Get Yourself Some Whiteboard Markers … You Might Just Need Them

Bristol Airport Systems Go Down for over 50 hours

Sky News: Here

BBC Source: Here

And so Bristol Airport’s customer information systems were down from 3pm on Friday 14 September until 6am on Sunday 16 September.

Staff had to get out their whiteboard markers and write down the arrival and departure times of flights. Luckily, no flights were actually delayed, but it could have been much worse. The problem did not propagate to flight control systems, or into the rest of the airport infrastructure in the UK.

Under the EU NIS Directive, organisations involved in critical national infrastructure — of which transport is a core part — can be fined, at the same levels as under GDPR, for system downtime.

With this type of problem there are typically three main causes:

  • DDoS (Distributed Denial of Service). This is where systems are targeted for a DoS attack, and where internal systems can be brought down or the bandwidth of the network is throttled.
  • Spear phishing credential stealing. This normally involves a spear phishing email, where a person in the organisation clicks on a link to an external system and mistakenly enters their credentials. An intruder can then gain a foothold, and then look to bring systems down (or steal data).
  • Spear phishing malware/ransomware attack. This normally involves a spear phishing email, where a person in the organisation clicks on a link to an external system and mistakenly runs an attachment. This runs a script which scans their system and encrypts files on it. A ransom note is then displayed, and other systems in the network are then targeted.

In this case it looks like it could have been a ransomware attack, where systems within the flight information systems infrastructure were infected. A typical mitigation for most companies is to roll back their systems to a time before the infection. The timeline involved would certainly point towards a staged recovery of the internal systems, in which key parts of the infrastructure were reverted to a state from before the infection.
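The ransomware behaviour described above (a script scanning a system and encrypting files) leaves a characteristic trace on the endpoint: one process renaming many files to a new extension in a short time. The following is an added example, not code from the article or from any airport system, of the kind of detection logic an end-point sensor could run over file-event logs. The log format, host names, process names and paths are all constructed for the example; a real deployment would read events from an EDR or audit source rather than an embedded string.

```python
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample endpoint file-event log (not from the article or any real incident).
# Format per line:  timestamp|host|process|action|path   (for "rename" the path is old->new)
SAMPLE_LOG = r"""
2018-09-14T14:59:50|fids-ws01|outlook.exe|write|C:\Users\ops\Downloads\invoice_viewer.exe
2018-09-14T14:59:58|fids-ws01|explorer.exe|rename|C:\Users\ops\Documents\notes.txt->C:\Users\ops\Documents\notes_old.txt
2018-09-14T15:00:01|fids-ws01|invoice_viewer.exe|rename|C:\Users\ops\Documents\rota.xlsx->C:\Users\ops\Documents\rota.xlsx.locked
2018-09-14T15:00:02|fids-ws01|invoice_viewer.exe|rename|C:\Users\ops\Documents\gates.docx->C:\Users\ops\Documents\gates.docx.locked
2018-09-14T15:00:03|fids-ws01|invoice_viewer.exe|rename|C:\Users\ops\Documents\arrivals.csv->C:\Users\ops\Documents\arrivals.csv.locked
2018-09-14T15:00:04|fids-ws01|invoice_viewer.exe|rename|C:\Users\ops\Documents\departures.csv->C:\Users\ops\Documents\departures.csv.locked
2018-09-14T15:00:05|fids-ws01|invoice_viewer.exe|rename|C:\Users\ops\Documents\standby.pdf->C:\Users\ops\Documents\standby.pdf.locked
2018-09-14T15:00:06|fids-ws01|invoice_viewer.exe|write|C:\Users\ops\Documents\README_DECRYPT.txt
2018-09-14T15:00:09|fids-ws01|winword.exe|write|C:\Users\ops\AppData\Local\Temp\~WRD0001.tmp
""".strip().splitlines()

THRESHOLD = 5        # this many extension-changing renames by one process ...
WINDOW_SECONDS = 60  # ... inside this many seconds raises an alert (assumed tuning values)


def parse_event(line):
    """Split one pipe-delimited log line into its fields."""
    ts, host, proc, action, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "action": action, "path": path}


def extension_changed(rename_field):
    """True when a rename old->new changes the file extension (e.g. .xlsx -> .locked)."""
    old, new = rename_field.split("->", 1)
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def detect_mass_rename(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of extension-changing renames per (host, process).

    Ordinary renames that keep the extension (notes.txt -> notes_old.txt) are ignored,
    so a user tidying a folder does not trip the rule. One alert per (host, process).
    """
    recent = defaultdict(deque)   # (host, proc) -> timestamps of qualifying renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["action"] != "rename" or not extension_changed(ev["path"]):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "process": ev["proc"],
                           "renames_in_window": len(q), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_LOG):
        print(f"ALERT {a['at']} {a['host']} {a['process']}: "
              f"{a['renames_in_window']} files re-extensioned within {WINDOW_SECONDS}s")
```

Run against the constructed log, only the process that re-extensioned five files in five seconds is reported; the benign rename by explorer.exe and the ordinary writes are not. The threshold and window are the knobs a SOC would tune against its own baseline, and an alert of this kind is the trigger for isolating the host (the segmentation step discussed later) before the infection reaches shared storage.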

Fragile systems

Along with cyber attacks, organisations involved in critical infrastructure need to have plans in place to mitigate the failure of internal and external systems. Service downtime should be kept to a minimum, with a switch-over that is hardly even noticeable.

We are, though, seeing many system failures due to network and power issues. In August 2018, a broken fibre optic cable caused chaos at Gatwick Airport, where staff had to use whiteboard markers to keep customers up to date on flight arrivals and departures.

In May 2017, British Airways systems were down for several days due to a power surge on their systems. This caused a global IT system failure across the company, and led to many flights being cancelled at Heathrow and Gatwick. Also in May 2017, Capita caused an outage of many days on many public sector sites when a power failure at one of its sites left systems unavailable for a range of its customers, including NHS and council web sites.

Ransomware

In their report, Trend Micro surveyed over 300 IT decision makers in the UK, and found that 44% of UK businesses have been affected by ransomware over the last two years. They also found 79 new ransomware families already this year, an increase of 179% over the whole of 2015.

Figure 1: Trend Micro graphic on infections

This is a great worry to many companies, and 69% of the companies polled thought that they would be a target over the next 12 months. The impact on those affected by an infection can be costly in terms of the effort spent fixing the problem, with an average of 33 person-hours taken to fix it (and where an average of around 30% of the users of a network were affected).

In around 20% of the cases, £1,000 was requested, with an overall average of £540. But for many companies this is the tip of the iceberg, as it can be costly for a company in terms of reputation and in the thought that data could have been damaged or leaked (and the malware may still exist on the network).

Perhaps the most frightening statistic that Trend Micro found was that in 1-in-5 cases, even when the company paid the ransom, they were unable to recover their important files — indicating that the ransomware service is not quite as robust as it should be. Ransom demands, for large organisations, have reached as much as £1m.

Figure 2: Trend Micro graphic on paying ransom

Protection

In terms of protection, Trend Micro focus on five things:

  • Education. The most common attack vector for ransomware is a phishing attack where a user in a company clicks on a file attachment which contains the malware, which encrypts their files and spreads through the network. Users thus need to be educated in spotting malicious emails, as the phisher often knows how to bypass a filtering system (such as by using an encrypted email).
  • Back-ups. It is important to have backups, but also to make sure they are off-site, so that an on-site infection does not end up encrypting or corrupting the on-site backups. Trend Micro recommend a 3–2–1 rule: at least three copies, in two different formats, with one copy off-site/offline.
  • Layered protection. A key part of any type of network defence is to have layers of security to defend against attack, including both network sensors and end-point security.
  • Network segmentation. As much as possible, the network should be segmented, so that different areas of the network are isolated from others. In this way the infection can be constrained.
  • Application control. Rather than having a blacklist of programs which are not allowed to run on a computer, increasingly companies operate a white-listing policy, where only approved applications can run on devices. This means that malware programs will not have the rights to run or to access system files.
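Two of the five points above, the 3–2–1 backup rule and application control, are concrete enough to express as checks. The following is an added example (not Trend Micro’s or the article’s own code) showing, first, why a white-listing policy stops a never-seen-before attachment that a blacklist lets through, and second, an evaluation of a backup inventory against the 3–2–1 rule. The "binaries" are just constructed byte strings standing in for executable contents, and the backup inventories are invented for the example.

```python
import hashlib

# Constructed sample "executables" (byte strings only; not real programs).
SAMPLE_BINARIES = {
    "winword.exe": b"approved word processor build 16.0",
    "fids_board.exe": b"approved flight information display client 2.3",
    "invoice_viewer.exe": b"attachment nobody has seen before",
}


def sha256(data):
    """Hash used to identify a program regardless of its file name."""
    return hashlib.sha256(data).hexdigest()


# White-list: hashes of the programs the organisation has approved.
APPROVED_HASHES = {sha256(SAMPLE_BINARIES["winword.exe"]),
                   sha256(SAMPLE_BINARIES["fids_board.exe"])}

# Blacklist: hashes of malware already known to the vendor. A fresh sample is, by
# definition, not in it (constructed entry).
KNOWN_BAD_HASHES = {sha256(b"some previously catalogued ransomware sample")}


def blacklist_allows(data):
    """Blacklist policy: run anything that is not known to be bad."""
    return sha256(data) not in KNOWN_BAD_HASHES


def whitelist_allows(data):
    """White-listing policy: run only what has been explicitly approved."""
    return sha256(data) in APPROVED_HASHES


def compare_policies(binaries):
    """For each program, report whether each policy would let it execute."""
    return {name: {"blacklist": blacklist_allows(data), "whitelist": whitelist_allows(data)}
            for name, data in binaries.items()}


def check_3_2_1(copies):
    """Return the ways a backup inventory falls short of the 3-2-1 rule.

    copies: list of dicts with 'medium' (str), 'offsite' (bool) and 'offline' (bool).
    An empty list means the inventory satisfies the rule.
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need at least 3)")
    media = sorted({c["medium"] for c in copies})
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(media) or 'none'})")
    if not any(c["offsite"] or c["offline"] for c in copies):
        problems.append("no copy is off-site or offline, so an on-site infection can reach all of them")
    return problems


# Constructed inventories: a common weak set-up and one that meets the rule.
WEAK_BACKUPS = [
    {"name": "primary", "medium": "disk", "offsite": False, "offline": False},
    {"name": "nas-snapshot", "medium": "disk", "offsite": False, "offline": False},
]
GOOD_BACKUPS = [
    {"name": "primary", "medium": "disk", "offsite": False, "offline": False},
    {"name": "weekly-tape", "medium": "tape", "offsite": False, "offline": True},
    {"name": "cloud-copy", "medium": "object-store", "offsite": True, "offline": False},
]


if __name__ == "__main__":
    for name, verdict in compare_policies(SAMPLE_BINARIES).items():
        print(f"{name:20} blacklist allows: {verdict['blacklist']!s:5}  "
              f"whitelist allows: {verdict['whitelist']}")
    for label, inv in (("weak", WEAK_BACKUPS), ("good", GOOD_BACKUPS)):
        print(f"{label} backups:", check_3_2_1(inv) or "meets 3-2-1")
```

The unapproved attachment passes the blacklist, because no vendor has catalogued it yet, and fails the white-list, which is the whole point of the policy. The backup check shows why two disk snapshots on the same site are not really two backups: one infection, or one power failure of the kind described earlier, takes out both.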

Conclusions

For a cyber criminal, ransomware provides an opportunity for financial gain with a high chance of success, so companies must stay vigilant. While large companies often have the IT infrastructure to cope with an infection, the effect it can have on small businesses can be devastating. We need to concentrate on making our systems resilient and secure.

I stress that any organisation involved in the delivery of critical infrastructure services should invest in … Education (don’t click on those spear phishing links!) … Backups (be ready to roll back at any time without loss of service) … Layered Protection (detect and respond at many different parts of the infrastructure) … Network Segmentation (stop the malware from spreading and contain it) … and Application Control (only allow a white-listing policy).