Bristol Airport’s quick isolation of key systems was key to preventing ransomware spreading, says Databarracks

The airport’s steps in handling the cyber-attack set a positive example for other organisations to follow

Recently, Bristol Airport’s administration systems were infected by ransomware. The airport was forced to take a cautious approach and shut down applications including its digital flight information displays, forcing staff to use whiteboards to keep passengers updated on flight information.

In the wake of this incident, Peter Groucutt, managing director of business continuity and disaster recovery firm Databarracks has said: “We applaud Bristol Airport’s efforts in handling the incident. Although it might look a ‘low-tech’ approach to have staff use whiteboards to update information, it was a simple, manual work-around that kept the airport operating without any cancellations.

“The key to dealing with cyber incidents like ransomware infections is early detection, followed by decisive action. The airport’s decision to quickly isolate key systems was brave and consequently prevented the spread of the infection. The small disruption they suffered is far better than the potential consequences and impact on the organisation if it had escalated into a more significant attack.”

Groucutt continues: “Speed of response is critical to success in dealing with these kinds of incident and so in order to act quickly, it is vital to have a cyber incident response plan in place.

“The plan provides a systematic approach to the response with pre-agreed actions including whether or not to isolate systems.

“A response plan should map out all of the actions that are required to recover from any types of incidents. This would include: 

• Identify – the initial notification of an incident is likely to come from an automated alert or user notification. An incident must then be verified and then logged and categorised. The team-members logging and categorising an incident should have clear definitions to work from and directions regarding how to respond and escalate.
• Isolate & contain – isolation and containment is critical to limiting impact. Fast action at this stage reduces the amount of remedial work needed later for eradication and recovery.
• Rectify – when the threat has been contained, you can begin dealing with the incident, first by eradicating the threat and then recovering systems to make the organisation operational again.
• Communicate – there are several different stakeholders that you may need to communicate the incident to. As well as internal notifications this will also include customers, your insurance company and regulators.
• Review – finally, every incident must be reviewed, ideally as soon as is possible after the breach. Take the lessons learned from the incident to make improvements to defensive measures as well as to the cyber incident response process itself.

“Bristol Airport displayed all of the signs of an organisation with a solid response plan in place. The infection was identified and action was taken to isolate and contain it.  At this point – with some systems down, including the digital signage their Business Continuity Plan was enacted. They broke-out the whiteboards and switched over to manual methods to keep the airport operating. Theycommunicated to their customers that they were dealing with a problem and advised passengers to arrive at the airport with more time before their flight.

“Choosing to take systems offline as a preventative measure can be a difficult decision and will understandably attract some criticism. Ultimately, when dealing with an incident like this, your aim is to maintain continuity of operations and prevent data loss. Bristol Airport’s actions ensured they achieved both,” Groucutt concluded.