Inconceivable but possible?
Blackout: What to do in the worst-case scenario
Nowadays, a secure electricity supply is essential for industry and individuals. But what if an emergency does occur and suddenly nothing works as it is supposed to? Is it possible to prepare for the worst-case scenario?
The experts Eckehard Bauer, Executive Vice President Business Development Safety Management, Business Continuity, Risk, Security, Compliance and Transport, Quality Austria, and Klaus Veselko, CEO of CIS - Certification & Information Security Services GmbH, answered the questions at our virtual roundtable!
Blackouts – sudden, long-lasting failures of electricity or infrastructure – are scenarios that neither companies nor private individuals would wish for, but which are nevertheless entirely possible even in a country like Austria with a secure supply system. Almost all technical aids, from TV and mobile phones to public transportation and the supply of critical infrastructures and vital facilities, depend on electricity. In the event of a power outage, many factors would be immediately lost, products and services could no longer be delivered, and infrastructures would come to a standstill.
How "real" are blackouts?
Eckehard Bauer: In our country, a blackout is comparable to a unicorn. Almost everyone has heard about it, but no one has ever seen it. While the unicorn is a myth, the blackout is a real threat that can affect us.
From my point of view, the topic "blackout" includes a "preventive approach – to prevent the blackout" and an "operational perspective – when the long-term and widespread blackout actually has occurred". Just last year, we narrowly escaped a Europe-wide blackout due to a frequency drop – thanks to regularly practiced safety measures and constant communication.
Nevertheless, the probability is high that we will be confronted with this in the next few years. In terms of prevention, a wide range of technical and organizational activities is possible, from energy supply companies to network operators and consumers, in order to avoid the blackout or to limit its duration and location.
Our society becomes increasingly interconnected, and so does the complexity that accompanies us every day. This leads to non-linear developments and certain scenarios are simply not predictable. Are there still ways for companies to protect themselves in the event of unforeseen events?
Eckehard Bauer: If a blackout occurs despite all precautions, not only the public, but every company and individual is challenged to deal with the situation so that it can be controlled to a maximum through coordinated actions and does not result in panic. Mastering such an exceptional situation only works with adequate concepts and existing awareness to take away the blackout’s horror and to avoid high damage.
Due to great and dynamic changes in technology and organization, a continuous adaptation of preventive actions and emergency concepts is indispensable in order to be successful. Management systems support through their systemic approach, as they "systematically" align themselves to changing circumstances (context of the organization) and, by means of targeted risk assessment (risks and opportunities), allow prioritized measures to be prepared, which can then be implemented operationally. In this context, the Plan – Do – Check – Act cycle works in full force, since the concepts and scenarios created are tested (e.g. through simulation or realistic exercises, etc.) and the exercise findings have a direct impact on the preventive actions or existing action plans in the sense of continual improvement (CIP). It is very important to see the exercises as an instrument to develop the emergency response capacity of employees, which in turn is decisive as to how great a damage can be or how much it can be reduced.
With its risk-based approach, the classic ISO 9001 provides a framework for maintaining an organization’s ability to deliver. With ÖNORM D 4901 (note: risk management) and ISO 22301 (note: BCM – avoidance of business interruptions), the deepening in the direction of business continuity and rapid recovery of operational capability are strongly optimized and used to the economic advantage of the organization. The new concept of the High Level Structure is fully applied here, as all three standards are based on the High Level Structure and complement each other in a meaningful and harmonious way. This addition strongly promotes the effectiveness and promptness of the benefits provided by the standards.
Recently, cyberattacks on businesses have also been on the rise – i.e., attacks on companies’ IT structure in the form of data theft, industrial espionage or cyber sabotage, to name only a few examples. Where does this rapid increase in recent years come from, and can cybercrime trigger a blackout?
Klaus Veselko: The development of the last few years cannot be attributed to a single event – several influencing factors are to be considered here.
