26th February 2018 | London

Infrastructure and Societal Resilience to Black Sky Hazards

Seminar Report

The LondonBlack SkySeminar//2018

THE LONDON

BLACK SKY

SEMINAR//2018

Infrastructure and

Societal Resilience to

Black Sky Hazards

London, Feb 26, 2018

The London Black Sky Seminar 2018

was organized and hosted by:

C O U N C I LIS

The Electric Infrastructure Security

(EIS) Council

Department of Engineering

ENCORE Network

7

Executive Summary

Introduction

The Need for Systemic Resilience to Black Sky Hazards

Infrastructure systems provide an indispensable platform for societal and economic activity.

They generate and enable a continuous flow of emergent desired outcomes, without which

civilisation as we know it could not exist.

Modern infrastructure systems comprise an increasingly interdependent web of infrastructure

components, decision making processes and the external environment. This interdependent

web greatly enhances the scale and scope of benefits enabled by infrastructure, while

simultaneously magnifying the potential for disruption to trigger far reaching consequences

across all infrastructure sectors, society and the economy (cascading failure).

Systemic Resilience to this type of cascading failure is therefore vital for a successful economy

and society. We need to develop infrastructure that is resilient and can be restored following

any form of disruption to normal operations. Moreover, we require societal, community, and

institutional structures that are resilient to the impacts of infrastructure failure.

The near universal dependence of modern infrastructures on a continuous supply of

electricity, and the potential for Black Sky hazards to cause national scale power outages of

indeterminate duration make these resilience goals urgent.

Resilience to Black Sky hazards cannot be achieved by scaling up plans for short term

localised power outages. However, the creation of systemic resilience to Black Sky hazards

will yield significant benefits for short, medium and long-term resilience planning.

Building on findings from the first workshop in this series, this academic seminar brought

together representatives from across infrastructure disciplines and related interdisciplinary

fields to examine four themes of strategic significance to such an approach.

Theme 1: Managing Infrastructure and Assets for Black Sky Hazard Response,

Restoration and Recovery Focused on the operational and management challenges of

sustaining, restoring and recovering infrastructure assets during a black sky event.

Theme 2: Resilient Processes, People and Protocols for Black Sky Hazard Alert,

Emergency, Restoration and Recovery The people, plans, processes and procedures

required to respond to a black sky event, and to what extent these can be developed prior

to an event.

Theme 3: Establishing Systemic Black Sky Resilience as a New Normal Focused on

the long-term challenge of improving systemic resilience.

Theme 4: Building and Enabling Black Sky Resilient Communities and Institutions

–Focused on the role of community resilience and social capital, as essential complements

to the infrastructure focused elements of resilience planning.

8

Key Points

We live in an interdependent world, sustained by increasingly interdependent and

vulnerable critical infrastructures that are all powered by electricity.

The interdependent infrastructures that make advanced, societies and economies possible

are vulnerable to a broad, long-duration power outage – a Black Sky event. The cascading

effects of a massive power outage on other infrastructures could lead to catastrophic loss

of life.

Black Sky hazards will inevitably occur in the coming years

Six types of hazards have the identified potential to cause a Black Sky event, EMP, cyber-

attack malicious physical damage, earthquake, severe space weather and severe terrestrial

weather. Cyber-attacks on critical infrastructure have already occurred. North Korea’s

nuclear program makes an EMP attack imaginable. Hurricane Maria caused a bounded

Black Sky disaster in Puerto Rico in 2017. As John Heltzel of EIS Council said,

“If you don't understand what Black Sky is, let's talk about Puerto Rico. More than six

months on, the island still does not have dependable power.”

Given the seriousness and plausibility of these threats, Lord Toby Harris emphasized that

“Black Sky hazards should be high on the agendas of decision makers, and awareness of

these threats should be raised at all organizational levels.”

9

Protecting against Black Sky hazards requires cost-effective resilience investments

and detailed cross-sector planning and exercising

As Professor Brian Collins put it, "Most of you will have worked on disaster-recovery plans

which assume that some supporting services are intact after the event. Black Sky challenges

every one of those assumptions." Consequently, Black Sky recovery plans for each sector

need to pay close, detailed and realistic attention to what support may be available from

other sectors, and how each sector may support the others. Avi Schnurr of EIS Council

stressed,

“There have to be very concrete Black Sky plans that lay out what each sector must

achieve in such a crisis and what it will require from other sectors.” Such planning has yet

to take place in most countries and sectors.”

Critical Infrastructure design needs to incorporate systemic resilience as a core

objective.

Tom Dolan presented eight recommendations towards the goal of making systemic resilience

a core objective of all infrastructure decision making and implementation. Continuing the

theme that our infrastructure needs higher levels of built-in resilience, Kristen Mc’Askill noted

that currently “the cost-benefit analysis criteria for new infrastructure do not adequately

capture the future benefits of a more resilient solution.”

“Calling in the army” will not work as a response to a Black Sky event in the UK

Lord James Arbuthnot warned that it will be unrealistic to expect the military to step in as

the last resort solution in a Black Sky event. In addition to the UK military’s shrunken size,

infrastructure recovery today requires highly specialized skills. Moreover, defense sector

will also be dealing with “the cascading effects of a loss of electricity leading to a loss

of communication, understanding, order, cohesion, fuel, water, food and money.” To be

prepared, the defense sector needs to take the same steps as others:

“They need to recognize there's a problem. They need to have a plan and to practice

it. They need to have spares and redundancy. They need to work on recovery and do a

constant audit.”

Developments in Artificial Intelligence and Machine Learning provide important

opportunities for building Black Sky resilience.

Professor Liz Varga pointed to the potential of AI-based tools to help protect against Black

Sky threats. The sheer volume of cyber-attacks on infrastructure requires the deployment

of AL-driven automated response to most events. Avi Schnurr explained that EIS Council’s

GINOM™ project aims to meet the need for “very good-quality models that lay out all of

the infrastructure interdependencies, provide simulation and forecasting mechanisms and

make those available for decision makers.”

10

Standardization of systems and parts provides efficiency benefits but also

resilience dangers

Professor John Clark pointed out that “the downside of standardization is that if it breaks

once, it breaks everywhere. You have hugely distributed systems where chips are embedded

in the fabric of society. If all your hardware is duff, it’s going to cause big problems.” Such

systemic failure was a cause of the recent Wannacry ransomeware cyber-attack.

Regulators have a major role to play in establishing processes and metrics for

Black Sky resilience and recovery

Avi Schnurr reported that regulatory sector involvement in Black Sky preparation is beginning

to happen in the United States, saying “the regulatory community in the United States has

got to the point where they're concerned and recognize Black Sky has to be addressed.

They are looking for help, especially in terms of finding Black Sky resilience metrics that they

could utilize.” The consensus of speakers was that rather than creating a new regulator

for Black Sky, the need is rather to empower existing regulators to develop and implement

cross-sector metrics standards and processes that bridge the private and public sectors.

The Black Sky threat is global and the solutions require global cooperation

Critical infrastructures today are globally interconnected, carrying a risk that the impacts of

a massive outage will overspill national borders. Consequently, the solutions also require

broad international knowledge-sharing and collaboration. This event, bringing together

leading experts and practitioners from a number of countries including the U.K., U.S. and

Israel served as a beginning and an example of the international cooperation that is required.

11

Introductory

Session

14

Welcome and Introduction

Professor Brian Collins, UKCRIC Chairman

Professor Brain Collins welcomed participants with some introductory remarks on the “Black Sky”

challenges that the day would address.

He noted that the threat nexus of long-term power outages, combined with critical dependence

of all infrastructures on electric power and the interdependence of smart infrastructures was

particularly acute in cites. Humanity is undergoing intensive urbanization, with 70% of people on

Earth predicted to live in cities within 20-30 years, implying that the threat will only become more

severe.

Collins emphasized key qualitative differences between Black Sky and other disasters for which

participants may have prepared: “Black Sky is about the unthinkable situation of everything

failing. Most of you will have worked on disaster-recovery plans, business-resumption plans,

which assume that some supporting services are intact after the event. This is about challenging

every one of those assumptions. Whatever you assumed was going to work in order that your

disaster-recovery process could be booted or started up, that assumption is invalid. That’s what

we mean by Black Sky.”

