26th February 2018 | London
Infrastructure and Societal Resilience to Black Sky Hazards
Seminar Report
The London Black Sky Seminar 2018
was organized and hosted by:
The Electric Infrastructure Security
(EIS) Council
Department of Engineering
ENCORE Network
Executive Summary
Introduction
The Need for Systemic Resilience to Black Sky Hazards
Infrastructure systems provide an indispensable platform for societal and economic activity.
They generate and enable a continuous flow of emergent desired outcomes, without which
civilisation as we know it could not exist.
Modern infrastructure systems comprise an increasingly interdependent web of infrastructure
components, decision making processes and the external environment. This interdependent
web greatly enhances the scale and scope of benefits enabled by infrastructure, while
simultaneously magnifying the potential for disruption to trigger far reaching consequences
across all infrastructure sectors, society and the economy (cascading failure).
Systemic Resilience to this type of cascading failure is therefore vital for a successful economy
and society. We need to develop infrastructure that is resilient and can be restored following
any form of disruption to normal operations. Moreover, we require societal, community, and
institutional structures that are resilient to the impacts of infrastructure failure.
The near universal dependence of modern infrastructures on a continuous supply of
electricity, and the potential for Black Sky hazards to cause national scale power outages of
indeterminate duration make these resilience goals urgent.
Resilience to Black Sky hazards cannot be achieved by scaling up plans for short term
localised power outages. However, the creation of systemic resilience to Black Sky hazards
will yield significant benefits for short, medium and long-term resilience planning.
Building on findings from the first workshop in this series, this academic seminar brought
together representatives from across infrastructure disciplines and related interdisciplinary
fields to examine four themes of strategic significance to such an approach.
Theme 1: Managing Infrastructure and Assets for Black Sky Hazard Response,
Restoration and Recovery – Focused on the operational and management challenges of
sustaining, restoring and recovering infrastructure assets during a black sky event.
Theme 2: Resilient Processes, People and Protocols for Black Sky Hazard Alert,
Emergency, Restoration and Recovery – The people, plans, processes and procedures
required to respond to a black sky event, and to what extent these can be developed prior
to an event.
Theme 3: Establishing Systemic Black Sky Resilience as a New Normal – Focused on
the long-term challenge of improving systemic resilience.
Theme 4: Building and Enabling Black Sky Resilient Communities and Institutions
– Focused on the role of community resilience and social capital, as essential complements
to the infrastructure focused elements of resilience planning.
Key Points
We live in an interdependent world, sustained by increasingly interdependent and
vulnerable critical infrastructures that are all powered by electricity.
The interdependent infrastructures that make advanced societies and economies possible
are vulnerable to a broad, long-duration power outage – a Black Sky event. The cascading
effects of a massive power outage on other infrastructures could lead to catastrophic loss
of life.
Black Sky hazards will inevitably occur in the coming years
Six types of hazards have been identified as having the potential to cause a Black Sky event: EMP,
cyber-attack, malicious physical damage, earthquake, severe space weather and severe terrestrial
weather. Cyber-attacks on critical infrastructure have already occurred. North Korea’s
nuclear program makes an EMP attack imaginable. Hurricane Maria caused a bounded
Black Sky disaster in Puerto Rico in 2017. As John Heltzel of EIS Council said,
“If you don't understand what Black Sky is, let's talk about Puerto Rico. More than six
months on, the island still does not have dependable power.”
Given the seriousness and plausibility of these threats, Lord Toby Harris emphasized that
“Black Sky hazards should be high on the agendas of decision makers, and awareness of
these threats should be raised at all organizational levels.”
Protecting against Black Sky hazards requires cost-effective resilience investments
and detailed cross-sector planning and exercising
As Professor Brian Collins put it, "Most of you will have worked on disaster-recovery plans
which assume that some supporting services are intact after the event. Black Sky challenges
every one of those assumptions." Consequently, Black Sky recovery plans for each sector
need to pay close, detailed and realistic attention to what support may be available from
other sectors, and how each sector may support the others. Avi Schnurr of EIS Council
stressed,
“There have to be very concrete Black Sky plans that lay out what each sector must
achieve in such a crisis and what it will require from other sectors.” Such planning has yet
to take place in most countries and sectors.
Critical Infrastructure design needs to incorporate systemic resilience as a core
objective.
Tom Dolan presented eight recommendations towards the goal of making systemic resilience
a core objective of all infrastructure decision making and implementation. Continuing the
theme that our infrastructure needs higher levels of built-in resilience, Kristen MacAskill noted
that currently “the cost-benefit analysis criteria for new infrastructure do not adequately
capture the future benefits of a more resilient solution.”
“Calling in the army” will not work as a response to a Black Sky event in the UK
Lord James Arbuthnot warned that it will be unrealistic to expect the military to step in as
the last resort solution in a Black Sky event. In addition to the UK military’s shrunken size,
infrastructure recovery today requires highly specialized skills. Moreover, the defense sector
will also be dealing with “the cascading effects of a loss of electricity leading to a loss
of communication, understanding, order, cohesion, fuel, water, food and money.” To be
prepared, the defense sector needs to take the same steps as others:
“They need to recognize there's a problem. They need to have a plan and to practice
it. They need to have spares and redundancy. They need to work on recovery and do a
constant audit.”
Developments in Artificial Intelligence and Machine Learning provide important
opportunities for building Black Sky resilience.
Professor Liz Varga pointed to the potential of AI-based tools to help protect against Black
Sky threats. The sheer volume of cyber-attacks on infrastructure requires the deployment
of AI-driven automated response to most events. Avi Schnurr explained that EIS Council’s
GINOM™ project aims to meet the need for “very good-quality models that lay out all of
the infrastructure interdependencies, provide simulation and forecasting mechanisms and
make those available for decision makers.”
Standardization of systems and parts provides efficiency benefits but also
resilience dangers
Professor John Clark pointed out that “the downside of standardization is that if it breaks
once, it breaks everywhere. You have hugely distributed systems where chips are embedded
in the fabric of society. If all your hardware is duff, it’s going to cause big problems.” Such
systemic failure was a cause of the recent WannaCry ransomware cyber-attack.
Regulators have a major role to play in establishing processes and metrics for
Black Sky resilience and recovery
Avi Schnurr reported that regulatory sector involvement in Black Sky preparation is beginning
to happen in the United States, saying “the regulatory community in the United States has
got to the point where they're concerned and recognize Black Sky has to be addressed.
They are looking for help, especially in terms of finding Black Sky resilience metrics that they
could utilize.” The consensus of speakers was that rather than creating a new regulator
for Black Sky, the need is rather to empower existing regulators to develop and implement
cross-sector metrics, standards and processes that bridge the private and public sectors.
The Black Sky threat is global and the solutions require global cooperation
Critical infrastructures today are globally interconnected, carrying a risk that the impacts of
a massive outage will overspill national borders. Consequently, the solutions also require
broad international knowledge-sharing and collaboration. This event, bringing together
leading experts and practitioners from a number of countries including the U.K., U.S. and
Israel, served as a beginning and an example of the international cooperation that is required.
Introductory Session
Welcome and Introduction
Professor Brian Collins, UKCRIC Chairman
Professor Brian Collins welcomed participants with some introductory remarks on the “Black Sky”
challenges that the day would address.
He noted that the threat nexus of long-term power outages, combined with critical dependence
of all infrastructures on electric power and the interdependence of smart infrastructures, was
particularly acute in cities. Humanity is undergoing intensive urbanization, with 70% of people on
Earth predicted to live in cities within 20-30 years, implying that the threat will only become more
severe.
Collins emphasized key qualitative differences between Black Sky and other disasters for which
participants may have prepared: “Black Sky is about the unthinkable situation of everything
failing. Most of you will have worked on disaster-recovery plans, business-resumption plans,
which assume that some supporting services are intact after the event. This is about challenging
every one of those assumptions. Whatever you assumed was going to work in order that your
disaster-recovery process could be booted or started up, that assumption is invalid. That’s what
we mean by Black Sky.”
