CASCADING SYSTEM FAILURE
Global infrastructure networks are the Achilles heal of the great powers. They form the basis of our wealth and our daily function yet remain extremely vulnerable. It's then little wonder that next generation terrorists, in the form of global guerrillas, will focus their efforts on the destruction of this global infrastructure. In previous posts we explored the vulnerability of scale free networks. This analysis showed that the removal of a few highly connected nodes can cause a network to fail (by dividing the network into isolated islands of connectivity). However, the analysis of dynamic networks indicates that there may be an even easier way to collapse infrastructure networks: cascading failure.
Dynamic Networks and Cascading Failures
Static maps of a network's connectivity (like a scale free network topology) don't provide a true picture of an infrastructure network's operation. Infrastructures are dynamic. There are flows of information, power, and substances constantly coursing through them. This dynamism creates a new set of vulnerabilities that can be exploited by global guerrillas. Here's how cascading network failures occur in dynamic networks when they lose high-load nodes (the loss of even a single high-load node can result in system-wide cascading failure):
- Load redistribution. In most infrastructure networks, the loads carried by each node on the network are dynamically redistributed. If a network node is lost, due to accident or attack, the load that node carries is rapidly distributed to the other nodes on the network.
- Hi-load nodes and failure. If a high-load node is removed from the network, the loads it carries are redistributed to other nodes on the network. This increased flow causes less capable nodes to exceed their capacity. To protect these nodes from damage, many networks will automatically force the overloaded node to fail-over (shut down). In other networks, the increased congestion will cause the overloaded node to become inefficient (bog down). Regardless, the result is a series of shut-downs or slow-downs that "cascade" through the network as the excess load is pushed to the next available node. The end result is total network failure.
- Heterogeneous networks. Cascading failures only occur in heterogeneous networks where there are a few nodes that have the capacity for high-loads and many with the capacity only for low-loads. Homogeneous networks, where all the nodes handle an equal load do not suffer cascading failure. Unfortunately, all infrastructure networks are heterogeneous by design.
NOTE: Cascading failures do not cleanly apply to terrorist "social" networks. In social networks, the network nodes are people and the flow is information/knowledge/etc. When a high-load node is removed, the remaining nodes will not fail due to an increase in load. People can adapt dynamically. For example: they can prioritize the new loads they inherit which mitigates the impact of a high-load node loss to the network.
Global Guerrilla Attack Planning
The vulnerability of dynamic networks to attacks on hi-load nodes is straight forward. However, planning attacks on these dynamic networks isn't. Here's how global guerrillas will plan attacks to create cascading failures within dynamic networks:
- High-load node identification. There is a high level of correlation between the number of connections a node has and the amount of load it carries. Additionally, many infrastructure networks (oil, gas, electricity, etc.)concentrate production of the flow that travels through the network. In these networks, high-load nodes can be identified as those nodes that are immediately downstream from production facilities. In other networks high-load nodes are the most central (communication networks).
- Connections instead of nodes. A non obvious approach to node failure is to attack the connections radiating from high-load nodes. The result of an attack on the connections between nodes will be the redistribution of the load carried by the damaged connection to the remaining connections. This will result in the failure of a high-load node when the remaining connections fail due to overloading (see diagram).
- Network suppliers. Some networks are vulnerable to undersupply (gas, electricity, and water). In these networks, an attack on a supply facility or connections from a supply facility will produce network failure as undersupplied nodes pull resources from the rest of the network (see diagram).
Source: Motter, Lai "Cascade-based attacks on Complex Networks" (PDF)
Microsoft had an advertising campaign touting their software for creating "one-degree of separation" between suppliers and consumers. Is "one-degree of separation" really a good thing? Building out just-in-time supply systems with everything closely connected at the software level invites just the type of cascading system failure that you describe. There are no buffers, no slack, no margin for error in these modern logistics systems.
Posted by: dutch | Wednesday, 26 May 2004 at 12:28 PM
Exactly. I am going to do a post on the disruption of Just In Time (JIT) systems.
Posted by: John Robb | Wednesday, 26 May 2004 at 01:35 PM
Not all disruption to Critical National Infrastructures is equal.
http://www.niscc.gov.uk/cni/index.htm
Would there really be gnashing of teeth if the Tax Collection system (usually rated as Critical by Governments) were to be disrupted for a few hours or days ?
The whole question of the frequency of cascade failures and the available recovery and repair capacity needs to be thought about when considering such scenarios.