Previewing some of the issues to be discussed during the day, Collins noted the importance of

striking the “right balance between the unthinkable and the normal” in research so that resources

are directed towards both extreme and more common threats. He also underscored that resilience

investments have an unavoidable cost-effectiveness dimension, so that we can distinguish

between “what is it that we have to afford, what is it that we can consider we need to afford, and

15

what is it that is nice to have?” This implies a critical appraisal of the resilience value of investment

in technology and systems, people and training, process and protocols and the right mix of these

elements. A further issue that Collins raised is “the balance of being prepared, being able to react,

and then being able to recover.”

Collins pointed out the importance of this being an international event: he said, “we’re living in

a very interdependent world. Cities and

nations depend on each other for their

livelihood, mainly through trade, but also

through cultural exchanges and through

knowledge exchange. We are developing

our sharing of knowledge and our sharing

of capability to provide Black Sky resilience

on a global scale – that’s very important.”

He also stressed the significance of

bringing university researchers together

with those tasked with practical resilience

efforts. “We’ll hear about research and also about some of the activity that is going on in this

country so that what we think is a good idea is practiced and rehearsed in real terms, so that

people can find out what works and what doesn’t.”

We’re living in a very interdependent world.

Cities and nations depend on each other

for their livelihood. We are developing our

sharing of knowledge and our sharing of

capability to provide Black Sky resilience on

a global scale

16

Black Sky Interdependency Challenges

A Global Perspective

Avi Schnurr, CEO and President, Electric Infrastructure Security Council

Avi Schnurr, CEO of EIS Council began by acclaiming the tremendous expertise of those in the

room. He called the group, “the infrastructure brain trust of the United Kingdom and also, to a

degree, of the world.”

He proceeded to define a Black Sky event as “a very large-scale power outage” and referred to

six hazards, both malicious and natural in origin that could cause such an event: EMP, cyber,

physical attack, space weather, severe terrestrial weather and earthquakes. Schnurr underscored

that such outages can cause “the failure of everything, through cascading failures or interconnected

infrastructures and resource supply chains.”

He pointed out that the mega-cities in which so many of us now live are only possible because

of hyper-connected networks in which not just infrastructures, but also the supply chains for

those infrastructures are thoroughly

interdependent.

Schnurr compared this interdependence

to a living organism. “The strength,

efficiency, and effectiveness of

interconnected infrastructures enables

our unprecedented living standards

and levels of culture today. However, he

warned, “the problem is that in any organic system if you pull out some major piece, the organism

collapses.” Whereas living organisms have immune systems to deal with such dangers, “there is

There have to be very concrete Black Sky

plans that lay out what each sector must

achieve in such a crisis and what it will

require from other sectors.

17

no systematic immune system for the interdependent infrastructures and resources that we utilize

today. That is an extremely dangerous situation.”

Schnurr pointed out that these interdependencies are not only multi-sectoral, they are also

international. Infrastructures and supply chains are today globally connected and so a global

effort is required to address the threat of their potential failure. This reality requires that “we find

ways to be outwardly looking, so that our primary concern when it comes to resilience becomes

what is it that my sector, my company,

and ultimately my nation must do to

support all the others.” Schnurr stressed

that such an approach “will be absolutely

mandatory if we’re going to protect this

organic system that we now live in that

supports our lives.”

Schnurr added, extending the physiological

metaphor, that our systems today lack not

only an immune system, but also a level

of “fat” that can serve as a buffer against

crises. “Infrastructure by infrastructure, what remains in supply chains is now down to about three

days. That means there are three days between failure of infrastructures in a large area and lack

of water, lack of food, lack of pharmaceuticals, lack of fuel.”

Turning to the required solutions, Schnurr declared that the first requirement is integrated cross-

sector planning. “There have to be very concrete Black sky plans that lay out what each sector

must achieve in such a crisis and what it will require from other sectors.” EIS Council’s EPRO

Sector program lays out such a planning process; in the UK this initiative is led by Lord Toby

Harris.

The next requirement is to put in place infrastructure coordination mechanisms that can operate

in real time. This coordination must, Schnurr explained, do two things: “firstly, support restoration

of infrastructures so they can return to operation, both to repair damage and to restart those

infrastructures; and secondly to sustain the population while that restoration is going on.” Crucially

this requires plans that are regularly exercised. EIS Council’s annual EARTH EX international,

multi-sector exercise, which takes place this year on August 22nd aims to help meet this need.

Schnurr elaborated on two other essential recovery tools. The first is “a very robust emergency

communication system that is deployed to all sectors. It needs to have international connectivity,

and an internal self-powered capability to last weeks if we want this whole process to work.”

Schnurr reported on a private-sector initiative called the BSX Emergency Communication System

within the United States, which is potentially applicable relevance internationally.

The second tool that Schnurr described is the GINOM modeling process that EIS Council is

developing. Schnurr explained that this is designed to meet the need for “very good-quality

models that lay out all of the infrastructure interdependencies, provide simulation and forecasting

mechanisms and make those available for decision makers.”

Schnurr concluding that developing these tools is a community effort and thanked all those

present who are contributing to it.

Infrastructure coordination mechanisms

must first, support restoration of

infrastructures so they can return to

operation, both to repair damage and to

restart those infrastructures; and second

sustain the population while that restoration

is going on.

18

Current and Future Challenges, Priorities for

Black Sky Resilience a UK Perspective

Lord Toby Harris, EPRO ESC Coordinator, UK

Lord Toby Harris opened by reprising some of the essential themes that emerged from the highly

successful 2017 Black Sky seminar at the Royal Society. Firstly, as Lord Martin Rees warned,

“Our power grids are becoming ever more crucial. Cities will be paralyzed without electricity. And

the lights going out will be the least of the consequences. Everything else that urban life depends

on is vulnerable to breakdowns, errors, or even intentional sabotage.”

Secondly, Harris declared, “no single sector can function without the partner sectors that each

depends on. Consequently, coordinated planning and engagement are essential.”

Thirdly, a prolonged, widespread power outage would cause cascading failures of other systems.

Fourthly, policy, for understandable reasons tends to focus on the high-probability risks. However,

“it is also essential to plan for the mitigation of low-probability but devastatingly high-consequence

events.”

All of this is vastly complicated by the

nature of the Black Sky environment,

which Professor Liz Varga describes

as VUCA - volatile, uncertain, complex,

and ambiguous. As Harris put it,

“infrastructure systems are now so

intricately interconnected that we cannot

possibly understand the magnitude and

consequences of these interconnections.

Our power grids are becoming ever-

more crucial. Cities will be paralyzed

without electricity. And the lights going

out will be the least of the consequences.

Everything else that urban life depends on

is vulnerable to breakdowns, errors, or even

intentional sabotage. [Lord Martin Rees]

19

There is instability, a lack of information, and when things go wrong, an inability to know what is

causing events.”

Harris stressed that “the overriding conclusion of the day was that Black Sky hazards should be

high on the agendas of decision makers, and that awareness of these threats should be raised

at all organizational levels.”

Harris noted a number of institutional and cultural trends that make tackling Black Sky threats

more difficult. He pointed out the tendency of people today to work in specialized silos, which

inhibits the cross-sector cooperation that is necessary. In addition, the increasing reliance on

technology, improves efficiency but introduces new vulnerabilities.

He also pointed to a phenomenon specific to recent UK history, “the cultural change that has

accompanied the shift from public to private ownership of the key lifeline utilities,” and the way in

which “the business cases for investment that require short-term returns militates against work to

address low-probability events, even where the potential consequences are massive.”

Moving on to define Black Sky/black start event, Harris set out the following key definitions and

characteristics:

• Black Sky is a prolonged, wide area electricity outage affecting the whole of the UK or

a substantial part of it for several days or more.

• Black Start is term used by the

National Grid for restarting the

Grid from a total power down.

• Best estimates now suggest

that this would require up to

seven days before most of the

country had power restored.

• However this estimate assumes that the National Grid itself has not been damaged by

the event that triggered the outage.

Turning to the causes that could trigger a Black Sky event, Harris listed six that are widely agreed

upon, and also suggested a possible seventh.

The first three causes are malicious and man-made:

1. Concerted physical assault. Harris noted that in 1996, the IRA planned just such an

attack, involving 37 explosive devices, designed to disable six substations and deprive

London of electricity.

2. Electromagnetic pulse attack. This would involve a nuclear blast in the atmosphere,

something incidentally that, Harris remarked, “the North Koreans announced in official

news release only last year that they were contemplating.”

3. Cyber-attack. Harris described this scenario as “worryingly plausible,” observing that

“we know this has been deployed against the Ukraine. And last year, the U.S. Department

of Defense Science Board reported that the U.S. grid had been so effectively penetrated

No single sector can function without the

partner sectors that each depends on.