Previewing some of the issues to be discussed during the day, Collins noted the importance of
striking the “right balance between the unthinkable and the normal” in research so that resources
are directed towards both extreme and more common threats. He also underscored that resilience
investments have an unavoidable cost-effectiveness dimension, so that we can distinguish
between “what is it that we have to afford, what is it that we can consider we need to afford, and
what is it that is nice to have?” This implies a critical appraisal of the resilience value of investment
in technology and systems, people and training, process and protocols and the right mix of these
elements. A further issue that Collins raised is “the balance of being prepared, being able to react,
and then being able to recover.”
Collins pointed out the importance of this being an international event: he said, “we’re living in
a very interdependent world. Cities and
nations depend on each other for their
livelihood, mainly through trade, but also
through cultural exchanges and through
knowledge exchange. We are developing
our sharing of knowledge and our sharing
of capability to provide Black Sky resilience
on a global scale – that’s very important.”
He also stressed the significance of
bringing university researchers together
with those tasked with practical resilience
efforts. “We’ll hear about research and also about some of the activity that is going on in this
country so that what we think is a good idea is practiced and rehearsed in real terms, so that
people can find out what works and what doesn’t.”
Black Sky Interdependency Challenges
A Global Perspective
Avi Schnurr, CEO and President, Electric Infrastructure Security Council
Avi Schnurr, CEO of EIS Council, began by acclaiming the tremendous expertise of those in the
room. He called the group, “the infrastructure brain trust of the United Kingdom and also, to a
degree, of the world.”
He proceeded to define a Black Sky event as “a very large-scale power outage” and referred to
six hazards, both malicious and natural in origin that could cause such an event: EMP, cyber,
physical attack, space weather, severe terrestrial weather and earthquakes. Schnurr underscored
that such outages can cause “the failure of everything, through cascading failures or interconnected
infrastructures and resource supply chains.”
He pointed out that the mega-cities in which so many of us now live are only possible because
of hyper-connected networks in which not just infrastructures, but also the supply chains for
those infrastructures are thoroughly
interdependent.
Schnurr compared this interdependence
to a living organism. “The strength,
efficiency, and effectiveness of
interconnected infrastructures enables
our unprecedented living standards
and levels of culture today.” However, he
warned, “the problem is that in any organic system if you pull out some major piece, the organism
collapses.” Whereas living organisms have immune systems to deal with such dangers, “there is
no systematic immune system for the interdependent infrastructures and resources that we utilize
today. That is an extremely dangerous situation.”
Schnurr pointed out that these interdependencies are not only multi-sectoral, they are also
international. Infrastructures and supply chains are today globally connected and so a global
effort is required to address the threat of their potential failure. This reality requires that “we find
ways to be outwardly looking, so that our primary concern when it comes to resilience becomes
what is it that my sector, my company,
and ultimately my nation must do to
support all the others.” Schnurr stressed
that such an approach “will be absolutely
mandatory if we’re going to protect this
organic system that we now live in that
supports our lives.”
Schnurr added, extending the physiological
metaphor, that our systems today lack not
only an immune system, but also a level
of “fat” that can serve as a buffer against
crises. “Infrastructure by infrastructure, what remains in supply chains is now down to about three
days. That means there are three days between failure of infrastructures in a large area and lack
of water, lack of food, lack of pharmaceuticals, lack of fuel.”
Turning to the required solutions, Schnurr declared that the first requirement is integrated cross-
sector planning. “There have to be very concrete Black Sky plans that lay out what each sector
must achieve in such a crisis and what it will require from other sectors.” EIS Council’s EPRO
Sector program lays out such a planning process; in the UK this initiative is led by Lord Toby
Harris.
The next requirement is to put in place infrastructure coordination mechanisms that can operate
in real time. This coordination must, Schnurr explained, do two things: “firstly, support restoration
of infrastructures so they can return to operation, both to repair damage and to restart those
infrastructures; and secondly to sustain the population while that restoration is going on.” Crucially
this requires plans that are regularly exercised. EIS Council’s annual EARTH EX international,
multi-sector exercise, which takes place this year on August 22nd, aims to help meet this need.
Schnurr elaborated on two other essential recovery tools. The first is “a very robust emergency
communication system that is deployed to all sectors. It needs to have international connectivity,
and an internal self-powered capability to last weeks if we want this whole process to work.”
Schnurr reported on a private-sector initiative called the BSX Emergency Communication System
within the United States, which is potentially of relevance internationally.
The second tool that Schnurr described is the GINOM modeling process that EIS Council is
developing. Schnurr explained that this is designed to meet the need for “very good-quality
models that lay out all of the infrastructure interdependencies, provide simulation and forecasting
mechanisms and make those available for decision makers.”
Schnurr concluded that developing these tools is a community effort and thanked all those
present who are contributing to it.
Current and Future Challenges, Priorities for
Black Sky Resilience a UK Perspective
Lord Toby Harris, EPRO ESC Coordinator, UK
Lord Toby Harris opened by reprising some of the essential themes that emerged from the highly
successful 2017 Black Sky seminar at the Royal Society. Firstly, as Lord Martin Rees warned,
“Our power grids are becoming ever more crucial. Cities will be paralyzed without electricity. And
the lights going out will be the least of the consequences. Everything else that urban life depends
on is vulnerable to breakdowns, errors, or even intentional sabotage.”
Secondly, Harris declared, “no single sector can function without the partner sectors that each
depends on. Consequently, coordinated planning and engagement are essential.”
Thirdly, a prolonged, widespread power outage would cause cascading failures of other systems.
Fourthly, policy, for understandable reasons, tends to focus on the high-probability risks. However,
“it is also essential to plan for the mitigation of low-probability but devastatingly high-consequence
events.”
All of this is vastly complicated by the
nature of the Black Sky environment,
which Professor Liz Varga describes
as VUCA - volatile, uncertain, complex,
and ambiguous. As Harris put it,
“infrastructure systems are now so
intricately interconnected that we cannot
possibly understand the magnitude and
consequences of these interconnections.
There is instability, a lack of information, and when things go wrong, an inability to know what is
causing events.”
Harris stressed that “the overriding conclusion of the day was that Black Sky hazards should be
high on the agendas of decision makers, and that awareness of these threats should be raised
at all organizational levels.”
Harris noted a number of institutional and cultural trends that make tackling Black Sky threats
more difficult. He pointed out the tendency of people today to work in specialized silos, which
inhibits the cross-sector cooperation that is necessary. In addition, the increasing reliance on
technology improves efficiency but introduces new vulnerabilities.
He also pointed to a phenomenon specific to recent UK history, “the cultural change that has
accompanied the shift from public to private ownership of the key lifeline utilities,” and the way in
which “the business cases for investment that require short-term returns militates against work to
address low-probability events, even where the potential consequences are massive.”
Moving on to define Black Sky and Black Start events, Harris set out the following key definitions and
characteristics:
• Black Sky is a prolonged, wide area electricity outage affecting the whole of the UK or
a substantial part of it for several days or more.
• Black Start is the term used by the
National Grid for restarting the
Grid from a total power down.
• Best estimates now suggest
that this would require up to
seven days before most of the
country had power restored.
• However this estimate assumes that the National Grid itself has not been damaged by
the event that triggered the outage.
Turning to the causes that could trigger a Black Sky event, Harris listed six that are widely agreed
upon, and also suggested a possible seventh.
The first three causes are malicious and man-made:
1. Concerted physical assault. Harris noted that in 1996, the IRA planned just such an
attack, involving 37 explosive devices, designed to disable six substations and deprive
London of electricity.
2. Electromagnetic pulse attack. This would involve a nuclear blast in the atmosphere,
something incidentally that, Harris remarked, “the North Koreans announced in an official
news release only last year that they were contemplating.”
