The Lessons of Fukushima Daiichi for Cybersecurity

By Michael Lines on December 2, 2016


"We were not able to prevent the accident from happening because we stopped thinking," said Yuichi Okamura, a Tepco company spokesman.

"We were not able to think beyond a certain point, such as that a tsunami might be higher and what would happen to the plant if that scenario did occur. We didn't think what would happen if the safety equipment did not function as it was meant to."

The Telegraph article on the Fukushima disaster, March 2016


The Fukushima Daiichi nuclear disaster occurred five years ago, following the tsunami triggered by the Tōhoku earthquake on 11 March 2011. The damage caused by the tsunami produced equipment failures at the nuclear power plant that led to a loss of coolant and the subsequent meltdown of three reactors. It is the largest nuclear disaster since Chernobyl in 1986 and only the second (after Chernobyl) to be given the Level 7 classification, the highest, on the International Nuclear Event Scale. Radiation leakage is still ongoing, as are cleanup efforts, which are estimated to eventually cost tens of billions of dollars and to last 30 to 40 years, or longer, since the technology to address some of the cleanup problems does not yet exist.

Many valuable lessons from the Fukushima Daiichi disaster can be applied to the cybersecurity of your organization. When your defenses are breached, will you be prepared? Are you dependent on every line of defense working perfectly, or do you have a true layered defense in which each layer provides a backstop to the others in case of a partial breach?

Most importantly, have you conducted a true risk analysis of the threats to your business and data, one that includes a realistic and self-aware appraisal of your vulnerabilities and of the true state of any controls you have in place? Putting your faith in countermeasures that are not fully deployed, properly configured, or adequately managed is a failing I have seen time and again, and one that is surprisingly hard to counter because of the normalcy bias I have written about previously.

To truly be prepared for the worst, you need to step outside conventional risk thinking to a more layered approach to risk and countermeasures. In conventional thinking, if defense "A" fails, we may have a moderate breach with impact "X". If defenses "A" and "B" both fail, we may have a more severe breach with impact "Y". And finally, if "A", "B", and "C" all fail, we have a company-threatening impact "Z". However, since the probability of "A", "B", and "C" failing together is calculated to be so remote, there is little need to worry about such an event or to prepare for it. As the raft of continuing breach reports shows, there is a flaw in this thinking.

To begin, the assumptions above presume that all the defenses are fully deployed, properly configured, properly managed, and maintained. Needless to say, this is a highly optimistic assumption in most companies. Second, there is an assumption that if "A" fails, "B" will catch it. This is true only if the environment is built as a true layered architecture in which "B" sits in series behind "A" and backstops it. If instead the defenses sit side by side rather than in series, so that an attacker who gets past "A" never has to face "B", then "B" does you little good in mitigating the breach. Worse, the same event that defeats "A" may defeat "B" as well: Fukushima's backup generators were sited where the very event that made them necessary, a tsunami, would flood them. Finally, there is an unstated assumption that defenses "A" through "C" are all that is needed to counter the threats facing the enterprise. In today's environment, with its rapid evolution of threats, technologies, and vulnerabilities, new attack vectors are being created and exploited daily for which no defenses currently exist. How do you prepare for that?
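As an added example, not from the original post, the following small model puts numbers on the two flaws just described. The per-layer failure probabilities, deployment coverage figures, and the common-cause probability are all constructed for illustration; the point is the shape of the result, not the specific values. "Common cause" here means a single event (the flood that takes out both mains power and the basement generators) that defeats every layer at once, so the layers are not independent.

```python
"""Added example (not from the original post): why "A, B and C all fail" is
not as remote as multiplying independent probabilities suggests.

All probabilities and coverage figures below are constructed for illustration.
"""


def independent_joint_failure(p_layers):
    """P(every layer fails) under the conventional assumption that layer
    failures are independent: simply the product of the per-layer figures."""
    joint = 1.0
    for p in p_layers:
        joint *= p
    return joint


def effective_failure_prob(p_nominal, coverage):
    """Flaw 1: a control that is only partly deployed / configured / managed.

    On the covered fraction of the estate it fails with its nominal
    probability; on the uncovered fraction it is simply absent (fails always).
    """
    return coverage * p_nominal + (1.0 - coverage)


def common_cause_joint_failure(p_layers, p_common):
    """Flaw 2: layers that share a single point of failure.

    With probability p_common one event (the flood) defeats all layers at
    once; otherwise the layers fail independently as before.
    """
    return p_common + (1.0 - p_common) * independent_joint_failure(p_layers)


def compare(p_layers, coverages, p_common):
    """Return (assumed, realistic) probabilities that all layers fail.

    assumed   : the risk-register figure (independent, fully deployed)
    realistic : same layers with partial coverage and a common cause
    """
    assumed = independent_joint_failure(p_layers)
    degraded = [effective_failure_prob(p, c) for p, c in zip(p_layers, coverages)]
    realistic = common_cause_joint_failure(degraded, p_common)
    return assumed, realistic


if __name__ == "__main__":
    # Constructed inputs: three layers each "10% likely" to miss an attack,
    # deployed on 80%, 90% and 70% of the estate, and a 5% chance per period
    # of one event that bypasses all three together.
    assumed, realistic = compare([0.1, 0.1, 0.1], [0.8, 0.9, 0.7], 0.05)
    print(f"assumed   P(all fail) = {assumed:.4f}")
    print(f"realistic P(all fail) = {realistic:.4f}  ({realistic / assumed:.0f}x)")
```

With the constructed inputs the risk-register figure is 0.001, while the partially deployed, common-cause version comes out near 0.069, roughly seventy times higher. The common-cause term dominates: no matter how good the individual layers are, the joint failure probability can never drop below p_common, which is exactly the situation of generators sited in a flood zone.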

You do so by assuming the worst. Assume that you have been breached or will be soon. Focus on detective controls and not just preventative ones, and test them constantly to ensure that they work. Understand what "normal" looks like in your environment and ensure you have the ability to detect deviations from "normal".
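The following is an added example, not part of the original post, of what "know what normal looks like, detect deviations, and test the detector" can look like in practice: a baseline of failed SSH logins per hour is learned from a week of quiet activity, an alert threshold is derived from it, a test day is scored against that threshold, and a self-test injects a known burst to prove the detective control actually fires. All log lines are constructed synthetically inside the script (the hostname, timestamps and 203.0.113.x addresses are placeholders), so it runs offline.

```python
"""Added example (not from the original post): baseline-and-deviation detection
over constructed sshd log lines, plus a self-test of the detective control."""
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Matches the constructed line format used by make_log() below.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"
)


def make_log(start, days, per_hour):
    """Construct synthetic sshd failure lines; per_hour(day, hour) -> count."""
    lines = []
    for d in range(days):
        for h in range(24):
            for i in range(per_hour(d, h)):
                ts = start + timedelta(days=d, hours=h, minutes=i % 60)
                lines.append(
                    f"{ts:%Y-%m-%dT%H:%M:%SZ} bastion sshd[{1000 + i}]: "
                    f"Failed password for admin from 203.0.113.{i % 50 + 1}"
                )
    return lines


def hourly_counts(lines, start, hours):
    """Failed logins per hour bucket, with explicit zeros for quiet hours
    (a baseline that forgets quiet hours overstates 'normal')."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            counts[int((ts - start).total_seconds() // 3600)] += 1
    return [counts.get(i, 0) for i in range(hours)]


def baseline_threshold(counts, k=3.0, floor=5):
    """'Normal' as mean + k standard deviations, with a floor so that a
    very quiet baseline does not alert on a handful of typos."""
    mean = statistics.fmean(counts)
    sd = statistics.pstdev(counts)
    return max(floor, mean + k * sd)


def anomalous_hours(counts, threshold):
    """Hour indexes whose count exceeds the learned threshold."""
    return [i for i, c in enumerate(counts) if c > threshold]


# Constructed data: a quiet week (0..2 failures per hour) and a test day with
# a 40-attempt burst in hour 03.
BASE_START = datetime(2016, 11, 21)
BASELINE = make_log(BASE_START, 7, lambda d, h: (d + h) % 3)
TEST_START = datetime(2016, 11, 28)
TEST_DAY = make_log(TEST_START, 1, lambda d, h: 40 if h == 3 else h % 3)


def detect(baseline_lines, test_lines):
    """Learn 'normal' from the baseline, return anomalous hours of the test day."""
    thr = baseline_threshold(hourly_counts(baseline_lines, BASE_START, 7 * 24))
    return anomalous_hours(hourly_counts(test_lines, TEST_START, 24), thr)


def self_test():
    """The post's 'test them constantly': inject a known-bad burst and confirm
    the detector flags exactly that hour. Run this on a schedule, not once."""
    return detect(BASELINE, TEST_DAY) == [3]


if __name__ == "__main__":
    print("anomalous hours:", detect(BASELINE, TEST_DAY))
    print("detective control self-test passed:", self_test())
```

The threshold is deliberately simple (mean plus three standard deviations with a floor); what matters for the argument is the structure: a baseline built from the environment's own history, a deviation check, and a recurring self-test with injected events so that a detector that has silently stopped working is noticed before an attacker benefits from it.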

If the worst happened tomorrow, what would you do, and how quickly would you know it had happened? These are the questions you need to be asking when reviewing your company's information security program and risk assessment.


This piece was originally posted on LinkedIn Pulse and is reposted here with the permission of Michael Lines.


Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here
