Dedicated to the discussion of Infrastructure vulnerabilities to improve defense
Ed Purvis of Ed Purvis Consultants is our guest editor for this issue of the CIWARS Intelligence Report. The Y2K problem is ultimately an infrastructure problem, and we have dedicated this entire issue to Y2K reports. We have placed these articles in an unrestricted URL and you may circulate this issue without restrictions.
CIWARS Guest Editorial
The Y2K Problem, Who, What, When, Where, Why, How.
Edward E. Purvis III, Ed Purvis, Consultants
This is an overview of the Y2K problem. There is not one Y2K problem. There are many. Many of these constitute serious threats to infrastructures and create major risks from external events and opportunistic activities. Some see Y2K as a major problem; some claim it is only a minor problem. Others see it as an opportunity to make money and maybe to cause problems. Most respond to it to protect enlightened self-interest. Even the best of preparations, if successful, will only deal with specific concerns that appear to be applicable to the specific organization.
You can be certain of an increasing number of news reports on Y2K problems, reports of increased attention to Y2K, and reports of computer problems, some identified as Y2K and some as not Y2K. There will be reports of actions by state and local governments in the US and Y2K: even if the Federal government fixes problems, interfaces with state and local governments can cause the problems to persist. There will be stories of some countries starting to address the problem and of the impacts of the late starts. There will be increasing stories on how to prepare.
This issue gives references and information concerning Y2K being a major problem, as well as information from those who consider it to be minor. The number of people and organizations who consider Y2K to be a major problem is rapidly increasing, as evidenced by the increasing amounts of money being spent to mitigate the impact.
The major problem is that even if organizations deal with their internal problems, they will be hit by interface problems.
Focus--UN Meeting Report
U.N. Meeting Is Warned About Perils Of Y2K Bug
Coordination Sought 'To Contain' Damage
By John M. Goshko
Washington Post Staff Writer
Saturday, December 12, 1998; Page A06
UNITED NATIONS, Dec. 11—Delegates from more than 120 countries met here today to discuss the "Year 2000 Bug" and were warned repeatedly that not all of the anticipated computer problems will be fixed in time to prevent substantial economic and humanitarian damage in many parts of the world.
"It will not be possible for us to stop the clock at midnight on Dec. 31, 1999," said Ahmad Kamal, Pakistan's ambassador to the United Nations and chairman of the U.N. committee coordinating work on the problem.
"We all know we are in a race against time and must do all we can to contain the damage."
The problem, known as Y2K or "the millennium bug," stems from the use in many computers of a two-digit dating system that assumes the first two digits of the year are "19." On Jan. 1, 2000, these computers could read "00" as 1900 instead of 2000 and shut down or malfunction.
The conference here was the first attempt to take a global look at the problem. It was organized after Rep. Stephen Horn (R-Calif.), who chairs a House committee on Y2K, wrote to Secretary General Kofi Annan. The secretary general designated Kamal to be the point man for the undertaking in collaboration with John A. Koskinen, chairman of the U.S. presidential council on Y2K.
Focus--A GLOBAL VIEW (PARTIAL) OF THE YEAR 2000 CRISIS
Dr. Howard A. Rubin, Chair, Department of Computer Science, Hunter College of the City University of NY; CEO, Rubin Systems Inc.; and Research Fellow, Meta Group
It is virtually impossible to create an accurate worldwide picture of the state of nations, businesses, and society in general with regard to the Year 2000 computer problem. Although facts and figures related to worldwide readiness are widely published in reports and quoted in the media, many of them are contradictory and unauthenticated.
However, from a global "qualitative" vantage point, it is apparent that no government, commercial institution, or society stands alone and is immune to the potential Year 2000 effects on the disruption of information flows and business transactions as they move around the world. The source of such disruptions may be a result of Year 2000-related problems in specific sectors (e.g. finance, military, transportation) or the disruptions may be caused by failures in the infrastructure systems that supply power, water, communications, or any of the core social or business services.
Furthermore, the Year 2000 computer problem has both direct and indirect economic consequences for society and business. The direct consequences have to do with the ability of organizations and society to function effectively as the millennium approaches and is eventually upon us, subject to the disruption sources previously mentioned. The indirect consequences are what might be considered “second order” effects — these have to do with the impact on government, business, and society of the diversion of resources to work on the Year 2000 problem itself, in this era in which technology, business, and society are all tightly intertwined.
Therefore, whether or not any institution, commercial or otherwise, believes Year 2000-related computer problems will impact it internally, it is imperative that, in the context of its own safety and that of the global community, it assess its Year 2000-related risks and act to abate any identified.
Focus--FOURTH QUARTER 1998 YEAR 2000 SURVEY
Dr. Howard A. Rubin, Cap Gemini and Chair, Department of Computer Science, Hunter College of the City University of NY; CEO, Rubin Systems Inc.