Consequently, coordinated planning and

engagement are essential.

20

by both Russian and Chinese hackers that either could switch off electricity supplies at

will. There is no reason, Harris stressed, “to suppose UK systems are any more secure.

The next three causes are natural:

1. Extreme terrestrial weather. Hurricane Harvey and Superstorm Sandy both led to

prolonged power outages. Hurricane hurricane Irma reportedly left eight million people

without power, including the whole of Puerto Rico. This was effectively a Black Sky event for

the island.

2. Coronal mass ejection – Extreme space weather. Harris referenced the devastating

Carrington event of 1859 which burned out telegraph systems across the globe. Harris

warned that today we are enormously more dependent on electrical systems, “to say nothing

of the GPS satellites that would be fried” by such an event. Indeed, in 2012 a massive solar

storm narrowly missed the Earth. Had it hit, the economic impact has been estimated at two

trillion dollars.

3. Earthquake “There are plenty of places in the world where severe earthquakes would

undoubtedly create Black Sky hazard,” Harris said.

Harris proposed an additional cause of Black Sky, which he called “human error and plain bad

luck.” As he explained, our infrastructure systems are now so complex and interconnected that

unpredictable things can go badly wrong when “apparently unconnected incidents can combine

for catastrophic effect.” As an example, he gave the incident in 2012 when, “a pump in the

Trafalgar Square fountains failed. This caused a leak and an overflow of the fountain. That in turn

disrupted power supplies including those for Charing Cross Station, which took out the Bakerloo

underground line.”

Moving on to examine the potential impacts of a Black Sky event, Harris cited the River Lune

flooding in December 2015 as a result of Hurricane Desmond, which led to the inundation of a

substation. Some of the ensuing impacts that Harris detailed were:

• 60,000 homes and business, 100,000 people left without power for four days

• Transport and communications were disrupted; ATMs were out of action; garages could

not pump petrol. Text messaging, digital radio, and the internet ceased to be available.

• 75 emergency generators were brought to Lancaster from all over the country

Harris added, “As the Royal Academy of Engineering noted, this was a comparatively localized

area manageable in size. In a much larger area or locality with a much bigger population, bringing

in generators from other areas would not have worked.”

Extrapolating to the impacts of a Black Sky event, Harris posited that:

• Most organisations plan for an emergency that just affects their organisation. Disaster

response plans tend to tacitly assume that other organizations will be functioning as normal.

However, this will emphatically not be the case in a Black Sky event.

• Civil order is likely to break down. Harris reported on an exercise he took part on with the

London Resilience Forum in which martial law was declared around day four of the scenario.

• Emergency generators are not in themselves a panacea. They must be of sufficient capacity,

21

properly maintained and regularly tested. Even then they are likely to break down and will

need regular refuelling to keep going in a long-term outage.

• Water supplies and the management of waste water are critical. “A city without fresh water,

or where wastewater and sewage cannot be removed rapidly, quickly becomes uninhabitable,”

Harris warned.

• Communications will break down.

“We all use mobile communications

devices, but these have to be

charged. In any event, how long will

cell phone continue to operate in the

absence of power?”

• Food distribution will be severely

disrupted. Domestic freezers will break down as will those of small retailers. Harris recalled

that MI5, Britain’s security service famously reported in 2004 that the U.K. was four meals

away from anarchy, and it does not take much to imagine the implications for civil order of

this sort of disruption in food supplies.”

• ATMs will not function. “In Lancaster, the ATMs stopped working. So how long would the

financial system continue to function?” Harris asked.

Harris key messages and conclusions were:

• No service or utility can plan for a Black Sky event on its own.

• Every sector has to recognise its mutual dependencies on other sectors.

• A lot of work is needed to understand, predict and manage public behaviour under

extreme, Black Sky circumstances.

• There is a general problem of situational awareness. “In a UK Black Sky scenario, it will

be hard both for any individual organization and for government to have a clear view on

what is happening around the country, Harris warned.

“None of this is easy,” Harris acknowledged, but the consequences of failing to do it are

incalculable.”

A city without fresh water, or where

wastewater and sewage cannot be

removed rapidly, quickly becomes

uninhabitable,

22

Connectedness, (aka Complexity) and

Machine Learning for Black Sky Avoidance

Liz Varga, Cranfield University Professor of Complex Infrastructure Systems

Professor Liz Varga began by observing that “we’re more interconnected than we ever were. The

more interconnected we are the more at risk we are of systems failures, particularly of critical

infrastructure.”

She noted the dearth of academic studies about Black Sky. A search of key, Black Sky related

terms in the Science Direct database yielded only 19 papers since 2012. “There’s not enough

conversation going on about these Black Sky events. There isn’t enough information for us to

know exactly what the impact will be for all the consequences of cascading effects, and there’s a

lack of knowledge across systems.”

Our infrastructure systems are becoming ever more smart, digitalized and automated. “The

human is out of the loop but the human

receives the consequences of any failures

in these systems,” as Varga put it.

She defined the following general

characteristics of resilient systems:

The ability to address the actual; knowing

what to do: how to respond to regular

and irregular disruptions and disturbances

either by implementing a prepared set of

responses or by adjusting normal functioning.

There’s not enough conversation going

on about these Black Sky events. There

isn’t enough information for us to know

exactly what the impact will be for all the

consequences of cascading effects.

23

The ability to address the critical; knowing what to look for: how to monitor what is or can become

a threat in the near term. The monitoring must cover both events in the environment and the

performance of the system itself.

The ability to address the factual; knowing

what has happened: how to learn from

experience, in particular how to learn the right

lessons from the right experience; successes

as well as failures

The ability to address the potential;

knowing what to expect: how to anticipate

developments, threats, and opportunities

further into the future, such as potential changes, disruptions, pressures and their consequences.

Varga suggested that we should develop automated systems that have these characteristics and

are able to identify and respond to risks to infrastructure systems in an intelligent fashion. “What

I’m proposing,” she said, “is that we need a new generation of machine learning which not only

deals with an objective of higher performance, but also thinks about safety and resilience.”

Such machine learning systems need in-built mechanisms to isolate systems, to have local

redundancy, alternative means to create services and also tools to intervene to avoid Black Sky

events when it begins to detect them.

As an example, Varga discussed a project she is working on with Highways for Britain developing

“Intelligent Excavation” with utility detectors and sensors on excavators that can identify buried

artifacts in real time.

She acknowledged, there can also be “a dark side to machine learning,” citing a recent paper by

the Center for Existential Risk in Cambridge, called “Malicious Use of Artificial Intelligence” which

discusses how machine learning can give opportunities for people to create disaster events

through the newly connected routes.”

Varga summed up the key messages of her talk as follows:

• Disasters are a measure of social resilience.

• Increasing connectivity of infrastructures across and within sectors is the new norm and

brings the risk of more frequent and severe disasters.

• Technologies arising from ‘smart technologies’ such as Machine Learning have a potential

to divert disaster and minimize social impact.

• Machine Learning needs to detect emerging disasters (and should be able to do so.)

• Machine Learning mechanisms must be available to maintain social resilience in the

event of disasters.

• Emerging threats from Machine Learning will co-evolve together with the benefits.

We need a new generation of machine

learning which not only deals with an

objective of higher performance, but also

thinks about safety and resilience.

24

Strategic Insights for Black Sky Resilience

Planning and Preparedness: The Defense

Sector as a provider and user of critical

support resources

Lord James Arbuthnot, Former Chair of the UK House of Commons Defense Committee

Lord Arbuthnot focused his talk on the UK defense sector. He explained why the traditional belief

that in a major UK disaster “they would call in the army” to restore society to functionality is

misconceived. “The army is not equipped to deal with social collapse,” Arbuthnot warned.

There are a number of reasons for this. The UK armed forces have shrunk to their smallest

size since records began, with fewer than 200,000 men and women under arms. The power of

modern weapons appears to justify having fewer personnel, which means fewer ambassadors in

society for what the armed forces do and less support for the army among the broader population.

Moreover, there are many competing spending priorities, particularly those related to welfare.

The role of the armed forces in responding to disasters has been statutarily weakened

In addition, Arbuthnot explained that the Civil Contingencies Act of 2004 makes army intervention

in emergencies less likely. The Act “placed a duty on a number of different organizations to plan

for all manner of emergencies. The resilience model is one in which an incident is dealt with at the

lowest level possible building on local, multi-agency working arrangements. Under that act, no

statutory duty is placed on the Ministry of Defense or the armed forces.”

