How the British Library attack is shocking the public arts into action

Royal Ballet and Opera’s IT lead Keith Nolan on security and network unification

The devastating attack on the British Library by the Rhysida ransomware gang shook the public arts establishment to its core, according to Keith Nolan, head of technology delivery at the Royal Ballet and Opera (RBO). “Everybody in the sector is very concerned about how secure we are, or think we are,” he said.

Rhysida gained entry to the British Library's network in 2023 via a terminal server intended to facilitate access for trusted external providers and internal IT administrators. While it was protected by firewalls and anti-malware software, this server did not use MFA. It is believed the attackers gained access to the server via compromised privileged account credentials obtained via phishing or brute force.

The gang stole 600GB of files, including personal data of Library users and staff, and dumped them on the dark web. They also destroyed a number of servers, hampering the Library's efforts to restore digital collections and metadata. The Library's infrastructure, characterised by a complex mix of legacy and modern systems, contributed to the severity of the impact.

Security centre stage

Security has been at the forefront of the RBO’s considerations as it has consolidated and rationalised its IT infrastructure, aided by value-added reseller ET Works, said Nolan. It’s all about considering what might come next.

“We’ve taken a very forward-thinking approach at RBO. We've worked with key partners, Cisco, AWS, Nutanix and also Telstra, one of our comms partners, about how do we ensure that we're architecting in a secure and manageable way?”

The British Library attackers were able to gain a foothold due to inadequate access control. But locking everything down is rarely a practical solution. At the RBO, the teams that design and operate lighting, stream live performances around the world, manage audio and video and digital data archives need to be able to work independently and with some flexibility.

“So, it's not that we don't trust you guys, we do trust you, but we want to trust you with limits. It’s about how to apply those architectural limits. How do we offer a self-service kind of scale-up on-premise or in cloud without risking a cyberattack?”

Image: Keith Nolan, RBO

For the most part, these technicians are not cybersecurity specialists; they are video and lighting experts, technical creatives. Instead, cyber is the responsibility of the core IT team, with network segmentation and access control important elements of the overall architectural design.

Pointe-to-pointe analysis


As part of a multi-year programme to build a unified architecture, consolidating three data centres into one, Nolan’s team undertook an extensive root-and-branch review of the RBO’s entire infrastructure, digging into the service catalogue to find out exactly what is connecting to what.

Nolan professed himself to be a big fan of the ITIL framework, which has gone out of fashion somewhat as Agile has come to the fore, but which still provides valuable lessons in operational rigour.

“There's some good takeaways from that framework still today,” he said.

“We've gone back to some of those core tenets. We map all our VMs across the service, and we map all our software across the service, and all our entry points across the network as well, and we're doing a whole review of who has access to every component of that service.”

He continued: “It's about looking at the Cisco network, looking at the FortiGate firewalls; it’s about looking at the processes in your Active Directory around how people gain an account, whether those security groups fit.”

Dancing with danger

Every sector faces its own unique challenges when it comes to architecting and managing its IT infrastructure with efficiency and security. For the RBO, a non-profit partially funded by the taxpayer, costs inevitably play a major part. Then there’s the requirement for low-latency streaming, which rules out a cloud-only approach and makes a hybrid cloud setup the preferred option.

Theatres are home to some unusual kit too, including industrial automated switchgear.

“We're talking about industrial switches, not Cisco switches,” Nolan explained.

“You have engineers from that side come onto the site. They're plugging their devices into those industrial switches and they don't have the same level of security. The software hasn't evolved in the last 30 years, so it's not actually very secure.”

This industrial technology “controls some pretty powerful stuff” like hydraulic stage lifts. It’s been designed to be safe from a mechanical point of view, but not so much from a cyber perspective. And of course it’s networked.

“One of my fears, which is one reason why we do bag searches, is that someone could bring in a small device and interact with that technology, and we wouldn't even be aware of it from an IT perspective, because it's come from an industrial manufacturer.

“So there’s the whole piece all the way from third party supply chain security to manufacturing. There's a lot of work to cover in our sector.”

However, he said he was confident about continuing to make progress as his team pulls the infrastructure together under one control pane. While the British Library attack was a clarion call to the sector, not everyone has been able to respond as quickly as the RBO.

“I'm proud to say we're one of the first theatres in the UK that's actually unified those disparate networks with a very high level of security,” said Nolan.

Keith Nolan was speaking during a press briefing at a Nutanix event in London last week.