3. Cyber-attack. Harris described this scenario as “worryingly plausible,” observing that
“we know this has been deployed against the Ukraine. And last year, the U.S. Department
of Defense Science Board reported that the U.S. grid had been so effectively penetrated
by both Russian and Chinese hackers that either could switch off electricity supplies at
will.” There is no reason, Harris stressed, “to suppose UK systems are any more secure.”
The next three causes are natural:
1. Extreme terrestrial weather. Hurricane Harvey and Superstorm Sandy both led to
prolonged power outages. Hurricane Irma reportedly left eight million people
without power, including the whole of Puerto Rico. This was effectively a Black Sky event for
the island.
2. Coronal mass ejection – Extreme space weather. Harris referenced the devastating
Carrington event of 1859 which burned out telegraph systems across the globe. Harris
warned that today we are enormously more dependent on electrical systems, “to say nothing
of the GPS satellites that would be fried” by such an event. Indeed, in 2012 a massive solar
storm narrowly missed the Earth. Had it hit, the economic impact has been estimated at two
trillion dollars.
3. Earthquake. “There are plenty of places in the world where severe earthquakes would
undoubtedly create Black Sky hazard,” Harris said.
Harris proposed an additional cause of Black Sky, which he called “human error and plain bad
luck.” As he explained, our infrastructure systems are now so complex and interconnected that
unpredictable things can go badly wrong when “apparently unconnected incidents can combine
for catastrophic effect.” As an example, he gave the incident in 2012 when, “a pump in the
Trafalgar Square fountains failed. This caused a leak and an overflow of the fountain. That in turn
disrupted power supplies including those for Charing Cross Station, which took out the Bakerloo
underground line.”
Moving on to examine the potential impacts of a Black Sky event, Harris cited the River Lune
flooding in December 2015 as a result of Hurricane Desmond, which led to the inundation of a
substation. Some of the ensuing impacts that Harris detailed were:
• 60,000 homes and businesses, 100,000 people, left without power for four days
• Transport and communications were disrupted; ATMs were out of action; garages could
not pump petrol. Text messaging, digital radio, and the internet ceased to be available.
• 75 emergency generators were brought to Lancaster from all over the country
Harris added, “As the Royal Academy of Engineering noted, this was a comparatively localized
area manageable in size. In a much larger area or locality with a much bigger population, bringing
in generators from other areas would not have worked.”
Extrapolating to the impacts of a Black Sky event, Harris posited that:
• Most organisations plan for an emergency that just affects their organisation. Disaster
response plans tend to tacitly assume that other organizations will be functioning as normal.
However, this will emphatically not be the case in a Black Sky event.
• Civil order is likely to break down. Harris reported on an exercise he took part in with the
London Resilience Forum in which martial law was declared around day four of the scenario.
• Emergency generators are not in themselves a panacea. They must be of sufficient capacity,
properly maintained and regularly tested. Even then they are likely to break down and will
need regular refuelling to keep going in a long-term outage.
• Water supplies and the management of waste water are critical. “A city without fresh water,
or where wastewater and sewage cannot be removed rapidly, quickly becomes uninhabitable,”
Harris warned.
• Communications will break down.
“We all use mobile communications
devices, but these have to be
charged. In any event, how long will
cell phones continue to operate in the
absence of power?”
• Food distribution will be severely
disrupted. Domestic freezers will break down as will those of small retailers. Harris recalled
that MI5, Britain’s security service, famously reported in 2004 that the U.K. was four meals
away from anarchy, and it does not take much to imagine the implications for civil order of
this sort of disruption in food supplies.
• ATMs will not function. “In Lancaster, the ATMs stopped working. So how long would the
financial system continue to function?” Harris asked.
Harris’s key messages and conclusions were:
• No service or utility can plan for a Black Sky event on its own.
• Every sector has to recognise its mutual dependencies on other sectors.
• A lot of work is needed to understand, predict and manage public behaviour under
extreme, Black Sky circumstances.
• There is a general problem of situational awareness. “In a UK Black Sky scenario, it will
be hard both for any individual organization and for government to have a clear view on
what is happening around the country,” Harris warned.
“None of this is easy,” Harris acknowledged, “but the consequences of failing to do it are
incalculable.”
Connectedness, (aka Complexity) and
Machine Learning for Black Sky Avoidance
Liz Varga, Cranfield University Professor of Complex Infrastructure Systems
Professor Liz Varga began by observing that “we’re more interconnected than we ever were. The
more interconnected we are the more at risk we are of systems failures, particularly of critical
infrastructure.”
She noted the dearth of academic studies about Black Sky. A search of key Black Sky-related
terms in the Science Direct database yielded only 19 papers since 2012. “There’s not enough
conversation going on about these Black Sky events. There isn’t enough information for us to
know exactly what the impact will be for all the consequences of cascading effects, and there’s a
lack of knowledge across systems.”
Our infrastructure systems are becoming ever more smart, digitalized and automated. “The
human is out of the loop but the human
receives the consequences of any failures
in these systems,” as Varga put it.
She defined the following general characteristics of resilient systems:
• The ability to address the actual; knowing what to do: how to respond to regular
and irregular disruptions and disturbances either by implementing a prepared set of
responses or by adjusting normal functioning.
• The ability to address the critical; knowing what to look for: how to monitor what is or
can become a threat in the near term. The monitoring must cover both events in the
environment and the performance of the system itself.
• The ability to address the factual; knowing what has happened: how to learn from
experience, in particular how to learn the right lessons from the right experience;
successes as well as failures.
• The ability to address the potential; knowing what to expect: how to anticipate
developments, threats, and opportunities further into the future, such as potential
changes, disruptions, pressures and their consequences.
Varga suggested that we should develop automated systems that have these characteristics and
are able to identify and respond to risks to infrastructure systems in an intelligent fashion. “What
I’m proposing,” she said, “is that we need a new generation of machine learning which not only
deals with an objective of higher performance, but also thinks about safety and resilience.”
Such machine learning systems need in-built mechanisms to isolate systems, to have local
redundancy, alternative means to create services and also tools to intervene to avoid Black Sky
events when they begin to detect them.
As an example, Varga discussed a project she is working on with Highways for Britain developing
“Intelligent Excavation” with utility detectors and sensors on excavators that can identify buried
artifacts in real time.
She acknowledged that there can also be “a dark side to machine learning,” citing a recent paper by
the Center for Existential Risk in Cambridge, called “Malicious Use of Artificial Intelligence,” which
discusses how machine learning can give opportunities for people to create disaster events
through the newly connected routes.
Varga summed up the key messages of her talk as follows:
• Disasters are a measure of social resilience.
• Increasing connectivity of infrastructures across and within sectors is the new norm and
brings the risk of more frequent and severe disasters.
• Technologies arising from ‘smart technologies’ such as Machine Learning have a potential
to divert disaster and minimize social impact.
• Machine Learning needs to detect emerging disasters (and should be able to do so).
• Machine Learning mechanisms must be available to maintain social resilience in the
event of disasters.
• Emerging threats from Machine Learning will co-evolve together with the benefits.
Strategic Insights for Black Sky Resilience
Planning and Preparedness: The Defense
Sector as a provider and user of critical
support resources
Lord James Arbuthnot, Former Chair of the UK House of Commons Defense Committee
Lord Arbuthnot focused his talk on the UK defense sector. He explained why the traditional belief
that in a major UK disaster “they would call in the army” to restore society to functionality is
misconceived. “The army is not equipped to deal with social collapse,” Arbuthnot warned.
There are a number of reasons for this. The UK armed forces have shrunk to their smallest
size since records began, with fewer than 200,000 men and women under arms. The power of
modern weapons appears to justify having fewer personnel, which means fewer ambassadors in
society for what the armed forces do and less support for the army among the broader population.
Moreover, there are many competing spending priorities, particularly those related to welfare.