In an emergency, the defense sector brings

organization, logistics, ingenuity, discipline,

and the sort of dedication that comes from

a trained body of men and women that are

ultimately prepared to lay down their lives

25

A further reason why the army is unlikely to be equipped to take a major role in a Black Sky

emergency is that running infrastructures today requires highly specific and sophisticated skills

that the army does not have.

Arbuthnot argued that the armed forces should provide military aid to the civil authority in two

main types of cases. The first is when the army has specific capabilities that civilians lack; bomb

disposal is an example. The second is when the armed forces “have the capacity to augment

any emergency response drawing on people and resources available at the time if the scale and

duration of any emergency might overwhelm civil capabilities.” In such a situation the defense

sector brings “organization, logistics, ingenuity, discipline, and the sort of dedication that comes

from a trained body of men and women that are ultimately prepared to lay down their lives.”

The armed forces will be too preoccupied with the effects of a Black Sky event to play

a decisive role in assisting the rest of society

However, Arbuthnot continued, “we mustn’t think that because the armed forces are brilliant, they

are the answer. They’re not.” The armed forces are too small to make a decisive difference and

moreover they themselves would be overwhelmed by a Black Sky event. “All of the effects of a

Black Sky event, the cascading effects of a loss of electricity leading to a loss of communication,

understanding, order, cohesion, fuel,

water, food, money, all of these would

apply no less to the defense sector than

to every other sector,” he warned.

For example, energy, particularly oil, is the

largest consumable of the British military.

“In a Black Sky event, you need to have

quite a lot set aside. Whatever the armed

forces have got will not be enough.”

Arbuthnot noted the dilemma of how to “discover the extent of the resilience of the armed forces

without exposing vulnerabilities to the eyes of people who might want to do us harm.” However,

research is needed into this, “perhaps by the Royal United Services Institute who would deal with

the issue in a secure and sensitive way.”

Lord Arbuthnot concluded that to reduce its vulnerability, the defense sector needs to take the

same essential steps as other sectors:

“They need awareness. They need to recognize there’s a problem. They need to have a plan and

to practice it. They need to have spares and redundancy. They need to work on recovery. And

finally, they need to do a constant audit of precisely where their vulnerabilities lie, because those

vulnerabilities will change over time.”

All of the effects of a Black Sky event, the

cascading effects of a loss of electricity

leading to a loss of communication,

understanding, order, cohesion, fuel, water,

food, money, would apply no less to the

defense sector than to every other sector.

26

The Road Ahead for Coordinated, Multi-Sector

Planning in Complex Catastrophes

Brig. Gen. (Ret.) John Heltzel, Director of Resilience Planning, EIS Council

John Heltzel began his talk by acknowledging that coordinated multi-sector planning is not easy.

He explained, “the reason is because to be prepared for most organizations means a change in

their culture. And all my time in the military and in government, the single hardest thing to change

is culture.”

Heltzel focused his presentation on three points, awareness and active engagement,

documentation and alignment and training and exercises.

Awareness and Active Engagement

Heltzel explained that in the US, EIS Council has sector coordinators working with all of the critical

lifeline sectors. “We are going across the United States point by point, meeting with various

organizations to let them understand what the threat of a Black Sky hazard actually is,” he said.

Heltzel observed that though the U.S. spends a lot of money on emergency preparedness, “we

tend to do the simple and easy things over and over.” Many organizations are not prepared for a

complex catastrophe that could cost many lives.

He remarked that recent events have made

the task of explaining the seriousness

and plausibility of Black Sky hazards

easier, saying, “if you don’t understand

what Black Sky is, let’s talk about Puerto

Rico. More than six months on, the island

still does not have dependable power.”

For most organizations, preparing for

Black Sky means a change in their culture.

And the single hardest thing to change is

culture.

27

Similarly, “it used to be difficult to get EMP across to people. Now all I do is talk about the nuclear

threat from North Korea and people understand EMP.”

Highlighting some of the significant successes of this engagement program, he cited a program

in California where “we met with the California Cabinet Secretaries. For almost four-and-a-half

hours not a single secretary got up and left the table. They all stayed engaged.”

Documentation and Alignment

The core of this element is the EPRO Black Sky Playbook program, in which EIS Council has

developed and put online detailed playbooks for Black Sky resilience, restoration and recovery

for each of the main lifeline infrastructure sectors. The playbooks are iterated for continuous

improvement and include the internal and external requirements for each sector; what they need

from within their own sector and what they would require from other sectors to ensure restoration

and recovery. The most recent iteration, version 3.0 also contains a set of assessment tools, so

that any organization can evaluate its level of preparedness.

EIS Council is also producing building a matrix of cost-effective resilience investments some

general and some sector specific. A further project in this area is the BSX Black Sky command

and control coordination system designed to enable communication in a Black Sky environment.

Finally, the EIS Council is working on a “Black Sky Resilience Doctrine,” that aims to present

founding principles for achieving synchronization and synergy across sectors.”

Training and Exercises

Heltzel described the suite of Black Sky

exercises that EIS Council offers leading

to organization-specific incident action

plans. He noted a major gap in most

incident response plans. First responders

will adequately address about 98% of

incidents. Emergency management will

engage about 1% of cases. However,

there are almost no guidelines protocols for the restoration of critical lifeline infrastructures in

the end that they fail. “Puerto Rico is a classic example,” Heltzel said. “There is not a built-in

mechanism that tells us how we restore critical lifeline infrastructure.” The EPRO III Handbook

authored by Dr. Paul Stockton is designed to fill this critical gap.

Finally, Heltzel highlighted Earth Ex, a major, self-facilitated, self-assessed, cross sector,

international Black Sky exercise that EIS Council ran for the first time in August 2017. There were

thousands of participants representing over 500 companies and 14 countries.

Heltzel announced that the next Earth Ex exercise will take place on August 22nd 2018 and will

simulate a massive cyber-attack on critical infrastructure. The exercise is designed around five

hubs with corresponding video injects and scenario updates as well as an individual and family

preparedness lane. Heltzel ended by warmly inviting companies, organizations and individuals

from the UK to take part.

If you don’t understand what Black Sky is,

let’s talk about Puerto Rico. More than six

months on, the island still does not have

dependable power.

28

Roundtable Discussions

Part 1 | Theme Resilient Processes,

People and Protocols for Black Sky Hazards

Questions Discussed:

What are the biggest challenges you face when making the case for systemic resilience to your

organisation/ sector/ clients/ colleagues?

What are the greatest opportunities you see to overcome these challenges?

What motivates you to be a champion for systemic Resilience?

Prior to a prolonged power outage, what plans, protocols or processes would it be

most useful to already have put in place?

• For the benefit of your operations?

• For the benefit of the system as a whole?

• For the benefit of the wider society

29

Part 2 | Managing Infrastructure Assets

and Systems for Resilient Response,

Restoration and Recovery

Questions Discussed:

During a prolonged power outage:

1. What would be the overall impact of your ability to

a. Sustain normal operations?

b. Sustain minimum service levels

c. Avoid critical failures?

Upon restoration of power after a prolonged power outage

2. What critical internal resources will you need to enable restoration and recovery?

3. How could other sectors best support your restoration and recovery?

4. Which assets/process would be your strategic priorities for restoration?

5. Which assets/processes will take the longest and/or be the most expensive to return to

normal operations?

30

Part 3 | Building and Enabling Black Sky

Resilient Communities and Institutions

Questions Discussed:

• How can we collectively best empower the creation of Black Sky resilient individuals,

households, communities, institutions and societies?

• What actions are needed now (prior to a Black Sky event) to build resilient capabilities

and empower community resilience?

• What are the best ways to engage the public in Black Sky scenarios?

• What capabilities and social capital does a resilient society require?

• What actions are needed now to build these capabilities and empower community

resilience prior to a Black Sky event?

• In what ways can community resilience be beneficial at each stage of the resilience cycle?

• What strategic information does a resilient community require at each stage of the

resilience cycle?

31 31

Black Sky

Resilience

Overviews

34

Multi-Sector Infrastructure Mapping and

Simulation for Extreme Hazards:

The GINOM™ Opportunity

John Organek, Administrative Director for Simulation and Modelling, EIS Council

John Organek spoke about the EIS Council’s GINOM™ initiative to model critical infrastructure

interdependencies. He characterized infrastructure as a “complex adaptive system” – an organism

with multiple interactions at multiple levels.

Organek defined the key challenge as “how to look at the complexity of these infrastructures and

their interdependencies to understand them, to explain them, and to make decisions about

them.”

