Disasters are inevitable occurrences in day to day life in society. They occur in the form of cyber crimes and attacks such as watering hole attacks, SQL injection, spear phishing, brute force attacks and advanced persistent threats. Physical disasters such as fire breakouts, oil spillage, floods and other catastrophes are inevitable. It, therefore, calls for a disaster mitigation, preparedness, response and recovery strategies.
A recent disaster at the Jomo Kenyatta International Airport (JKIA) in East Africa’s country’s commercial hub Nairobi Kenya is a case in point.
Kenya’s main airport arrival terminal was razed down following a dawn fire on Wednesday August 7th. The fire broke out at around 5 am and caused a halt to operations. This lead to a closure of the airport on the same day as chief operations was brought down to a halt. According to a communication and security officer at the airport, the fire was enormous that it overwhelmed the efforts of the fire brigade team. After almost five hours of firefighting, smoke was still seen billowing from the terminal. Fig. 1 INFERNO AT THE JKIA AIRPORT
JKIA’s emergency and security program was rolled out immediately to guide the evacuation of personnel, facilitate the operation of emergency services from military personnel, fire brigade, Kenya Red cross and the county personnel.
The fire impacted on key operations of the airport. Thousands of passengers were stranded as clearance was made to allow for emergency landings. The airport was cordoned, and passengers were advised to stay away from the airport until they were advised on the way forward. As a result of the fire, five flights were diverted to other airports while stranded passengers were booked in hotels for the time of the disruption.
In handling emergency operations in an airport, an all inclusive disaster recovery, and business continuity plan is desired to safeguard the company against the identified risks. The plan should encompass both technological, process and people solutions. Technological solutions include backup and restore programs while processes involve policy procedures and standards of engagement. People-based solutions involve such activities such as awareness, controls and access rights and privileges.
This paper is going to evaluate and analyze disaster management strategies of the airport in respect to
- Disaster mitigation
- Disaster preparedness
- Disaster response
- Disaster recovery
Disaster mitigation
In order to execute a business contingency and disaster recovery plan, several processes and steps must be followed to develop a comprehensive policy document that fits to a business. This includes;
- Development of a contingency planning policy
- Business impact analysis
- Identification of preventive controls
- Creation of contingency strategies
- Development of contingency plan
- Plan testing and exercise
- Plan maintenance
Prior to the fire disaster, the airport had implemented mitigation strategies that aid in the prevention and control of disasters. This includes among others;
An operational 24 hour call centre that gathers for emergency calls and alerts. The centre ensures that all the human, technological and operational functionalities are liaised together to perform quick response and mitigation of all disasters. Communication is the strategic part of a business that ensures proper relations with the clients even in times of disasters. The call centre team through communication groups will develop constant contact will all concerned to access and report the state of affairs. This may include 24 hour incident response team and incident communication procedures. In addition, virtual meeting rooms may be designed to bring, together, all the required personnel with regular status update.
DISASTER PREPAREDNESS
Disaster preparedness is the act of marshalling all the resources in an organization to effectively and timely respond to a disaster and mitigate it in the shortest time possible. A contingency plan is a must for the airport in response to disaster and calamities. JKIA had a comprehensive contingency plan that defines the actions and responsibilities of its staff, customers and all other parties in the airport. The plan comprises of a contingency planning policy that is in accordance with FIPS 199 impact level. It is also in accordance to contingency control and Kenyan Government Emergency Planning and Response Act. The policy elements comprise the following aspects
- Roles and responsibilities for business recovery and continuity
- Scope of the plan as applicable to common IT platform types such as telecommunication, machinery, electronics and hardware, personnel among others.
- Resource requirements and deployment in the airport
- Training requirements for emergency response team
- Exercise and training essentials for emergency and response team
- Plan maintenance schedule which was updated every six months
- Backup and storage media of the information systems and all the data in relation with the airport operation.
