OPINION: Legacy systems leave critical public infrastructure vulnerable to the dark side of the Internet
For years the industry, and indeed Silicon, have been warning that an attack on our critical infrastructure was coming. On Friday it happened. And it could have been worse.
Cybersecurity has long been seen as a drag – something that organisations believe has to be endured rather than invested in. It’s not just technical capabilities, it’s culture too.
Threats are only going to multiply as we move more processes online and the world becomes increasingly connected. The Internet of Things (IoT) is evidence of that.
But in the end it wasn’t even this new world of innovation which caused the problems. It was a non-targeted attack aimed at vulnerable Windows systems that hadn’t been patched or were no longer supported.
Initial research suggests WannaCry targeted an SMB vulnerability disclosed in the ShadowBroker leak of bugs known to the NSA. It was patched by Microsoft in March – two months ago – and only for supported Windows operating systems.
Any regular reader of Silicon will have been aware that support for Windows XP ended in 2014 and only organisations who purchased extended updates would be covered. The NHS reached a £5.5 million deal in 2014 for 12 months of additional updates but this was not renewed in 2015.
Back in December, it was reported that of 70 NHS trusts contacted, 48 were still using Windows XP. NHS Digital puts the figure at 4.7 percent of all systems in the NHS technological ecosystem.
This means several NHS Trusts have not applied updates or are still too reliant on XP. As many as 48 Trusts in England were impacted by WannaCry as well as 13 in Scotland.
Other organisations, such as Telefonica, will also have to address their security measures but as a public body and provider of an essential service, the NHS will be held to scrutiny. As will the government.
In its defence, the NHS says the number of Windows XP systems continues to fall and that some systems, such as MRI scanners, cannot be upgraded immediately. It also stresses that NHS Trusts will isolate vulnerable systems from the rest of the network and that so far there is no evidence that patient data has been compromised. Possibly because it has been encrypted?
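The two exposures the article describes (systems missing the March fix, and systems such as XP that could not receive it at all) and the NHS position that vulnerable systems are isolated from the rest of the network can be turned into a simple inventory triage. The following is an added example, not code from the article or from NHS Digital; the host names, operating system mix and dates are constructed, and the triage rules (isolate if out of support and still exposing SMB, patch immediately if supported but behind the March 2017 release) are the author's assumptions about a sensible defender policy.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Date the SMB fix referred to in the article shipped (Patch Tuesday, 14 March 2017).
SMB_PATCH_RELEASE = date(2017, 3, 14)

# Versions already out of support when the outbreak hit: the March fix was not
# published for them, so their patch level is irrelevant to exposure.
UNSUPPORTED_WINDOWS = {"Windows XP", "Windows Server 2003"}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    last_security_update: date  # most recent security update actually installed
    smb_reachable: bool         # TCP/445 reachable from the general hospital network


def triage(host: Host) -> tuple[str, str]:
    """Classify one host as (action, reason). Out-of-support or unpatched hosts
    that still expose SMB to the wider network are the ones to isolate first."""
    if host.os in UNSUPPORTED_WINDOWS:
        if host.smb_reachable:
            return "isolate", f"{host.os} is out of support and exposes SMB"
        return "plan_replacement", f"{host.os} is out of support (SMB already segmented)"
    if host.last_security_update < SMB_PATCH_RELEASE:
        if host.smb_reachable:
            return "patch_now", "missing the March 2017 SMB fix and exposes SMB"
        return "patch", "missing the March 2017 SMB fix (SMB already segmented)"
    return "ok", "supported and patched"


def summarise(hosts: list[Host]) -> dict:
    """Counts per action plus the share of hosts still on unsupported Windows."""
    actions = Counter(triage(h)[0] for h in hosts)
    unsupported = sum(h.os in UNSUPPORTED_WINDOWS for h in hosts)
    return {"actions": dict(actions),
            "unsupported_pct": round(100 * unsupported / len(hosts), 1)}


# Constructed inventory for illustration; names, versions and dates are invented.
SAMPLE_INVENTORY = [
    Host("ward-pc-01", "Windows 7", date(2017, 4, 12), True),
    Host("ward-pc-02", "Windows 7", date(2017, 1, 10), True),
    Host("mri-console", "Windows XP", date(2014, 4, 8), True),
    Host("lab-analyser", "Windows XP", date(2014, 4, 8), False),
    Host("file-srv-01", "Windows Server 2012", date(2017, 2, 14), False),
]

if __name__ == "__main__":
    for h in SAMPLE_INVENTORY:
        print(f"{h.name:14} {h.os:20} -> {triage(h)}")
    print(summarise(SAMPLE_INVENTORY))
```

In a real estate the inventory would come from a configuration management or vulnerability scanning feed rather than a hard-coded list; the point is that "how many XP boxes" is less useful than "how many unsupported or unpatched boxes can still be reached over SMB".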
But even still, if hundreds of thousands of NHS systems are still using XP – no matter how rapidly the figure falls – why on Earth was the government’s support agreement with Microsoft not extended?
Surely the cost of the incident has exceeded the £5.5 million it would have taken to arrange more support. After all, operations were cancelled, ambulances were redirected and staff were reduced to using pen and paper.
So much for the paperless NHS that is perpetually envisaged by ministers.
Home Secretary Amber Rudd has said most of the NHS is now “working normally”, that she hoped Trusts had backed up data and that the incident would encourage hospitals to upgrade to a new platform.
Rudd also pointed out the government’s £1.9 billion cybersecurity pledge but there needs to be action alongside rhetoric.
Funding has to be given to an NHS facing so many other problems and budget cuts and there has to be an acknowledgement among the organisation that the issue of cybersecurity cannot be ignored – no matter how pressed a Trust is.
The technology and cybersecurity industries can be accused of hyperbole, but Friday showed that their warnings cannot be ignored. And there may be worse to come.