back to article Why are only moneymen doing cyber resilience testing?

Although Chancellor George Osborne recently spoke of the National Grid, hospitals and air traffic control as being potential targets of online attacks in a recent high-profile speech at GCHQ, only the financial services sector runs comprehensive stress tests. The lack of exercises designed to hone defences raised serious …

  1. Bc1609

    Herd immunity

    "...true cybersecurity will take a large dose of herd immunity...".

    "Herd immunity" is not a term I've heard used in connection with "cyber" security before, and it's interesting to try and concoct a scenario in which it might exist. In its original sense, herd immunity refers to the idea that if enough members of a group are immune to a particular disease, even those who are not immune can enjoy a degree of protection due to the reduced avenues for infection.

    This sort of makes sense if one is talking about certain types of self-propagating malware (the "I love you" virus, for example), where an infected business could infect another, but my understanding is that the threats faced by large organizations are usually in the form of spear-phishing, social engineering and other, more targeted attacks that are unlikely to spread from one business to another because they are being instigated by the attacker and tailored to the company in question. This would, one supposes, be especially true of attacks against infrastructure targets, which often have rather idiosyncratic systems.

    I suppose it is possible that someone wishing to attack the infrastructure of the Grid, say, might go about it by infecting the systems of a supplier or contractor with whom they have regular contact, and so trick a Grid employee into opening an infected file which they think is from a trusted source, but I'm not sure that's what the article is driving at.

    Can anyone think how the quote above might be true? The only other thing I can think of that remotely relates to "herd immunity" is stuff like Macs being (supposedly) less prone to malware because of the smaller number of people using them - but that's because the potential reward for writing Mac malware is lower than that when writing for Windows, and isn't really the same thing at all.

    1. Anonymous Coward
      Anonymous Coward

      Re: Herd immunity

      I think somebody thought it sounded nice, and used it regardless of its (lack of) actual relevance.

      I'll be delighted to be proved wrong.

    2. Tom 13

      Re: Herd immunity

      Reading that entire paragraph, I think what we have here is a Buzz Word Bingo player. Or to mangle Inigo Montoya: "I do not think that phrase means what he thinks it means."

      Honestly with sophisticated malware being what it is today, I don't think you'll get herd immunity effects even for opportunistic stuff. It's too easy to have a C&C that scans for vulnerabilities once the initial payload reports in.

    3. Anonymous Coward
      Anonymous Coward

      Re: Herd immunity

      I think the concept of herd immunity can apply in this context. Most malware re-uses kits or techniques, and the less targets that will fall to a particular technique, the less productive developing a kit around it would be.

      If most organisations have good patching routines and strong "cyber security" policies in place, the less fruitful these types of attacks will be, and so less attacks will happen (because the people developing the attacks, whether criminals or state actors, are better off using their resources persuing other avenues towards the same goals, either by having girls in short skirts hanging around outside the air traffic control tower, or mugging old ladies when they collect their pension).

      1. Anonymous Coward
        Anonymous Coward

        Re: Herd immunity

        And with shared attack and mitigation information, the fewer successful attacks by any one or few targets. That's the idea in theory. In practice I am of the belief that the low signal to noise ratio will preclude detection until well beyond effective mitigation. It's in the nature of the beast and has as its purest example the NSA & FBI. {Shrug} They won't learn so I, for one, will wait to greet our new post-apocalyptic overlords.

      2. werdsmith Silver badge

        Re: Herd immunity

        If there are 30 houses in my street, 20 have prominent burglar alarms and other physical security measures, and 10 don't, then which houses are going to be targeted. Herd immunity won't help here.

        Or a herd of antelope, most of them are fit and healthy and can run fast, a few are weak. Which get preyed upon?

        same will apply where hackers go looking for a victim, they will seek out and find the vulnerable, and herds won't help them at all.

        The scenario where herd immunity might help is by reducing the number of nodes that can take part in a DDOS attack.

        1. Bc1609

          Re: Herd immunity

          Or a herd of antelope... Which get preyed upon?

          That's it, I think - the analogy is not one of disease and infection, but of predation. Well done.

        2. Tomato42 Silver badge

          Re: Herd immunity

          > If there are 30 houses in my street, 20 have prominent burglar alarms and other physical

          > security measures, and 10 don't, then which houses are going to be targeted.