The latest Year 2000 survey results have been compiled. The demographics of the survey cover:
A profile of responses of 110 Fortune 500 organizations on Year 2000 issues
A profile of responses of 12 Government agencies on Year 2000 issues
I also included a mechanism to get more anecdotal information this time. The key findings and headlines are as follows:
Key 4Q1998 Headlines
• Most companies have underestimated the need for and resources required to support contingency planning.
• Business engagement is still a difficult area -- the level of concern for Year 2000 being a business priority is not readily evident.
• IT organizations are now aware of the need for renovation validation -- a step most have not planned for.
• The amount of work being pushed into 1999 as the result of mounting schedule slippage and contingency planning is on the rise.
• There is increased awareness of issues relating to defect introduction during the remediation process, the need to validate that the mission critical systems identified as part of the triage process are actually the "right ones", and the need for business level monitoring.
Focus--THE YEAR 2000 PROBLEM: IMPACTS AND ACTIONS
OECD, PUMA Policy Brief No. 6, Public Management Service, October 1998
This OECD Report responds to an urgent request by Ministers at their April 1998 meeting. The report, "The Year 2000 Problem: Impacts and Actions" was developed jointly by the Directorate for Science, Technology and Industry and the Public Management Service in co-operation with Member countries, to consolidate information on the potential global economic and sectoral impacts of the problem, and on the role and actions of governments to address it. Its key findings are:
While awareness is increasing, the amount of remediation still required is daunting. The problem continues to be underestimated, and full-scale actions to address it are only recently beginning in many countries. Preparedness among the health care industry, small businesses and some parts of government appears to be particularly worrisome.
Significant negative economic impacts are likely in the short term, though there is much uncertainty regarding the extent of disruptions that the Year 2000 problem will cause.
Governments face a major public management challenge, requiring acceleration of their own preparations and a stronger leadership role to increase awareness and understanding of the problem, and to promote action to address it economy-wide.
Stronger international co-operation is essential, particularly in relation to cross-border testing, given global economic interdependence and the particular interconnections in such areas as energy, telecommunications, transport and international financial transactions.
Focus--Y2K and Telecommunications
The following extract from a report by the Texas Public Utility Commission provides a good overview of how things stand with telecommunications. Telecommunications are truly global. All events are external to some interfaces. Reliance on satellite communication and computer-technology-dependent fiber optic systems, and couplings with older copper systems, create fertile ground for many opportunities. Since much of the essential information is proprietary or “business confidential”, a clear picture cannot be provided.
“Telecommunication Entities’ Responses to Y2K Survey
Y2K surveys were sent to a total of 373 telecommunications entities. These telecommunication entities include incumbent local exchange carriers (ILECs), competitive local exchange carriers (CLECs), and inter exchange carriers (IXCs). Of this varied group of survey recipients, 62 responded to the survey by returning a completed questionnaire. Eleven others responded to the survey, although those responses came generally in the form of a detailed narrative regarding Y2K plans. A total of 73, or 20%, of the telecommunication entities surveyed responded.
Incumbent Local Exchange Carriers (ILECs)
Incumbent Local Exchange Carriers (ILECs) are the core group of participants of the telecommunication industry in Texas. While ILECs focus on providing local phone service in Texas, their importance with regard to Y2K lies in the fact that many other services, such as long distance, would be unavailable to the vast majority of Texas if ILECs' systems were to fail. Thus, any action on the part of ILECs in tackling Y2K-related problems may very well have the most influential effect on the well-being of the telephone network as the turn of the century nears.
Texans are served by a wide variety of ILECs, which total 59 statewide. This number of ILECs can be further divided into two categories: investor owned utilities (IOUs) or co-ops. Although co-ops outnumber IOUs, as far as the number of entities is concerned, IOUs serve the vast majority of telecommunications access lines in Texas. In fact, as shown below, the six largest phone companies in Texas, all of which are IOUs, serve approximately 99% of all access lines in the state. Two in particular, Southwestern Bell and GTE, serve over 90% of access lines in Texas.
Focus--Countries with Potential Y2K Initiated Grid Stability Problems
No country can be said to not have potential grid stability problems. However, many countries have meaningful programs to address these problems. For the purpose of this study, it is assumed that countries which have established significant efforts to mitigate the Y2K problem's impact on grid stability will be successful. This study is restricted to those countries with operating nuclear power plants. Newly independent states of the former Soviet Union and nations in eastern Europe are not included because they have been addressed separately in an earlier paper (Horak, Purvis, September, 1998). The figure below shows the nations considered and the number of reactors in operation at the end of 1997. There were 425 nuclear power plants in operation in thirty-one nations.
The identified countries where significant concerns exist are:
India’s grid has numerous problems and continues to need to be upgraded and modernized to handle routine demands. Problems with transfers between States and “load losses” exacerbate difficulties with transmission and dispatch. Pakistan may also have major problems. It has an electrical system with technical problems, coupled with internal economic problems.
