16, 2001, someone mailed letters laced with anthrax to several US senators, leading to the forced evacuation of one of the Senate office buildings. This building included the office of the Secretary of the Senate.

The Secretary of the Senate office was responsible for the Senate payroll and for many of the day-to-day aspects of Senate operation. A shutdown of the office of the Secretary of the Senate would have shut down the Senate in a very short time, with no paychecks to Senate staff.

The Y2K scare drove the Secretary of the Senate office to plan for disaster. The threat was that some essential part of their computer system would fail because of the date rollover from 1999 to 2000, but their plan was fairly general.

Key elements of the plan included go packs maintained in the office. A go pack is a package, maintained near the entrance to an office or home, that contains all or most of the essentials for disaster recovery. The idea is that, in the event of an evacuation, a designated person grabs the go pack on the way out the door. The go pack should contain, for each critical computer system, the most recent backup.
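A go pack is only useful if the backup inside it is actually the most recent one and has not been corrupted in the meantime. The following check is an added example, not part of these notes or of the Senate plan described above; it models a go pack in memory (constructed sample data, with a hypothetical one-day freshness policy and a manifest of SHA-256 checksums recorded when each backup was made) and reports every critical system whose backup is missing, stale, or fails its checksum.

```python
"""Go-pack readiness check (added example; not from the course notes)."""
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed: the systems the office cannot run without. Constructed names.
CRITICAL_SYSTEMS = ["payroll", "personnel", "scheduling"]
# Assumed policy: a backup older than this is not "the most recent backup".
MAX_AGE = timedelta(days=1)


def sha256_hex(data: bytes) -> str:
    """Checksum used for the manifest; any strong hash would do."""
    return hashlib.sha256(data).hexdigest()


def check_go_pack(go_pack, manifest, critical_systems, now, max_age=MAX_AGE):
    """Return a list of problems; an empty list means the go pack is ready.

    go_pack:  dict system -> (backup bytes, datetime the backup was written)
    manifest: dict system -> sha256 hex recorded when the backup was made
    """
    problems = []
    for system in critical_systems:
        if system not in go_pack:
            problems.append(f"{system}: no backup in go pack")
            continue
        data, written = go_pack[system]
        # Integrity: a backup that does not match its manifest entry is
        # either corrupt or tampered with, and cannot be trusted for recovery.
        if system not in manifest:
            problems.append(f"{system}: no manifest entry, cannot verify integrity")
        elif sha256_hex(data) != manifest[system]:
            problems.append(f"{system}: checksum mismatch (corrupt or tampered)")
        # Freshness: the go pack must hold the most recent backup, not last week's.
        age = now - written
        if age > max_age:
            problems.append(f"{system}: backup is {age.days} days old")
    return problems


def sample_good_pack():
    """Constructed sample: every system backed up six hours ago, manifest intact."""
    now = datetime(2001, 10, 16, 9, 0, tzinfo=timezone.utc)
    pack = {s: (f"{s}-backup-v42".encode(), now - timedelta(hours=6))
            for s in CRITICAL_SYSTEMS}
    manifest = {s: sha256_hex(data) for s, (data, _) in pack.items()}
    return pack, manifest, now


def sample_bad_pack():
    """Constructed sample: payroll stale, personnel corrupt, scheduling missing."""
    pack, manifest, now = sample_good_pack()
    payroll_data, _ = pack["payroll"]
    pack["payroll"] = (payroll_data, now - timedelta(days=3))       # stale
    pack["personnel"] = (b"personnel-backup-v42-TRUNCATED", now)     # corrupt
    del pack["scheduling"]                                           # missing
    return pack, manifest, now


if __name__ == "__main__":
    for label, sample in (("good", sample_good_pack), ("bad", sample_bad_pack)):
        pack, manifest, now = sample()
        problems = check_go_pack(pack, manifest, CRITICAL_SYSTEMS, now)
        print(f"{label} go pack:", "READY" if not problems else "NOT READY")
        for p in problems:
            print("  -", p)
```

Run against the "bad" sample, the check reports three problems, one per failure mode, in the order the critical systems are listed. In practice the manifest should be written by the same job that produces the backup and stored in the go pack alongside it, and the check should be run on a schedule, not only on the day of the evacuation.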

They also agreed with the office of the Sergeant at Arms to serve as a backup site for that office, and for that office to serve as a backup site for the Secretary of the Senate. Therefore, they planned their computer systems to be compatible. It is important that the Sergeant at Arms office was in a different building!

After evacuation and decontamination, the Secretary of the Senate office was set up on tables in the hallway outside the Sergeant at Arms office. Within a short time, they had installed their backup files on the computer systems there, and they were able to meet all essential deadlines in order to keep the Senate running, despite being locked out of their offices.

An Example -- Evacuation of Cedar Rapids Iowa

On July 16, 1985, a demolition worker's cutting torch set fire to the PVC honeycomb that had formed the bulk of a disused sewage treatment structure in Cedar Rapids, Iowa. Burning PVC gives off hydrogen chloride gas, which becomes hydrochloric acid when it combines with water vapor. The toxic plume from this fire swept across Cedar Rapids, forcing the evacuation of a large fraction of the population. At the time, this was the largest urban evacuation in US history.

The evacuation was successful, much to everyone's surprise. A large part of the reason for the success was that evacuation plans were in place for the entire area because of the proximity to the Duane Arnold Energy Center, an atomic power plant in Palo, a town just west of Cedar Rapids. In this case, disaster readiness plans developed for one potential disaster were successfully used to cope with a quite different disaster.

Or was it so different? The disaster they were prepared for in connection with the power plant was a release of a plume of radioactive gas that could force evacuation of a large area downwind. The disaster they faced was a release of toxic gas from a different source, but it forced the evacuation of a large area downwind. The unexpected element was that the toxic release was from a municipal sewage treatment plant, a threat that nobody had anticipated.