This requires a good understanding of

how all the pieces work together. “What

are the connections? What happens of

this part breaks and that part doesn’t?”

Organek asked. The even more important

and difficult questions are “how do we put

Humpty-Dumpty back together, especially

if all of these pieces and all of these sectors

and infrastructures are interdependent as they are?”

EIS Council is examining this complexity “to come up with a concept that applies before the

event, during the event, and after the event as it happens. We can’t just look at collapse. We have

to look at how we bring it back,” Organek said.

How do we look at the complexity of these

infrastructures and their interdependencies,

to understand them, to explain them, and to

make decisions about them?

35

This initiative is called GINOM™, which stands for Global Infrastructure Network Optimization

Model. It has three parts, modeling infrastructure independence, providing decision makers with

situational awareness and optimizing decision-making in an emergency. A tool called SAND,

Situational Awareness Network Diagnostics, helps understand the situation and formulate

alternatives. A further component of the system known as a CANOE, which standing for Complex

Adaptive Networks Optimization Engine analyses and optimizes paths for restoring systems.

Organek acknowledged that this is a complex undertaking and EIS Council is working on it

together with partners in the utilities, in government, and also in non-governmental organizations

and academia. The product will not spring into existence fully formed but will rather develop in

evolutionary, iterative stages.

In conclusion, Organek invited all those interested to take part in the initiative to participate in

making it a reality.

36

Cyber Security Challenges for Evolving

Infrastructure Systems

John Clark, Professor of Computer and information Security, University of Sheffield

Professor John Clark shared insights from his background in computing and information security

that are relevant for cyber security of critical infrastructures. His key messages were:

We need enhanced pre-stressing of our systems and systems models.

In a climate of increasingly serious cyberattacks on infrastructure – the rash of “denial of service”

attacks being a recent example - Clark emphasized the importance of stress testing our cyber

defense systems to the utmost, by

simulating and exercising all the things

that could go wrong. While for twenty

years we’ve been urge to “think out of

the box,” as Clark put it, “in real systems

and real models, we’re interested not just

in thinking outside the box, but exploring

those nasty parts, those dark corners of

the box that normally we would not reach,”

meaning the little explored possibilities for

failure in our systems.

In real systems, we’re interested not just

in thinking outside the box, but exploring

those nasty parts, those dark corners of

the box that normally we would not reach,

meaning the little explored possibilities for

failure in our systems.

37

We need to live with insecurity on an ongoing basis and this is a challenge.

With attacks coming from diverse actors, the problems of response diagnosis and attribution

are acute. In many cases, certainty will be impossible to achieve. Some of the challenges and

uncertainties that Clark listed were the need to cope with multiple, novel attacks on systems

whose details are perpetually changing and where responsibility may be spread over multiple

domains. Moreover response is often hampered by self-inflicted injuries, such as a kind of

autoimmune reaction where the reconfiguration itself provokes provides a denial of service, and

also frequent mistakes that are made in attempts at remote reconfiguration of systems.

Standardization provides a single point weakness.

Clark pointed out that there are both advantages and potentially major disadvantages to the

increasing standardization of computer parts and security protocols. The downside is that, as he

out it, “if it breaks once, it breaks everywhere. You have hugely distributed systems where chips

are embedded in the fabric of society, you

suddenly realize that all your hardware is

duff, it’s going to cause big problems.” The

single points of failure can have immense

impacts. Clark remarked that it is unclear

what the right response to this problem

should be. Do we strive to improve reliability

of standardized systems, or embrace

heterogeneity?

We need enhanced situational

awareness and response strategies.

Professor Clark argued that there is a pressing need for enhanced situation awareness and

predictive consequential awareness for response actions. We also need to think about what

aspects of cyber-attack response can be automated and how as well as about what automated

support needs to be given to security management teams.

Finally, we need better attribution, forensics and evidence, to identify perpetrators, and also to

address legal implications of cyber assaults.

The downside of standardization is that if

it breaks once, it breaks everywhere. You

have hugely distributed systems where

chips are embedded in the fabric of society.

If all your hardware is duff, it’s going to

cause big problems.

38

London Resilience Partnership

Toby Gould, Deputy Head, London Resilience Partnership

Toby Gould from the London Resilience Group introduced his group as “an all-sector partnership,

so that every public sector, private sector, voluntary sector, can come together with the joint aim

of trying to make London a more resilient city.”

In 2017, LRG conducted a risk assessment of the consequences of a wide area power failure in

London. Gould described some of its findings. He noted that this scenario is rated as a very high

risk on the Community Risk Register for London.

Gould reported that “response capabilities are in place, you’ll be reassured to hear. But capacity

gaps and capability gaps do exist when considering long-duration wide-area disruptions.” He

noted that there is a widespread belief in

the U.K. resilience sector “that in a wide-

area power failure in London, we can take

our plans to deal with smaller ones and

just scale up our response.” The 2017 risk

assessment showed that such a response

will not work.

The risk assessment looked at the impact

of wide power outage with a total blackout for up to 5 days (increased to 7 days following recent

modelling) with prolonged disruption for up to 14 days due to loss of the National Grid.

Capacity gaps and capability gaps do exist

when considering long-duration wide-area

disruptions.

39

In the scenario there would be no (or extremely limited):

• Public water supply

• Healthcare services except critical care; operating theatres and emergency departments

• Road fuel supplies

• Telecoms and internet services

• Financial services / access to funds

• Food supply chain / access to shops

50% of organizations responded they could maintain operational capacity of some description

after one week. Gould reported that existing planning assumptions do not take account of some

of these severe secondary consequence.

The findings of a survey of resilience organizations, (which were restricted) revealed a wide range

of opinions about the preparedness of key player for such a scenario. Respondents assessed

that there were particular gaps in the areas of public communications, public engagement, and

community resilience.

Gould concluded that while “2017 took us to a better understanding of what the problem is, 2018

should be about taking practical actions to improve our preparedness. His key recommendation

was that “all resilience partners should review their ability to maintain critical services and respond

effectively to a wide area long duration power failure including secondary consequences.”

40

Lloyd’s Register Foundation Work

Ruth Boumphrey, Lloyd’s Register Foundation

Ruth Boumphrey introduced some initiatives of her organization, Lloyd’s Register Foundation,

the biggest engineering charity in the U.K. “We have a two-part mission,” she explained. “The

first part is to enhance the safety of life and property. The second is to advance public education.

LRF produces reports, that it terms “foresight reviews,” which analyze areas of infrastructure

security and make recommendations for improvement. These reports are written in “plain English,

so that bankers and accountants as well as technical people can read them.” Boumphrey briefly

discussed three of these reviews.

The first is on resilience engineering. The research focused on the US and used Hurricane

Sandy as the main example, interviewing

workers in ports, construction, health

care and other sectors. The key finding

that she reported was “there are complex

global infrastructure systems and they all

depend on each other. The more they’ve

been globalized the more they’re prone to

cascading failure across wide areas.” She

added that most of these infrastructures

are owned by the private systems. Currently, not enough work is being done on building inter-

sectoral cooperation.

There are complex global infrastructure

systems and they all depend on each other.

The more they’ve been globalized the more

they’re prone to cascading failure across

wide areas.

41

LRF proposes to lead work on improving resilience within critical infrastructure sectors. It plans to

work in the following areas:

• Governance: Helping develop incentives and rules, legal and financial instruments

• Capacity building and engagement: promoting professional development, publications,

communication and public engagement

• Data and supporting tools: developing shared datasets, modelling decision support

• International and global scale networks: advancing studies of global systems, supply

chains and knowledge networks.

The second program is in energy storage. Boumphrey noted that “energy storage is a major

factor in finding solution to resilience.”

The third program is in big data. This study is about resilience and robust infrastructures at

national and international levels, monitoring safety of complex engineer systems, and data-driven

engineering design under uncertainty.

Boumphrey concluded with the key messages of her presentation:

• Complex infrastructure systems need new resilience tools and approaches.

• Globalized sectors need international Cooperation to build resilience

• We need to now move from theory to practical implementation of resilience measures

42

The Resilience Shift Project

Juliet Mian, Reslience Shift Team, Arup

Juliet Mian introduced the work of the Resilience Shift Program, a partnership of the Lloyds

Register Foundation, and ARUP, a global engineering company.

“The mission of Resilience Shift is to make our world safer and better to live in, by catalyzing

change in how critical infrastructure is designed, delivered and operated,” she explained. “We are

promoting a shift in practice in three areas, towards:

Ensuring infrastructure systems remain functional in diverse conditions.