A telco or ISP might recover from an accidental or deliberate software induced cascade failure e.g. a routing storm, in a few minutes or hours.
The quick recovery of the Wall Street market operations after the collapse of the World Trade Center buildings destroyed a major telephone exchange and many telecommunciations cables, is another example.
The effects of Eastern Seaboard poweline cascade failures in the USA and Canada
https://reports.energy.gov/
(N.B. this is an SSL/TLS encrypted https:// webpage, presumably to aid in tracking the IP addresses of those who download the report. Interesting that both Typepad and Moveable Type stumble over https:// URLs)
and the ones in Italy and part of London, in 2003 were all very temporary.
In London the power cut only lasted half an hour or so, but since part of the Underground Railway network was affected, and passengers were possibly wandering about through the tunnels, bringing the restored electricity supply back to the Tube safely took several hours.
However, compare this with the failure in 1998 of the 110KV high voltage pressurised oil and gas filled cables which connected the city of Auckland in New Zealand to their electricity grid, which took over 6 months to replace,
http://www.med.govt.nz/inquiry/final_report/
or the foiled attempt in 1997 by Irish terrorists to target 6 electricity sub-station transformers serving London, each with a manufacturing lead time of 6 to 9 months.
Do electricty supply grids actually count as "Global infrastructure networks" ? There are a few which load share with neighbouring countries.
e.g. USA/Canada, Italy/Switzerland, UK/France, but this is not "Global"
The natural gas pipelines from Siberia cross several soveriegn states, and also increasingly supply electricity generating power stations, but this is not really "Global" either.
Despite obvious choke points, like the Panama Canal, the Suez Canal, the Straits of Hormuz, the Malacca Strait, the English Channel etc. which could be closed by mines or CNRB warfare contamination, closing such "high-load nodes" would not bring the Global Infrastructure of sea transport to a halt. Although transport costs would increase due to longer routes or higher insurance premiums, global sea (or , for that matter air) transport could never be disrupted for an extended period, unless full scale nation state military forces are involved,
rather than "Global Guerrillas"
So does that leave the global telecomms network as the only "global infrastructure" ? Isn't this more at risk from mismangement and corruption by the likes of Worldcon and other bankrupt carriers, than from "Global Guerillas" ?
Posted by: Watching Them, Watching Us | Wednesday, 26 May 2004 at 06:29 PM
Global infrastructure is interconnected through tightly coupled systems. You need to examine their interrelationships (as we will in this weblog soon) within the context of cascading failure and scale free vulnerabilities to uncover the "choke" points.
Posted by: John Robb | Wednesday, 26 May 2004 at 10:47 PM
mismanagement and corruption at Worldcom has never affected network performance...however, mismanagement and corruption in the U.S. government, now there's a legitimate concern.
Posted by: Bruce | Tuesday, 01 June 2004 at 09:12 AM
I think that in addition to the possibility directly causing system wide problems from doing something like launching dozens of mortars into each and every one of the oil refineries around Houston on the same night, you can trigger system wide problems from an over reaction. For example you could send a US embassy and several news organizations a box. Inside the box is a note and another smaller box. Inside the small box is a vial marked biohazard. The note reads : " You killed my mother and my sister, I will kill you. I have made several GPS activated bio-bombs and I will be sending them to you via package delivery services and on container ships this year." You might even be able to bluff the system into an " allergic reaction" if what was in the vial was credible enough.
* note* I just came upon this site today, all I can say is WOW. Although, I am still a little concerned about discussing this site's topics in an open forum. I hope the advantages of being open outweigh the costs of being open. I think that my understanding of terrorism has been increased / transformed.
Posted by: jim moore | Thursday, 13 January 2005 at 12:04 AM
This was a very informative description of how supply networks can be vulnerable to terrorist attacks. I really appreciated it because it seems that the world we live in today looks at complexity as being the best way to emplain problems. This provided myself and other readers with a very simplistic diagram of the issue. Thank you
Posted by: Kevin W. | Monday, 17 January 2005 at 10:29 PM
Manual trackback:
http://www.xanga.com/item.aspx?user=edg176&tab=weblogs&uid=324008525
Posted by: tim fong | Wednesday, 10 August 2005 at 08:21 PM
Excellent article and comments.
http://www.1-satellite-tv-facts.com
Posted by: docsharp01 | Wednesday, 26 March 2008 at 10:44 PM