By Dr Sandra Bell, Head of BC & ISDG Consulting (Europe), Sungard Availability Services
Not a week goes by without a cyber-incident hitting the press. TalkTalk, Carphone Warehouse and Ashley Madison are the most recent, but unless the response is handled correctly such incidents will end up costing the victim far more than the perpetrator initially intended. The principles of responding to cyber incidents are no different to responding to any emergency or crisis, but there are a few “gotchas” to look out for and a few simple steps organisations can take to ensure that their response is effective.
Gotcha 1 – It is not always obvious that you have been attacked
If your building has been broken into or your basement is flooded it is fairly quick and easy to spot that something has happened. However, cyber incidents are often harder to recognise and it is not uncommon for them to have been going on under the radar for months before anyone notices. For example, research by Arbor Networks in May 2015 reported that retail organisations were taking an average of 197 days to identify breaches and, whilst financial services organisations were better, they were still taking 98 days.
Whilst these numbers may at first sight seem unbelievable, they make perfect sense when you consider that cyber criminals habitually take maximum advantage of two facts: the anonymity of the cyber world means that the chance of detection is low; and conventional security regimes are tailored to detecting and punishing large-scale incidents.
Therefore, rather than carry out one successful heist for £50m, where the probability of being caught is higher and the associated punishment more severe, the cyber criminal’s cost benefit analysis points to 50 million heists of £1 where their activity can go largely undetected and, even if they are caught, the punishment is minor.
Repeated incursions for small amounts of data are therefore much more common. However, this slow burn brings with it two major problems with respect to incident management.
The first is that the early symptoms of cyber incidents are often wrongly classified as technical glitches and consigned to the IT department for long term management and resolution. This means that cyber-attacks are often not identified in sufficient time to launch an effective response because the wider impacts, such as reputational damage and legal implications, are not addressed until the incident has reached critical mass.
The second is that, because the wider business believes that the symptoms are being managed by the IT Department, they turn a blind eye to them and it is often external agencies, such as the press, that first join the dots together and recognise them as cyber incidents.
If this happens then the organisation can find itself firmly on the back foot, and its share price can plummet as it is forced to choose between “trial by Twitter”, if it decides to say nothing until it has investigated thoroughly, and publishing unanalysed details that are then taken out of context and speculated upon by a world-wide team of experts.
The trick therefore is to make sure that: IT systems are continuously monitored, all anomalies are reported to a central point, and a team that represents the wider business regularly reviews them to ensure that the organisation spots cyber-attacks before the press, customers or other stakeholders.
Doing this means that organisations will often find they can contain and eradicate the attack before it does too much damage or attracts external attention and, should the incident come to light, they are in a good position to provide sufficient information to give confidence that they are in control of the situation.
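The review described above can be sketched in code. This is an added example, not part of the original article: it scans a central anomaly register for indicators whose individually small events, each below the level that would raise an alert, add up within one review window. The field names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Anomaly:
    day: date
    reported_by: str  # team that logged it at the central point
    indicator: str    # attribute shared across reports (account, host, destination)
    amount: float     # size of the single event (records, pounds, MB)


# Assumed thresholds for illustration only.
SINGLE_EVENT_ALERT = 1000.0    # per-event level conventional alerting reacts to
WINDOW = timedelta(days=90)    # look-back for the business review
MIN_EVENTS = 5                 # repeated occurrences within the window
CUMULATIVE_ALERT = 1000.0      # combined size that warrants escalation


def slow_burn_findings(register):
    """Return indicators whose small events add up inside one window."""
    by_indicator = defaultdict(list)
    for a in register:
        if a.amount < SINGLE_EVENT_ALERT:  # large events already raise alerts
            by_indicator[a.indicator].append(a)

    findings = []
    for indicator, events in by_indicator.items():
        events.sort(key=lambda a: a.day)
        start, total, best = 0, 0.0, None
        for end, ev in enumerate(events):
            total += ev.amount
            while ev.day - events[start].day > WINDOW:  # slide window forward
                total -= events[start].amount
                start += 1
            count = end - start + 1
            if count >= MIN_EVENTS and total >= CUMULATIVE_ALERT:
                if best is None or total > best["total"]:
                    best = {
                        "indicator": indicator,
                        "events": count,
                        "total": total,
                        "first_seen": events[start].day,
                        "last_seen": ev.day,
                        "teams": sorted({e.reported_by for e in events[start:end + 1]}),
                    }
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: f["total"], reverse=True)


def constructed_register():
    """Constructed sample data, not taken from any real incident."""
    d0 = date(2015, 1, 5)
    teams = ["helpdesk", "finance", "it-ops"]
    reg = [Anomaly(d0 + timedelta(days=10 * i), teams[i % 3], "acct-4417", 150.0)
           for i in range(8)]                       # 8 small events in 70 days
    reg += [Anomaly(d0 + timedelta(days=80 * i), "it-ops", "acct-9001", 150.0)
            for i in range(6)]                      # same size, but too sparse
    reg += [Anomaly(d0 + timedelta(days=i), "helpdesk", "printer-3f", 10.0)
            for i in range(3)]                      # genuine glitch, few and tiny
    reg.append(Anomaly(d0, "it-ops", "db-export", 5000.0))  # large: alerted anyway
    return reg


if __name__ == "__main__":
    for f in slow_burn_findings(constructed_register()):
        print(f"{f['indicator']}: {f['events']} sub-threshold events, "
              f"total {f['total']:.0f}, {f['first_seen']} to {f['last_seen']}, "
              f"reported by {', '.join(f['teams'])}")
```

The list of reporting teams in each finding shows when reports about the same indicator were logged by different parts of the business and only connect once they are held in one place.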
Gotcha 2 – Not knowing what has been compromised
Even if an organisation spots an attack early it is not always easy to work out what has been compromised. Most organisations’ IT systems have evolved over time. They frequently started life all neat and tidy and the IT Director could, hand on heart, say where all the information was held, transmitted and processed. However, they are now frequently complex behemoths that have taken on a whole life of their own, and under-resourced IT departments have all too often been forced to regress from the architects and controllers of the systems to the people who just keep the complex IT beast fed and watered on behalf of the company.
Whilst the complexity offers agility, cost-effectiveness and resilience, it also makes it harder to work out what has gone wrong and what information may have been compromised. This is borne out by research by Sungard AS pointing out the Jekyll & Hyde nature of Hybrid IT (http://www.sungardas.co.uk/Documents/Jekyll-and-Hyde-Whitepaper.pdf) and the Arbor Networks research mentioned above that found that retailers and financial services organisations took an average of 39 and 26 days respectively to investigate, contain and eradicate data breaches.
As cybercrime increases so do people’s expectations with respect to the security of their personal data. Likewise, regulators and law makers across the globe are increasingly forcing organisations to know where the information they are holding is at any one time. Organisations that cannot do this will find it increasingly difficult to trade on the world market and savvy consumers will vote with their feet if organisations cannot give them a straight answer about their data within hours of a breach happening.
It is therefore essential for organisations to keep track of their information systems and information assets so that, should the worst happen, they can respond.
Gotcha 3 – Leaving the response to the techies
As mentioned previously the responsibility to identify cyber incidents often rests solely in the IT department due to a combination of the tendency to use impenetrable language to describe the symptoms and the slow burn of the events themselves.
Whilst the failure to involve the wider organisation can cause delays in attack identification, leaving the response to the techies can also cause problems.
Effective incident management requires teamwork, task work and high levels of personal competencies such as empathy and diplomacy to ensure the achievement of group goals (Hayes and Omodei, 2011). Researchers have also found that Extraverted-iNtuitive-Thinking-Judging (ENTJ) MBTI Test Personality types are well suited to such roles (Hammer, 1996) as they exhibit high degrees of empathy, organisation, analytical thinking and decision making, enjoy being in charge and can visualise systemic or long-term changes they would like to see. Conversely, techies are often Introverted-iNtuitive-Thinking-Perceiving (INTP) personality types who, whilst able to build conceptual models to understand complex problems, adaptable and possessing the mental agility to respond to changing environments, often struggle to work in teams and are uncomfortable with time pressures.
Therefore, whilst it is absolutely essential to have deep technical expertise to investigate, contain, eradicate and recover the affected IT system, the response team must reach across every discipline within an organisation and be coordinated and led by someone whose competency set matches that of an emergency manager.
That is not to say that only certain MBTI personality types are able to manage incidents effectively, but that other types may often be playing to their weaker suits.
Gotcha 4 – Bluntness of the technical fix
To a layman a compromised IT system often looks much the same as an un-compromised system. Therefore, whilst all can see and understand the disruption associated with a flood or a fire, there is frequently an expectation that an IT system will be fixed and up and running within hours of a cyber-attack.
However, recovering from a cyber-attack takes time and involves expert resources. The typical steps required to contain a cyber-attack include: block (and log) unauthorised access; block malware sources (e.g. email addresses and websites); close particular ports and mail servers; change system administrator passwords where compromise is suspected; apply firewall filtering; relocate website home pages; and isolate systems.
Likewise, once the attack is contained the systems cannot be returned to their users until: the infected systems are rebuilt; compromised files are replaced with clean versions; temporary constraints imposed during the containment period are removed; passwords on compromised accounts are reset; patches are installed; perimeter security is strengthened; and the end-to-end system is checked for functionality.
It is therefore highly recommended that alternative working arrangements and backups are in place!
Gotcha 5 – Underestimating liabilities
Finally, even if the organisation successfully navigates the recognition, response and recovery from a cyber-attack many fall at the last hurdle by underestimating their liabilities. Most organisations focus on lost time and damaged reputation. However, there are a whole host of additional liabilities that organisations often overlook when carrying out the cost benefit analysis of cyber security and cyber-attack response measures.
In addition to direct theft and information corruption, other direct liabilities include blackmail attempts and ransomware. These threats are on the rise: as an example, the McAfee Labs 2015 Threats Report showed that there was a 165% increase in ransomware in the first quarter of 2015 alone.
Other costs include regulatory liabilities, both wide-reaching and sector-specific. For example, current EU law requires organisations to have in place appropriate technical and organisational security measures to protect personal data, and the new Data Protection Regulation is proposing fines of €100 million or 5% of the organisation’s annual worldwide turnover, whichever is the greater. Likewise, some industry sectors can be heavily penalised for data loss. For example, within the UK financial services sector, the regulator has historically levied greater fines for security breaches than the Information Commissioner.
Additional liabilities may also include: Breach of Statutory Obligations; Breach of Contract; Breach of Equitable Duties; and Negligence.
The final word of advice is therefore to take all liabilities into account when deciding to invest in either security measures to reduce the likelihood of an attack or response measures to mitigate the effects.