What’s your IT Disaster Recovery Plan in the event of a cyberattack?

What would you do if your organization’s Information Technology (IT) systems stopped working for more than 4 weeks?

Well, this happened on Tuesday 27th June 2017 when a cyberattack was unleashed, initially displayed as part of the payload for the original version of Petya Ransomware attack, now known as “NotPetya”, leading to a significant disruption on a global scale.

This NotPetya cyberattack took 45 seconds to bring down the network of a large Ukrainian bank, and a portion of one major Ukrainian transit hub which become fully infected within 16 seconds.

On a national scale, NotPetya was eating Ukraine’s computers alive. It had hit at least four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency. According to reports, at least 300 companies were hit, and one senior Ukrainian government official estimated that 10 percent of all computers in the country were “wiped”. The attack even shut down the computers used by scientists at the Chernobyl clean-up site, 60 miles north of Kiev.

And for companies such as FedEx, Merck, Mondelez International, WPP, as well as many others, they were all affected by the NotPetya cyberattack. In the case of AP Moller-Maersk it saw infections in part of its corporate network that paralyzed some systems in its container business and prevented customers from receiving quotes and booking ships, in an industry where some 90 percent of world trade is transported by sea.

Several port terminals run by a Maersk division, including in the United States, India, Spain, the Netherlands, found themselves struggling to revert to normal operations, and such IT glitches can create significant disruptions for complex logistic supply chains.

It took Maersk just 10 days for the company to rebuild its entire network of 4,000 servers and 45,000 PCs. Full recovery took far longer: after working day and night for close to two months to rebuild Maersk’s software setup. The company suffered only a 20 percent reduction in total shipping volume during its NotPetya outage, thanks to its quick efforts and manual workarounds. But aside from the company’s lost business and downtime, as well as the cost of rebuilding an entire network, Maersk also reimbursed many of its customers for the expense of rerouting or storing their marooned cargo. NotPetya is estimated to have cost Maersk between $250 million and $300 million.

This global cyberattack was certainly among the biggest-ever events to hit global shipping, as well as other business operations and critical supply chains, and for certain organizations the effects continue today!

What caused the cyberattack to happen?

The NotPetya cyberattack looked for administrative credentials left readable on a server or other machine, then used them to bore deeper into a corporate network. Often the attack software used common administrative tools available in Microsoft Corp.’s Windows environments, even though Microsoft had issued patches for some vulnerabilities that were exploited.

Why do we need a combination of Information Technology (IT) Disaster Recovery (DR) Planning, Business Continuity Planning (BCP) and Crisis Management to create readiness for a Cyberattack?

In the case of NotPetya all three of the above training courseware, in the main, were found to be needed, some effectively, and some not due to a lack of “readiness”!

NotPetya should therefore be a wake-up call for all organizations, and that they need to “expect the unexpected” and ensure that they have a state of readiness for such events.

So, how can you plan accordingly for the unexpected, whilst creating a state of readiness for “significant disruptions and physically damaging” events, such that they are “proportionate” to the threats, risks & impacts that your organization faces?

Part of the answer lies in “joining-the-dots” between various responding elements within your organization, to ensure that “incidents” are firstly recognized, and then that the necessary escalation process has been invoked. This needs support of a range of templates, processes & procedures, and of course staff training.

PLUS Specialty Training is offers training in Certificate in IT Disaster Recovery Planning that identifies the key components in ISO/IEC 27031 for ICT Readiness in Business Continuity and ISO/IEC 27035 for Information Security Incident Management, covering a range of service management requirements as laid down in IS0/IEC 20000, to name but a few.

In addition to the above, key requirements that were found missing during the response to NotPetya were how best to keep the business running and respond to reputational issues arising from the cyberattack. Both missing areas can be found in PLUS Specialty Training’s Business Continuity Management, and Certified Crisis Management Professional training courses, that are benchmarked against International Standards benchmarking, as well as NCEMA 7000-2015. Steve Yates, FBCI, CBCP, FICPEM, MEPS delivers all three of the above training courses, having had operational experience in these areas and worked in a range of public & private sector organizations.

All of the above training courses are delivered in English, and provide a range of plan templates and supporting processes & procedures, with MPC certified exams for both Certificate in IT Disaster Recovery Planning and Certified Crisis Management Professional.

About the Author

Steve Yates

Steve has been involved in both Commercial & Public sector organizations, as well as having served in the Military. He is currently working as an Independent Resilience Consultant, in delivery of Resilience Solutions to organizations.

His main claim to fame was when he worked for the Olympic Delivery Authority (ODA) as Head of Business Continuity & Crisis Management during the London 2012 Olympic & Paralympic Games where he established and led delivery of the Risk & Continuity roadmap throughout the construction, fitting-out and event delivery phases, having additional responsibility for Emergency Planning and ICT Disaster Recovery.

As a Fellow of both the Business Continuity Institute (FBCI) and Institute of Civil Protection & Emergency Management (FICPEM), Member of the Emergency Planning Society (MEPS) and BSI trained ISO 22301-2012 Societal Security; Business Continuity Management System (BCMS) Lead Auditor, he has been involved in the development of Industry standards, as well as in the delivery of Projects & Programs to major institutions and global brands.

He has written many articles about Resilience, Business Continuity Management, Crisis Management, Major Incidents, Disaster Recovery and Emergency Planning, having developed & delivered training courses, workshops and spoken at conferences both nationally and internationally.

Some of his best accolades have ranged from being honored in:

• 1995 with “Freedom of the City of London” for work in Disaster Recovery
• 2004 elevated to being the first "Brit" to enter the USA's Continuity Planning Management's "Hall of Fame" as "Practitioner of the Year"
• 2010 presented with the BANG (Business And National Government) "Best Contribution to the Profession" by his Industry Peers, and
• 2011 presented with "Public Sector Business Continuity Manager by his BCI Industry Peers