Discovery of 'white powders'
A 'white powder incident' is a phrase often applied to the discovery of a substance (solid or liquid) where the finder cannot eliminate the possible presence of a chemical or biological hazard. (Not all such hazards are white, or powders.) An example of the concern is the series of anthrax letter attacks in the US in 2001. That event caused a small number of deaths and large-scale disruption (because of the need for extensive decontamination).
The majority of white powder incidents in the rail environment (and elsewhere) have related to benign substances and were not accompanied by any kind of threat information. Examples of risk aversion have included concerns about spilt flour (from a shopping bag); spilt plaster (dropped by a builder); salt (spilt on a canteen table); liquid soap (found under a soap dispenser in a staff bathroom); white powder (found after the discharge of a powder fire extinguisher). In the absence of a specific threat, or any other credible reason to believe such discoveries are suspicious, the scenario should be dealt with under normal housekeeping arrangements.
Where the discovery is believed to be malicious (e.g. a threatening letter, observed suspicious behaviour, a face-to-face threat received by staff or passengers), it should be investigated by police, who will also give specific risk management advice. In the unlikely event of people having been exposed to a genuine hazard, any uncoordinated evacuation will spread the hazard further, contaminate more people and delay effective medical intervention. In the absence of people becoming unwell, evacuation should be limited to adjacent rooms/carriages and people kept near the scene. In the event of a small scale contamination, the blue light services (police first point of contact) should be called. If the substance is deemed toxic, the police will launch an initial operational response, drawing in colleagues from the other emergency services as appropriate.
Any electronic or cyber incident which affects a critical engineering asset, or an engineering asset that performs a safety function, should be reported in a timely manner to the Department for Transport (TICB@dft.gsi.gov.uk, telephone 020 7744 2870) and the Office for Rail Regulation (telephone 020 7282 3910). Incidents reaching the threshold of 'Level 0 - Exceptional Occurrence', as defined in the Centre for Cyber Assessment (CCA) Cyber Incident Coordination Plan (CICP), should be reported immediately to CERT-UK by telephoning 01242 709311 or by emailing (Unclassified to email@example.com; Restricted / Official Sensitive to firstname.lastname@example.org).
This does not preclude you from consulting CERT-UK should you be unable to manage the consequences of an attack alone.
Incidents that should be notified:
Deliberate or accidental destruction, alteration, disruption, or disclosure of asset software or data, resulting from device connections;
Successful unauthorised access or alterations to assets. (Unsuccessful attempts should be recorded locally for audit purposes and only notified if they are repeated or persistent);
Malware infection of assets. (Blocked infection attempts, e.g. detected and blocked by anti-virus software and procedural controls, should be recorded locally for audit purposes and only notified if they are repeated or persistent);
Theft of assets and asset data (including disclosure by social engineering) that may be used to further compromise the asset base, including engineering laptops, engineering asset user account credentials, engineering documentation. (Unsuccessful attempts should be recorded locally for audit purposes and only notified if they are repeated or persistent).
What does not constitute an electronic or cyber incident:
Random hardware failure of asset;
Design flaw or design error (failure of intention to implement the correct design);
Installation or manufacturing flaw or error (failure of intention to install or build the correct design).
The Modes of Attack
Cyber systems used on UK railways may be subject to unauthorised access through various means:
Remotely, via the internet or open, non-secure telecom networks.
At close hand through direct contact with infrastructure (e.g. through a USB port).
Locally, through unauthorised access to physical infrastructure, or insider threat (infiltration).
Use of unauthorised devices.
Use of unauthorised software.
Unsecured configurations for hardware and software.
Lack of vulnerability assessment and remediation.
Lack of malware controls, or controls that are poor quality or obsolete.
Poor control of application software security.
Poor control of wireless devices.
Poor data recovery capability.
Lack of skilled employees.
Unsecured configurations for network devices.
Ineffective limitation and control of network ports, protocols, and services.
Poor control of administrative privileges.
Poor boundary defence.
Poor maintenance, monitoring, and analysis of security audit logs.
Poor access control.
Insufficient account monitoring and control.
Inability to effectively prevent data loss.
Insufficient incident response capability.
Lack of secure network engineering.
Lack of security system testing.
Investigating persons should look for one or more of the following:
Coincidence with another security breach, perhaps a physical one.
Records indicating the connection of an unauthorised media or data storage device.
Instructions issued from unexpected sources internally.
Instructions issued from unknown or suspicious sources externally.
Abnormal, illogical or otherwise obviously suspicious instructions being issued from any source.
Recently imported data.
Recent activation of unknown software or script.
Unauthorised disabling of firewalls or security software.
Unauthorised deletion or alteration of data.
Drops in light levels in fibre-optic cables.
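As an added illustration (not part of the guidance itself), the following script shows how the indicators listed above and the notification rules in the "Incidents that should be notified" list can be turned into a first-pass triage over an engineering asset's logs: successful access, alteration or infection is flagged for notification, while blocked or failed attempts are recorded locally and only escalate once they become repeated. The key=value log format, the asset names, the event types and the repeat threshold are all assumptions of this example, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines from a hypothetical engineering asset log; the key=value
# field names and event types are assumptions of this example, not a format the guidance names.
SAMPLE_LOGS = [
    "2024-03-01T08:02:11 asset=INT-07 event=usb_connect device=unknown-serial-9f3 result=allowed",
    "2024-03-01T08:03:40 asset=INT-07 event=script_exec name=update_fw.ps1 result=allowed",
    "2024-03-01T08:04:02 asset=INT-07 event=firewall_state state=disabled result=allowed",
    "2024-03-01T09:15:00 asset=SIG-12 event=av_block file=dropper.exe result=blocked",
    "2024-03-01T09:16:10 asset=SIG-12 event=av_block file=dropper.exe result=blocked",
    "2024-03-01T09:17:33 asset=SIG-12 event=av_block file=dropper.exe result=blocked",
    "2024-03-01T10:00:00 asset=PWR-03 event=logon user=eng_admin result=failed",
    "2024-03-01T10:30:00 asset=PWR-03 event=heartbeat result=ok",
]

# Event types mapped to the indicators the guidance lists.
INDICATORS = {
    "usb_connect": "connection of an unauthorised media or data storage device",
    "script_exec": "recent activation of unknown software or script",
    "firewall_state": "unauthorised disabling of firewalls or security software",
    "av_block": "malware infection attempt",
    "logon": "unauthorised access attempt",
}
REPEAT_THRESHOLD = 3  # assumption: how many blocked attempts count as "repeated or persistent"

def parse(line):
    """Split a key=value log line into a dict (the leading timestamp carries no '=' and is dropped)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def triage(lines):
    """Return {asset: (decision, sorted indicator list)} applying the notification rules:
    a successful access/alteration/infection is notified; blocked or failed attempts are
    recorded locally and notified only once they reach REPEAT_THRESHOLD for that asset."""
    hits, blocked, notify = defaultdict(set), Counter(), set()
    for ev in map(parse, lines):
        kind = ev.get("event")
        if kind not in INDICATORS:
            continue  # ordinary operational noise, not an indicator
        asset = ev["asset"]
        hits[asset].add(INDICATORS[kind])
        if ev.get("result") in ("blocked", "failed"):
            blocked[asset] += 1
            if blocked[asset] >= REPEAT_THRESHOLD:
                notify.add(asset)  # repeated attempts cross into a notifiable incident
        else:
            notify.add(asset)  # a successful event is always notified
    return {a: ("notify" if a in notify else "record locally", sorted(hits[a])) for a in hits}

if __name__ == "__main__":
    for asset, (decision, inds) in triage(SAMPLE_LOGS).items():
        print(f"{asset}: {decision} ({'; '.join(inds)})")
```

Run against the constructed log, INT-07 (device connection, unknown script, firewall disabled) and SIG-12 (three blocked infection attempts) are flagged for notification, while PWR-03's single failed logon is only recorded locally.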