Making cities resilient: Houston takes a cyber stress test
To read the new report and find more articles about the Future of Infrastructure, please visit www.infrastructure.aecom.com
For the first time in the U.S., a major city has undertaken a live twin-disaster-simulation exercise to help forge plans to strengthen the resilience of critical infrastructure.
Highlights and learnings from the three-day simulation are recounted here by leading participants from the City of Houston – Larry Satterwhite, George Buenik, Jack Hanagriff, Mel Bartis and Mike Bell.
In the Gulf of Mexico, Hurricane Miguel is gathering strength. As it edges ever closer to the coast, this Category 4 storm is stacking up massive devastation for Houston. Predictions are for extensive flooding, tornadoes and storm surges that could reach up to 16 miles (26 kilometers) inland. As it makes landfall at Freeport, winds are recorded up to 155 miles (250km) per hour making emergency response impossible, and then come reports of a potential cyberattack affecting all local systems at the Texas Medical Center, then the Port of Houston. Next come widespread power outages and communication errors for emergency services radio. The situation gains in intensity.
For everyone in Houston and beyond who remembers the terrifying impacts of Hurricane Harvey in 2017, this fictitious scenario of Hurricane Miguel is all too real. But this time, the scenario also includes the additional element of a coordinated cyberattack.
THE TWIN ATTACK
This fictitious disaster was created as the focus of a real-life exercise involving 135 participants from Houston’s critical infrastructure sectors — transportation, energy, public utilities, telecommunications, education, emergency management, healthcare, and the military. Their task was to produce a united response to the unfolding disaster by working together to find solutions.
Taking place over three days in the Houston Emergency Operations Center, the exercise simulated two simultaneous incidents — a natural disaster and a cyberattack. It examined the challenges those incidents placed on critical infrastructure including assessing response capability, agency collaboration, communications interoperability, and military integration.
Called Jack Voltaic 2.0 (JV2.0), this research project was led by the Army Cyber Institute at West Point in partnership with AECOM as the private-sector lead and the City of Houston. JV2.0 built on the inaugural JV1.0 exercise held in 2016 near New York City. The aim of JV2.0 was to improve preparation for and response to cyberattacks by building partnerships in an innovative, bottom-up approach to infrastructure resilience by enhancing Army research along with local readiness. Primarily, JV2.0 studied the interconnection of critical infrastructure, assessing gaps in cybersecurity capabilities and the impact of physical infrastructure degradation on an interconnected, networked environment (and vice versa). One of the core dilemmas and challenges faced by every community, business and city today is that with increasing network connectivity comes vulnerability.
Here, five key participants – Larry Satterwhite, Assistant Chief, Houston Police Department; George Buenik, Director of Public Safety and Homeland Security at City of Houston; Jack Hanagriff, Law Enforcement Liaison at City of Houston; Mel Bartis, Deputy Emergency Management Coordinator at City of Houston; and Mike Bell, Chief Technology Officer, Houston Police Department – describe their experience of how the Houston exercise unfolded and their key takeaways…
1. EXERCISE ROLES AND OBJECTIVES
“My daily role with Homeland Security means I am constantly dealing with threats, both domestic and foreign, where I have to look to the available resources, assess the issues, provide guidance and act. It was similar in this case for the hurricane component of the exercise because we have been through it before, most recently with Hurricane Harvey. However, this time we had the added complexity of the cyberattack. Immediately we were forced to think differently – how do we do this? How do we adjust?” Larry Satterwhite
“I’ve been involved in major event planning now for 15 years, with everything from hurricanes to hosting the Super Bowl, and one of my objectives here was to understand more about cyber. We carry out a tabletop exercise for hurricane planning every year, but this combined physical and cyber event was something new.” George Buenik
“My job in relation to the exercise was to make the event work; so the role was as coordinator of planning, preparation and execution. We know the city has expertise in handling physical disasters such as hurricanes, but we wanted to look for the gaps in our cyber protection.” Jack Hanagriff
“I was part of the exercise planning team and participated during the day, and my job was to look at our strengths, and our areas for improvement, and to make recommendations. The most important objective for me was to get tangible knowledge to better inform our day-to-day operations.” Mel Bartis
“From my point of view, this was a great opportunity, particularly in identifying any communications gaps. The event was realistic and enjoyable as we learned more through the exercise about the unfolding events and each other.” Mike Bell
2. EXPECTATIONS AND ANTICIPATION
“We were all there to learn. So the expectation was to keep an open mind and pay attention. You do not want to miss anything, so you are constantly asking whether you know enough and how you can add value. We were amongst colleagues, so while confidence is a healthy thing, you also need to be open. No one can know everything, so it is important to surround yourself with subject matter experts in relevant but diverse disciplines and solicit their input when time allows.” Larry Satterwhite
