
Tornados, Necessity, and the Evolution of Mitigating Controls

According to the National Oceanic and Atmospheric Administration (NOAA), a tornado (also called a twister, whirlwind, or cyclone) is a violently rotating column of air that extends from a thunderstorm and comes into contact with the ground. Tornado intensity is measured by the enhanced Fujita (EF) scale from 0 through 5, based on the amount and type of wind damage to a wide variety of structures ranging from trees to shopping malls.

The United States experiences more tornadoes than any other country in the world, especially in those states east of the Rocky Mountains. As a child, I always found myself wondering why people didn’t just move if they knew they were at risk of getting hit by a tornado. Of course, at the time, I had no sense of money, career, or family obligation to know that some people didn’t have the means to relocate. Without having a way to escape the danger, these people had to adapt their lifestyles to account for the unpredictable, and potentially devastating, weather.

This data alone makes me reconsider moving to an area constantly stricken by tornadoes.

  • In an average year, about 1,000 tornadoes are reported across the United States, according to NOAA.
  • The 2017 total was the highest since 2011, when there were 1,691 tornadoes, including two spring events that resulted in more than USD 14 billion in losses when they occurred.[1]
  • According to NOAA, there were 10 direct fatalities from tornadoes in 2018, compared with 35 in 2017.
  • The most “extreme” tornado in recorded history (an F5) was the Tri-State Tornado, which spread through parts of Missouri, Illinois and Indiana on 18 March 1925.[2]
  • The deadliest tornado in world history was the Daulatpur–Saturia tornado in Bangladesh on 26 April 1989, which killed approximately 1,300 people and left more than 80,000 people homeless.[3]
  • The most extensive tornado outbreak on record, the 2011 Super Outbreak, resulted in 360 tornadoes, 324 tornadic fatalities and cost upwards of USD 11 billion in damages.
  • Codell, KS was hit by tornadoes three years in a row, on the same day, May 20th, disproving the myth that a tornado only strikes the same place once.

Yet, there are people who want to help us better understand tornadoes, so that we can better prepare for them. In 1887, the first book on tornadoes was written by John Park Finley, a US Army Signal Service officer and pioneer in the field of tornado research. Finley’s book introduced the concept of a “tornado cave” that instructed readers to “get into it with your family and your treasures before the storm reaches you.” Furthermore, the book spent several pages showing readers the plans for building their own “prize tornado cave.” The instructions included detailed architectural diagrams and even cost breakdowns for labor and materials: roughly USD 300, in case you were wondering.

While it was a revolutionary book containing many breakthrough ideas, it also contained a few ideas that have since been proven false. For example, Finley wrote that “a tornado travels from southwest to northeast,” and that “if it is going to the right of you, run to the left,” and vice versa. Based on his research at the time, this may have been accurate. Further research shows that tornadoes do not always travel from southwest to northeast.

While Finley was in the middle of his tornado research, the U.S. Army Signal Service banned the word “tornado” because they were concerned that the word would cause panic. So, for more than half a century, the weather reports ignored the word “tornado” and used euphemisms – more on that later. One of Finley’s supporters, Edward S. Holden, tried to implement a tornado warning system using telegraph poles. But it was overshadowed by a report by Henry A. Hazen, a civilian employee of the corps, who deemed that because tornadoes were “exceedingly rare” and very localized, it was impossible to pinpoint forecasts.

From 1887 up until 1950, American weathermen were strictly forbidden to use the word “tornado” in the weather report. Back then, when science was still struggling to find a proper explanation for them, tornadoes were considered a dark and mysterious force. In addition to upholding the “tornado” ban for decades, the Weather Bureau (which assumed jurisdiction from the Signal Corps in 1890) remained skeptical of the value and accuracy of tornado forecasts. It took until 1943 for experimental warning systems to be implemented; a public outcry in 1952 (after a severe outbreak that killed over 200 people) finally helped form U.S. tornado research and forecasting.

Over the years, the storm cellar became the standard underground bunker design to protect the occupants from violent severe weather, such as tornadoes. The average storm cellar for a single-family home was built close enough to the home to allow instant access in an emergency, but not so close that the house could tumble on the door during a storm, trapping the occupants inside. This was also the reason the main door on most storm cellars was mounted at an angle rather than perpendicular to the ground. An angled door allowed debris to blow up and over the door, or sand to slide off, without blocking it, and the angle also reduced the force necessary to open the door if rubble had piled up on top.