          > Herd immunity won't help here.

          but if 29 have, yours might simply get overlooked

          remember, if it's hard to find "in the wild" vulnerable systems it is also hard to develop probes for them

          and as you rightfully pointed out, having less vulnerable systems on the 'net also means it is harder to round them up to significant sizes for a big DDOS attack

  2. Known Hero

    Hey !!! I have a great Idea

    The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost,” he added.

    Lets put a load of smart meters out there that can't be replaced !!!

    *Just found out that my smart electric meter that developed a glitch cannot be repaired or replaced. They will have to replace the entire smart meter, Oh and replace the Gas meter whilst they are at it so I am told!

    Only 2 years in and already obsolete :(

    1. dcluley

      Re: Hey !!! I have a great Idea

      I had a long correspondence with my local electricity board last year when they wanted to put in a smart meter. I think I shot down every single reason they put up for installing it; but I suspect the killer was that at the time the British Standard for these things had not yet been agreed. They admitted that there was a possibility that the then current design might not comply with the standard when it was eventually agreed. Since then I haven't checked to see whether one has yet been agreed.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hey !!! I have a great Idea@dcluley

        Officially the answer is that it isn't a British Standard, it is the DECC SMETS standards. SMETS2 is supposedly the defintitive version and was ISTR finally agreed about November 2014. Some non-compliant meters can be upgraded in firmware, some can't, and all those will need to be upgraded to, or replaced with SMETS2 compliant meters.

        Even with a compliant meter, they can't force you to have one operating in smart meter mode. They can in theory (since it is their meter) replace the asset without your consent and run it in dumb mode, although even that is next to impossible because safety rules mean they have to have access to the consumer side electrics, and if you're not willing to be in, or not willing to have supply interrupted then they can't do it.

        Eventually the bureaucrats at DECC will have you on a smart meter, whether you like it or not, because you don't have an option to have a pre-existing meter removed or deactivated. Most of the population will take the pill and swallow it, and when the anti-smart meter types move house their chances of avoiding a meter are greatly reduced.

        1. dcluley

          Re: Hey !!! I have a great Idea@dcluley

          Yes - I was using a bit of shorthand when I referred to a British Standard. Sorry - I should have checked to get the right one; but the principle is still the same. Either way the concept is flawed. They say it is designed to cut down on usage to save generating capacity. But the times of peak demand coincide with family meal times and program breaks in TV programs and no amount of smart meter installation in domestic premises is going to make any difference to that. There is a case for smart meters for industrial/business users who can be more flexible.

          Other problems are the reliance on wireless communication for meter reading which I suspect is highly susceptible to hacking and that is a whole unwanted dish of works.

    2. Charles Manning

      "developed a glitch"

      Do you mean it had a hardware failure or that the software stopped working due to the infrastructure it communicates with changing?

      Smart Meters are a great wheeze. Get the numptie government to push them through at huge expense.

      When they fail to deliver promised benefits, show them V2 which really is so mush better. Fit those.

      Rinse and repeat with V3, V4, ...

      1. Known Hero

        Re: "developed a glitch"

        @charles, The display unit throws a wobbly and reports massive electricity use and sounds off alarms. this causes people to wake up in the middle of the night :(

        they cannot replace it as it isn't made any more, and to repair it, they need to replace all our meters :/

  3. Anonymous Coward
    Anonymous Coward

    Why are these systems even on the internet?

    1. Paul Crawford Silver badge

      A very good question and the answer is usually one or more of three options:

      1) Cost savings

      2) Convenience

      3) Trendy, as everyone else is apparently doing it

      Sadly there has been nothing serious to place responsibility on those in charge to do it properly. And by that I mean to consider security from the very beginning: How it is protected, how it is partitioned to control damage, how it is tested, how it is patched [repeat from start]. Dangle serious fines and jail time over managers and things will then be done, otherwise its business as usual until the shit hits the fan...

    2. PaulyV

      This was going to be my question as I have little knowledge regards such systems.

      There must have been a logical rationale for having, say, air traffic control linked to 'the internet' in some manner, but I cannot understand what it would be.

      Can anyone shed light on this for me?

      1. Vic

        There must have been a logical rationale for having, say, air traffic control linked to 'the internet' in some manner, but I cannot understand what it would be.

        ATC is a dispersed operation; it runs from controllers in larger airfields. Having those controllers get data updates from neighbouring areas makes a lot of sense - flight plans (and changes thereto) get updated automagically all along the flightpath. This reduces the number of unnecessary search & rescue operations.

