
Northern Rail Hit By Ransomware

Updated: Jul 20, 2021

Whilst Complete Cyber continues to promote the need for Cybersecurity in every sector, our Director, who has a background in railways, continues to highlight the growing need for Cybersecurity in Rail. Northern Rail, a Train Operating Company (TOC), has confirmed that a number of its self-service ticketing machines have been offline for approx. a week, with information coming to light that associates the downtime with Ransomware.


The impact of ransomware is that you have very limited options to address the situation. The initial step should be to invoke your Cyber incident management plan and, if you don't have the required support, to contact the National Cyber Security Centre (NCSC), who can provide some support in remediation activities.


Ransomware leaves companies with little option: it is a targeted crime (in most cases), often attributed to criminal gangs after a crypto or financial payout, and there is little or no guarantee that your data and systems will come back online if you pay the ransom.


How Do You Prevent Ransomware Attacks?


A question we are often asked is how to prevent ransomware. We often associate ransomware only with attacks on our IT systems, but forget that in the Railways the majority of systems are IT mixed with Operational Technology (OT): in effect, an extension of IT, but with higher demands on operational uptime and reliability.


The truth is that no one can be fully protected from ransomware, since everyone is prone to it. A company can implement the best security practices, only for the weakest link to allow a file to download onto its network and then propagate into its systems, causing mayhem.


Some simple steps to protect yourself against ransomware are given below. This is a typical checklist of what we do at Complete Cyber with our clients, including those who work in or are associated with the Railway:


  • Invest in Endpoint Detection and Response (EDR) tooling. This is often better than your traditional anti-virus, since it uses machine learning to analyse behaviour and detect odd patterns on your IT, and it can often restrict or contain malware and hence ransomware

  • Evaluate your asset infrastructure, whether this is your company's systems or your ticketing systems. It may seem simple to have some boxes with computers running Windows 10, but are you updating them (patching)? And if so, how are you distinguishing and restricting traffic from good and bad sources (network security)?

  • Ensure the software you have built and deployed is thoroughly tested. Software security is often neglected, and software potentially contains many vulnerabilities if it is not assessed using security tooling such as static code analysis and third-party library dependency checks

  • Risk evaluate the system. This is similar to understanding your asset infrastructure: determine your systems and how they connect to each other, and identify the weaknesses in your system or design. This can be done early, before anything is built, using threat modelling

  • Ensure you have a backup procedure, otherwise known as a continuity plan. When a system fails and you identify it as being a Cyber attack, invoke this plan. This plan should be written beforehand to eliminate remediation steps so you are not left panicking when attacks occur

  • Consider Cyber insurance. Use a good broker to ensure you have digital forensic cover and ransomware support in the insurance contract. If you don't mind paying for something to give a little comfort, bear in mind that the bill to pay these types of people without insurance can be quite high

  • As above, if you don't want to pay for insurance, ensure you have a supplier capable of providing the above services and agree a rate plan, so you don't end up paying over the odds by Googling for a service last minute on a Friday evening, as those prices will suddenly be much higher

  • Continually assess your systems. With ticketing machines, there may be alternatives such as online sales or the ticket booth, but the purpose of self-service ticketing machines is to save operational costs by running 24/7. Therefore, consider implementing either vulnerability scanning against your systems or monitoring for potential malicious activity. It is a costly investment, but spread that number across all of your systems and you'll soon see a return on your investment


 

Finally, whilst it's always easier to highlight steps to put in place to try to prevent ransomware, the reality is that this is a difficult subject and can be costly, which is why we recommend you always consult with a team that understands how to protect your infrastructure.


Complete Cyber will always promote Cyber within the Rail industry and will continue to highlight the growing risk that should be on everyone's risk register at board level, and on those of your suppliers supporting the Regional routes in maintaining a regular train service. The above is applicable to any industry and not just Rail.



For more information on how Complete Cyber can help evaluate your system weaknesses and protect your systems from potential Cyber attacks, please contact us, or pop a message in to find out how Cyber and Rail have more in common than you think.




