Blog
How the decline of the freight rail industry highlighted the importance of community resilience: Booneville, Arkansas

How the decline of the freight rail industry highlighted the importance of community resilience: Booneville, Arkansas

In my last post, we explored the story of the small farming town of Murdo, South Dakota after the closure of the Chicago, Milwaukee, St. Paul & Pacific Railroad. By establishing the 1880 Town, an attraction providing a glimpse into Murdo's railroad heyday, the town was able to provide a means of survival. However, Murdo's survival past the closure of its railroad lifeline is not entirely unique, nor is the means by which they did so. Whereas Murdo mainly relied on the railroad to connect it to the rest of the world, some towns built their entire economy around the railroad, making the task of survival more difficult. Despite the odds, Booneville, located in Western Arkansas, is one example of a town that did, despite their previous dependence.

by Yitzhak Henry
Blog
GRI research assistants reflect on lessons learned from Northeastern University’s Preparedness Day

GRI research assistants reflect on lessons learned from Northeastern University’s Preparedness Day

Preparedness Day at Northeastern University was a round of training and informational sessions taught by police officers, detectives, and experienced health and safety experts. Our research assistants attended various sessions that included a wide range of categories from personal preparedness in daily lives to international travel safety. The key takeaways from each session contributed to GRI’s resilience preparedness informational toolkit, which can be seen summarized below. Overall, our team learned a lot about how the theme of resilience must be incorporated into all aspects of preparedness. We are excited to participate again in the future!

by: Erin Bourque, Delanie Smither, Maria Robson, Ari Young, Towsif Ahasan, Amanda Knightly, Yitzhak Henry
Blog
Cognitive bias and community resilience

Cognitive bias and community resilience

Have you ever tried to convince your boss, your spouse, or someone else about something? And found your blood pressure rising as you thought to yourself “Why can’t he / she keep an open mind?” You may have been a victim of the other person’s cognitive biases (of course there’s always the possibility that you were wrong!). When we receive new information, we try to fit it into our existing mental models – the patterns that we have formed to help us organize information. These patterns are important and useful because they help us rapidly respond to warnings. However, sometimes our existing mental models act as barriers to incoming information, especially if the new information doesn’t fit into an existing pattern very well. This is known as cognitive bias. Community leaders are human. They are just as subject to cognitive bias as anyone else. As a result they may under- or overestimate risks facing the community, or ignore potential solutions to the community’s problems, or accept “solutions” that simply won’t work. Thus, cognitive bias can have profound impacts on a community’s resilience. In this post, I want to explore some common kinds of cognitive bias in a community context.

by John Plodinec
Blog
Dungeons, Dragons, and Resilience: Role playing as a thought model for complex resilience

Dungeons, Dragons, and Resilience: Role playing as a thought model for complex resilience

In the 1970’s, game designer (and former insurance underwriter) Gary Gygax invented a game for simulating medieval combat he called Chainmail. This basic system then became the melee mechanics for his next game, Dungeons and Dragons. Almost every role-playing game since, in-person or online, has drawn inspiration from or elaborated on this model. Today and every day around the globe, millions of people (both affectionately and derisively called ‘gamers’) play in-person or online role-playing games. They simulate repeated interactions between attackers (which can be intelligent adversaries or forces of nature) and defenders. They roll dice or depend on computers to do the dice rolling, and they fret and argue the details about how to best prepare for, resolve, and ‘survive’ these encounters.

by Howard Smith
Blog
Rebranding: “Chaos Engineering” as “Resilience Testing”

Rebranding: “Chaos Engineering” as “Resilience Testing”

Last week, I had the opportunity to hear Aaron Rinehart brief on “Chaos Engineering”. Aaron is the Chief Enterprise Security Architect at UnitedHealth Group. His job is to break things. And by break things, I don’t mean innovate as in “move fast and break things” or break-in to things as in penetration testing but actually break systems. It’s a cool job. UnitedHealth is a beast of a company. Cobbled together through dozens of acquisitions, it has 270,000 employees and 200 million in revenue. Also worth noting, when seemingly every other health insurance company got owned by the Chinese in 2015, UnitedHealth dodged the bullet. Maybe they weren’t targeted. Maybe the breach wasn’t discovered. Maybe they got lucky. Or maybe there is something to this approach. As networks and applications (and their interactions) grow increasingly more complex and interdependent, the likelihood of cascading (and therefore devastating) failure also increases. Purposefully causing these failures in a deliberate and controlled fashion is possibly the only rationale way to persist in the faith of both system error and malicious activity.