In 1950, Congress simultaneously launched a system of nuclear bomb shelters and disaster relief for victims of natural disasters. It was then that the families living in tornado alley realized that these bomb shelters could serve a double purpose.

Research into improving buildings for resisting extreme winds began with the 1970 tornado in Lubbock, Texas. Twenty-six people were killed and about 1/3 of the city of 160,000 people was heavily damaged or destroyed. Texas Tech researchers produced a comprehensive documentary of building damage, the first of its kind. The concept of the above-ground storm shelter was presented in Civil Engineering magazine in 1974 by Texas Tech faculty member Dr. Ernst Kiesling and by Graduate Student David Goolsby. Intermittent development continued as available personnel and funding permitted.

As time passed, people started to ease up on their worry of being bombed, but the threat of tornadoes remained as common as the changing seasons. Since then, storm cellars or storm shelters have become a necessary part of life in many parts of the United States, and most people who do not own one are in search of one to go to during tornado season.

The total devastation of a small subdivision outside of Jarrell, TX in 1997 received national attention and news coverage, as did the widespread devastation of the Oklahoma City area on 3 May 1999. Many regional and local television companies and newspapers subsequently featured the above-ground storm shelter concept after severe storms struck this area.

Personnel of the Federal Emergency Management Agency (FEMA) observed the high level of interest in storm shelters among the public and published a prescriptive design booklet entitled, Taking Shelter from the Storm. The first edition was published in October 1998, the Second Edition in August 1999. After the events in Oklahoma City, FEMA and the state of Oklahoma put in place incentives for building storm shelters in houses that were being built or rebuilt after the tornado.

It wasn’t until June 2008 that a standard for the design and construction of storm shelters was approved.

In facing a life-threatening issue, we humans researched the problem, assessed the risk, and created mitigating controls to make the dangers of living in a tornado-rich environment tolerable. As time progressed, our ideas for mitigating controls spread to the masses and required additional research, guidance, and eventually certification and accreditation to ensure the safety of their users.

Be safe out there and remember the words of comedian Ron White: “It’s not that the wind is blowing. It’s what the wind is blowing.”




Do You Suffer From Breach Optimism Bias?

If you’ve been in the information security field for at least a year, you’ve undoubtedly heard your organization defend the lack of investment in, change to or optimization of a cybersecurity policy, mitigating control or organizational belief. This “It hasn’t happened to us so it likely won’t happen” mentality is called optimism bias, and it’s an issue in our field that predates the field itself.

Read my full article over at

Security Beyond The Perimeter

Whether we like it or not, the way we architect, utilize, and secure the networks and systems under our control has changed. When servers were safely tucked away behind corporate firewalls and perimeter-deployed intrusion prevention controls, organizations became complacent and dependent on their host security. Unfortunately, inadequately architected security controls that rely solely on broad network-based protection can leave an organization’s systems, once migrated to private, public, and hybrid cloud hosting, even more exposed to attackers than they were before.

Everyone has heard the “defense in depth” analogy relating security to a medieval castle with controlled access to different locations of the castle and a defensive moat around the perimeter. This “hard outside” and “soft inside” model was designed to make it as difficult as possible to get past the perimeter. However, once inside the walls, the trusted individual had elevated access to resources within the network.

Unsurprisingly, the medieval defense analogy has lost much of its relevance in a world where systems and users move effortlessly from within the confines of a walled corporation, to a local coffee shop, and perhaps even to a different country as part of normal business operations.

Securing the next generation of hosting platforms requires a new approach that not every organization is ready for. Some industry analyst firms promote the idea of a “cloud first strategy” for all technology deployments. Though not a bad idea, per se, this doesn’t mean that forklifting your entire architecture into cloud or containerized environments should be your number one priority – especially if you’re being forced to choose between a new architecture and the traditional security controls that you depend upon.

Thankfully, technology has evolved to allow for more seamless security in environments that need to span traditional datacenters, virtualization, and cloud environments. This has allowed organizations to grow their capabilities without the need to choose between having security and having new technology stacks.

So how do we, as security professionals and business owners, decide what mitigating controls should be deployed to future-proof our security? It’s actually much easier than it sounds. To learn more about how to perform security beyond the perimeter please read my full post on
