James Barrett, Senior Director EMEA at Endace, explains why GWR should not be derailed following data breach
The value of the UK’s rail industry has been a source of national debate since the system was built in the early 19th century as a patchwork of local lines operated by small private railway companies. For some, it represents everything good about our industrial heritage, a manifestation of a world-defining movement that has stood the test of time.
For others, it is an unreliable, expensive and archaic network unfit for today’s socially driven way of life. Yet, like it or not, it is ours and, alongside the road network, it is the system through which the lifeblood of UK plc flows.
Little surprise, then, that something so fundamental to our national livelihood has emerged as a target for attackers around the world. For those bent on disruption, the opportunity to cripple an entire country is too good to resist, and targeting critical national infrastructure is how they will do it.
The potential for damage in the rail industry alone is enormous – cost to the economy, the interception of sensitive information and individual safety for passengers. Make no mistake, a major breach could bring the UK to its knees.
The greatest threat
In order to best prepare for an attack we need to have some idea as to where it is going to come from.
If we look further afield there are obvious potential threats. Recently, with tensions between Russia and the wider world continuing to escalate, the UK’s National Cyber Security Centre, the FBI and the US Department of Homeland Security took the unprecedented step of issuing a joint public warning about a campaign by Russian state-sponsored actors targeting network infrastructure devices such as routers and switches.
But is this a surprise? For more than a decade now, Putin’s regime has been associated with the increasing weaponisation of the Internet. Russia is not drinking alone in the bar of disrepute. For some years we have been seeing attacks such as the 2012 Shamoon attacks on Saudi Aramco and Qatar’s RasGas, which were suspected to have originated in Iran. And there is ample evidence of significant state-sponsored hacking by countries including China, Syria, Iran and North Korea too. The sad truth of today is that attacks can originate from anywhere.
Nor are targeted attacks by nation-state backed hackers the only danger to critical infrastructure. News of GWR’s breach comes less than a month before the first anniversary of the WannaCry attack of 12 May 2017 which, though not specifically targeted at the NHS, caused severe disruption there: more than a third of England’s NHS trusts were affected and more than 6,900 appointments were cancelled. This graphically illustrates the chaos that can ensue from attacks on critical infrastructure and services.
In the case of WannaCry, the disruption was a byproduct of a self-propagating worm whose operators were after ransom payments rather than any particular victim. Similarly, the NotPetya malware of June 2017, which took down systems across Ukraine and went on to damage computers at banks, shipping firms and other organisations around the world, presented itself as ransomware demanding payment; its payment mechanism was effectively unusable, however, and it is now widely assessed as a destructive attack whose damage spread far beyond its apparent target.
In short, threats to critical infrastructure companies come from all angles. Detecting and defusing these threats is critical to protecting against the chaos that can ensue from a successful attack – whether deliberate and targeted, or accidental.
GWR: the poster child of data breach defense and response
Unlike other high-profile and widely reported cases, where attackers gained entry through unpatched systems or weak passwords, in the GWR case the attackers took username and password combinations leaked from breaches of other websites and services and used them to log into GWR.com accounts whose owners had reused the same credentials. This is a common attack known as credential stuffing, and it succeeds without any flaw in the target site: the credentials presented are valid, they have simply been reused.
A huge problem that many infrastructure companies face, and which often makes them less effective at fighting cybercrime, is dependence on legacy technology with complex dependencies. It is only in recent years that old manual systems have been ‘digitised’ and interconnected.
Many of these systems were designed before the concept of a connected internet even existed and were certainly never designed with cybersecurity in mind. Critical infrastructure companies have mostly focused far more on physical security than cybersecurity. Which means they are often a long way behind companies in industries such as banking and retail when it comes to securing their systems from cyber-attack.
And that is what makes GWR’s response to this breach more impressive. Only around one thousand accounts out of roughly one million were ‘directly affected’ by the attack. For the sake of clarity, that is 0.1 per cent of GWR’s customers.
This is because GWR was quick to recognise that an automated system was attempting logins across large numbers of its accounts. That is high-quality security monitoring in action: just enough anomalous activity to sound the alarm, which is identified and investigated, and the attack shut down immediately. While not privy to the security tooling GWR uses, one can speculate that it includes some form of behavioural analytics. It is worth noting, though, that the telltale pattern of credential stuffing, a single source trying many distinct usernames once each with a low success rate, is also detectable with simple rate and ratio thresholds on ordinary login logs.
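The detection logic described above, as an added example that is not GWR’s or Endace’s code. It assumes a simple line-based authentication log (timestamp, source IP, username, LOGIN_OK or LOGIN_FAIL); the sample log is constructed inline and the thresholds are illustrative assumptions to be tuned against real traffic. The signature it looks for distinguishes stuffing (many usernames, about one attempt per username, low success rate) from a legitimate shared office address (many usernames, high success rate) and from a single user mistyping a password.

```python
"""Detect credential-stuffing activity in web-login logs.

Added example, not GWR's or Endace's code. The log format, field names
and thresholds are assumptions for illustration; adapt them to your own
authentication logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (not real data). Format per line:
    <ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"""
    base = datetime(2018, 5, 8, 9, 0, 0)
    lines = [
        # One user mistyping a password twice, then succeeding: benign.
        f"{(base + timedelta(seconds=1)).isoformat()} 203.0.113.7 alice LOGIN_FAIL",
        f"{(base + timedelta(seconds=9)).isoformat()} 203.0.113.7 alice LOGIN_FAIL",
        f"{(base + timedelta(seconds=15)).isoformat()} 203.0.113.7 alice LOGIN_OK",
        f"{(base + timedelta(minutes=2)).isoformat()} 198.51.100.4 bob LOGIN_OK",
    ]
    # Shared office NAT: many distinct users, but they all succeed: benign.
    for i in range(12):
        t = base + timedelta(minutes=10, seconds=10 * i)
        lines.append(f"{t.isoformat()} 192.0.2.10 staff{i:02d} LOGIN_OK")
    # Credential stuffing: one source tries each leaked pair once; a few
    # pairs work because those users reused their password here.
    for i in range(40):
        t = base + timedelta(minutes=30, seconds=6 * i)
        result = "LOGIN_OK" if i in (5, 17) else "LOGIN_FAIL"
        lines.append(f"{t.isoformat()} 198.51.100.77 user{i:02d} {result}")
    return lines


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_attempts=20, min_distinct_users=10,
                               max_attempts_per_user=2.0, max_success_rate=0.25):
    """Return one alert per source IP whose activity inside some sliding
    window matches the stuffing signature: many attempts spread over many
    distinct usernames (roughly one try each, since each leaked pair is
    tested once) with a low success rate. 'compromised' lists the accounts
    that logged in successfully from that source, i.e. the ones to reset."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start so the window never exceeds `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            attempts = len(chunk)
            users = {u for _, u, _ in chunk}
            successes = [u for _, u, ok in chunk if ok]
            success_rate = len(successes) / attempts
            if (attempts >= min_attempts
                    and len(users) >= min_distinct_users
                    and attempts / len(users) <= max_attempts_per_user
                    and success_rate <= max_success_rate):
                # Keep the busiest qualifying window for this source.
                if best is None or attempts > best["attempts"]:
                    best = {
                        "source_ip": ip,
                        "window_start": chunk[0][0],
                        "window_end": chunk[-1][0],
                        "attempts": attempts,
                        "distinct_users": len(users),
                        "success_rate": round(success_rate, 3),
                        "compromised": sorted(set(successes)),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(build_sample_log()):
        print(alert)
```

On the constructed log this flags only 198.51.100.77 (40 attempts, 40 usernames, 5 per cent success) and reports user05 and user17 as the accounts to reset and notify. Per-source thresholds of this kind are a first line only: attackers who spread a stuffing run across a proxy pool keep each address below the limit, so a production detector also watches the site-wide failure rate and the share of logins arriving for usernames that have never been seen before.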
The new normal
What makes the GWR case so interesting is its timing with respect to GDPR, which comes into force this month. As part of its response, GWR notified the Information Commissioner’s Office and proactively notified its customers by email, a message that has since, somewhat ironically, been mistaken for phishing. I guess sometimes you’re damned if you do and you’re damned if you don’t.
GWR clearly used this opportunity to road test its GDPR response, which can only stand it, and its customers, in good stead moving forward. The fact still remains that despite being open, honest, and having not been at fault in this case, GWR is now in the public record as having suffered a breach, which will be the new normal for companies. Soon, consumer trust in businesses won’t be based on those that have been hacked versus those that haven’t. It will instead be driven by which companies best handled their response to an attack.
Case for the defence
What this means for the rest of the UK’s infrastructure is clear. There is no way to block every potential threat at the perimeter. Trying to do so will only leave security analysts overwhelmed by the sheer number of monitoring systems they need to deploy and by floods of false-positive alerts that mask real issues. There is an urgent need for an early-warning capability that draws on intelligence sources and, in an automated fashion, systematically carries out measures to reduce the risk of intrusion and the chaos that could result. Organisations must accept that traditional defences such as firewalls and anti-virus software are simply not enough on their own.
Emphasis needs to shift from focusing on trying to block attackers to recognising protection simply can’t always be one hundred percent effective. What’s needed is intelligent and rapid detection, containment and mitigation that starts as soon as an attack begins.
That means having first-class, automated threat and security intelligence capabilities that can manage the deluge of potential problems, sorting real threats from the background noise of systems and network operation and freeing up security analysts to deal with the real problems as quickly and efficiently as possible. It is also critical to collect and analyse the data that security teams need to accurately detect, investigate and respond to attacks. One of the most valuable sources of that data is ‘packet capture’: recording the packets crossing a network so that the traffic itself, and not just log summaries of it, is available for analysis.
Many organisations use packet capture in an ad-hoc manner, initiating packet capture after an event – such as a network slowdown or some suspicious activity – has happened. The hope is that this will capture further evidence of what has taken place. But in a security context that’s simply not sufficient. In a smash-and-grab attack, the attacker can be long gone before packet capture is set up.
Ensuring that the packets relating to an event are captured as that event happens requires what is known as ‘full’, or ‘continuous’, packet capture. With full packet capture in place on the network, organisations effectively have a black box recorder for their network.
Should a breach occur, that black-box data can show when it occurred, how it happened, where the attackers got in and what they took. Visibility into, and understanding of, this kind of information is also critical to closing down any network vulnerabilities and preventing further damage in the future. After all, how quickly rail companies can update their defences to meet new threats will be one of the key weapons in the fight against cybercrime.
One of the reasons our infrastructure is so at risk is a lack of qualified security personnel and historic underinvestment. Industry forecasts put the global shortfall at more than one and a half million unfilled security jobs within two years, meaning there simply are not enough people in the UK to cope with the growing threats facing our critical infrastructure. Before the digital era it was relatively simple to prevent and stop attacks; now it is much harder, especially given the volume and variety of threats.
Are we on track to protect our rail infrastructure?
The politicisation and weaponisation of cyberspace was inevitable. While a concerted national strategy to ensure resilience is under way, we cannot escape the fact that our lives are now so dependent on digital systems of all kinds that a successful cyber attack could pose a significant risk of disruption and damage.
And this is where the rail industry can write itself a new chapter in its history. It’s safe to say an attack is coming. The industry can prepare by putting in place intelligent defences to contain the threat, minimise damage and prevent repeat attacks in the future. Or, it can be caught flat-footed, facing the prospect of rectifying massive damage and disruption.
Once again, the image of UK’s rail industry can be a symbol of national pride or just another failing for those doubting the capability of the industry to evolve and embrace change.
James Barrett is Senior Director EMEA at Endace