British Airways IT Issues


The media coverage of the recent major systems outage at British Airways is some of the worst I can recall reading. Essentially a national institution working in an industry synonymous with resilience, safety and preparation is making a drama out of a crisis and many technical practitioners are still trying to understand what happened. 

In the most recent reports, it sounds like a contractor accidentally switched off the power in their datacenter and with it, toppled the first domino in a series which lead to 750,000 passengers being unable to fly and an as yet to be calculated compensation bill. 

"It was not an IT issue, it was a power issue" - British Airways 

Nothing in the information they’ve released so far really explains how this course of events came to transpire nor does it provide any confidence or assurance around BA’s approach to business continuity planning (BCP) or disaster recovery (DR). Essentially, someone was able to gain access to and then press a button which tore the entire organisation offline in such a way that they were unable to recover in a suitable timeframe. This also managed to happen at a peak period for the business, a bank holiday weekend, and one which the media had reported would see record travel figures given the abundance of good weather in the UK. We now have a lot of questions about change control, BCP/DR, personnel management, system residence, architectural practices, Governance, risk and compliance and so far no real answers. 

BCP/DR aren’t easy but nothing worth doing is. Over the years, I’ve seen shining examples of how to prepare for the worst and unthinkable. On the other hand, I’ve seen how not to do it. As a consultant, you can often get a feel for how seriously an organisation takes BCP/DR with a few well placed questions around hosting and infrastructure. If you’re met with a wry, nervous smile when you ask you can bet the situation isn’t going to be great. 

Those organisations that really were ready all had the same thing in common - they were expecting OR had needed to handle the worst in recent history, and this had made it certain that BCP/DR remained an active consideration in every aspect of how the company operated, how it tracked and cared for it’s people and how it provisioned central services. I recall one client in particular, not just because how much they impressed me with their preparations but because of how integral preparation and resilience was to their day-to-day business. It came as no surprise then when this client went on to detail their plans for New Zealand and Japan and then go on to show how they had managed the earthquakes in Christchurch and Fukushima in 2011. It focuses the mind when you consider IT availability issues within the context of human life.  Being able to support your employees livelihoods during a major recovery effort is a major part of an employer’s duty of care. 

Hopefully, this current media backlash the inquiry to follow will provide the leadership team there with the support and investment they need to prevent anything like this from happening again. Hopefully, this scrutiny will extend organisation wide and highlight any other weaknesses or gaps in both how BA operates and in the systems they employ.


Links
https://www.thetimes.co.uk/article/ba-power-fiasco-blamed-on-staff-blunder-tbfhxwsw2
https://www.theguardian.com/business/2017/jun/02/ba-shutdown-caused-by-contractor-who-switched-off-power-reports-claim
https://www.theregister.co.uk/2017/06/02/british_airways_data_centre_configuration 

Popular posts from this blog

PCI-DSS: Your CDE may be getting bigger

Image
In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words: “Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.” The guidance goes on to visualise a scoping process, considering each category of system in turn: I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems” . These are cases where the: System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity). System component can connect
Read more

Tools & Techniques - Cloud Firewalls (DigitalOcean)

Image
My home lab is (probably) typical of most security professionals: a beefy workstation running VMWare workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices.  I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent. They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had chance to have a play with them today. Essentially, they've incorporated a network level firewall service to their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc.  Initial Impressions - Pros, Cons and Limitations Pros No Cost (free!!) - Cloud Firewalls are available at no additional cost. Availability - Cloud Firewalls are available in ever region DigitalOcean operate.
Read more

Splunk Security Cheat Sheet

Image
Apart from being a source of all too frequent and embarrassing typos, Splunk is a big data platform which allows you to interrogate data and present results is a variety of contexts and visualisations. I've been using it for a little over 12 months, self teaching or Googleing as I go, predominantly to sift through the terabytes of logs from various applications and appliances that get generated in my 9-5 every day.  You can use Splunk to build dashboards which are typically better than the ones that come with the product ( full size )  I've started to pull together all the searches, notes and bits of code into a sort of security cheat sheet which I thought would be a good thing to share as well as providing some real world examples of how you might use Splunk in a security context.  Cheat Sheet I'm actively working back through my notes and adding to this all the time so it might be a good thing to reference via the URL or re-visit from time to time. I'll t
Read more