The role of the armed forces in responding to disasters has been statutorily weakened
In addition, Arbuthnot explained that the Civil Contingencies Act of 2004 makes army intervention
in emergencies less likely. The Act “placed a duty on a number of different organizations to plan
for all manner of emergencies. The resilience model is one in which an incident is dealt with at the
lowest level possible building on local, multi-agency working arrangements. Under that act, no
statutory duty is placed on the Ministry of Defense or the armed forces.”
A further reason why the army is unlikely to be equipped to take a major role in a Black Sky
emergency is that running infrastructures today requires highly specific and sophisticated skills
that the army does not have.
Arbuthnot argued that the armed forces should provide military aid to the civil authority in two
main types of cases. The first is when the army has specific capabilities that civilians lack; bomb
disposal is an example. The second is when the armed forces “have the capacity to augment
any emergency response drawing on people and resources available at the time if the scale and
duration of any emergency might overwhelm civil capabilities.” In such a situation the defense
sector brings “organization, logistics, ingenuity, discipline, and the sort of dedication that comes
from a trained body of men and women that are ultimately prepared to lay down their lives.”
The armed forces will be too preoccupied with the effects of a Black Sky event to play
a decisive role in assisting the rest of society
However, Arbuthnot continued, “we mustn’t think that because the armed forces are brilliant, they
are the answer. They’re not.” The armed forces are too small to make a decisive difference and
moreover they themselves would be overwhelmed by a Black Sky event. “All of the effects of a
Black Sky event, the cascading effects of a loss of electricity leading to a loss of communication,
understanding, order, cohesion, fuel,
water, food, money, all of these would
apply no less to the defense sector than
to every other sector,” he warned.
For example, energy, particularly oil, is the
largest consumable of the British military.
“In a Black Sky event, you need to have
quite a lot set aside. Whatever the armed
forces have got will not be enough.”
Arbuthnot noted the dilemma of how to “discover the extent of the resilience of the armed forces
without exposing vulnerabilities to the eyes of people who might want to do us harm.” However,
research is needed into this, “perhaps by the Royal United Services Institute who would deal with
the issue in a secure and sensitive way.”
Lord Arbuthnot concluded that to reduce its vulnerability, the defense sector needs to take the
same essential steps as other sectors:
“They need awareness. They need to recognize there’s a problem. They need to have a plan and
to practice it. They need to have spares and redundancy. They need to work on recovery. And
finally, they need to do a constant audit of precisely where their vulnerabilities lie, because those
vulnerabilities will change over time.”
The Road Ahead for Coordinated, Multi-Sector
Planning in Complex Catastrophes
Brig. Gen. (Ret.) John Heltzel, Director of Resilience Planning, EIS Council
John Heltzel began his talk by acknowledging that coordinated multi-sector planning is not easy.
He explained, “the reason is because to be prepared for most organizations means a change in
their culture. And all my time in the military and in government, the single hardest thing to change
is culture.”
Heltzel focused his presentation on three points: awareness and active engagement,
documentation and alignment, and training and exercises.
Awareness and Active Engagement
Heltzel explained that in the US, EIS Council has sector coordinators working with all of the critical
lifeline sectors. “We are going across the United States point by point, meeting with various
organizations to let them understand what the threat of a Black Sky hazard actually is,” he said.
Heltzel observed that though the U.S. spends a lot of money on emergency preparedness, “we
tend to do the simple and easy things over and over.” Many organizations are not prepared for a
complex catastrophe that could cost many lives.
He remarked that recent events have made
the task of explaining the seriousness
and plausibility of Black Sky hazards
easier, saying, “if you don’t understand
what Black Sky is, let’s talk about Puerto
Rico. More than six months on, the island
still does not have dependable power.”
Similarly, “it used to be difficult to get EMP across to people. Now all I do is talk about the nuclear
threat from North Korea and people understand EMP.”
Highlighting some of the significant successes of this engagement program, he cited a program
in California where “we met with the California Cabinet Secretaries. For almost four-and-a-half
hours not a single secretary got up and left the table. They all stayed engaged.”
Documentation and Alignment
The core of this element is the EPRO Black Sky Playbook program, in which EIS Council has
developed and put online detailed playbooks for Black Sky resilience, restoration and recovery
for each of the main lifeline infrastructure sectors. The playbooks are iterated for continuous
improvement and include the internal and external requirements for each sector; what they need
from within their own sector and what they would require from other sectors to ensure restoration
and recovery. The most recent iteration, version 3.0, also contains a set of assessment tools, so
that any organization can evaluate its level of preparedness.
EIS Council is also building a matrix of cost-effective resilience investments, some
general and some sector specific. A further project in this area is the BSX Black Sky command
and control coordination system, designed to enable communication in a Black Sky environment.
Finally, the EIS Council is working on a “Black Sky Resilience Doctrine” that aims to present
founding principles for achieving synchronization and synergy across sectors.
Training and Exercises
Heltzel described the suite of Black Sky
exercises that EIS Council offers leading
to organization-specific incident action
plans. He noted a major gap in most
incident response plans. First responders
will adequately address about 98% of
incidents. Emergency management will
engage about 1% of cases. However,
there are almost no guidelines or protocols for the restoration of critical lifeline infrastructures in
the event that they fail. “Puerto Rico is a classic example,” Heltzel said. “There is not a built-in
mechanism that tells us how we restore critical lifeline infrastructure.” The EPRO III Handbook
authored by Dr. Paul Stockton is designed to fill this critical gap.
Finally, Heltzel highlighted Earth Ex, a major, self-facilitated, self-assessed, cross sector,
international Black Sky exercise that EIS Council ran for the first time in August 2017. There were
thousands of participants representing over 500 companies and 14 countries.
Heltzel announced that the next Earth Ex exercise will take place on August 22nd 2018 and will
simulate a massive cyber-attack on critical infrastructure. The exercise is designed around five
hubs with corresponding video injects and scenario updates as well as an individual and family
preparedness lane. Heltzel ended by warmly inviting companies, organizations and individuals
from the UK to take part.
Roundtable Discussions
Part 1 | Theme Resilient Processes,
People and Protocols for Black Sky Hazards
Questions Discussed:
What are the biggest challenges you face when making the case for systemic resilience to your
organisation/ sector/ clients/ colleagues?
What are the greatest opportunities you see to overcome these challenges?
What motivates you to be a champion for systemic Resilience?
Prior to a prolonged power outage, what plans, protocols or processes would it be
most useful to already have put in place?
• For the benefit of your operations?
• For the benefit of the system as a whole?
• For the benefit of the wider society?
Part 2 | Managing Infrastructure Assets
and Systems for Resilient Response,
Restoration and Recovery
Questions Discussed:
During a prolonged power outage:
1. What would be the overall impact on your ability to:
a. Sustain normal operations?
b. Sustain minimum service levels?
c. Avoid critical failures?
Upon restoration of power after a prolonged power outage:
2. What critical internal resources will you need to enable restoration and recovery?
3. How could other sectors best support your restoration and recovery?
4. Which assets/process would be your strategic priorities for restoration?
5. Which assets/processes will take the longest and/or be the most expensive to return to
normal operations?
Part 3 | Building and Enabling Black Sky
Resilient Communities and Institutions
Questions Discussed:
• How can we collectively best empower the creation of Black Sky resilient individuals,
households, communities, institutions and societies?
• What actions are needed now (prior to a Black Sky event) to build resilient capabilities
and empower community resilience?
• What are the best ways to engage the public in Black Sky scenarios?
• What capabilities and social capital does a resilient society require?
• What actions are needed now to build these capabilities and empower community
resilience prior to a Black Sky event?
• In what ways can community resilience be beneficial at each stage of the resilience cycle?
• What strategic information does a resilient community require at each stage of the
resilience cycle?
