
Computer-related fire problems revisited


Computers & Security, 8 (1989) 581-586

Computer-Related Fire Problems Revisited Belden Menkus Hillsboro, TN, U.S.A.

A May 30 fire that involved Penn Mutual Life Insurance illustrates several aspects of the impact of fire on a large data processing facility. The fire was ignited as an apparently premeditated act; it did not begin spontaneously. The fire itself was not aimed at the data center directly. However, dispersion of combustion products from the fire and the process of extinguishing it did damage installed computing and telecommunications hardware. The fire was not extinguished easily and the responding fire-fighting units had only limited means for dealing with the blaze.

However, this incident also demonstrates that a well-rehearsed data processing disaster recovery plan will work when an emergency occurs, if the responsible managers and staff members respond promptly. The fire was in the Philadelphia office building that housed the Penn Mutual data center. Forty-eight hours were required to extinguish the blaze. The Penn Mutual data processing staff was able to save 20000 reels of tape while the fire was in progress but it proved to be impossible to save much of the installed computing hardware. It has been reported that two IBM 3081 mainframes, 11 DASD strings, and an undetermined amount of microcomputers and peripherals were lost as a result of the conflagration. The overall loss, largely a result of water damage experienced in extinguishing the fire, might total $8 million.

© 1989, Belden Menkus.

Penn Mutual is a major U.S. insurer; assets of more than $4 billion place it 51st among 1500 U.S.-based life insurance companies. Penn Mutual’s corporate headquarters, which were not affected by the fire, are in Horsham, a Philadelphia suburb. The Philadelphia building is Penn Mutual’s original headquarters site. The structure faces Independence Hall, where the U.S. Declaration of Independence was signed, and is topped by an observation tower that offers an exceptional view of the Independence Mall National Historical Site and is itself a major tourist attraction. The Penn Mutual structure now is shared with other tenants and houses, among other activities, the insurer’s information systems and telecommunications operations, and records storage area.

A source with one of the other tenants in the building has reported that these organizations were not included in the Penn Mutual disaster recovery plan and had to handle the fire on their own. Most of these organizations, apparently, did not have formal plans. Their recovery efforts were described by this source as being very disorganized; the situation was described as camping out. “The one positive outcome of the fire,” this source indicated, “was that it has made our senior management much more concerned about preparing to deal with future data processing disasters in a well-organized fashion.”

0167-4048/89/$3.50 © 1989, Elsevier Science Publishers Ltd.

The fire did not begin in the Penn Mutual data center. It started in the organization’s records storage area, a windowless 172000 square foot room two floors above the data center. The room was filled with cartons of printouts and other paper records. The lack of windows in a records storage area reduces an exposure to possible vandalism of the site and its contents. This also eases the expense of controlling humidity and temperature within the storage site. Unfortunately, failing to include windows in such an area also makes fighting a fire that occurs within much more difficult than it might be otherwise. Fire fighters reportedly were forced to break through the records storage area ceiling in order to give their hose streams access to the actual fire. All employees in the building were evacuated safely, but 121 fire fighters reported receiving injuries. Most of the latter were eye irritations, apparently caused by smoke from chemically treated computer paper.

The Fire Scenario

The fire began shortly before the end of the work day on Tuesday. (The fire was set deliberately, according to some unconfirmed accounts, by a disgruntled Penn Mutual employee. However, no charges dealing with responsibility for the fire have been placed against anyone.) Tuesday evening Penn Mutual data center employees moved the tapes to a disaster recovery hot site maintained by SunGard Data Systems, a commercial data processing disaster recovery service, at Wayne, PA. Clients of a service such as this are permitted under contract to test their disaster recovery plans periodically on the recovery site’s computing hardware and to use that equipment for regular processing during an actual post disaster recovery period.

