John Murray, CTO at virtualDCS, calls for the strengthening of disaster recovery plans at digital infrastructure organisations worldwide.

The ongoing effects of the cyber incident impacting Transport for London (TfL) serve as a stark reminder of the vulnerability of national infrastructure to cyberattacks. In an increasingly digital world, where cities like London depend on interconnected systems to keep essential services running smoothly, the ramifications of such an attack can be significant.

The potential disruption of public transport services alone can bring daily operations to a halt, affecting millions of commuters, businesses, and the broader economy. Fortunately, law enforcement haven’t detected any damage to data. Nevertheless, this incident highlights the urgent need for a comprehensive and effective Disaster Recovery (DR) plan, tailored to manage both traditional disasters and modern cyber risks.

The evolving threat landscape

Historically, DR planning for organisations like TfL focused on physical threats – floods, fires, and power outages for example – but the landscape of risk has evolved enormously. 

Cyber threats, including data exfiltration, ransomware, phishing, and distributed denial-of-service (DDoS) attacks, have become more sophisticated, capable of compromising critical infrastructure in ways that were previously unimaginable. The recent situation at TfL is a clear example of this shift, where attackers can potentially compromise a city’s transport system infrastructure, leading to widespread disruptions.

The lesson here is clear: DR and containment plans must evolve in tandem with these new threats. They must address both traditional risks and cyber risks in a way that ensures continuity of services even when technology is compromised. A cyberattack affecting national infrastructure can no longer be treated as a niche threat – it must be considered a mainstream risk with serious consequences.

The central role of communication in incident response

A crucial lesson to emerge from the TfL incident is the central role that communication plays in responding to such an event. In any large-scale cyberattack, the ability to communicate effectively and rapidly across different levels of the organisation and with external stakeholders can significantly shape the success of the response.

While TfL’s recent cyber incident did not cause any downtime of public services, primarily affecting internal systems, it serves as a reminder that future attacks could have more severe consequences. 

Ensuring a communication strategy is in place for potential service disruptions is essential for minimising public impact and maintaining operational continuity in the face of future threats.

To that end, a robust communication strategy must be a core component of any DR plan. It should account for multiple scenarios, including the potential failure of primary communication systems due to the cyberattack itself. This is particularly important for organisations like TfL, where clear communication is essential for managing both internal response efforts and external public expectations.

1. Establishing communication redundancies

One of the first steps to ensuring effective communication during a disaster is building redundancy into the system. Security teams must put alternative methods – such as secure messaging apps, satellite phones, or third-party platforms – in place to secure the flow of critical information, even when primary channels are compromised.

For instance, where internal networks may be taken down or compromised during a cyberattack, having a backup communication method ensures key personnel can still coordinate responses, share updates, and make informed decisions in real time.

2. Engaging stakeholders quickly and transparently

A clear protocol for promptly notifying all relevant stakeholders – both internal and external – is essential. Internal teams, including IT, operations, and management, need to be informed immediately to coordinate the technical response, containment, and recovery efforts. Externally, law enforcement agencies, cybersecurity experts, insurance companies, and business partners must be brought into the loop to ensure compliance with legal obligations, expedite recovery, and manage financial repercussions.

In the case of public services like TfL, this level of coordination is vital, not only for restoring disrupted services but also for maintaining trust with the public and stakeholders.

3. Public communication: managing perception and behaviour

In incidents involving public services like TfL, the ability to communicate clearly with the public is crucial. Providing accurate, timely, and transparent updates can help manage expectations, reduce panic, and guide public behaviour during potential disruptions. Clear messaging allows TfL to inform commuters about the nature of the incident, any expected downtime, and available alternatives. This reduces frustration and confusion, ultimately helping maintain public trust in the organisation.

However, the nature of a cyberattack, which may include elements of uncertainty or ongoing investigation, adds complexity to public communications. TfL must balance transparency with caution. They must ensure that public statements do not inadvertently worsen the situation, such as by sharing details that could aid attackers.

Establishing a pre-defined communication plan that outlines how to handle public relations during a cyberattack can provide a framework for managing these delicate situations.

The importance of a well-tested DR plan

The TfL incident also emphasises the need for regular testing and updates to DR plans. A DR plan is only as effective as its implementation during a crisis. Conducting regular “fire drill” exercises that simulate cyberattacks allows organisations to identify weaknesses in their plan and ensure that all stakeholders know their roles and responsibilities.

Simulated incidents help to refine both the technical aspects of the DR plan – such as isolating compromised systems and restoring backups – and the softer elements, such as communication protocols and leadership response. In the case of cyberattacks, where rapid containment is often critical, these drills can significantly improve response times and minimise the damage caused by the attack.

Additionally, post-incident reviews are essential for learning and improvement. Following the TfL incident, a detailed analysis of what went well and what failed during the response will provide invaluable insights for future preparedness. Lessons learned from real-world incidents allow organisations to continuously evolve their DR strategies to remain resilient in the face of emerging threats.

Developing a secure recovery strategy

When dealing with cyber incidents, particularly ransomware, it is not enough to simply restore services from backups.

By restoring data directly to its original environment, security teams risk reinfection if they haven’t fully eradicated the malware. Instead, recovery should occur in a secure, isolated environment: a “clean room”. Here, security teams can analyse and neutralise the attack vector before they restore any systems or data.

This careful approach ensures that organisations avoid the costly mistake of reintroducing malware into their networks, which could lead to repeated attacks. Incorporating these steps into a DR plan ensures that recovery is not only fast but also secure and complete.

A call to action for strengthening infrastructure resilience

The cyberattack on TfL serves as a wake-up call for national infrastructure organisations worldwide.

The lessons learned from this incident highlight the need for a modern, comprehensive DR plan that addresses the full spectrum of risks – from traditional disasters to complex cyber threats. Central to this is a robust communication strategy, regular testing, and secure recovery processes.

By taking these lessons on board, organisations can better protect their infrastructure, maintain public trust, and ensure resilience in the face of an increasingly dangerous cyber threat landscape.