Black Sky
Resilience
Overviews
Multi-Sector Infrastructure Mapping and
Simulation for Extreme Hazards:
The GINOM™ Opportunity
John Organek, Administrative Director for Simulation and Modelling, EIS Council
John Organek spoke about the EIS Council’s GINOM™ initiative to model critical infrastructure
interdependencies. He characterized infrastructure as a “complex adaptive system” – an organism
with multiple interactions at multiple levels.
Organek defined the key challenge as “how to look at the complexity of these infrastructures and
their interdependencies to understand them, to explain them, and to make decisions about
them.”
This requires a good understanding of
how all the pieces work together. “What
are the connections? What happens if
this part breaks and that part doesn’t?”
Organek asked. The even more important
and difficult questions are “how do we put
Humpty-Dumpty back together, especially
if all of these pieces and all of these sectors
and infrastructures are interdependent as they are?”
EIS Council is examining this complexity “to come up with a concept that applies before the
event, during the event, and after the event as it happens. We can’t just look at collapse. We have
to look at how we bring it back,” Organek said.
This initiative is called GINOM™, which stands for Global Infrastructure Network Optimization
Model. It has three parts: modeling infrastructure interdependence, providing decision makers with
situational awareness, and optimizing decision-making in an emergency. A tool called SAND,
Situational Awareness Network Diagnostics, helps understand the situation and formulate
alternatives. A further component of the system, known as CANOE, which stands for Complex
Adaptive Networks Optimization Engine, analyses and optimizes paths for restoring systems.
Organek acknowledged that this is a complex undertaking and EIS Council is working on it
together with partners in the utilities, in government, and also in non-governmental organizations
and academia. The product will not spring into existence fully formed but will rather develop in
evolutionary, iterative stages.
In conclusion, Organek invited all those interested in the initiative to take part in
making it a reality.
Cyber Security Challenges for Evolving
Infrastructure Systems
John Clark, Professor of Computer and Information Security, University of Sheffield
Professor John Clark shared insights from his background in computing and information security
that are relevant for cyber security of critical infrastructures. His key messages were:
We need enhanced pre-stressing of our systems and systems models.
In a climate of increasingly serious cyberattacks on infrastructure – the rash of “denial of service”
attacks being a recent example - Clark emphasized the importance of stress testing our cyber
defense systems to the utmost, by
simulating and exercising all the things
that could go wrong. While for twenty
years we’ve been urged to “think out of
the box,” as Clark put it, “in real systems
and real models, we’re interested not just
in thinking outside the box, but exploring
those nasty parts, those dark corners of
the box that normally we would not reach,”
meaning the little explored possibilities for
failure in our systems.
We need to live with insecurity on an ongoing basis and this is a challenge.
With attacks coming from diverse actors, the problems of response diagnosis and attribution
are acute. In many cases, certainty will be impossible to achieve. Some of the challenges and
uncertainties that Clark listed were the need to cope with multiple, novel attacks on systems
whose details are perpetually changing and where responsibility may be spread over multiple
domains. Moreover, response is often hampered by self-inflicted injuries, such as a kind of
autoimmune reaction where the reconfiguration itself provokes a denial of service, and
also frequent mistakes that are made in attempts at remote reconfiguration of systems.
Standardization provides a single point weakness.
Clark pointed out that there are both advantages and potentially major disadvantages to the
increasing standardization of computer parts and security protocols. The downside is that, as he
put it, “if it breaks once, it breaks everywhere. You have hugely distributed systems where chips
are embedded in the fabric of society, you
suddenly realize that all your hardware is
duff, it’s going to cause big problems.” The
single points of failure can have immense
impacts. Clark remarked that it is unclear
what the right response to this problem
should be. Do we strive to improve reliability
of standardized systems, or embrace
heterogeneity?
We need enhanced situational
awareness and response strategies.
Professor Clark argued that there is a pressing need for enhanced situation awareness and
predictive consequential awareness for response actions. We also need to think about what
aspects of cyber-attack response can be automated and how, as well as about what automated
support needs to be given to security management teams.
Finally, we need better attribution, forensics and evidence, to identify perpetrators, and also to
address legal implications of cyber assaults.
London Resilience Partnership
Toby Gould, Deputy Head, London Resilience Partnership
Toby Gould from the London Resilience Group introduced his group as “an all-sector partnership,
so that every public sector, private sector, voluntary sector, can come together with the joint aim
of trying to make London a more resilient city.”
In 2017, LRG conducted a risk assessment of the consequences of a wide area power failure in
London. Gould described some of its findings. He noted that this scenario is rated as a very high
risk on the Community Risk Register for London.
Gould reported that “response capabilities are in place, you’ll be reassured to hear. But capacity
gaps and capability gaps do exist when considering long-duration wide-area disruptions.” He
noted that there is a widespread belief in
the U.K. resilience sector “that in a wide-
area power failure in London, we can take
our plans to deal with smaller ones and
just scale up our response.” The 2017 risk
assessment showed that such a response
will not work.
The risk assessment looked at the impact
of a wide-area power outage with a total blackout for up to 5 days (increased to 7 days following recent
modelling) with prolonged disruption for up to 14 days due to loss of the National Grid.
In the scenario there would be no (or extremely limited):
• Public water supply
• Healthcare services except critical care; operating theatres and emergency departments
• Road fuel supplies
• Telecoms and internet services
• Financial services / access to funds
• Food supply chain / access to shops
50% of organizations responded that they could maintain operational capacity of some description
after one week. Gould reported that existing planning assumptions do not take account of some
of these severe secondary consequences.
The findings of a survey of resilience organizations (which were restricted) revealed a wide range
of opinions about the preparedness of key players for such a scenario. Respondents assessed
that there were particular gaps in the areas of public communications, public engagement, and
community resilience.
Gould concluded that while “2017 took us to a better understanding of what the problem is, 2018
should be about taking practical actions to improve our preparedness.” His key recommendation
was that “all resilience partners should review their ability to maintain critical services and respond
effectively to a wide area long duration power failure including secondary consequences.”
Lloyd’s Register Foundation Work
Ruth Boumphrey, Lloyd’s Register Foundation
Ruth Boumphrey introduced some initiatives of her organization, Lloyd’s Register Foundation,
the biggest engineering charity in the U.K. “We have a two-part mission,” she explained. “The
first part is to enhance the safety of life and property. The second is to advance public education.”
LRF produces reports that it terms “foresight reviews,” which analyze areas of infrastructure
security and make recommendations for improvement. These reports are written in “plain English,
so that bankers and accountants as well as technical people can read them.” Boumphrey briefly
discussed three of these reviews.
The first is on resilience engineering. The research focused on the US and used Hurricane
Sandy as the main example, interviewing
workers in ports, construction, health
care and other sectors. The key finding
that she reported was “there are complex
global infrastructure systems and they all
depend on each other. The more they’ve
been globalized the more they’re prone to
cascading failure across wide areas.” She
added that most of these infrastructures
are owned by the private sector. Currently, not enough work is being done on building
inter-sectoral cooperation.
LRF proposes to lead work on improving resilience within critical infrastructure sectors. It plans to
work in the following areas:
• Governance: Helping develop incentives and rules, legal and financial instruments
• Capacity building and engagement: promoting professional development, publications,
communication and public engagement
• Data and supporting tools: developing shared datasets, modelling decision support
• International and global scale networks: advancing studies of global systems, supply
chains and knowledge networks.
The second program is in energy storage. Boumphrey noted that “energy storage is a major
factor in finding solution to resilience.”
The third program is in big data. This study is about resilience and robust infrastructures at
national and international levels, monitoring safety of complex engineered systems, and data-driven
engineering design under uncertainty.
Boumphrey concluded with the key messages of her presentation:
• Complex infrastructure systems need new resilience tools and approaches.
• Globalized sectors need international cooperation to build resilience.
• We need to now move from theory to practical implementation of resilience measures.
The Resilience Shift Project
Juliet Mian, Resilience Shift Team, Arup
Juliet Mian introduced the work of the Resilience Shift Program, a partnership of the Lloyd’s
Register Foundation and ARUP, a global engineering company.