China’s problems are complicated due to China’s large size, the age of some parts of the electric power system, the large demand, and the number of interconnections with adjacent nations. It is not apparent if China could be best addressed as a region that includes some adjacent countries, or as several regions. In any event, there will be numerous interconnections that require consideration.
South Africa should be able to mitigate problems with timely action; however, due to interconnections with systems not under South African control, maintaining grid stability may require it to trip from all interconnections, including some that are internal. While this may alleviate the problems in South Africa, it will increase problems in adjacent nations. This appears to be most appropriately considered as a regional problem. The problem is that, due to local geographical factors, the region may be most of Sub-Saharan Africa, and not just nations near South Africa.
Argentina and Brazil should be able to mitigate problems with timely action. No information was found, however, indicating that such action is under way. This should be considered as a regional problem. Due to Mexico’s proximity to, and interconnections with, NERC Regions, some actions are apparently being taken. Concerns with Mexico’s ability to cope with this problem could not be eliminated due to regional factors.
There was not sufficient information available to make a judgment concerning Spain, so further review is required. In addition, due to strong interfaces with Russia, Finland and Sweden may not be able to avoid grid stability problems.
Focus--Y2K Preparations for Nuclear Safety
The US NRC, Russia, and many experts have agreed that the Y2K problem will not cause an accident in Nuclear Power Plants. This finding appears to be sound since the safety related controls and systems do not rely on date sensitive equipment.
The problems are that Y2K can cause problems through external events and through items that are not considered to be safety related. If the operators allow the unit to shut down as designed, and if the shutdown heat removal system works, and if nobody does the wrong thing, then there should be no problem. The systems to shut down the reactor are safety related and reliable. The shutdown heat removal system requires an ample supply of diesel fuel to provide emergency power (since the grid may not be supplying electricity). The operations and maintenance people must be able to get to work for shift changes. Certain equipment that is not considered to be safety related, such as computer systems that display safety information (safety parameter display systems), could fail or provide operators erroneous information, causing mistakes.
The concerns are common sense. Most nations and utilities are taking actions. The actions differ, but address the same concerns. Testing is one element, both to find out what happens and for readiness training. Bulgaria has performed such tests intentionally. Sweden has found problems and may shut down all nuclear units when the year 2000 rollover happens. (See Reuters article below.) The Czech Republic has about 150 people working the problem.
The US NRC has just issued a DRAFT “Contingency Plan for the Year 2000 Issue in the Nuclear Industry”. The bottom line is that the NRC will check to make sure needed preparedness actions have been taken, or the NRC might cause the plant to be shut down. This plan can be found at http://www.nrc.gov/NRC/COMMISSION/COMS/com1998-036/y2kcplan.html. The UK has issued guidelines for preparations. This document, “Health and Safety and the Year 2000 Problem - Guidance on year 2000 issues as they affect safety-related control systems”, can be found at http://www.open.gov.uk/howto/acroread.htm.
The problem with these is that there seems to be an implicit assumption that the only date to be worried about is the Y2K rollover date, midnight December 31, 1999. The problems could happen earlier, with no preparations. Another major concern is that events impacting nuclear power plants will be external events and not under the control of the regulatory authorities or nuclear plant operators. US NRC Commissioner Kenneth Rogers addressed this concern most eloquently in a meeting of the NRC to examine concerns with the electric grid:
Well, I'm troubled by the whole way this thing is being discussed because it seems to me that our responsibilities and our licensees' responsibilities are between the two of us, and now we're talking about a grid that's out there, and it seems to me that what we have a responsibility for is to see that the licensee can function safely in the event that something happens on the grid but we can't control that grid.
And so we're talking about -- you know, we keep talking about grid stability considerations as if we can control the grid through some licensing action of our own, and to me that -- you know, that's never-never land. We don't do that. --- But that's not a requirement on the grid because the grid's out there and it's whatever it is. And so, you know, I think that the issue which we've been ducking here, I think, is that things are changing or could change out in that grid that are different from the way the historical record will show. That's what we're concerned about. And what are the implications of that with respect to our requirements on our licensees? --- We can talk until the cows come home about what the reliability councils have to do. We don't control the reliability councils.
Focus--Where is the Y2K money coming from?
From the December 1998 issue of Network Magazine, “Balancing Y2K Compliance with NT 5.0 Compliance”, by David Lafferty -- “Chances are, your department has implemented a freeze period, halting all new development efforts until Y2K testing is complete.”
“It all boils down to budgets and resources.” Louis Marcoccio, the Gartner Group, “Many companies, especially smaller ones, are suspending other IT initiatives to focus on Y2K. Ninety-three percent of companies rely primarily on their internal people to do Y2K work, but three to fourteen percent supplement their staff with outside people.”
Published by the Centre for Infrastructural Warfare Studies and the Journal of Infrastructure Warfare
760 Market Street Suite 1036
San Francisco, CA 94102
Managing Editor—Latin America
Rose De Sena