By Wednesday morning more than 25 members of the Penn Mutual data processing staff had relocated to the Wayne facility. Shortly before noon that day, some 20 hours after the fire began and more than 28 hours before it would be extinguished, the first Penn Mutual system was brought up on an IBM 3090, Model 200E, at the SunGard site. (It was a CICS application used in insurance policy underwriting.) Penn Mutual claimed that most of its policy holders and agents realized that processing had been interrupted for several hours but were unaware of the relocation of the organization’s data processing activities.

Penn Mutual’s information systems staff was reported to be working full time at the Wayne facility, where they could remain for as long as six months under the corporation’s contract with SunGard. Credit for successful relocation and restoration of Penn Mutual’s data processing operations was given to the organization’s practice of testing its disaster recovery plan regularly. The last test, reportedly, had been held just two weeks before the fire.

The Fire Extinguishment Problem

Applying large quantities of water to extinguish a fire in a data processing environment is not desirable, but it is a better approach than to have no response capability. And, unfortunately, the use of water in this way is often the only feasible response to such a threat. One data processing disaster recovery authority has asked why the Penn Mutual fire took 48 hours to extinguish. He noted that a supply of combustion suppressing foam, used in controlling aircraft fires, was available at the Philadelphia International Airport, and that it could have been replenished easily if it had been diverted to use on this building fire. However, the Philadelphia Municipal Fire Department is like most fire-fighting organizations in the U.S.; it does not have the foam dispersing equipment needed to fight a fire in this fashion. And, even if it did, the budget constraints that plague it and most other public fire-fighting forces in the U.S. would preclude the use of large quantities of expensive foam in fighting any type of fire.

Water is used liberally in fire fighting because it is effective in most instances, readily available at most fire sites, and relatively inexpensive. Most fire officials have little or no experience in fighting what might be termed non-conventional fires, which include those involving computing and telecommunication equipment. And, fire officials are comfortable in using water to fight most of the fires that they encounter, primarily involving residences, offices, and small retail establishments.

Computers and Security, Vol. 8, No. 7

One U.S. data processing executive has told of meeting with a senior fire official to explain the need for exercising care when fighting a fire in his organization’s data processing facility. The fire official replied, “I’m sure that you mean well, but when we respond to a fire in a site like this we have no other choice but to open all of the doors into the place and to flush it with as much water as possible. Cleaning up this place, and, for that matter, protecting it against any possible water damage associated with putting out a fire, is your responsibility not ours!”

The use of carbon dioxide as a fire extinguishing agent in a flooding system comparable with that employed with Halon 1301 is feasible in a data processing environment. However, carbon dioxide is harmful to human beings to an extent that Halon 1301 is not. Thus, it is preferable to limit carbon dioxide use to under a computer room raised floor or in the enclosed plenum air handling space above the data processing area. Activation of a carbon dioxide system after a fire is detected should be delayed for a reasonable amount of time to permit employees to evacuate the threatened area safely. And, provision should be made for automated exhaustion of both smoke and combustion products from the area to the outside. Such a system should include the under floor and other areas where cabling has been drawn and where toxic combustion products may accumulate. The U.S. Factory Mutual Association recommends an exhaustion rate of three cubic feet of air per minute in a data processing area and four cubic feet of air per minute in tape libraries, vaults, and similar areas where air circulation from the outside may be limited.

“Fire Proofing” The Data Center

Since it does not appear to be feasible to prevent the use of large amounts of water in an attempt to extinguish a data processing facility fire, other ways to deal with the basic exposure need to be found. One is to fireproof the site, that is, to modify or eliminate those data center design features which may facilitate ignition or spread of a fire. Another way to reduce the data center fire exposure in some measure is to sensitize the individuals who work there to that exposure and to prepare them to deal effectively with a fire when it occurs.