Considering infrastructure as socio-technical systems and systems-of- systems.

Defining critical infrastructure systems in

terms of how they protect, connect and

provide for society.

Resilience Shift is a new program. It’s

three main areas of focus are

1. Developing ways and means

to make resilience tangible,

practical and relevant

2. Analyzing and evaluating

Incentives - What is resilience worth? And to whom?

3. Catalyzing a shift from theory to practical implementation

The mission of Resilience Shift is to

make our world safer and better to live

in, by catalyzing change in how critical

infrastructure is designed, delivered and

operated

43

Water Focused Resilience Research

Dr Simon Jude, Cranfield University

Dr. Simon Jude raised some serious concerns about disaster preparedness in the UK, based on

his experience of working on resilience and infrastructure failures with around 150 infrastructure

operators, central government departments and regulators.

He asserted that in reality, “we don’t know a lot about these sort of infrastructure failures. And

even very small failures can result in big impacts that we don’t understand.” As an example,

he cited a 2015 crisis in Central London where a fire in an underground electrical junction box

caused 2000 people to be evacuated and cut internet access in several regions of the city.

Though modeling is indispensable, he also expressed some skepticism as to how far all potentially

catastrophic events can be modelled. “These are really complicated events, and I’m just not sure

we can model them,” he said.

In addition, Jude voiced concern about the

level of realism in many of the emergency

plans that he has seen. “You can see

there are some really huge assumptions

going on,” he said. He cited one regional

flooding contingency plan “that assumes

regional road and rail infrastructure will

remain viable.”

He remarked that in his experience, “people in these organizations are wearing, rose-tinted

spectacles. You start to get group think. People aren’t necessarily disclosing the full nature of

the hazards and risks that they’re dealing with. Can you believe what people are telling you?”

he asked. He recalled how after the 2007 UK floods, Gloucestershire County Council’s best

We don’t know a lot about these complex

infrastructure failures. And even very small

failures can result in big impacts that we

don’t understand.

44

practices protocol was described as a fantasy document by a subsequent report for creating a

false impression of readiness.

Jude raised a number of questions for further research including the following:

• Can we harness social sciences to understand behavior, values, and some of these

governance issues in resilience organizations?

• How can we empower the generally low-paid workers in emergency services to be more

effective?

• Can we enable local communities to take more responsibility for their own resilience?

• What are the ethical and equity issues involved in decisions about whose care we

prioritize in an emergency. “Do we prioritize the vulnerable? Do we prioritize cities against

rural areas?”

• How do we develop a framework to assess systemic risks?

45

Systemic Risk Research

Paul Larcey, Cambridge University

Dr. Paul Larcey discussed risk to electrical infrastructures from his perspective as a member of

the Global Systemic Risk Group at Princeton University. He described systemic risk as emerging

from “highly interconnected, interdependent systems that have fragility built into them by small

subsystem disturbances and amplifications through them.”

He listed the aims of the Global Systemic Risk Network:

• Develop a network of multi-disciplinary groups

• Understand existing methodological approaches

• Create a common communication

mechanism of systemic risk

understanding

• Develop systemic risk research

in a way that it can be applicable

and useful to practitioners and

policy makers

Systemic risk, he explained, is a result of

the growing complexity of our systems.

This has only become truer since Charles Perrow’s 1984 classic analysis of complex systems,

“Normal Accidents,” where Perrow wrote, “Predictably, systems fail but in unpredictable ways.”

He noted that “electrical infrastructure is particularly vulnerable because of the massive

interconnections we’re making” and asked, “How do we design robust networks from the

Systemic risk emerges from highly

interconnected, interdependent systems

that have fragility built into them by small

subsystem disturbances and amplifications

through them.

46

beginning if we don’t fully understand the systemic risks we’re building into them?” He raised

the possibility that we can learn about interconnected systemic risk in the electrical infrastructure

from other disciplines, citing the paper from Nature, “Ecology for Bankers,” which indicated that

diverse fields such as biology and finance can have cross-related methodologies outputs.

Larcey concluded by underscoring these key messages:

• The increasing vulnerability emerging from electrical infrastructure complexity and

interdependency needs to be acknowledged more widely.

• This is not just an engineering problem; human and socio-economic factors are equally

involved.

• We must explore what we can learn from other disciplines working with tightly coupled

systems.

• We need rigorous regulatory reviews and more global best practice sharing.

47

A Review of Digitally Connected Infrastructure

System Reslience

Tom Dolan, University College, London

Tom Dolan described work he did for the National Infrastructure Commission together with ARUP,

a large international firm looking at the resilience of digitally connected infrastructure systems.

(DCIS) One of the motivating concerns for the work was that, as Dolan put it, “there seems to

be a tacit assumption that as we become more digitally connected somehow our resilience will

improve, which I think needs closer examination.”

Dolan reviewed the literature and came up with eight recommendations towards the overall goal

of making systemic resilience a core objective of all infrastructure decision making and

implementation. The recommendations were:

Prioritise organisational paradigms and thinking tools to support Resilient Digital

Transformation

We have greatly enhanced data collection capabilities today, made possible by DCIS, but

our capacity to convert this data into

useful information lags behind. New

organisational paradigms and thinking

tools, that purposefully convert data into

meaningful information are needed. Such

tools could enable and support (i) Real-

time operating decisions and (ii) strategic

systemic decision-making processes,

in particular the National Infrastructure

Assessment (NIA.)

There seems to be a tacit assumption that

as we become more digitally connected

somehow our resilience will improve, which

I think needs closer examination.

48

Additional research to review current approaches and develop organisational paradigms and

thinking tools to enable DCIS to provide the information are needed to improve systemic resilience

and alleviate system vulnerabilities.

Make improving systemic resilience a core objective of all infrastructure governance

and planning

Systemic resilience must be integrated into the core objectives for all infrastructure decision

making processes. Systemic resilience requires equal weighting with efficiency in decision-making

processes, and the impact of any action on that systemic resilience must be made explicit during

decision-making processes.

Develop an interdependency toolkit for systemic resilience analysis

Interdependence analysis potentially enables greater understanding of the root causes of

infrastructure system resilience, vulnerabilities, performance and other systemic challenges.

We need to develop an interdependency toolkit for analysing interdependencies. This should

be applied to support analysis of the interdependencies that enable DCIS; possible options

to minimise new vulnerabilities created when implementing DCIS; the root causes of systemic

resilience and vulnerabilities in DCIS and the underlying infrastructure systems of which they are

a part.

Define DCIS explicitly in terms of interdependency with underlying infrastructure

systems

Interdependency offers a conceptual framework and terminology to better understand and

analyse digitally connected infrastructure systems

Apply LTS (Large Technical Systems) theory and CAS (Complex Adaptive System)

thinking to analyse digital transformation impacts and DCIS resilience

Adopt a more nuanced approach to NAT (Normal Accident Theory) in Infrastructure

Systems

NAT can provide a useful lens to analyse emergent system properties. In the context of

infrastructure systems, the term “normal accident” is applicable to any emergent property of the

infrastructure system. System problems such as local air quality, managing flood risk, congestion

can all be interpreted as normal accidents. Further research to analyse these types of systemic

infrastructure challenges from an NAT perspective is recommended.

Adapt HRO (High Reliability Organization) thinking to develop a set of HR High Reliability

Complex System principles

The concept of high reliability should be given a similar status to systemic resilience as a core

objective for infrastructures. Specifically, achieving high reliability should either be given equal

weighting with efficiency in decision-making processes. Impacts on the ‘high reliability’ of a

system should be made explicit during decision-making processes.

49

Research is needed to (i) investigate the applicability of HRO principles to interdependent

infrastructure systems; (ii) adapt HRO principles based on the findings of (i).

Undertake research to identify leverage points in infrastructure systems for targeted

Resilience interventions.

We need research to assess how insights from Donnella Meadows seminal paper, “Leverage Points:

Places to Intervene in a System,” can be applied to tailor approaches to DCIS implementation

that minimise impacts on systemic resilience and the likelihood of normal accidents.

50

Panel 1Question Time Panel on Strategic Research Priorities for Black Sky Resilience:

Reimagining Systemic and Societal Resilience to Black

Sky Hazards as a New Normal: Blue Skies Research

Priorities for Black Sky Resilience

Panelists: Prof. Brian Collins, Prof. Liz Varga, Ruth Boumphrey, John Heltzel, Prof. John Clark, Dr. Simon Jude

Question Time Panel on Strategic Research Priorities for Black Sky Resilience: “Reimaging

Systemic and Societal Resilience to Black Sky Hazards is the New Normal: Blue Skies Research

Priorities for Black Sky Resilience.”

