Why we continue to fail: lessons learned from the Atlanta Airport fiasco

Opinion
02 Jan 2018, 5 mins
Business Continuity, Cyberattacks, Data Center

Five basic failures happened that make the Atlanta airport a softer target for future attack.


The recent Atlanta airport FIASCO paints a clear picture of how to screw up EVERYTHING! As an information security professional (with more than 15 years’ experience on the battlefield, literally), I was dumbfounded by the lack of adherence to the most basic best business practices related to business continuity and disaster recovery operations.


1. Lack of a coherent, acceptable, and tested business continuity/disaster recovery plan

It would appear that airport and city officials only planned for a best-case scenario. They co-located, or routed through the same channel, the connections to both primary and alternate power sources. While air traffic control was able to issue a ground stop and divert flights, those already on the ground were stuck for hours on the tarmac or at the gate. It took at least five hours before passengers stranded on the tarmac deplaned.

The fact that Air Traffic Control maintained power suggests a lack of coordination between city agencies, federal agencies, Georgia Power, and Delta. If ATC can maintain power, common sense suggests it was possible to have a third emergency power source. Furthermore, the amount of time it took for airport and airline employees to react and provide support to passengers inside the airport provides even greater proof that officials failed to plan.

Solution: When devising any business continuity/disaster recovery strategy remember the acronym P.A.C.E. – Primary, Alternate, Contingency, Emergency.

2. Train as you fight

As a young Soldier, this was drilled into me from day 1. While we expect a certain amount of chaos during an incident, our staff should be executing plans that have been devised, tested, revised, and retested. Every employee working in that airport should have had a predefined role to execute during the incident. Instead, the widespread perception is that employees were hard to find. This suggests that they were looking for management so they could be told what to do.

Solution: BCP/DRP plans must be developed, tested in real time, revised, and executed in real time again.

3. Communication

Preparing the world’s largest airport for a potential disaster requires clear, coordinated, real-time, out-of-band communication across several agencies. Earlier I suggested a P.A.C.E. plan when developing your BCP/DRP. This also applies to communications. Once the power goes out you cannot send emails, charge batteries for walkie-talkies, charge batteries for cell phones, or use VOIP phones for communications. Consequently, we have to revert to face-to-face and good old copper-wire telephone communications. It appears that ATL officials also failed in this respect.

Solution: Establish an emergency coordination and command cell that stands up immediately in a declared emergency. Automatically route all calls to this control center so it can exercise command and control over the emergency. It should be staffed with representatives from all agencies and businesses vital to airport operations.

4. Delayed reaction time

According to media reports, it took anywhere from 5-11 hours before passengers stranded on the tarmac were deplaned. Why? Obviously, officials were trying to figure out how to communicate, how to deliver resources and where to get them, and probably figuring out who was in charge. These factors are a dream for any potential terrorist. While everyone is figuring out what to do and how to respond, they will execute their attack. They will also have time to further delay first responders by executing additional attacks.

Solution: All employees must have clearly defined roles, responsibilities, and actions they take when an emergency is declared.

5. Infrastructure upgrade

Points 1 through 4 naturally lead to investing in an upgraded infrastructure. Atlanta is one of our nation’s premier cities, the largest metropolitan area in the deep south, and home to the world’s busiest airport. Yet last Sunday it was a scene we would expect to see in a third world country led by a dictator who maintains control by terrorizing people with random power outages. Investing in a solution that seamlessly and naturally implements all the above is needed. If city and state officials can raise money to upgrade infrastructure for the Summer Olympics, then surely city, state, federal, and a multi-billion-dollar corporation can invest in much needed infrastructure upgrades.

Solution: Acquire and implement updated infrastructure that supports your BCP/DRP requirements.

Conclusion

Last Sunday’s blackout at the Atlanta airport was leadership amateur hour at the city, state, federal, and corporate level (Delta Airlines). It was an across-the-board failure that represents a significant and present danger not only to the security of the airport but to our national security as well. It is time for us to demand accountability from our elected leaders regarding such debacles. We should also demand accountability from businesses such as Delta by choosing to spend our money elsewhere until they get it together.

Contributor

TJ Trent is an expert in organizational compliance and governance for organizations in the cyber universe. His focus is on people, processes, and systems, which provides the foundation for understanding the true place of technology in the cyber world.

TJ works fiercely and passionately to prevent, detect, and eradicate cyber threats. During his 13-year career he has witnessed the information technology field burgeon into a powerhouse industry intertwined with the fabric of our lives. As the lines have blurred between technology and our lives, cyber security and cyber awareness are at the forefront of media attention. The last two years we have been inundated with breach after breach, from healthcare and banking violations to our most sensitive and private photographs. It seems like nothing is safe anymore.

A super high achiever dedicated to learning and continually improving, TJ has been able to rise to the elite levels of success in his career. With over nine years of leadership experience, TJ has helped many organizations and individuals reach milestones within their careers. As a result, he is also uniquely suited to help you turbo charge your career within the information technology field.

TJ's credentials include a Bachelor of Science in Information Systems Security, Certified Information Systems Security Professional, GIAC Security Essentials (SANS 401), GIAC Certified Enterprise Defender (SANS 501), GIAC Certified Incident Handler (SANS 504), GIAC Certified Intrusion Analyst (SANS 503), GIAC Certified Forensic Examiner (SANS 408), GIAC Certified Critical Controls (SANS 566), and GIAC Certified Network Systems Auditor (AUD 507). TJ will complete his Master of Business Administration in Technology Management in February 2016.

The opinions expressed in this blog are those of TJ Trent and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.