Fireproofing a data processing center calls for identifying and altering or removing those aspects of the site’s layout and decor that may contribute to a fire. It is possible unintentionally to create an environment that can be described as fire prone. It also is possible, incidentally, for a site to be so designed as to limit the ability of fire fighters to respond to the threats posed by a fire. For instance, while trying to handle a June 30 office building fire that ultimately cost five lives, Atlanta, GA fire fighters were unable to move an aerial ladder truck into position to rescue trapped individuals. The building rested on an underground parking garage and it could not be determined if the ceiling of the below ground area could support the weight of this extremely heavy vehicle.

A fire-prone environment is illustrated by a telecommunications switching center operated in Chicago’s Hinsdale suburb by Illinois Bell, one of the companies spun off by American Telephone and Telegraph (AT&T) in 1984. The structure and its contents were destroyed by fire in May 1988. That loss left tens of thousands of customers without telecommunications service for some 21 to 23 days. Among those affected were several hundred units of a Chicago area automated teller system and the regional reservation processing system of a national motel chain.

The Hinsdale site serviced some 166 thousand local and long distance telephone circuits and housed 60 minicomputers used in switching these circuits. The building had been built in 1979 prior to deregulation of the U.S. telecommunications industry. In accordance with an AT&T cost containment policy that was in force in 1979, the structure was designed without interior fire walls. This was done to ease the cost of air conditioning the half-block long building by optimizing air movement to dissipate the heat generated by the minicomputers. This also, unfortunately, optimized the spread of combustion when the fire occurred.

The Hinsdale facility was being operated under remote monitoring at the time of the fire. There were no Illinois Bell employees in the structure when it began to burn. The delay that followed in notifying the remote monitoring site that a fire was in progress and dispatching human beings to the site contributed materially to the difficulty experienced in extinguishing this fire. Incidents like this suggest two things:

• Telecommunications facilities that are not operated under direct human surveillance are much more vulnerable to fire and other service disrupting threats than most of those responsible for computer security may realize.

• Proponents of the currently fashionable concept of highly automated unattended so-called lights out operation of data processing facilities need urgently to rethink the fire and other security exposures that this practice may create.

There is evidence that the May 1988 Hinsdale fire developed in an overhead wiring structure known as a tray. The unit contained electrical as well as telecommunications cables. The electrical wiring served the building’s lighting, intrusion alarm, and heating and air conditioning systems. Routine work on the telecommunications cables appears to have damaged the electrical cables, which arced and probably ignited the insulation on the telecommunications wiring.

The practice of placing electrical and telecommunications cables in the same overhead structure is common in some buildings. The two types of cables should be separated physically. Where this is not feasible, it would be advisable to replace already installed cabling with wiring in flame-retardant insulation. The U.S. Factory Mutual Engineering and Research Corporation has conducted tests designed to classify various cabling insulation types by their fire-retardant properties. The results of this study reportedly are due to be issued in early 1990.

Electrical power remained on in the Hinsdale building after the fire developed because the conventional fuses that had been installed did not blow. These devices had been designed to respond to an excessive amount of electrical current that was sustained for an extended period of time. The fuses did not recognize the presence of essentially intermittent electrical circuit arcing. Where such a situation exists it is advisable to replace the installed conventional fuses with some form of highly sensitive circuit breaker.

An unpublished U.S. telecommunications industry study of the Hinsdale fire, interestingly, recommends that automatic electrical shutdown procedures not be used in such a situation, as they may be initiated inadvertently by various types of what amount to false alarms. This same study, reportedly, has recommended that fire fighters responding to a blaze in electronic equipment be encouraged to use fog nozzles rather than regular stream hose nozzles, to reduce the amount of water dispersed on the fire. In some instances water poured on a fire involving electronic equipment has done more damage to it than the fire.

Preparing Employees

The data center fire exposure can be reduced also in some measure by sensitizing the individuals who work in it to that exposure and preparing them to deal effectively with a fire when it occurs. A continuing program for maintaining employee security awareness should be established. Particular emphasis should be placed on avoiding the accumulation of paper trash or other combustibles, and there should be a prohibition of smoking in any form in the data center. This prohibition should be extended to vendor maintenance people and other contractor employees. A number of data center fires have been traced to discarded cigarette, cigar, or pipe ash that smoldered undetected for hours in a paper filled trash container before flaming up.