“The mission of Resilience Shift is to make our world safer and better to live in, by catalyzing
change in how critical infrastructure is designed, delivered and operated,” she explained. “We are
promoting a shift in practice in three areas, towards:
• Ensuring infrastructure systems remain functional in diverse conditions.
• Considering infrastructure as socio-technical systems and systems-of-systems.
• Defining critical infrastructure systems in terms of how they protect, connect and provide for society.”
Resilience Shift is a new program. Its three main areas of focus are:
1. Developing ways and means to make resilience tangible, practical and relevant
2. Analyzing and evaluating incentives - What is resilience worth? And to whom?
3. Catalyzing a shift from theory to practical implementation
Water Focused Resilience Research
Dr Simon Jude, Cranfield University
Dr. Simon Jude raised some serious concerns about disaster preparedness in the UK, based on
his experience of working on resilience and infrastructure failures with around 150 infrastructure
operators, central government departments and regulators.
He asserted that in reality, “we don’t know a lot about these sort of infrastructure failures. And
even very small failures can result in big impacts that we don’t understand.” As an example,
he cited a 2015 crisis in Central London where a fire in an underground electrical junction box
caused 2000 people to be evacuated and cut internet access in several regions of the city.
Though modeling is indispensable, he also expressed some skepticism as to how far all potentially
catastrophic events can be modelled. “These are really complicated events, and I’m just not sure
we can model them,” he said.
In addition, Jude voiced concern about the
level of realism in many of the emergency
plans that he has seen. “You can see
there are some really huge assumptions
going on,” he said. He cited one regional
flooding contingency plan “that assumes
regional road and rail infrastructure will
remain viable.”
He remarked that in his experience, “people in these organizations are wearing rose-tinted
spectacles. You start to get group think. People aren’t necessarily disclosing the full nature of
the hazards and risks that they’re dealing with. Can you believe what people are telling you?”
he asked. He recalled how after the 2007 UK floods, Gloucestershire County Council’s best
practices protocol was described as a fantasy document by a subsequent report for creating a
false impression of readiness.
Jude raised a number of questions for further research including the following:
• Can we harness social sciences to understand behavior, values, and some of these
governance issues in resilience organizations?
• How can we empower the generally low-paid workers in emergency services to be more
effective?
• Can we enable local communities to take more responsibility for their own resilience?
• What are the ethical and equity issues involved in decisions about whose care we
prioritize in an emergency? “Do we prioritize the vulnerable? Do we prioritize cities against
rural areas?”
• How do we develop a framework to assess systemic risks?
Systemic Risk Research
Paul Larcey, Cambridge University
Dr. Paul Larcey discussed risk to electrical infrastructures from his perspective as a member of
the Global Systemic Risk Group at Princeton University. He described systemic risk as emerging
from “highly interconnected, interdependent systems that have fragility built into them by small
subsystem disturbances and amplifications through them.”
He listed the aims of the Global Systemic Risk Network:
• Develop a network of multi-disciplinary groups
• Understand existing methodological approaches
• Create a common communication
mechanism of systemic risk
understanding
• Develop systemic risk research
in a way that it can be applicable
and useful to practitioners and
policy makers
Systemic risk, he explained, is a result of
the growing complexity of our systems.
This has only become truer since Charles Perrow’s 1984 classic analysis of complex systems,
“Normal Accidents,” where Perrow wrote, “Predictably, systems fail but in unpredictable ways.”
He noted that “electrical infrastructure is particularly vulnerable because of the massive
interconnections we’re making” and asked, “How do we design robust networks from the
beginning if we don’t fully understand the systemic risks we’re building into them?” He raised
the possibility that we can learn about interconnected systemic risk in the electrical infrastructure
from other disciplines, citing the paper from Nature, “Ecology for Bankers,” which indicated that
diverse fields such as biology and finance can have cross-related methodologies outputs.
Larcey concluded by underscoring these key messages:
• The increasing vulnerability emerging from electrical infrastructure complexity and
interdependency needs to be acknowledged more widely.
• This is not just an engineering problem; human and socio-economic factors are equally
involved.
• We must explore what we can learn from other disciplines working with tightly coupled
systems.
• We need rigorous regulatory reviews and more global best practice sharing.
A Review of Digitally Connected Infrastructure
System Resilience
Tom Dolan, University College, London
Tom Dolan described work he did for the National Infrastructure Commission together with ARUP,
a large international firm, looking at the resilience of digitally connected infrastructure systems
(DCIS). One of the motivating concerns for the work was that, as Dolan put it, “there seems to
be a tacit assumption that as we become more digitally connected somehow our resilience will
improve, which I think needs closer examination.”
Dolan reviewed the literature and came up with eight recommendations towards the overall goal
of making systemic resilience a core objective of all infrastructure decision making and
implementation. The recommendations were:
Prioritise organisational paradigms and thinking tools to support Resilient Digital
Transformation
We have greatly enhanced data collection capabilities today, made possible by DCIS, but
our capacity to convert this data into useful information lags behind. New organisational
paradigms and thinking tools that purposefully convert data into meaningful information
are needed. Such tools could enable and support (i) real-time operating decisions and
(ii) strategic systemic decision-making processes, in particular the National Infrastructure
Assessment (NIA).
Additional research is needed to review current approaches and develop organisational paradigms and
thinking tools that enable DCIS to provide the information needed to improve systemic resilience
and alleviate system vulnerabilities.
Make improving systemic resilience a core objective of all infrastructure governance
and planning
Systemic resilience must be integrated into the core objectives for all infrastructure decision
making processes. Systemic resilience requires equal weighting with efficiency in decision-making
processes, and the impact of any action on that systemic resilience must be made explicit during
decision-making processes.
Develop an interdependency toolkit for systemic resilience analysis
Interdependence analysis potentially enables greater understanding of the root causes of
infrastructure system resilience, vulnerabilities, performance and other systemic challenges.
We need to develop an interdependency toolkit for analysing interdependencies. This should
be applied to support analysis of the interdependencies that enable DCIS; possible options
to minimise new vulnerabilities created when implementing DCIS; the root causes of systemic
resilience and vulnerabilities in DCIS and the underlying infrastructure systems of which they are
a part.
Define DCIS explicitly in terms of interdependency with underlying infrastructure
systems
Interdependency offers a conceptual framework and terminology to better understand and
analyse digitally connected infrastructure systems.
Apply LTS (Large Technical Systems) theory and CAS (Complex Adaptive System)
thinking to analyse digital transformation impacts and DCIS resilience
Adopt a more nuanced approach to NAT (Normal Accident Theory) in Infrastructure
Systems
NAT can provide a useful lens to analyse emergent system properties. In the context of
infrastructure systems, the term “normal accident” is applicable to any emergent property of the
infrastructure system. System problems such as local air quality, managing flood risk, congestion
can all be interpreted as normal accidents. Further research to analyse these types of systemic
infrastructure challenges from an NAT perspective is recommended.
Adapt HRO (High Reliability Organization) thinking to develop a set of HR High Reliability
Complex System principles
The concept of high reliability should be given a similar status to systemic resilience as a core
objective for infrastructures. Specifically, achieving high reliability should be given equal
weighting with efficiency in decision-making processes. Impacts on the ‘high reliability’ of a
system should be made explicit during decision-making processes.
Research is needed to (i) investigate the applicability of HRO principles to interdependent
infrastructure systems; (ii) adapt HRO principles based on the findings of (i).
Undertake research to identify leverage points in infrastructure systems for targeted
Resilience interventions.
We need research to assess how insights from Donella Meadows’ seminal paper, “Leverage Points:
Places to Intervene in a System,” can be applied to tailor approaches to DCIS implementation
that minimise impacts on systemic resilience and the likelihood of normal accidents.