DRBC policy is an influential document that must be availed to all employees and participants in a company. The lack of distribution and awareness of the policy tends to compromise its adherence. It is difficult for employees to adhere to what they do not know. The copy of the policy was available in all the airport establishments and the Kenya Airports Authority website. This is in line with the regulations that require maximum knowledge and awareness of the policy through publications and circulation all over the airport.
The policy recommended the maximum recovery time to be less than 48 hours in case of a fire tragedy. RTO is the time the business is expected to be back to its normal operation. The team determines the RTO in respect to particular scenarios and operations was normalized after 24 hours.
The RTO determined which resources need to be availed or purchased. This included offsite work stations and backups. In determining a given RTO questions of what constitutes unacceptable downtime are answered. JKIA is located at the country’s capital and is a significant economic hub in the East African region. The airport acts as a transport corridor for passengers from Europe, Asia, Latin America and other parts of the world. Its economic significance cannot be underrated and as such the acceptable RTO cannot exceed 24 hours.
There was thorough training of personnel, and resources tested to determine their operational efficiency. Training involved functional exercises that included the testing of equipment. This was achieved by using real-life simulation exercises. The table below shows the extent and range of exercise.
DISASTER RESPONSE
When the fire tragedy was reported, a contingent of disaster recovery team was called to the site. The team reacted swiftly and evacuated staff and passengers at the terminal. The cause of the inferno was not known at the moment, but the teams responded by marshalling water tanks and firefighting equipment at the site. The response was swift from the fire station though personnel had to be called from far. According to an investigative report, the shortage of personnel impacted on the fire fighting process. Finally, with collaboration from Red Cross, the military and council personnel, the fire was successfully put off after four hours.
An emergency operation center was immediately set up and manned, on a 24-hour shift, to ensure continued operation. Flights had to be diverted to neighboring countries and Mombasa airports due to poor visibility at the site.
An incident command system was set up to provide integrated response. ICS comprised of personnel from security, health, intelligence, communication, logistic and public relation personnel.
RECOVERY PROCESS
Information systems are essential components of an organization that ensures the management of customer, assets, resources and workforce. As a result of the inferno, all the information resources were disrupted. In order to restore them to normalcy, various strategies were put in place. These involve among others one or more of the following approaches to restoration of disrupted services.
- Restoration of information systems using alternate requirements
- Conducting some or all of the disrupted services using alternate means or processes for short term periods until the main systems are up and operational.
- Recovery of alternate information systems at alternate locations for long-term disruptions or those that physically impacts the facility.
- Implementing appropriate contingency planning controls based on the information system’s security impacts at the appropriate level.
The recovery team deployed various tactful strategies such as utilization of offsite operation centers, use of backups and evacuation of persons when the inferno was detected. Since the terminal was fully destroyed in the fire, the airport used backup generators and additional electric lines to connect the temporary site. Likewise, it utilized the strained resources to develop a network and internet connectivity to operationalize the various information systems such as custom, clearing and ticketing departments. The computer systems were destroyed in the inferno. However, the company used remote backup sites to bring back the operations to normalcy.
The next responsibility is the implementation of the recovery process in the airport. This is done, with utmost care, to ensure that the problem is not escalated, and damage to personnel and property is minimized as much as possible. The airport developed a temporary customs and call centre to clear incoming and outgoing traffic as well as guide the stranded passengers on the way forward. A sound and formal protocol and the procedure was adhered to in relation to incident resolution and recovery.
After recovery, the plan must be maintained and updated continuously to reflect a state of readiness at all times in its procedures, organizational structure and policies. The information system must undergo frequent changes to accommodate shifting business needs. A plan review is carried out for accuracy and completeness of the plan at a business level frequency any time changes are made to any element of the plan. The frequency is given as 6 months.
References
Mark W. Huber, C. A. (2008). Information Systems: Creating Business Value. Wiley.
Martin J. Wieczorek, U. N. (2002). Business Continuity: It Risk Management for International Corporations. Springer .
Nation, D. (2013, August 7). JKIA FIRE. Daily Nation .