Data center employees should be helped to understand the importance of prompt reporting of a fire, orderly shut down of operations and evacuation of the site. And, they should be trained at least twice a year in the correct operation of the portable fire extinguishers and breathing apparatus that have been installed in the center. Ideally this equipment should be installed at all entrances to the data processing area and within 50 feet of every place within the area to which an employee is assigned regularly. Preferably this training should be conducted under the supervision of a local fire prevention official and should require the employee actually to extinguish a fire. One approach to conducting this training is to ignite a paper-filled office waste container in the employee parking area and have individual employees use the extinguisher actually installed near their work location to put the fire out.

This effort should ensure that the employee is sufficiently familiar with the use of the device to avoid panic when the nitrogen gas used to propel the extinguisher’s contents is released. Typically, this will create a loud noise and will form frost on the extinguisher’s discharge horn. In some instances, employees unfamiliar with the operation of such a device have been known, after activating it, to drop the extinguisher and run believing that the unit was about to explode due to the heat.

The Problem of Microcomputers

The continuing dispersal of intelligent data entry terminals and microcomputers presents a special fire extinguishing problem. In most instances, these units have been placed in conventional office environments where little or no fire prevention or extinguishing provisions of any sort have been made. Both terminals and microcomputers, typically, generate a remarkable amount of heat in normal operation, and their use generates significant volumes of paper. An unpublished study of microcomputer fires in the U.S. indicates that almost all of them were confined to the inside of the device and caused little damage to the surrounding area. However, a report [1] of the results of a computer simulation of a major U.S. high rise office building fire makes it clear that a small fire that started after normal office hours in a microcomputer-based work station was capable of developing into a major blaze.

As greater intelligence is supplied to these devices, their role in the survival of the larger data processing and communication entity becomes increasingly more important. Thus it will prove advisable to extend the security awareness effort mentioned earlier to the individuals using these devices. Limitations on smoking and paper trash accumulation in the work area should be applied to these individuals as well. Fire extinguishers should also be placed in every work area where a terminal or microcomputers are in use. And, the individuals who work with these devices should be included in the periodic fire extinguisher use training mentioned earlier.

References

[1] H. Nelson, An Engineering View of the Fire of May 4, 1988 in the First Interstate Bank Building, Los Angeles, CA, U.S. National Institute of Standards and Technology Rep. 89-4961, March 1989. The blaze seriously damaged four intermediate floors of a 64-floor office building, took one life, and required several hours to extinguish.


Belden Menkus has been helping management improve information handling techniques and operational security practices. From 1953 to 1968 he occupied progressively more responsible staff positions with various organizations. Since 1968 he has been a full-time consultant to management. He has been accredited by the Society of Professional Management Consultants and has been certified as an Information Systems Auditor, a Systems Professional, an Office Automation Professional, and a Records Manager.

Mr. Menkus writes and lectures extensively on various aspects of business management. He has been for many years Executive Editor of the Journal of Systems Management. He also is Editor in Chief of EDPACS: EDP Audit, Control and Security and an Associate Editor of Computers & Security. In addition, he writes regularly for both Accounting Today and Modern Office Technology. He is a Fellow of both the British Institute for Administrative Management and the American Association of Criminology. In addition, he has been named an Associate of the British Institute for Reprographic Technology. He has received the Jesse H. Neal Award of the Association of Business Publishers and twice has been honored with the silver medallion of the American Management Association. In addition, he has received distinguished service citations from the National Micrographics Association, the Association of Records Executives and Administrators, the Association for Systems Management, the Institute of Internal Auditors, and the New York Chamber of Commerce and Industry. He has been named a life honorary member of the faculty of the Federal Emergency Management Institute.
