The famous “blue screen of death,” witnessed with horror by 8.5 million Microsoft Windows users worldwide as a result of the ongoing CrowdStrike outage, may soon become a far more familiar sight across a wide range of sectors.
While there is no evidence that the widespread Microsoft Windows outage caused by the CrowdStrike upgrade was anything but accidental, many in the cybersecurity industry are seeing the past week’s experience as a dummy run for a full-fledged cyber-attack aimed at crippling critical infrastructure. As the current media pictures of people sleeping in airports testify, some sectors appear to be faring better than others.
According to Tim Grieveson, Senior VP of Global Cyber Risk at cybersecurity company BitSight: “It is essential that large organizations such as airlines carry out regular scenario-testing to gauge their resilience to a concerted cyber-attack or major outage such as the one we are currently experiencing. The banking sector does this, but it doesn’t feel as if the airline sector was adequately prepared this time.”
Even in the case of a glitch by CrowdStrike rather than a concerted cyber-attack by a hostile nation-state, it seems that some sectors are getting off lighter than they deserve. However, the major alarm bell now being sounded is the West’s reliance on widespread and ubiquitous software such as Microsoft Windows OS.
According to Pankit Desai, CEO of cybersecurity firm Sequretek: “Microsoft Windows OS is widely used and I was surprised to see no impact on critical infrastructure such as water treatment systems, power supplies or communications during the current outage… The widespread use of Microsoft’s Windows OS means that a significant breach would have very far-reaching and widespread consequences.”
“Organizations should try to adopt a good mix of front-end systems, rather than just relying on the Windows tech eco-system. I do, however, understand that, once the memory of the current outage starts to fade, it will be difficult to convince company board members to finance the adoption of new operating systems and proprietorial software,” adds Desai.
Sectors such as energy, telecoms and water treatment usually rely on operational technology (OT), some of it decades old, that was never designed to be connected to the internet and can, therefore, be hacked.
“The motto of the OT world is: ‘If it ain’t broke, don’t fix it.’ As these older OT systems are increasingly going online and many of them had not had a security patch in years, this makes sectors such as telecoms that rely on OSS and BSS OT systems to run their office operations very vulnerable,” says Desai.
The countries mainly affected by the CrowdStrike outage, the US, UK, and India, have now revealed a gaping vulnerability in their defenses that potentially hostile nation states will be quick to exploit. Over the last two years, hacking techniques have been developed and used to successfully attack and disable critical infrastructure in locations such as the Middle East and Ukraine.
Not a question of ‘if’ but ‘when’ critical infrastructure will be taken down
“The ongoing conflict in the Ukraine has seen concerted cyber-attacks on critical infrastructure. When the conflict ends, the cyber-gangs responsible will find new targets in countries such as the US and the UK. It is now no longer a question of if but when a concerted cyber-attack will take out critical infrastructure in a major Western economy,” says Desai.
Other lessons from this week’s dummy run include the knowledge that it can take days, if not weeks, to try to get systems up and running once the Microsoft “blue screen of death,” once a familiar sight in the days of dial-up, starts appearing on screens across the West.
Shawn Waldman, CEO and Founder of cybersecurity firm Secure Cyber, says: “The current CrowdStrike outage impacting organizations worldwide is far more complex than it may appear. While CrowdStrike has issued a fix, the challenge lies in the application of this fix across vast networks. Many global agencies and large organizations have tens to hundreds of thousands of devices spread out across the globe.”
A final lesson being learned from the current Windows outage is not to relinquish the ability to carry out transactions manually in the event of a major outage. The general public and its elected representatives are also taking heed that the West’s rush to become a cashless society may not be the best approach after all. In the UK, for example, almost half of all adults were living largely cashless lives throughout 2023, according to UK Finance, with cash representing just 12 percent of all 48.1 billion payments recorded last year.
“Public-facing organizations in sectors such as retailing, aviation, and retail banking should now ensure that they can operate tills and ticketing manually in the event of another outage or, worse, a concrete cyber-attack,” says Desai.
Until Western organizations are prepared to reduce their addiction to linking every possible device or facility to the internet and until organizations start to use more varied software, it looks as if the best we can all do is put some cash under the mattress and expect the worst.