The session Chair, Professor Brian Collins opened by asking the panelists to name their top one

or two highest research priorities, whether for academia, government or business that would help

us to prepare for a Black Sky event.

John Heltzel responded that we need to ensure continuous improvements in resilience

investment. He noted EIS Council’s resilience investment matrix project as a research project

that can help lead practitioners in this direction. Heltzel also stressed the need for improvement

in the planning process itself. “So many agencies we work with have a very rudimentary plan,”

he said. “We need plans that are very detailed and directive and can be executed without a lot of

kickstarting. People need to know what they must do, and start doing it immediately.”

John Clark answered that he would like to see research that simulates our systems and “pushes

them to extremes,” in order to better understand their strengths and weaknesses. In a different

51

vein, he advocated more social science-based research into how we build the informal trust

networks between companies and organizations that will be absolutely essential to leverage in

a Black Sky event. The final area he discussed was the need to develop far-more extensive

automated decision support for emergency response and to understand much better the

appropriate interaction between human and automated response systems. “We’re going to be in

difficult situations with systems we don’t fully understand. We’re going to need as much help as

we can get from an automated perspective.” he said.

Liz Varga answered that she would like to see discussion about “what mechanisms there are to

understand that we’re approaching resilience challenges and prevent them becoming Black Sky

events, and then what we can do to help others engage in the practice of keeping systems

resilient.”

Ruth Boumphrey commented that there is a great deal of excellent resilience research being

done and one of the challenges is to implement it more widely in practice. She added that tools

to support situational awareness for decision makers are very much needed. “Just having plain-

English situational maps of what your sector looks like and what its vulnerabilities are would be

tremendously helpful,” she said.

Finally, she noted that, based on her

experience sitting on various company

boards, “you sit there with these risk

registers, and they’re totally useless.

You pull them out every now and then,

when something fails. You look at the

risk register and say, it wasn’t on our risk

register.” She recommended that instead,

organizations should have a “resilience register.” Instead of listing bad things that could happen,

this tool would help companies answer the question, “what are the options to continue the

delivery of our service, should something unforeseen happen?”

Brian Collins highlighted that the panels responses were more about social science, organization

and governance than there was about technology. “We’ve got tons of technology,” Collins

observed. “Unfortunately, in a Black Sky event, a lot of that won’t be very much use to us. Once

it’s all gone, it’s going to be down to people.”

Collins then posed the question: “What role do communities have in building resilience?”

John Heltzel emphasized that communities must be active participants in promoting their

own resilience. Otherwise, they will be ill-prepared to receive and implement the resources and

directives coming from government.

Brian Collins cited the experience of Britain during the blitz in the Second World War. He noted

that “London was prepared at a street level where local people looked after what happened as a

result of that bombing every night, for the best part of a year.” Germany by contrast, did not have

such a local resilience network, one reason why the bomb damage to its cities was much worse.

Brian Collins next asked the panel, how should we manage the risks resulting from complex

systems, different components of which are under the control of separate authorities. If the

“system of systems” needs to be kept resilient, “who owns the system of systems?”

We need plans that are very detailed and

directive and can be executed without a

lot of kickstarting. People need to know

what they must do, and start doing it

immediately.

52

John Clark responded that the answer lies in building trust and cooperation and enabling

organizations to share information. “There needs to be research into how people or organizations

who do not actually trust each other 100%, which is pretty much everybody can collaborate,” he

said. “We also need to understand better how to share information and how to share information

for certain purposes, so that information is not shared for others.”

Ruth Boumphrey commented that in the private sector where firms compete with one another,

there is much room for improvement in cooperation. She added, “I do think there needs to

be a more mature dialogue within sectors, around the delivery of food, water, electricity or

telecommunications that says in times of stress that there are certain protocols that we can share

and use to give priority to those who have greater need.”

53

Open Question & Answer

Randolph Kent from the Royal United Services Institute asked, “what do we really mean in the

21st century by community? Is it a merely geographical or geopolitical concept, or do we also

take into account other non-spatial networks?”

Ruth Boumphrey answered that we learn the habits of resilience in families and extended

communities. We have a feeling for resilience because at a family level we plan for it. We have

insurance, networks, social networks, savings. We build resilience into our own personal and

communal lives because we understand that we need to get over hardship.” Consequently, non-

geographical networks of mutual self-help such as religious communities certainly have a role to

play.

John Heltzel agreed, saying “family is the bedrock, and that’s why in EARTH EX we’re looking at

an individual and family preparedness lane because people have to survive.”

Brian Collins: added that today technology enables communities that are not geographically

defined. As an example, he cited Dr. Ellie Cosgrave, at UCL, who has built a large global network

of female engineers and sustainability

experts who are articulating a distinctively

female perspective on resilience

Professor AbuBakr Bahaj asked “how

do we get infrastructure owners in a room

like this, and how do we get citizens and

their leaders including leaders of cities to

be in a room like this?

John Heltzel responded by referring

to U.S. where this is slowly beginning to

happen. He cited EIS Council’s work in

running a dozen different workshops for state government leaders on Black Sky resilience in

2017. US government has increased owing to the extraordinarily destructive 2017 hurricane

season and mounting awareness of the danger of a massive cyber-attack on infrastructure.

David Rubens from the University of Portsmouth commented on the nature of trust in relation to

resilience saying, “trust is transactional in that you develop it by working with each other. One of

the fundamental truths of crisis management is if you haven’t done something beforehand, you

probably can’t start doing it in the middle of a crisis.” It is essential, therefore to begin early with

the work of developing integrated

frameworks, shared experiences and

shared culture which will enable people

from diverse sectors to cooperate in a

crisis.

Liz Varga said that we should begin

teaching resilience early, at school age.

She asked, “Why aren’t we teaching

There needs to be a more mature dialogue

within sectors, around the delivery of food,

water, electricity or telecommunications

that says in times of stress that there are

certain protocols that we can share and

use to give priority to those who have

greater need.

Trust is transactional in that you develop

it by working with each other. One of the

fundamental truths of crisis management is

if you haven’t done something beforehand,

you probably can’t start doing it in the

middle of a crisis.

54

resilience to young people so that when they come into the communities as adults they’re already

aware of the concept? They already have it embedded in their thinking.”

John Mason asked about how you manage the shock and emotional panic of a massively

disruptive event.

John Heltzel responded that the key emergency response areas “have to practice and practice

and practice,” so that they can continue to do their jobs in the face of what may well be shocking

circumstances. He also affirmed the importance of working with children and families, saying

“when we first envisioned EARTH EX, the idea of an individual and family lane, especially a family

lane, was a novel idea. Now we’re totally committed to it.”

Brian Collins concluded with a call to recognize the urgency of the work needed to prepare for

Black Sky level emergencies, saying “the idea that some sense of pace is needed, some sense

of tempo in this work is really sadly lacking.”

55

Panel 2Question Time Panel on Immediate Actions and Priorities for Black Sky Resilience:

Establishing Systemic and Societal Resilience to Black

Sky Hazards as a New Normal: Immediate Actions and

Strategic Priorities

Panelists: Avi Schnurr, Lord Toby Harris, Toby Gould, Juliet Mian,Lord James Arbuthnot

Lord Harris, the panel Chair framed the discussion by asking the panelists what they thought

were the most important issues to emerge from the day that are actionable for a policy maker,

industry leader or academic.

Avi Schnurr answered that the key insight is the importance of focusing on actionable priorities

to increase Black Sky resilience and not to let study of the problem serve as a substitute for taking

action. “We need to make sure that every

event, every discussion, every meeting

has concrete output that drives to action,

and that the plans are built in a very crisp

way which drives explicit action by the

membership of each sector,” Schnurr

said.

Toby Gould responded that the London

Resilience Partnership’s strategy has four

thematic areas.

We need to make sure that every event,

every discussion, every meeting has

concrete output that drives to action, and

that the plans are built in a very crisp

way which drives explicit action by the

membership of each sector,

56

Understanding risk and the planning assumptions underlying efforts to mitigate risks. Gould

opined that in London this area is relatively well understood

Preparedness to respond to and recover from any incident or emergency

Learning lessons from previous emergency events

Long-term adaptation of systems to be more resilient.

Gould summarized the major priority as being “to put ourselves on a better footing to respond

should we face wide-area power outage tomorrow?”