        It should all be running atop a seriously hardened VPN, though. I have no knowledge as to whether or not it is.


    3. Tom 13

      Re: Why are these systems even on the internet?

      Because proper planning and testing for these systems runs 5-20 years and computer tech doubles in power rather more quickly than that. Back in '99 I did a stint visiting various US airports for Y2K scans. Some of the places were still running 386 desktops. So their refresh cycles are slow.

      Remember, all these systems were set up decades before the arrival of the internet. Initially they were setup as separated systems. Air gap firewalls were automatic. Building connections was expensive and data transfer was slow. When the internet became widely and cheaply available it was too efficient at transferring data to NOT use it. But the implementations don't take into account the risks associated with it.

      1. phil dude

        Re: Why are these systems even on the internet?

        How about point-to-point VPNs (choose your flavour) and impose a secure network topology?

        Surely in this day and age of COTS a retro fit might cost *money* but is a long way from "new"?


        1. Tomato42 Silver badge

          Re: Why are these systems even on the internet?

          @phil dude: ask Iran how their airgapped systems are working

          by making the network larger you're only making it easier to find the idiot that sticks a pendrive he found on the street into the work computer and infects the whole network

  4. Mr_Pitiful

    Paris is worse

    Air traffic control is still being run on windows 3.1 machines

    1. Tom 13

      Re: Paris is worse

      Ironically these days that might actually make them safer than the ones running Win7 or later.

    2. Anonymous Coward
      Anonymous Coward

      Re: Paris is worse

      Yep, and I still can maintain it. Then again I can recall calling my Mom on how to diagnose and repair a TACAN (VORTAC) from when she wore the uniform. So having W 3.x around, among other packages, 5.25/3.5" drives around, well I keep it ready. Come to think of it, putting all my most secret stuff on 3.5" disks would be diabolical.

    3. Steve Todd

      Re: Paris is worse

      To be fair it's not the ATC system that is running Windows 3.1, it's the box that was used to get weather data from their met office. You could have pretty much done that on an 8 bit machine.

  5. Paul Crawford Silver badge


    "We see from this place every day the malign scope of our adversaries’ advertisers' goals"

  6. Anonymous Coward
    Anonymous Coward

    Why would they - they are PRIVATE companies.....

    The Tory government sold off lots of things and the Labour government sold off NATS.....

    As a private company - if you dont have to spend money - why bother!

    1. Primus Secundus Tertius

      Re: Why would they - they are PRIVATE companies.....

      But they are not supposed to be negligent, whatever they are.

      1. Will Godfrey Silver badge

        Re: Why would they - they are PRIVATE companies.....

        When did 'supposed' have anything to do with ripoff business decisions?

    2. Anonymous Coward
      Anonymous Coward

      Re: Why would they - they are PRIVATE companies.....

      Oh why the thumbs down ???

      This is the truth - NATS is a private company these days.....not owned by the government - but a consortium of airlines who were appalled at trying to make money from safety ......

      Get with the plan..... understand that even not for profit private companies cannot just spend money they dont have - and when its a company who cannot really make money from selling anything - where is that money coming from ?

      The airports get the main amount of money from the landing fees.....

      The government made the decision to both sell off BAA and then decided that BAA was too big once Ferovial bought now we have money grabbing companies like GIP trying to squeeze every single penny they can from passengers and airlines what are they doing about paying NATS.....???

      1. Bronek Kozicki Silver badge

        Re: Why would they - they are PRIVATE companies.....

        Banks are private companies and they actually care (although not enough) about security. Why? Because the only unique selling point they have is customers' trust. Lose it and you lose the business, as many banks proved few years ago.

        On the other hand, as experience tells me, government driven "enterprises" do not give a shi* because their unique selling point is that you have no choice. Just fuck off and be thankful they provide any services at all, secure or not.

  7. Stevie Silver badge


    Squirrels? Get real. MBAs are the real danger.

    The biggest failure of the power grid to date in the USA is pretty much founded in the power company solely at fault firing everyone who had any experience of running a power generation and distribution network and replacing them with IT professionals and meter readers.

    The results, as explained in the official report, were an almost purpose-built grid crasher employing a highly redundant design of military grade. Viz:

    Closing down the most important of seven power generation facilities for maintenance during its heaviest load season.

