Cyber risk comes in many forms
The percentage of the population that had heard of CrowdStrike before Friday, July 19, 2024, was probably limited to individuals that work in the IT and cyber security industries. A day later, pretty much the whole world had heard of it, especially those who had medical procedures, financial transactions or travel plans interrupted.
On July 19, CrowdStrike released a flawed software configuration file update to Falcon Sensor, a vulnerability scanner that detects system intrusions and hacking attempts. The update disrupted millions of computers worldwide that used the Windows operating system.
But before we get into the impact that the incident had on the aviation sector, we should first touch upon who and what CrowdStrike is. Based in Austin, Texas, CrowdStrike is a cyber security company that provides threat intelligence and cyber-attack response services to a great many companies worldwide, from small vendors to large conglomerate corporations. Formed in 2011, it focused on the endpoint protection market, the area of a network that includes desktops, laptops and mobile devices. The company flourished because data storage and processing were in the process of migrating to the cloud and endpoint protection was becoming a key focus of IT security.
The company’s reputation was enhanced in 2016 when it revealed that it had identified attempts to hack various U.S. government entities, including the White House, the State Department and the Joint Chiefs of Staff, by two hacking groups with alleged links to the intelligence agencies of an allegedly hostile government.
Growth accelerated further in 2023 when the Securities & Exchange Commission, the primary financial markets regulator in the U.S., announced that publicly listed companies would be required to disclose both their cyber-security incidents and their cyber-security risk management, strategy and governance.[1]
By 2024 CrowdStrike had cornered nearly 25% of the endpoint security market share and was one of the best performing companies in the S&P 500 index.
So what went wrong? The July update appears to have contained some errors in the logic computers use which created issues when the affected computers were booted up. The notorious “blue screen of death” was just one of the symptoms.
The glitch hit fewer than 1% of Windows-based computers, but this still translated to around 8.5 million devices worldwide.[2] In a blog post cited by the Reuters news agency, Microsoft stated “While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.”[3]
The outage hit numerous companies worldwide, with aviation, health care and the financial services sector among the hardest hit.
In the case of the aviation sector, thousands of flights were cancelled worldwide, but operating models in the U.S. airlines meant they were particular susceptible to the outage. The “hub and spoke” method favoured by several major U.S. airlines, funnels passengers into hubs where they can connect to ongoing flights to their ultimate destination. It’s an operating model that relies on a finely tuned, integrated system to ensure the connections can be made and thus the outage hit hard. One airline is said to have cancelled around 5,000 flights between July 19 and 25, at a cost of about $500 million. Elsewhere in the world airlines tend to operate a more “point to point” system which made the knock-on effects of the outage less severe.
With so many processes reliant upon computer systems to aid speed, accuracy and efficiency, the glitch hit the systems that the airlines rely upon for many processes including ticket reservations, flight scheduling, crew scheduling and aircraft maintenance. A problem in any one of these systems would automatically have a knock-on effect to the operation of the airline but having all the systems go down simultaneously created serious challenges for several airlines.
Compounding the issue was the fact that it wasn’t just the airlines that were affected. Airlines outsource a great many services, and these service providers were also impacted. This meant that getting people to the right place at the right time to perform functions such as cabin cleaning and gate security became very difficult and added to the flight delays and cancellations.[4]
Generally, recovery was possible, but could be a painstaking and time consuming. In some cases it was also expensive, because not every employee either had administration rights or the skill-set to perform the recovery process.
It is important to recognize that the outage was not due to cyber security being compromised. It should also be noted that flight safety appears to have remained unaffected because aircraft flight control systems have purpose built, embedded, systems.
What the incident did do however was highlight the potential ramifications of a supply chain cyber-attack, with potential losses and business disruptions that could far exceed this incident where a swift solution was implemented.
Supply chain vulnerabilities may be an inherent risk in doing business in a complex, global sector, but the resulting financial losses don’t have to be inevitable. To reduce the operational and financial impact of a similar future event, organizations need to take steps to ensure that they have a thorough understanding of potential cyber threat scenarios and how they could impact their value chain. It is also important to have a good understanding of cyber maturity, attain the appropriate cyber insurance and mitigate any gaps.
Many organisations think of “cyber” and “cyber insurance” as being concerned only with cyber-attacks and cyber security. In reality, and while different cyber policy wordings will respond differently (care needs to be taken in ensuring the appropriate coverage is negotiated), the majority of airlines who purchased cyber insurance would have been covered for the resulting business interruption losses and other exposures arising from this non-malicious cyber event. If this is achieved, it puts organizations in a strong position to recover quickly and efficiently in the event of future events of this nature.
Many organizations are dipping their toes into quantifying cyber risk scenarios, enabling them to proactively recognize the potential pain points, and organizations who have accomplished these first steps are already ahead of the threat.
The estimated cost of the CrowdStrike incident varies between $1 billion and $10 billion to the global economy. This variation highlights the challenge in quantifying the insured loss value. It’s been a reminder to many sectors including aviation of both how impressive our global supply chains are, but also how potentially fragile.
WTW works with clients of all kinds across the aviation supply chain. Our range of tools and services help organizations meticulously identify and quantify cyber risk scenarios, taking a probabilistic view that leverages our expertise in actuarial and data science, forensic accounting, cyber threat intelligence, crisis management and the insurance claims data.
.jpg?modified=20240614115139&imgeng=meta_true&h=150&w=150&la=en-CA&hash=02528118CDF7D056B48A4EA3D7FC6085)