Juliet Mian singled out two points; firstly, “when we talk about Black Sky resilience, we should

make sure we’re also thinking about the unknown unknowns and the attributes that will help us

be resilient no matter what, rather than focusing only on the particular hazards.” Secondly, she

stressed the need “to make sure from the beginning that the discussions include private sector,

infrastructure owners and operators.”

Lord Arbuthnot declared that the top priority in a Black Sky event is to have some method of

communicating which is not the mobile telephone network and which will work even if the

electricity system is not operational.

Lord Harris next posed to the panel

a couple of related questions from the

audience about what should be the role of

communities and of the general public in

building resilience and planning for Black

Sky scenarios. In particular, he asked what

the proper balance should be between

constructively involving the community

and sowing unnecessary panic among

the public.

Given societal lifetimes, the probability of a

Black Sky event is 100%. If we’re talking

about the probability in the next year,

it’s certainly not 100%. But do we want

the United Kingdom to be sustained and

continue to exist more than a year? I think

so. More than 100 years, maybe more than

500 years?

57

Toby Gould answered that engaging geographic, business or professional communities in

building resilience is certainly positive. He opined that the best approach is to promote community

resilience to common, easily imaginable hazards such as local floods and that these preparations

may help in the event that rarer catastrophic hazards strike. Juliet Mian agreed that disaster

resilience can be taught in schools and workplaces and floated the idea of a national day of

resilience.

Avi Schnurr declared that “that there no reason to shy away from the challenge of educating

people broadly about Black Sky hazards.” He explained that “given societal lifetimes, the

probability of a Black Sky event is 100%. If we’re talking about the probability in the next year, it’s

certainly not 100%. But do we want the United Kingdom to be sustained and continue to exist

more than a year? I think so. More than 100 years, maybe more than 500 years? Let’s not wait

until it’s too late to educate the public.”

Schnurr continued that it is better to engage the public in preparing for Black Sky events before the

threat becomes so credible that it is terrifying. “We should treat it as an opportunity to challenge

people,” he said, “to get them to feel like here’s something which really is a global threat which

I, an ordinary person, could take an important role in. People look for challenges in their lives,

Schnurr added. “One of the symptoms of depression, which is a big problem worldwide, is that

people have trouble finding broadly useful, creative, compelling missions to work on.”

Schnurr continued that the communications with the public can and should be low-cost, and also

should build up gradually and cumulatively.

On the probability question, Lord Harris added that “if you’ve got six 1-in-100-year events, which

would be catastrophic, you have to recognize that the chances that one of them will at least have

happened by the year 2030 is better than evens more likely than not.”

Ruth Boumphrey suggested that, based on her experience, creating a Cub Scout badge can be

an effective way to communicate such a message. “You can put complex things into a structured,

lost cost framework which reaches children and their families, internationally.”

Mark Chapel from the Emergency Planning Society, proposed that government appoint an

inspector general for emergency management who oversees implementation of Civil Contingencies.

Other speakers questioned whether an additional layer of regulation is necessary and suggested

the issue is the effectiveness of the

existing regulatory bodies. Clive Bairstow

of the National Grid suggested that the

key to successful regulation is to have a

champion in the heart of the government,

a role fulfilled by Oliver Letwin until 2015.

Lord Arbuthnot agreed that identifying

ministers favorable to the resilience

agenda is vital. Avi Schnurr affirmed

that what is required is not creating new

inventory bodies, but empowering the

bodies that already exist, especially in ways that enable them to help build cross-sector, public-

private collaboration.

The regulatory community in the United

States has gotten to the point where they’re

concerned and recognize Black Sky has to

be addressed. They are looking for help,

especially in terms of finding Black Sky

resilience metrics that they could utilize.

58

Andrew Singh proposed “that community leaders of any faith community and charities should

have a competency test that they need to pass, including leading their communities in doing

something useful in times of emergencies. Many people in places of worship haven’t even tested

their fire alarm. We really need people who are competent.”

Professor AbuBakr Bahaj from the University of Southampton argued that just as the Bank of

England imposed stress tests on banks to test their resilience in financial crises, infrastructure

owners should be subject to tests that examine their resilience to extreme risks.

In response to a question about the engagement of US regulators with Black Sky, Avi Schnurr

responded that, “the regulatory community in the United States has gotten to the point where

they’re concerned and recognize this has to be addressed. They are looking for help, especially

in terms of finding black sky resilience metrics that they could utilize.”

Juliet Mian agreed that in the UK too there is a demand from policy makers for a metric than can

assess and communicate resilience levels. There is, though, she said “always a tension between

“is this something you can quantify, and actually can you do anything about it if you can’t quantify

it.” Lord Arbuthnot added that in the UK regulation would need to be coordinated by the Cabinet

Office to avoid gaps between the responsibilities of regulators.

Liz Varga referred to her work in helping create an annex about complex systems to the “Magenta

Book,” which is the UK governments guide to how do to project and infrastructure evaluations.

He suggested this might an opportunity to introduce a requirement that complex systems require

regular resilience checking.

Dr. Kristen MacAskill from Cambridge University raised another area where government can

play a role, in assessing more accurately the value of resilience. She asserted that the cost-benefit

analysis criteria for new infrastructure do not adequately capture the future resilience benefits

of a more resilient solution. “So, we engineers end up building infrastructure we know isn’t the

best infrastructure that we could deliver to the community if we had the remit to actually value it

accurately.” Toby Gould remarked that the Environment Agency has a quantifier that every one

pound spent on flood defense assets in the U.K. delivers four pounds of savings and that a similar

parameter should be introduced into assessment of protection against other risks.

Tom Dolan pointed out that resilience has multiple components, including robustness, reliability,

recovery and recovery. This multiplicity of aspects calls for a collection of metrics and some kind

of weighting on them.

In conclusion, Avi Schnurr argued that it is very helpful to think about Black Sky resilience in

conjunction with the Black Sky playbook development process. As he put it, “what a resilience

metric would mean is that there is a consensus that there are certain things sector by sector

would be important for reaching reach a threshold where that sector is prepared for Black Sky

hazards.”

For such a metric to be meaningful, it needs to be accompanied by a clear consensus regarding

what needs to be done in each sector to arrive at that point of preparedness and what the gaps

are that would need to be filled, which is the essence of the Black Sky playbook development

process. Summarizing the interdependence of metrics and playbooks, Schnurr said, “If you ask

people to do something and you don’t tell them what exactly it is and how to measure success,

you’re going to keep going in circles.”

59 59

60

Closing Remarks

Brian Collins

In his closing remarks, Brian Collins began by quoting a recent former UK Prime Minister who

said, “Infrastructure matters because it is the magic ingredient in so much of modern life.” Collins

commented, “it isn’t magic. It’s hard work by a lot of different people doing a lot of different but

interconnected things. Can we collectively make sure our political leaders actually understand

how this stuff works much better than they appear to?”

Moving on to the question of regulatory reform, Collins noted that the regulatory environment in

the UK was created following the wave of utility privatization in the 80s and 90s to deliver value

as it was then understood. “The regulatory framework was set up in order to handle the transition

from public ownership to private ownership.” After 25 years of working out this model, the utilities

now look relatively stable.

The regulatory challenge today, Collins asserted is “not to create a new regulator but to create a

regulatory environment that is fit for a purpose to handle not only normal conditions but extreme

conditions such as the one we’ve just been talking about.” In addition, he proposed there should

be metrics to ensure that utilities are complying with regulation to prepare for such extreme

events.

Turning to the importance of international

coordination, Collins suggested that

the only comparable historic example

of successful coordination on this scale

was the case of nuclear disarmament. An

outcome of that chapter in international

relations is that “there is a body of

Infrastructure isn’t magic. It’s hard work

by a lot of different people doing a lot of

different but interconnected things. Can we

collectively make sure our political leaders

actually understand how this stuff works

much better than they appear to?

61

literature on how to coordinate very difficult subject matter together to deliver outcomes which

move everyone in the right direction, even though on the face of it in the short term it’s not in

their best interest to do so.” Collins recommended those involved in international efforts aimed at

building infrastructure resilience make use of this literature.

In conclusion, he affirmed that as part of the international transdisciplinary infrastructure research

program that he heads,” we’re very happy to look at research that is needed in order to deliver

infrastructure that is fit for purpose under extreme circumstances. That includes a Black Sky

situation.”

He strongly asserted the importance of international focused collaboration and discussion such as

this event. “We need to understand the globalization of this opportunity as well as its vulnerability,”

Collins stressed.

ELECTRIC GRID PROTECTION

TM