Panel 1: Question Time Panel on Strategic Research Priorities for Black Sky Resilience:
Reimagining Systemic and Societal Resilience to Black
Sky Hazards as a New Normal: Blue Skies Research
Priorities for Black Sky Resilience
Panelists: Prof. Brian Collins, Prof. Liz Varga, Ruth Boumphrey, John Heltzel, Prof. John Clark, Dr. Simon Jude
The session Chair, Professor Brian Collins, opened by asking the panelists to name their top one
or two highest research priorities, whether for academia, government or business that would help
us to prepare for a Black Sky event.
John Heltzel responded that we need to ensure continuous improvements in resilience
investment. He noted EIS Council’s resilience investment matrix project as a research project
that can help lead practitioners in this direction. Heltzel also stressed the need for improvement
in the planning process itself. “So many agencies we work with have a very rudimentary plan,”
he said. “We need plans that are very detailed and directive and can be executed without a lot of
kickstarting. People need to know what they must do, and start doing it immediately.”
John Clark answered that he would like to see research that simulates our systems and “pushes
them to extremes,” in order to better understand their strengths and weaknesses. In a different
vein, he advocated more social science-based research into how we build the informal trust
networks between companies and organizations that will be absolutely essential to leverage in
a Black Sky event. The final area he discussed was the need to develop far more extensive
automated decision support for emergency response and to understand much better the
appropriate interaction between human and automated response systems. “We’re going to be in
difficult situations with systems we don’t fully understand. We’re going to need as much help as
we can get from an automated perspective,” he said.
Liz Varga answered that she would like to see discussion about “what mechanisms there are to
understand that we’re approaching resilience challenges and prevent them becoming Black Sky
events, and then what we can do to help others engage in the practice of keeping systems
resilient.”
Ruth Boumphrey commented that there is a great deal of excellent resilience research being
done and one of the challenges is to implement it more widely in practice. She added that tools
to support situational awareness for decision makers are very much needed. “Just having plain-
English situational maps of what your sector looks like and what its vulnerabilities are would be
tremendously helpful,” she said.
Finally, she noted that, based on her
experience sitting on various company
boards, “you sit there with these risk
registers, and they’re totally useless.
You pull them out every now and then,
when something fails. You look at the
risk register and say, it wasn’t on our risk
register.” She recommended that instead,
organizations should have a “resilience register.” Instead of listing bad things that could happen,
this tool would help companies answer the question, “what are the options to continue the
delivery of our service, should something unforeseen happen?”
Brian Collins highlighted that the panel’s responses were more about social science, organization
and governance than about technology. “We’ve got tons of technology,” Collins
observed. “Unfortunately, in a Black Sky event, a lot of that won’t be very much use to us. Once
it’s all gone, it’s going to be down to people.”
Collins then posed the question: “What role do communities have in building resilience?”
John Heltzel emphasized that communities must be active participants in promoting their
own resilience. Otherwise, they will be ill-prepared to receive and implement the resources and
directives coming from government.
Brian Collins cited the experience of Britain during the blitz in the Second World War. He noted
that “London was prepared at a street level where local people looked after what happened as a
result of that bombing every night, for the best part of a year.” Germany, by contrast, did not have
such a local resilience network, one reason why the bomb damage to its cities was much worse.
Brian Collins next asked the panel how we should manage the risks resulting from complex
systems, different components of which are under the control of separate authorities. If the
“system of systems” needs to be kept resilient, “who owns the system of systems?”
John Clark responded that the answer lies in building trust and cooperation and enabling
organizations to share information. “There needs to be research into how people or organizations
who do not actually trust each other 100%, which is pretty much everybody, can collaborate,” he
said. “We also need to understand better how to share information and how to share information
for certain purposes, so that information is not shared for others.”
Ruth Boumphrey commented that in the private sector where firms compete with one another,
there is much room for improvement in cooperation. She added, “I do think there needs to
be a more mature dialogue within sectors, around the delivery of food, water, electricity or
telecommunications that says in times of stress that there are certain protocols that we can share
and use to give priority to those who have greater need.”
Open Question & Answer
Randolph Kent from the Royal United Services Institute asked, “what do we really mean in the
21st century by community? Is it a merely geographical or geopolitical concept, or do we also
take into account other non-spatial networks?”
Ruth Boumphrey answered that we learn the habits of resilience in families and extended
communities. “We have a feeling for resilience because at a family level we plan for it. We have
insurance, networks, social networks, savings. We build resilience into our own personal and
communal lives because we understand that we need to get over hardship.” Consequently,
non-geographical networks of mutual self-help such as religious communities certainly have a role to
play.
John Heltzel agreed, saying “family is the bedrock, and that’s why in EARTH EX we’re looking at
an individual and family preparedness lane because people have to survive.”
Brian Collins added that today technology enables communities that are not geographically
defined. As an example, he cited Dr. Ellie Cosgrave, at UCL, who has built a large global network
of female engineers and sustainability
experts who are articulating a distinctively
female perspective on resilience.
Professor AbuBakr Bahaj asked “how
do we get infrastructure owners in a room
like this, and how do we get citizens and
their leaders including leaders of cities to
be in a room like this?”
John Heltzel responded by referring
to the U.S., where this is slowly beginning to
happen. He cited EIS Council’s work in
running a dozen different workshops for state government leaders on Black Sky resilience in
2017. US government has increased owing to the extraordinarily destructive 2017 hurricane
season and mounting awareness of the danger of a massive cyber-attack on infrastructure.
David Rubens from the University of Portsmouth commented on the nature of trust in relation to
resilience saying, “trust is transactional in that you develop it by working with each other. One of
the fundamental truths of crisis management is if you haven’t done something beforehand, you
probably can’t start doing it in the middle of a crisis.” It is essential, therefore, to begin early with
the work of developing integrated
frameworks, shared experiences and
shared culture which will enable people
from diverse sectors to cooperate in a
crisis.
Liz Varga said that we should begin
teaching resilience early, at school age.
She asked, “Why aren’t we teaching
resilience to young people so that when they come into the communities as adults they’re already
aware of the concept? They already have it embedded in their thinking.”
John Mason asked about how you manage the shock and emotional panic of a massively
disruptive event.
John Heltzel responded that the key emergency response areas “have to practice and practice
and practice,” so that they can continue to do their jobs in the face of what may well be shocking
circumstances. He also affirmed the importance of working with children and families, saying
“when we first envisioned EARTH EX, the idea of an individual and family lane, especially a family
lane, was a novel idea. Now we’re totally committed to it.”
Brian Collins concluded with a call to recognize the urgency of the work needed to prepare for
Black Sky level emergencies, saying “the idea that some sense of pace is needed, some sense
of tempo in this work is really sadly lacking.”
Panel 2
Question Time Panel on Immediate Actions and Priorities for Black Sky Resilience:
Establishing Systemic and Societal Resilience to Black Sky Hazards as a New Normal: Immediate Actions and Strategic Priorities
Panelists: Avi Schnurr, Lord Toby Harris, Toby Gould, Juliet Mian, Lord James Arbuthnot
Lord Harris, the panel Chair, framed the discussion by asking the panelists what they thought
were the most important issues to emerge from the day that are actionable for a policy maker,
industry leader or academic.
Avi Schnurr answered that the key insight is the importance of focusing on actionable priorities
to increase Black Sky resilience and not to let study of the problem serve as a substitute for taking
action. “We need to make sure that every
event, every discussion, every meeting
has concrete output that drives to action,
and that the plans are built in a very crisp
way which drives explicit action by the
membership of each sector,” Schnurr
said.
Toby Gould responded that the London
Resilience Partnership’s strategy has four
thematic areas.
(i) Understanding risk and the planning assumptions underlying efforts to mitigate risks. Gould
opined that in London this area is relatively well understood.
(ii) Preparedness to respond to and recover from any incident or emergency.
(iii) Learning lessons from previous emergency events.
(iv) Long-term adaptation of systems to be more resilient.
Gould summarized the major priority as being “to put ourselves on a better footing to respond
should we face wide-area power outage tomorrow?”
