UK Yellowhammer No-Deal Brexit – Worst Case Scenario Revealed

When the UK ceases to be a member of the EU in October 2019 all rights and reciprocal arrangements with the EU end.

The UK reverts fully to ‘third country’ status. The relationship between the UK and the EU as a whole is unsympathetic, with many MS (under pressure from the Commission) unwilling to engage bilaterally and implementing protections unilaterally, though some MS may be more understanding.

No bilateral deals have been concluded with individual member states with the exception of the reciprocal agreement on social security coordination with Ireland. EU Citizens living in the UK can retain broadly all rights and status that they were entitled to prior to exit from the EU, at the point of exit.

Public and business readiness for a no-deal will remain at a low level, and will decrease to lower levels, because the absence of a clear decision on the form of EU Exit (customs union, no deal etc) does not provide a concrete situation for third parties to prepare for. Readiness will be further limited by increasing EU Exit fatigue, due to the second extension of Article 50, which will limit the effective impact of current preparedness communication. [To be reviewed]

Business readiness will not be uniform – in general larger businesses across sectors are more likely to have better developed contingency plans than small and medium sized businesses. Business readiness will be compounded by seasonal effects, impacting on factors such as warehouse availability.

Concurrent risks associated with autumn and winter such as severe weather, flooding and seasonal flu could exacerbate a number of impacts and stretch resources of partners and responders.

Private sector companies’ behaviour will be governed by commercial considerations, unless influenced otherwise.

HMG will act lawfully and in accordance with the rule of law, including by identifying the powers it is using to take specific actions.

Key planning assumptions

1. For the purpose of freight flow and traffic management, as 31 October is a Thursday, day 1 of exit is now on a Friday rather than the weekend, which is not to our advantage. Exit day may coincide with end of October half term school holidays, which vary across the UK. (CCS/DExEU)

2. In a small number of instances where the impacts of Brexit would be felt negatively in the EU as well as in the UK, Member States may act in a way which could also benefit the UK (e.g. energy for Ireland). (CCS/DExEU)

3. France will impose EU mandatory controls on UK goods on Day 1 No Deal (D1 ND) and have built infrastructure and IT system to manage and process customs declarations and support a risk based control regime. On D1 ND, between 50-85% of HGVs travelling via the short Channel Straits may not be ready for French customs. The lack of trader readiness combined with limited space in French ports to hold “unready” HGVs could reduce the flow rate to 40-60% of current levels within one day as unready HGVs will fill the ports and block flow. The worst disruption to the short Channel Straits might last for up to 3 months before it improves by a significant level to around 50-70% (due to more traders getting prepared), although there could continue to be some disruption for significantly longer. In the event of serious disruption, the French might act to ensure some flow through the short Channel crossings. Disruption to flow across the short Channel Straits would also cause significant queues in Kent and delays to HGVs attempting to use the routes to travel to France. In a reasonable worst case scenario, HGVs could face maximum delays of 1.5-2.5 days before being able to cross the border. HGVs that are caught up in congestion in the UK will be unable to return to the EU to collect another load and a proportion of logistics firms may decide to avoid the route should there be significant and prolonged disruption. Analysis to date has suggested a low risk of significant sustained queues at ports outside of Kent which have high volumes of EU traffic, but BDG will continue to work directly with stakeholders at those ports to support planning readiness. (BDG/DfT)

4. UK citizens travelling to and from the EU may be subject to increased immigration checks at EU border posts. This may lead to passenger delays at St Pancras, Cheriton (Channel Tunnel) and Dover where juxtaposed controls are in place. Dependent on the plans EU Member States put in place to cope with these increased immigration checks it is likely that delays will occur for UK arrivals and departures at EU airports and ports. This could cause some disruption on transport services. Travellers may decide to use alternative routes to complete their journey. (BDG/FCO/HO/DfT)

5. Demand for energy will be met and there will be no disruption to electricity or gas interconnectors. In NI there will not be immediate disruption to electricity supply on Day 1. A rapid SEM split could occur months or years after EU Exit. In this event, there would not be security of supply issues. However, there will likely be significant electricity price increases for consumers (business and domestic), with associated wider economic and political impacts. Some participants could exit the market, thereby exacerbating the economic and political impacts. (BEIS)

FBI Cyber Research revealed

The FBI identified incidents over the past few months in which cyber actors scanned for and sought to exploit audio and visual communication devices on networks to identify vulnerabilities which could later be used to gain access and unlawfully acquire information about the organization. In addition to targeting corporate information, vulnerable devices may be targeted for compromise for use in botnets or other criminal activities. The types of devices targeted include: Voice over Internet Protocol (VoIP) phones, video conferencing equipment, conference phones, VoIP routers, and cloud-based communication systems. While cyber actors have targeted VoIP and other communication devices in the past, the FBI continues to see these devices scanned by cyber actors for vulnerabilities.

Threat

Specifically, the FBI observed cyber actors identifying and probing communication devices by issuing HTTP GET requests to a business server or network to retrieve device configuration files. Information contained in configuration files often reveals IP addresses, usernames, passwords, system management URLs, and assigned phone numbers – all of which could be used by cyber actors for malicious purposes. Many of the requests are specific to particular brands of devices. Victims will often receive several GET requests in succession with the actors scanning for multiple brands of devices.

In addition, cyber actors retrieve IP addresses for further exploitation by using businesses’ customer service VoIP hyperlinks, which are traditionally made available for customers to use in contacting the business. Once those hyperlinked calls are answered, the actor retrieves the IP address belonging to the phone which answered the call. Once the IP address is retrieved, an actor could send a large volume of packets to the IP address, overloading it and taking the service offline for the targeted business and its legitimate customers.

In addition to the above techniques, cyber actors target devices with brute-force attacks, attempting unauthorized access through the use of common usernames and passwords. Open source scanning tools can also be used to identify vulnerable communication devices and any associated ports.

All of the information obtained through scans and other methods is likely used for specific targeting efforts by cyber actors. This includes leveraging access to compromised audio and video devices to eavesdrop on meetings or conference calls, placing fraudulent international phone calls, leveraging the compromised device for use in botnets, and conducting man-in-the-middle attacks to redirect corporate network traffic.

Recommendations

The following recommendations may limit the success of these types of attacks:

Conduct daily server log reviews to identify unusual activity, including GET and POST requests from external IP addresses.

Work with the communication device/system providers to ensure servers are patched and updated regularly.

Consider restricting access to configuration files or configuring firewalls to block traffic from unauthorized IP addresses.

Restrict communication devices/systems to only non-sensitive business networks.

Conduct regular penetration testing exercises on communication devices to identify and address vulnerabilities in a timely manner.

Enable encryption on teleconference programs and applications and consider disabling auto-answer capabilities.

Password protect configuration files, if possible.

Regularly review and update users with access to administrative accounts.

Segment configuration files on the network. Be sure to protect configuration and other device-related files after getting the device out of the box. Don’t just plug and play.
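The daily log review recommended above can be partly automated by looking for the pattern described under Threat: several GET requests for configuration files in quick succession from one external address. The following is an added example, not part of the FBI text; the log format (Common Log Format), extension list, internal ranges, thresholds and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumptions (not from the advisory): log format, extensions, ranges, thresholds.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" \d{3} ')
CONFIG_EXT = (".cfg", ".conf", ".ini", ".xml")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_PATHS = 3

# Constructed sample lines: documentation-range addresses, placeholder paths.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2019:03:14:01 +0000] "GET /provision/brand-a/device.cfg HTTP/1.1" 404 153
203.0.113.7 - - [12/Sep/2019:03:14:02 +0000] "GET /provision/brand-b/phone.xml HTTP/1.1" 404 153
203.0.113.7 - - [12/Sep/2019:03:14:04 +0000] "GET /provision/brand-c/settings.conf HTTP/1.1" 200 2048
198.51.100.20 - - [12/Sep/2019:03:15:10 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.15 - - [12/Sep/2019:08:00:01 +0000] "GET /provision/brand-a/device.cfg HTTP/1.1" 200 2048
10.0.0.15 - - [12/Sep/2019:08:00:02 +0000] "GET /provision/brand-a/lines.cfg HTTP/1.1" 200 900
10.0.0.15 - - [12/Sep/2019:08:00:03 +0000] "GET /provision/brand-a/dialplan.xml HTTP/1.1" 200 700
198.51.100.44 - - [12/Sep/2019:09:00:00 +0000] "GET /provision/brand-a/device.cfg HTTP/1.1" 404 153
198.51.100.44 - - [12/Sep/2019:09:30:00 +0000] "GET /provision/brand-b/phone.xml HTTP/1.1" 404 153
198.51.100.44 - - [12/Sep/2019:10:00:00 +0000] "GET /provision/brand-c/settings.conf HTTP/1.1" 404 153
""".splitlines()

def is_external(ip):
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)
    except ValueError:  # hostname or malformed client field
        return False

def find_config_probes(lines):
    """Map external IP -> config paths it requested in one burst within WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m[3] != "GET" or not is_external(m[1]):
            continue
        path = m[4].split("?", 1)[0].lower()  # ignore query string and case
        if path.endswith(CONFIG_EXT):
            hits[m[1]].append((datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), path))
    flagged = {}
    for ip, events in hits.items():
        for start, _ in events:  # try each request as the start of a burst
            burst = {p for t, p in events if timedelta(0) <= t - start <= WINDOW}
            if len(burst) >= MIN_DISTINCT_PATHS:
                flagged[ip] = sorted(burst)
                break
    return flagged
```

On the sample, only the 203.0.113.7 burst is reported; the internal phone fetching its own files and the requests spread over an hour are not, so the window and threshold need tuning against real traffic.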