TOCs Depend on Cloud
The railway industry is increasing cloud dependent. Cisco estimate that £24 Billion will be spent on Internet of Things projects by the railway industry in the next 5 years. We are using Software as a Service, or SaaS, for applications throughout the delivery spectrum and downsizing our on-premises capability. In this two-part precis we, IL7 Security, aim to show that TOC management – Operators of Essential Services – need to be cloud-savvy – to know what brakes they need to operate, what doors they need to shut and what bells they need to whistle – to ensure that delegation to cloud maintains delivery of a prompt, safe and comfortable service to customers.
Not only is it Office 365 for our mail, Azure for our documents, and Teams for conferencing, it is all those business applications that make everyday life easier. Google and Amazon have joined Microsoft as the tech giants that over the last ten years have revolutionised where we process and how we store our data. It’s not just IT but operational technology (OT) that is increasing outsourced to the cloud for monitoring and efficiency. SaaS providers offer combined status information from diverse on-board public assets such as toilets, food chillers and ovens, presented alongside current positional information and can improve the customer experience and reduce penalties associated with having these out of service. Cloud offers cost savings, resilience and work-anywhere capabilities. But it also places security responsibility outside of ‘our people’ and represents grave danger if or when it all goes wrong, when those nation state cyber adversaries and criminal gangs realise transport is critical to UK business and target rail information and operational systems. When we are hit with phishing attacks, Man In the Middle attacks, Denial or Service or Ransomware – when the bottom line rests with the Board of Directors there is a definite ‘need-to-know’.
The “techies” in the Train Operating Company’s (TOC) IT department know all about cloud, but do senior managers and directors, those responsible for the performance, safety and paying the fines when things go wrong, know the potential for those things to go wrong? Do they recognise the complexity of the responsibility they place of their technical people or those that procure their cloud services? This article seeks to explore and expose these complexities to senior management.
Hope and Faith – Reliance on Outsiders
When we put our faith in planning software, billing software and business applications hosted in the cloud, it must not be based on blind faith, hope and optimism. Considered, appropriate partnership with capable suppliers is mandatory. Even when we outsource a relatively unimportant facility such as rewards management or collaborative white boarding, we are potentially endangering our sensitive and personal information, giving outsiders unnecessary access to data that might allow criminals the means of attack. Ransomware is becoming prevalent and targeting both our information and our operational technology. We must not give attackers the keys to our house. I have advised on cloud services for many years and have provided assurance and policy about SaaS for train companies. I have recently provided policy documents to the Department for Transport the Home Office and the Ministry of Defence. In this article I am only repeating advice I gave to them but now with a specific emphasis on our rail industry as a contribution to Cyber Transport capability and security across the UK. I recognise a special need for transport rail in particular. I have conducted risk assessments on in-house IT and OT delivery. I recognise the need to manage risk when delivery is outsourced, All directors have a responsibility to share this risk and ensure delivery of IT and OT is subject to due diligence and governance. And that authority over delivery remains with the TOC.363
The Obligation to Protect
SaaS delegates to the service provider much of the obligation to protect data. While SaaS is defined as a delivery model for providing licensed software on a subscription basis, it has evolved to the degree where the application and the processing are on the vendor’s site or more realistically in the cloud, a physical or virtual space rented by the SaaS provider from a host. This host in turn is responsible for providing Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) and the security around these services. There is then a mixture of owned, shared, and delegated security responsibilities and obligations. While the threats to data increase, Project Managers and System Owners need to ensure that all parties recognise their responsibilities and fulfil the obligations placed upon them. The objective of this article is to ensure all SaaS procured for consumption by the transport industry are fit for purpose and protect the confidentiality, integrity, and availability of sensitive information (business and commercial) and Personal Identifiable Information (PII).
Risk Based SaaS Procurement
Firstly, buying cloud services should be subject to a risk assessment. Many cloud-based services are beneficial to productivity and business, but implementation varies, and they need to be assessed for suitability from a risk perspective. With SaaS the end user gets access to the applications they need, which the provider hosts on infrastructure and platforms in the cloud.
Client-Side Responsibility
TOC Service Owners, Procurers, and Projects, TOC clients, must ensure they examine any inherent risks associated with the service they are provisioning and introduce client-side precautions accordingly. As service procurers, TOC clients should assess whether a service can be accessed from non-company devices over the internet as this adds risk of data leakage. TOC clients must ensure:
- User SyOps are in place which cover confidentiality and acceptable use and reflect the impact of data leakage.
- Controls are used within the application to enforce identification and authentication of all users. Can these be integrated with company ID and Access Management – Federated Active Directory Services come to mind.
- Use of non-company devices is subject to policy (Bring Your Own Device).
- Usage monitoring and recording are used as a deterrent as well as enforcement with appropriate levels of recourse for non-compliance.
Client Authority
The TOC client must have access to a customer interface where they can address performance, extra functionality, and security issues. While in some instances the SaaS providers might appoint a Single Point of Contact (SPOC) the client needs to be able to escalate issues if the SPOC cannot be contacted or satisfaction is not delivered. TOC clients must ensure providers furnish clients with a matrix of service management functions and point of contact.
SaaS Providers
For SaaS providers to provision security controls that are appropriate and proportionate, they will need to calculate their residual risk based on the value of their assets and the impact of a security breach. TOC clients must ensure providers have a risk management process that includes clearly communicating risks between contributing providers (Infrastructure, Platform, and Software providers) and the client. The SaaS provider must have a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program. This ERM is to include policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. SaaS providers offer themselves as custodians of customer data and must demonstrate a security posture that flows from board-level to the most junior employee. The SaaS provider must have policies and procedures that demonstrate compliance with International Standards*.
* ISO/IEC 27001:2013 and/or NIST Special Publication 800-53 Revision 5
RACI
Roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs must be defined and documented. This matrix or RACI should clearly indicate responsibilities, contacts, deputies, and an escalation path with phone numbers.
Coming up in Part Two
In the accompanying article I will examine some real and tangible ways for the TOC to enforce compliance with best practice of its Cloud / SaaS suppliers – we will cover data protection, incident handling, disaster recovery, protective monitoring and encryption. It is a real guide to TOCs on what they should expect and SaaS providers on what and how to deliver.
In the meantime, please register with www.transportcyber.com where I and other cyber rail professionals will try to provide news, best practice advice across the transport spectrum with a focus on cyber, the environment and the future.
Joe Ferguson has over 40 years’ experience in IT, starting as a developer and project manager and has run his own consultancy businesses for over twenty years. He can be contacted on [email protected], www.linkedin.com/in/joe-ferguson-529842122 or visit www.il7security.com. IL7 is a major sponsor of www.transportcyber.com.
This article was originally published by IL7 Security Consultants.