Juliet Mian singled out two points: firstly, “when we talk about Black Sky resilience, we should
make sure we’re also thinking about the unknown unknowns and the attributes that will help us
be resilient no matter what, rather than focusing only on the particular hazards.” Secondly, she
stressed the need “to make sure from the beginning that the discussions include private sector,
infrastructure owners and operators.”
Lord Arbuthnot declared that the top priority in a Black Sky event is to have some method of
communicating which is not the mobile telephone network and which will work even if the
electricity system is not operational.
Lord Harris next posed to the panel
a couple of related questions from the
audience about what should be the role of
communities and of the general public in
building resilience and planning for Black
Sky scenarios. In particular, he asked what
the proper balance should be between
constructively involving the community
and sowing unnecessary panic among
the public.
Toby Gould answered that engaging geographic, business or professional communities in
building resilience is certainly positive. He opined that the best approach is to promote community
resilience to common, easily imaginable hazards such as local floods and that these preparations
may help in the event that rarer catastrophic hazards strike. Juliet Mian agreed that disaster
resilience can be taught in schools and workplaces and floated the idea of a national day of
resilience.
Avi Schnurr declared that “there is no reason to shy away from the challenge of educating
people broadly about Black Sky hazards.” He explained that “given societal lifetimes, the
probability of a Black Sky event is 100%. If we’re talking about the probability in the next year, it’s
certainly not 100%. But do we want the United Kingdom to be sustained and continue to exist
more than a year? I think so. More than 100 years, maybe more than 500 years? Let’s not wait
until it’s too late to educate the public.”
Schnurr continued that it is better to engage the public in preparing for Black Sky events before the
threat becomes so credible that it is terrifying. “We should treat it as an opportunity to challenge
people,” he said, “to get them to feel like here’s something which really is a global threat which
I, an ordinary person, could take an important role in.” “People look for challenges in their lives,”
Schnurr added. “One of the symptoms of depression, which is a big problem worldwide, is that
people have trouble finding broadly useful, creative, compelling missions to work on.”
Schnurr continued that the communications with the public can and should be low-cost, and also
should build up gradually and cumulatively.
On the probability question, Lord Harris added that “if you’ve got six 1-in-100-year events, which
would be catastrophic, you have to recognize that the chances that one of them will at least have
happened by the year 2030 is better than evens, more likely than not.”
Ruth Boumphrey suggested that, based on her experience, creating a Cub Scout badge can be
an effective way to communicate such a message. “You can put complex things into a structured,
low-cost framework which reaches children and their families, internationally.”
Mark Chapel from the Emergency Planning Society proposed that government appoint an
inspector general for emergency management who oversees implementation of Civil Contingencies.
Other speakers questioned whether an additional layer of regulation is necessary and suggested
the issue is the effectiveness of the
existing regulatory bodies. Clive Bairstow
of the National Grid suggested that the
key to successful regulation is to have a
champion in the heart of the government,
a role fulfilled by Oliver Letwin until 2015.
Lord Arbuthnot agreed that identifying
ministers favorable to the resilience
agenda is vital. Avi Schnurr affirmed
that what is required is not creating new
inventory bodies, but empowering the
bodies that already exist, especially in ways that enable them to help build cross-sector, public-
private collaboration.
Andrew Singh proposed “that community leaders of any faith community and charities should
have a competency test that they need to pass, including leading their communities in doing
something useful in times of emergencies. Many people in places of worship haven’t even tested
their fire alarm. We really need people who are competent.”
Professor AbuBakr Bahaj from the University of Southampton argued that just as the Bank of
England imposed stress tests on banks to test their resilience in financial crises, infrastructure
owners should be subject to tests that examine their resilience to extreme risks.
In response to a question about the engagement of US regulators with Black Sky, Avi Schnurr
responded that, “the regulatory community in the United States has gotten to the point where
they’re concerned and recognize this has to be addressed. They are looking for help, especially
in terms of finding black sky resilience metrics that they could utilize.”
Juliet Mian agreed that in the UK too there is a demand from policy makers for a metric that can
assess and communicate resilience levels. There is, though, she said, “always a tension between
‘is this something you can quantify, and actually can you do anything about it if you can’t quantify
it.’” Lord Arbuthnot added that in the UK regulation would need to be coordinated by the Cabinet
Office to avoid gaps between the responsibilities of regulators.
Liz Varga referred to her work in helping create an annex about complex systems to the “Magenta
Book,” which is the UK government’s guide to how to do project and infrastructure evaluations.
She suggested this might be an opportunity to introduce a requirement that complex systems require
regular resilience checking.
Dr. Kristen MacAskill from Cambridge University raised another area where government can
play a role, in assessing more accurately the value of resilience. She asserted that the cost-benefit
analysis criteria for new infrastructure do not adequately capture the future resilience benefits
of a more resilient solution. “So, we engineers end up building infrastructure we know isn’t the
best infrastructure that we could deliver to the community if we had the remit to actually value it
accurately.” Toby Gould remarked that the Environment Agency has a quantifier that every one
pound spent on flood defense assets in the U.K. delivers four pounds of savings and that a similar
parameter should be introduced into assessment of protection against other risks.
Tom Dolan pointed out that resilience has multiple components, including robustness, reliability,
recovery and recovery. This multiplicity of aspects calls for a collection of metrics and some kind
of weighting on them.
In conclusion, Avi Schnurr argued that it is very helpful to think about Black Sky resilience in
conjunction with the Black Sky playbook development process. As he put it, “what a resilience
metric would mean is that there is a consensus that there are certain things sector by sector
would be important for reaching a threshold where that sector is prepared for Black Sky
hazards.”
For such a metric to be meaningful, it needs to be accompanied by a clear consensus regarding
what needs to be done in each sector to arrive at that point of preparedness and what the gaps
are that would need to be filled, which is the essence of the Black Sky playbook development
process. Summarizing the interdependence of metrics and playbooks, Schnurr said, “If you ask
people to do something and you don’t tell them what exactly it is and how to measure success,
you’re going to keep going in circles.”
Closing Remarks
Brian Collins
In his closing remarks, Brian Collins began by quoting a recent former UK Prime Minister who
said, “Infrastructure matters because it is the magic ingredient in so much of modern life.” Collins
commented, “it isn’t magic. It’s hard work by a lot of different people doing a lot of different but
interconnected things. Can we collectively make sure our political leaders actually understand
how this stuff works much better than they appear to?”
Moving on to the question of regulatory reform, Collins noted that the regulatory environment in
the UK was created following the wave of utility privatization in the 80s and 90s to deliver value
as it was then understood. “The regulatory framework was set up in order to handle the transition
from public ownership to private ownership.” After 25 years of working out this model, the utilities
now look relatively stable.
The regulatory challenge today, Collins asserted, is “not to create a new regulator but to create a
regulatory environment that is fit for a purpose to handle not only normal conditions but extreme
conditions such as the one we’ve just been talking about.” In addition, he proposed there should
be metrics to ensure that utilities are complying with regulation to prepare for such extreme
events.
Turning to the importance of international
coordination, Collins suggested that
the only comparable historic example
of successful coordination on this scale
was the case of nuclear disarmament. An
outcome of that chapter in international
relations is that “there is a body of
literature on how to coordinate very difficult subject matter together to deliver outcomes which
move everyone in the right direction, even though on the face of it in the short term it’s not in
their best interest to do so.” Collins recommended those involved in international efforts aimed at
building infrastructure resilience make use of this literature.
In conclusion, he affirmed that as part of the international transdisciplinary infrastructure research
program that he heads, “we’re very happy to look at research that is needed in order to deliver
infrastructure that is fit for purpose under extreme circumstances. That includes a Black Sky
situation.”
He strongly asserted the importance of international focused collaboration and discussion such as
this event. “We need to understand the globalization of this opportunity as well as its vulnerability,”
Collins stressed.