Environmental risk in the ICT context


In the landscape of cyber risks, it is worth drawing appropriate distinctions, because risk classification and risk management are among the most interesting topics to investigate. Among the various risk classifications is environmental risk, which should be examined because it concerns us closely.

What is environmental risk

Environmental risk is a type of risk arising from the environment and the events that characterise it, and belongs to the risks of an accidental nature. This type of risk is often overlooked during inspections by consultants, technicians and experts, but the damage caused by environmental phenomena can be worrying, to say the least, if not devastating.

Types of environmental risk

ISO27005 presents environmental risk by describing five possible scenarios related to natural events:

  • Climate phenomena.
  • Seismic phenomena.
  • Volcanic phenomena.
  • Meteorological phenomena.
  • Floods/flooding.

A chain of events can also be seen among these five phenomena: a seismic phenomenon in the sea can cause a flood (tsunami), a strong meteorological event can give rise to flooding, and a volcanic phenomenon can have seismic consequences. These phenomena should not be seen only ‘in isolation’ but also as ‘cause-effect’ links in a more complex picture. Although these are accidental hazards, the ability to detect them must be put in place so as not to be negligent: building a data centre in an area at high risk of earthquakes is probably not the best idea, nor is building it near a river that is habitually prone to flooding.

Italy and environmental analysis

May 2023: from the early hours of the morning, Ravenna is bustling with special vehicles. In the Bassette area, something seems about to happen at any moment. In fact something has already happened: a helicopter crashed a few hours earlier due to bad weather. But there is something in Bassette that absolutely must be protected from the water: Lepida’s data centre. Technicians scramble to install a flood barrier.

Flood in Ravenna, the barrier erected at Bassette to protect the Lepida servers (photo Corelli)

And while 16 per cent of the territory is evacuated to ensure that it withstands the extreme natural fury, some vehicles go right to the epicentre of the crisis to lay out the huge inflatable barrier and prevent water from entering the data centre. The operation succeeded, but in those hours many technicians followed with interest and apprehension a natural risk management procedure that, without a doubt, could not be ignored.

Over the last twenty years, we have come to know our country much better and have realised that its Apennine ridge and seismic zones can be extremely dangerous and worrying. Lately, however, well-known problems are being compounded by lesser-known ones: the very heavy rainfall in Emilia Romagna in 2023, together with the river floods in cities such as Genoa, suggests that environmental risk has long since become, and will increasingly become, an important element to consider. It is therefore impossible to disregard environmental analysis during an ICT risk assessment, especially in areas that are disturbed by natural events with seasonal regularity.

Map of Italian Seismic Zones

If we were to consider Italy as a nation divided into blocks, where each block is marked by its most frequent natural event, it would be possible to draw a very unattractive but very useful map. We are learning that by now, at every change of season, there are very intense natural phenomena, mostly related to meteorological aspects, that raise the alert level and should be anticipated by land-care measures. This article will not go into the merits of politics and the role and responsibilities of local administrators, but there is no doubt that many disastrous events could have been mitigated with serious and responsible prevention on the ground.

Tackling environmental risk is possible thanks, above all, to a process called data delocalisation. Moving data to infrastructures that are located in another geographical area, less impacted by adverse natural events and with a more stable condition, is therefore advisable. However, the relocation of this data sets off many ‘warning lights’: firstly, the compliance of the destination data centre with regulations such as the GDPR, and secondly, the adequate respect of service levels and basic file criteria (confidentiality, integrity, accessibility) by the operator.

Multi-national companies can set up a private cloud in which to distribute and relocate data, but how can companies without branches handle this? The cloud comes to the rescue, but it is good to remember that the provider to whom information is entrusted must be serious and must use it responsibly. Natural events, to date, represent the most serious case that can befall an organisation. The need to protect one’s data from natural events requires a study of them, which should lead to the creation of alternative infrastructures and solutions. It is no coincidence that atmospheric events, now occurring every six months, call for one of the most significant risk management capabilities required of many experts in the field.