The mock emergency included rising heat and humidity, packed hospitals, power failures, commuters stranded in sweltering subway tunnels, media-fed panic, and Microsoft Internet Explorer crashes. In other words, just a typical holiday weekend in New York.
It was a doomsday scenario on the Fourth of July, with heat and humidity rising. The power failed. Subways stopped, stranding thousands of visitors and residents and trapping them in sweltering tunnels.
Microsoft's Internet Explorer was crashing upon startup outside of the city. Power companies could not access mission-critical systems and monitoring applications.
The mock emergency was created by Verizon Business with the Information Systems Security Association (ISSA) in what participants said was the first emergency drill of its kind. Though the federal government has conducted similar exercises and many companies have business continuity plans, the event held Wednesday at the New York Athletic Club in New York City was spearheaded by a private business and crossed several sectors.
"This is something most companies never experience," said W. Patrick Pryor, Certified Information Security Specialist (CISSP) for Jefferson Wells, a firm that consults on finance and technology security.
In sessions led by Rick Douton, Verizon Business security assessments director, participants faced several core problems and a cascading deluge of complications that resulted. During four separate breakout sessions, they grouped with others in their role-playing industries, held strategy meetings and staged a press conference. Each hour of simulation represented 12 hours in the real world.
Hospitals crowded with people suffering from heat exhaustion and dehydration. Roads backed up from downed traffic lights. Tunnels closed for lack of lighting, while media reported looting and deaths, possibly from Avian Flu. The terror threat level had been elevated because of fears of a terror plot targeting the city's infrastructure.
It turned out that the power went out because of overload. People had become sick after an angry tenant tampered with one building's water supply, and IE failed because of a zero-day vulnerability. It took three days to restore electricity and almost as long to declare a state of emergency. Never mind people in hospitals, local government, finance, insurance companies and media getting and relaying accurate information.
"Communication is key, not just within the groups but with other people in the industry and with other industries, which interconnect," said Kenneth Belva, a security expert for a commercial bank and member of the New York Chapter of ISSA.
Frank Cassano, another member of ISSA who handles security for a major credit card company in New York's financial district, said he found the exercises helpful because participants were allowed to react how they chose to react. In that respect, the situation unfolded with confusion similar to that he experienced during the terrorist attacks on Sept. 11, 2001 and during the city's blackout in the summer of 2003, he said.
"I liked the fact that they didn't try to overly control the scenario," he said. "They let it play out. The communications channels were blocked, not for the same reason, but the communication problems were very real and they were similar."
Cassano said that once he receives a summary of the responses, timeline and difficulties he will return to his organization with the lessons he learned. Cassano said that before terrorists struck inside the United States, government tried to stage similar events but the private sector was less inclined to collaborate across various channels than it is now. He believes that mock emergencies are helpful, mostly because they allow people to rehearse, which will probably reduce the amount of panic and overreaction in a real situation.
For that reason, Cassano would like to see more high-level executives get involved in similar exercises.
"There are real time constraints, but they're the ones who are going to be the real decision-makers at the end of the day," he said.
Though most companies have their own business continuity plans, few try to work with their competitors and with other industries for better communication and response during emergencies.