Page 47 - the SyI Quarterly 11

Cyber Updates

Thames Tideway cyber-attack exercise

Following an increase in global ransomware attacks and the UK National Cyber Security Centre’s warnings of hostile actors targeting infrastructure providers, Tideway decided to gauge its preparedness for such an event. In November 2019, in collaboration with London Resilience Group, Tideway conducted a crisis-management exercise aimed to test, validate and provide opportunities to develop Tideway’s cyber-security defence capabilities. The ransomware scenario was a hybrid minimal-notice exercise.

Meticulous planning ensured that any associated risks were mitigated to minimise disruption to the business. A Tideway service provider for threat monitoring (ThreatSpike Labs) supported the delivery of this exercise, using its software to target individual employees and generate fake ransomware, thus replicating a real-time cyber-attack. The scenario started with a “spear-phishing” campaign, with targeted emails sent to individuals. This was delivered by procuring a domain name that closely matched the Tideway email address that was used to send health and safety alerts.

Once the email and attachment were opened, ThreatSpike used a pre-agreed employee list to deny staff access to the network by “blue-screening” their laptops. As more members of staff opened the email, confusion and panic set in. Information display screens housed on the fifth and sixth floors of the headquarters building began to display a ransomware message demanding £15 million in Bitcoin in return for releasing Tideway systems.

After the initial spear-phishing element, the ransomware injection provided a focus on the very real threat that organisations face. To improve organisational learning, the ransomware attack was combined with an “insider threat”, a less understood risk closely associated with cyber-crime, where individuals belonging to an organisation can use their knowledge of the organisation’s security and information practices to orchestrate or develop the cyber-attack.

The shock and confusion among staff was clear. The information systems department was soon overwhelmed and just as shocked by the speed of the initial attack. Crisis-management teams were subsequently able to use structured processes to understand the situation, agree priorities and set a strategic direction.

The key learning themes identified were that the business had limited understanding of a ransomware attack and its impact on systems and business continuity. The true impact, financial cost and recovery timescales of such an attack were also misunderstood. The exercise drove discussions on disclosure, how the ransom request should be handled, and which partner agencies to involve. Colleagues from UK Central Government and the Metropolitan Police Service’s Cyber Crime Unit also observed the exercise and were able to provide valuable feedback and advice based on real incidents.

Although organisations can never fully protect themselves against cyber-crime, Tideway’s commitment to enhancing staff awareness with the existence of robust and practised procedures ensures that the organisation is in the best position to respond to cyber-attacks.

The exercise demonstrated that shared understanding and organisational preparedness for such incidents is vital in reducing the recovery time.

- Charles Frank CSyP MSyI