“The exercise exceeded expectations in the way it was so realistic. The story started to unfold when we learned about the hurricane approaching. It was two days out and right away we were focused — we knew what we had to start doing.” George Buenik
“Our city is good at handling the physical side of disasters, but cyber is a whole other issue. The expectation here was to build collaboration and involve all the city sectors from energy and water suppliers to emergency services and the military. In these types of major events, everyone shares the same pain points.” Jack Hanagriff
“My expectations were that we would be able to bring together a large number of people from a wide range of sectors and address all of our objectives. Thankfully, we achieved exactly that. In addition, it was impressive to see how robust some sector cybersecurity planning is. People really are leaning forward and developing good strategies.” Mel Bartis
“We have very good and longstanding relationships with many of the participants, but it was extremely helpful to build new contacts in areas such as the university and energy providers. In terms of anticipation there was certainly some adrenalin flowing.” Mike Bell
3. BREAKTHROUGH MOMENTS
“Houston is an incredibly resilient city. We have been through many large-scale events so the big moment for me was when we realized a cyberattack had started in the middle of a natural disaster. We had a nefarious agent acting behind the scenes, the water supply was affected, it was creating fear in the public. That forced me to start rethinking. Preparations are never going to be exact, but we must use our imagination to anticipate future challenges then exercise in a manner to best prepare. While we will certainly face threats never accounted for, the act of planning and exercise enhances significantly our ability to successfully mitigate those threats and protect the public.” Larry Satterwhite
“This exercise really opened my eyes. We are used to dealing with things like power outages during hurricanes, but now I know to think broader about the potential causes. In future we’ll always question whether there is a cyber component in there.” George Buenik
“In a military attack the plan is to knock out communications, then the command center, followed by water and energy. With a cyberattack those same things may happen, but cyber is silent and you don’t see it happen. The breakthrough for me is that to beat this hidden enemy all the agencies need to talk more and share knowledge.” Jack Hanagriff
“Highpoints for me were to get exposure to the many different technologies and tools that people are using. I also learned a lot about military capabilities in relation to cyber. They were impressive.” Mel Bartis
“There were several lightbulb moments for me. One in particular was when the university campus messaging system was compromised. That was the moment when the exercise switched into a public safety scenario. If you lose control of public messaging there is a significant escalation in magnitude of your challenges. If lose social media that exacerbates all the problems.” Mike Bell
4. POWERFUL OUTCOMES
“We are always battling silos and trying to break down barriers to communication and process and planning. We still have a long way to go. We work hard and well with our regular stakeholders, and the greatest outcome of this exercise were the relationships we built that day in that room. We are always getting better at understanding each other and knowing how to work together. When we collaborate we can overcome a lot of hurdles.” Larry Satterwhite
“We work well with our county, federal and state partners, but here we also opened up to thinking about who else we could collaborate with. In times of need you don’t want to be starting with introductions, so it’s all about building and maintaining relationships now.” George Buenik
“It takes time to build confidence and trust, but at a time when we are all so reliant on our partners, we need to be talking more.” Jack Hanagriff
“Very often resilience plans are segmented within organizations and there is a disconnect between IT departments and the emergency managers. It’s good to see that better relationships are being developed, but we can all improve, particularly when it comes to including cyber in continuity planning.” Mel Bartis
“When it comes to success in resilience planning, it’s all about collaboration and relationships.” Mike Bell
SIX STEPS TOWARDS IMPROVING INFRASTRUCTURE RESILIENCE
While it’s not possible to predict or avoid all hazards or threats, they can be managed, writes John Esquivel. AECOM has developed a strong framework and approach to reduce the risk and impact of an event and speed the recovery, which dramatically reduces the cost in terms of physical, social and economic loss. National preparedness and infrastructure protection enable government at all levels, the private sector, and nongovernmental organizations to work together to prepare for, prevent, respond to, recover from, and mitigate the effects of incidents regardless of the incident’s cause, size, location, or complexity. In building a plan, we suggest six steps towards improving infrastructure resiliency:
- Act Now – Integrate security into the design
- Think Broad – Plan for the physical and digital
- Team Up – Collaborate across the organization
- Prioritize – Identify critical infrastructure assets
- Assess – Adapt and be ready
- Take Action – Start now!
To discover more read Six Steps to Improving Infrastructure.