    Failure to properly maintain the grid infrastructure (i.e. not trimming trees).

    Ignoring field reports of shorts and fires because the computer generated instrumentation was not agreeing with eyewitness statements.

    A clueless IT team who at no stage of the diagnoses and fixing of the underlying problem causing those instruments to disagree with the field reports showed any awareness that their job *wasn't* just to keep some servers running and therefore had no situational awareness of their own contribution to the building fiasco.

    A complete failure to recognize the consequences of a local power shortage problem and remediate it before it caused a massive overload of the whole network because no-one at the desk knew jack about how power stations must work in a national context and what a local network must never do.

    And my personal favorite: Once the problems were acknowledged and recognized for what they were (a disaster in the making), working the problem solution playbook (a replacement for actual people who knew what they were doing) from the wrong failover scenario because the down-for-maintenance power generation facility had already put them in a "class one failover" and no-one realized it.

    The importance of squirrels when placed in the context of this sort of Long Range Directorial Uckfup is, I submit, so small as to be negligible.

    1. Bronek Kozicki Silver badge

      Re: Bah!

      From your description I would say that in said company, squirrels are in charge.

  8. Anonymous Coward
    Anonymous Coward


    Luckily, for our spider-security protection purposes , the number of actual (non false-flag) infrastructural attackers is still close to zero (+/- a few percent)

    Hence why they are referred to as spider-attacking unicorns

    (For management: cyber-attacking jihadis in CESG speak)

    Of course, I do suggest that we urgently improve the spider-defences of our infrastructural blocks

  9. drewf74

    Accidental connections

    Unfortunately there are many instances of facilities which are run by people who don't believe they are connected to the internet, but since other people have been careless, or have added unauthorised bits of kit, they just happen to gain this connectivity.

    Another slight problem - critical pieces of equipment which are being leased on a photocopier-style business plan, and the owners remotely VPN/dial-in (sometimes really dial-in on a modem) for maintenance and to read the meter. When there's the potential for plant-wide connectivity from that kit, securing that access point can be tricky. The bean-counters are not generally the same people as are responsible for security. Money saved at one end, could cost the entire corporation at the other.

    Many of the industrial plants are believed to be secure since they are air-gapped. Worked a treat with Stuxnet though, didn't it? Since so many places are still running on XP (and will continue to do so for years, since it's not as easy as you might imagine to simply replace/upgrade equipment), getting a piece of malware to take root is not too hard. Patches? Not usually. A/V? Not usually... Will the engineer download something at home onto a laptop and take it inside the control network? Yep...

    Big industry players are certainly aware of the issues, and plenty have programs to deal with it. Could be many years before most of those programs are really effective though.

    1. Will Godfrey Silver badge

      Re: Accidental connections

      "The bean-counters are not generally the sane people ..."


    2. Bob Dole (tm)

      Re: Accidental connections

      >>Could be many years before most of those programs are really effective though.

      I'd hazard a guess that the *only* way those systems will get a real security overhaul is after one or more plants are taken off line by a verifiable attack. Then the governments will actually demand the owners fix the problems.

  10. Cynic_999 Silver badge

    Nuclear power stations

    The new nuclear plants being built in the UK are bound to be secure from cyber attacks because they will be made by China, which can be trusted with such matters.

  11. Disgruntled of TW

    Credentials ...

    I'm sorry, but why should we listen to anything Osborne says about information systems security?

    It's as if getting voted in suddenly endows politicians with years of experience and knowledge that they didn't have before they won an election.

    Get some experts involved, not mouth puppets.

  12. Trixr Bronze badge

    The US != the entire world

    Just because the US doesn't do basic testing doesn't mean nowhere else in the world does. Whether they act appropriately on such testing is something else.

  13. Alan Bourke

    Always loved that NORAD display.

    ... and I always wondered why Grand Forks looked like buying the farm first in 'War Games'. Granted, Grand Forks AFB is there but I always wondered if it was an in-joke from someone involved in the film.

  14. Anonymous Coward
    Anonymous Coward

    Bank of England

    Cyber resilience tests are currently mandatory for the financial sector, and this is enforced by the bank of England.

    Ahh, The BoE have been busy working out what computers are. That could explain why they were asleep in the run up to the financial crisis, and why they've done nothing to make the banks learn the lessons since, and UK household debt is now a larger share of GDP than before the crisis, and house prices average five times earnings.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019