by Rob Knake
Blog
Cyber resilience: A local approach

Cyber resilience: A local approach

In our previous blog posts we have looked at a case study of a vulnerable water plant and explored using Shodan to scan the internet for vulnerable programmable logic controllers. In researching what I wanted to write about next, I watched a presentation at Blackhat 2017 by two U.S. Attorneys about their investigation, arrest and conviction of Roman Seleznev, a Russian hacker and dealer of stolen credit card information. What struck me during the presentation was that many of his targets were small U.S. businesses (the presentation highlighted a few restaurants in the Northwest U.S.) because many of them were easier to hack as they had poorly configured remote desktop protocols and were storing credit card data in unsecure formats. The result of some of these breaches were the target businesses shutting down shortly after publicly announcing being compromised. This got me thinking, what is the affect of cyber attacks on small businesses? What about on rural hospitals? Or local governments and first responders?

by Nate Toll
Blog
Examining NOLA’s recovery from Katrina, with relevance to Harvey, Irma and Maria

Examining NOLA’s recovery from Katrina, with relevance to Harvey, Irma and Maria

Five years after Hurricane Katrina, I gave a talk with this title at a meeting in New Orleans hosted by FedEx and the Salvation Army. I recently stumbled across my slides (no snide remarks about my less than sterling filing system – please!). I had always meant to write something up along these lines but never quite got around to it. What I learned those few days in NOLA has great relevance to recovery from Harvey, Irma and Maria. Pain is inevitable, suffering is optional. I have come to fervently believe in these words from Ernie Broussard of Cameron Parish. When the winds come, the rains fall and the flood waters rise, lives will be disrupted. Some buildings will be damaged. Some roads will be washed out. We will feel pain. But if we have hardened what we can, if each of us has prepared ourselves for the inevitable and if we have worked with those around us to build those essential mutual support networks, then we can avoid true suffering.

by John Plodinec
Blog
Using Shodan as a tool to find vulnerable devices | GRI Blog

Using Shodan as a tool to find vulnerable devices | GRI Blog

In the last blog post, we looked at the case study of the Kemrui Water company as outlined by the Verizon Data Breach Report which underscored potential consequences of having industrial control systems connected to the public internet. This post will go a little bit deeper and look at the ease in which a device similar to those that were probably in use at the water company and connected to the public internet can be found and potentially exploited. For this process I used the tool ‘Shodan’. Shodan is essentially a search engine for internet connected devices. It ‘crawls’ the internet, sending out connection requests and recording the public results, which include banner information, open ports, and running services. There have been numerous articles and blogs that highlight how Shodan has been used to find internet of things devices such as webcameras, license plate readers, programmable logic controllers (PLC), even ships using satellite antennas and botnet command and control servers.

by Nate Toll
Blog
Making our infrastructure more resilient to cyber-attacks | GRI Blog

Making our infrastructure more resilient to cyber-attacks | GRI Blog

As we develop the concept of CINET, one of our main challenges is to illustrate how separation of control networks from the public Internet and the existence of a dedicated channel for information sharing could help make our infrastructure more resilient to cyber-attacks. There are only a few public cases of disruptive or disruptive cyber attacks targeting critical infrastructure. At this point, Stuxnet and the Ukraine power grid attacks have been beaten to death. In a series of posts, we are going to review a few less well-known ones. For those readers who treat the Verizon Data Breach Incident Report as the Bible of cybersecurity, this case study will be familiar. For the rest of you, here is a brief recap.

by: Robert Knake, Nathaniel Toll
Blog
Constructing a community narrative: Resilience requires action

Constructing a community narrative: Resilience requires action

Community resilience requires action. And in communities “action is at the speed of trust” (Sherri Moore of the USACE). As I’ve pointed out before, trust must be based on shared experiences, shared successes, a shared vision. Eugene Tan in Singapore calls this a “Master Narrative” – a common understanding of who we are, and how we’ve come to be. Let me make it clear up front that the Master Narrative and a call for action aren’t the same. You want your community to become more resilient – that’s the purpose of a call for action. But if that call is to be translated from words to action, your community has to believe in itself enough to take action. That’s where the Master Narrative comes in – one of the thing it must do is inspire confidence that “Yes, we can.” Thus, an effective call for action will have echoes of the Master Narrative embedded in it.

by John Plodinec
Blog
Now are we ready to talk about CINET? | GRI Blog

Now are we ready to talk about CINET? | GRI Blog

On Wednesday I testified before the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection about information sharing. U.S. Rep John Ratcliffe (R-TX), chairman of the subcommittee, and Congressman Jim Langevin (D-RI), ranking member, were particularly interested in what more needs to be done in the two years since Congress passed the Cybersecurity Act of 2015. That act eliminated many of the excuses for why companies don’t share cybersecurity information. It also directed the Department of Homeland Security and other agencies to develop the means to share classified information with private companies.

by Rob Knake
Blog