Vulnerability Management

Confocal instrastructural vulnerabilities and their effect on business


Recently I was walking down one of the canal streets in Utrecht, Netherlands.

Construction was everywhere; some derricks taller than the typical four-story Dutch canal house.

Two of the derricks, about 100 feet apart, were jointly holding a jumble of cables I guessed to have been over 3 feet in diameter. So I edged closer to get a better look.

In one sense I was merely intrigued. Several large power cables were labeled high voltage with the proper international warning signs. Amid the visual cacophony were a number of obvious 2,048 pair telephone cables.

Then, twisted throughout the multihelix strands were dozens of smaller black, white, gray and assorted colored and named shielded and insulated wires.

It was obvious that this bundle, which ran under the streets and through the canals of Utrecht, carried power and communications lines, including perhaps separate emergency and first responder circuits.

Then I got to thinking and looking deeper: Where was the backup jumble of cables? This was an immense hole in the street, and it became readily apparent that if there were backup power or data or phone lines, they were, too, intertwined in that single suspended morass.

It reminded me a bit of the Newark Airport fiasco in the 1990s. During construction, a jackhammer penetrated and severed the primary power feed conduit that also happened to carry the backup trunks. They were severed, too.

Defining the problem

We all know what a vulnerability is. No need to define. Infrastructure is power, water, communications, transportation and so on. Confocal means located at the same physical point.

A confocal infrastructural vulnerability is the physical concentration of many different critical infrastructures in a small area.

The national and global economic concerns are obvious. But the parallels are clear at the corporate level, too. So a confocal infrastructural vulnerability means that poor design can have dramatic cascade effects on other portions of your business.

In the Newark Airport example, why in the world would they lay the backup power service in the same conduit? It is definitely cheaper. But I doubt their risk model included the use of an aggressive jackhammer or misguided backhoe. The initial error should have, in a well designed system, shut down the primary power feed and triggered a remediation and boot of the backup system. Epic failure.

A brief history

With the hammering of a single golden spike during the summer of 1869 in the mountainous beauty of Utah, the first American transcontinental infrastructure was completed: the railroad.

Then in 1876, Western Union entered the transcontinental infrastructure business with the telegraph.

Where did they place all of those poles stringing thousands of miles of wire? Next to the railroad tracks of course.

It made good financial sense: The land was cleared, it was owned by people who wanted to make a few cents for each pole hole dug, and besides, the railroads themselves could really use the service.

Then along came AT&T with that infernal talking machine, and customers wanted to talk coast to coast, too. So the company rented a 2-by-4 on the existing poles and saved a ton of money and time in the process. Smart move. Or was it?

Fast forward to today.

Where does much of gas and power distribution exist? Right! Near the railroad tracks. Now, where do a lot of the new high speed fiber optic cables get placed so we can all talk faster with pin-dropping clarity? Get this: inside the gas pipes and next to the power lines and the rail lines.

Why? Because the power and communications companies are buddy-buddy, there is an existing right-of-way and – the best reason of all – it is cheaper!

The business risk

I hope by now you are wondering about your own organization's confocal infrastructural vulnerabilities. Many of them are the result of poor design, while some are from poor implementation, pure laziness, oversight, ignorance and then, of course, some in the quest to shave a few dollars off of doing a job right.

But, considering the alternatives, risk management staffs need to take a healthy look at the repercussions of confocal failures.

Here is a short – albeit incomplete - list of the sorts of things you need to look at within the enterprise environment.

  1. Are your voice and data network cables grouped or banded together in the ceilings, walls and conduits? If one cable gets cut, do they all tend to get cut, too?
  2. Are the power lines and communications lines run right next to each other? Again, the confocal risk is higher than if they were run separately.
  3. Is your data/voice network hub co-located at a main power distribution point? It might save space, it might be easier and cheaper…until something goes wrong.
  4. Many organizations run backup wires in case something goes wrong. Are they confocal…or not? I think I made that point.
  5. Same thing with backup servers and equipment. Be more risk aware where you put them. Do they sit in the same basement room, which, if flooded (fire, etc.) means everything goes down, and the whole point of the backup is moot? How physically far away is right for your risk tolerance?
  6. If you run an e-commerce site, do you have truly redundant data lines to your servers, so if one fails, you can quickly switch over? Or, do you run them in the same conduit so the rats eat through both? (Hey, it has happened!)

Take a real good look at the physical layout and distribution of power, communications (voice/data), power and e-communication services.

See where they overlap, such as in rooms, ceilings, exits, high traffic areas or unsecured locations. Then apply your company's usual risk analysis models.

Your design includes backup and redundancy, but has that backup been designed so that it will likely fail in the event of a serious problem? If you find overlap, or confocal vulnerabilities, you will then need to decide what to do about them.

Do you add another backup in another physical location? Or, do you accept the increased risk or even forget about the backup altogether?

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.