On the one hand, the complexity of IT infrastructures is not only continuously but exponentially increasing – especially due to the further development and integration of OT systems (Note: Operational Technology) and IoT connectivity (Note: Internet of Things). Without an effective Information Security Management System and a continual improvement process, an organization cannot keep pace with this rapidly growing complexity. On the other hand, word has spread in certain circles that most companies today cannot be productive without functioning IT and up-to-date real data or information.
Stolen or encrypted data mean system or production downtime – a "corporate blackout" so to speak. Within a few hours, millions of euros of damage could be incurred. These aspects are increasingly motivating people with high criminal energy to steal and encrypt data in order to extort companies on a "money for decryption" basis.
I don’t want to paint things too black, but let’s take this thought further: What does it mean if one or two of Europe’s major energy suppliers are hacked in this way and their energy supplies fail? A reliable energy supply could no longer be guaranteed, the grid would collapse, large parts of Europe would remain dark and everything would come to a standstill – a real blackout would be triggered by cybercrime.
It’s not always just IT failures, but the inattention of employees, errors due to lacking product maintenance or extreme natural events such as floods, earthquakes or storms that can cause blackouts. What advice can you give companies?
Klaus Veselko: I see two main aspects: Blackout prevention is the number one priority; and in the case of an emergency, it’s all about targeted immediate actions.
Modern and, in particular, system-relevant organizations such as energy, water and food supply or health care will have to pay more and more attention to their Cyber Security and thus their invulnerability. The focus will be on neither having a local blackout nor being the weakest link in a networked world and thus the gateway for attacks and resulting widespread blackouts. Furthermore, planning for emergencies must be done in advance, and appropriate contingency plans must be in place for current risks or threat scenarios, with measures to ensure a rapid recovery of all systems or at least an acceptable level of emergency operation.
In addition to planning, regular emergency exercises and simulations with appropriately trained crisis teams are an essential factor in successfully overcoming these challenges. Here, too, the following applies: Those who can ensure at least limited operations more quickly and emerge from the crisis more quickly will be more successful in the medium term.
Business Continuity as well as Information and Cyber Security must be viewed holistically. The relevant norms and standards (Note: ISO 22301 for Business Continuity Management and ISO 27001 for Information Security) provide excellent guidance on the necessary technical and organizational measures. This way, systems and organizations can be protected against failure, and personnel, physical and other aspects can be used for rapid crisis management.
Can employees be sensitized and trained for such extreme situations?
Eckehard Bauer: It is important to realize that a blackout is not a classic power failure in which a building or a street is without electricity. In a blackout, entire regions or countries are without electricity for a longer period of time. This means that all operational considerations must always be seen in the context of the overall situation.
Organizations such as Civil Defense, Red Cross, Ministry of Interior, fire departments, cities etc. provide very good and high-quality information regarding blackouts. These information materials and those of the local energy supplier should be used by the companies to prepare their own concepts. Once the concepts are drawn up, it is important to raise awareness among the employees concerned and convert this into knowledge about how to deal with such a situation, and into systematic response capability through targeted exercises.
Continual improvement through feedback discussions with employees is an essential element in increasing the effectiveness of the company’s internal emergency and action concepts.
Organizations that have already implemented management system standards (e.g. ISO 9001, ISO 14001, ISO 45001, etc.) can make great use of the existing systematics on roles, responsibilities, internal and external communication etc., as they do not have to invent anything new, but can build on proven structures.
When a blackout occurs, it is very likely to come abruptly and, according to Murphy's Law, at the worst possible moment. It is not only the electrical power that is lost with a blackout, but also the gradually disappearing infrastructure: "cell phones", "street lighting", "traffic lights", "drinking water", "power from UPS and emergency batteries", etc. It is important to be aware of this in order to trigger the right reactions among employees in the event of an incident. This can help to keep the damage caused by the blackout as low as possible and to restore operation as soon as possible after the blackout.