Coping with Sandy's Aftermath
Keeping Critical Systems Available, Secure
Days will pass before we will know the full impact of Superstorm Sandy on the availability of key information systems, but early reports suggest that business continuity preparation has paid off.
Alan Berman, executive director of the Disaster Recovery Institute, characterizes Sandy as the "perfect storm," but says many organizations planned more thoroughly for this storm than they have for past disasters.
"We've never seen anything that looks like Hurricane Sandy, and so it's very difficult to prepare for something that's 1,000 miles wide and with waves that we know are going to be 10-to-20 feet high," Berman said, praising public and private sector preparation for Hurricane Sandy. "As bad as this is and it's going to be, we've had a week of preparation where people understood what was going to happen."
Even President Obama recognized the preparation, noting conversations he had earlier in the day with New Jersey Gov. Chris Christie, New York Gov. Andrew Cuomo and New York City Mayor Michael Bloomberg. "I want to praise them for the extraordinary work that they have done," Obama said during a visit to the headquarters of the American Red Cross in Washington. "Sadly, we are getting more experience with these kinds of big-impact storms along the East Coast. And the preparation shows."
The Storm's Impact
Sandy has been destructive. More than 7 million people in 15 states from Maine to South Carolina were without electricity a day after the storm hit. The number of deaths caused by Sandy reached 33 in the U.S., 100 overall, by late Oct. 30, according to CNN.
Sandy will be costly. The risk assessment consultancy EQECAT estimates losses from the storm could reach $20 billion, with insurance losses approaching $10 billion.
The storm came ashore near Atlantic City, N.J., but its impact was felt throughout the entire Eastern seaboard, including Delaware, which experienced hurricane-force winds, heavy rains, flooding and power outages. But state Chief Security Officer Elayne Starkey reported midday Oct. 30 that all government information systems were up and operational.
"We're still dealing with power outages, including power being restored only to go down again," Starkey said, adding that the state's IT emergency plan worked as expected. "There were no major surprises. There are always some lessons learned and we use them to fine-tune the plan. Over the next weeks, we will use this experience to highlight the importance of COOP (continuity of operations plans) and DR (disaster recovery) planning. There is no better time to get the attention of senior leadership and decision makers."
On Oct. 29, surging water flooded lower Manhattan, not far from the financial marketplaces, which remained closed on Oct. 30 for the second straight day. The NASDAQ Stock Market and New York Stock Exchange both expected to re-open Oct. 31.
Not far away from Wall Street, a failed backup generator forced New York University Langone Medical Center to evacuate 260 patients, including 20 babies from the neonatal intensive care unit. More than 100 hospitals - mostly in New Jersey and New York - had problems with backup generators, in some cases resulting in evacuations, said Deborah Kobza, chief executive of the National Health Information Sharing and Analysis Center, which was collaborating with others to help affected hospitals.
Memorial Sloan-Kettering Cancer Center in Manhattan accepted 19 cancer patients from NYU Langone. The cancer center had continuous power throughout the storm and adequate staff, a spokeswoman said.
Other hospitals in the region also were lending a helping hand to their neighbors. For example, Christ Hospital in Jersey City, N.J., which was operating on emergency power Oct. 30, nevertheless accepted 46 transfer patients from its sister hospital, Hoboken University Medical Center.
Banks Closed
Thousands of bank branches remained shuttered for a second day Oct. 30. But some offices were scheduled to reopen midday in areas spared the worst of Sandy, including branches of Capital One Financial in parts of Virginia, Maryland and Washington, D.C., spokeswoman Amanda Landers said.
Landers said Capital One was closely monitoring ATMs for electricity and connectivity outages, as well as cash replenishment concerns.
Matthew Speare, who oversees security for Buffalo, N.Y.-based M&T Bancorp., said cash replenishment could be an issue for most ATMs because of closed roadways.
Wells Fargo monitored road conditions to keep an eye on ATM availability. Accessibility challenges for armored carriers, where cash replenishment is concerned, are the biggest worry for now, said spokeswoman Sara Hawkins.
Several banks, including Capital One and JPMorgan Chase, said they were waiving ATM fees in storm-ravaged areas to ensure affected customers have account access until those branches reopen. "We are monitoring our ATM network, both for technology and to keep them stocked with cash," JPMorgan Chase spokesman Thomas Kelly said.
A Helping Hand
Federal regulators and industry groups have activated programs to help members maintain secure operations of all systems.
Late in the day on Oct. 30, the Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency and Board of Governors of the Federal Reserve System combined to issue guidance to banking institutions impacted by the storm. The guidance addresses the need for temporary banking facilities and, regarding loans, urges institutions to work "constructively" with borrowers in affected communities. "The agencies encourage institutions in the affected areas to meet the financial services needs of their communities."
Also on Oct. 30, the National Credit Union Administration activated its disaster relief policy and hurricane hotline to answer financial questions related to emergency-issued advisories. The NCUA also launched a hurricane resources guide, accessible from its homepage, for updates about Sandy and hurricane recovery advice.
To help healthcare organizations, the National Health Information Sharing and Analysis Center activated the National Healthcare and Public Health Cyber Response System. Healthcare providers that have been affected by the hurricane can use the system to tap resources that can help them in their business and disaster recovery efforts.
Moving forward, IT security staff will need extra vigilance, including being on the watch for cyberattacks and fraudulent e-mails about recovery help. "Someone out there might think this is a great opportunity for a DDoS attack" on vulnerable organizations going back online, said NH-ISAC's Kobza.
The Financial Services-Information Sharing Analysis Center reminds member financial institutions to be on the lookout for phishing and other socially engineered schemes aimed at compromising bank employees and customers. "That is always a worry during any disaster," FS-ISAC President Bill Nelson says.
Learning Lessons
In the wake of the storm, organizations are encouraged to learn from their experiences keeping their systems and businesses functioning, just as many organizations did following last year's Tropical Storm Irene [see Irene Prepares State to Confront Sandy].
"The lesson we learned from Irene is preparation does help," Disaster Recovery Institute's Berman says. "We're trying to lessen what the effects are going to be. We're worried about water; we're worried about the aftermath ... and we're worried about what the long-term effects are going to be and what the infrastructure effects are going to be."
(Marianne Kolbasuk McGee, Tracy Kitten and Tom Field contributed to this story.)