The Network & Information Systems Regulation
In their recent Post-Implementation Review (PIR) of the Network & Information Systems (NIS), May 2020, the Department of Digital, Culture, Media and Sport summarises the regulations that require operators of essential services, which include train operating companies (TOCs), to do the following:
- Take appropriate and proportionate measures to ensure the security of the network and information systems used to provide their essential services, both by managing risk and by minimising impact of any disruption.
- Notify the relevant competent authority about any incident that has an adverse effect on the security of the network and information systems used to provide the essential services, according to criteria set out in incident reporting thresholds.
Train Operating Companies as Operators of Essential Service
The first of these emphasises a point – not that TOCs must be compliant with every indicator of good practice (IGP) laid down in NIS, but that the measures should be appropriate and proportionate based on risk. However, in the body (p.12) it acknowledges that the competent authorities have responsibility in determining what IGPs are required which could be the full Cyber Assurance Framework drawn up by the NCSC.
The second does not discriminate about whether the Cyber Assurance Framework covers network and information systems on board the trains as well as those used in planning the journeys and scheduling the trains and crew. In my mind the NIS Regulations relate, by the second point to rolling stock as well as office-based IT systems or those housed in data centres. Whether this view is adopted by every TOC or other OES, it is worth convincing the competent authority of the value of the risk-based approach.
In August there was call for views on the PIR with an approach being made in November to change the NIS Regulations, in how they are imposed and some of the thresholds used, but not in the nature of the cyber good practice called for. I would like to look at these in more detail.
Cyber Security & Rail
Two years ago, I entered into a contract with GTR to look at their candidacy for NIS compliance. Having previously spent over 20 years working in central government as an information assurance and risk analyst, I offer that experience to support cyber security in the rail industry. I have promoted this both within my own consultancy company, IL7 Security, and by sponsoring the transportcyber.com community website.
Cyber Assurance Framework, the NCSC and the DfT as a Competent Authority
All cyber practitioners working for operators of essential services (OES) are aware of the requirement to comply with the NIS Regulations which came into force in May 2018. The DfT, as the competent authority (CA) for rail, has published the Cyber Assurance Framework (CAF), a spreadsheet of good practices drawn up by the National Cyber Security Centre to show how an OES should operate its information and communications technology (ICT). ICT is the underlying technology and infrastructure that allows transport companies to run their businesses effectively and efficiently. NIS refers to them as the network and information systems and the trick is to determine which of these systems is critical to the success of running the essential services in question. Take train operating companies (TOC), as these are what I am most familiar with. Critical systems will include all those involved in planning, managing and maintaining train services. This will include all the rolling stock, station staff, drivers, guards and maintainers being in the right place at the right time to make journeys possible. Equally important, some might say, are the information services and passenger comfort systems that enhance the customer experience. All these need to comply with the outcomes described in the NCSC CAF.
Managing Security Risk – Protecting Against Cyber Attack
The CAF contains four principal objectives pertaining to managing security risk, protecting against cyber attack, detecting cyber security events and minimising the impact of cyber incidents. Within these four objectives are some 39 separate indicators of good practice and to “achieve” these an OES has to meet some 176 listed outcomes. This compares with ISO 27002’s 35 control objectives and 114 outcomes. There are many overlaps and consistencies, though it is fair to say that the NIS CAF provides a comprehensive and especially useful checklist of controls to be welcomed and embraced by the transport industry. One might ask however, “Is every control appropriate or applicable to your delivery of each essential service?” For example, is supplier management so important when dealing with an insider threat? Certainly, reducing supplier-side vulnerabilities helps, but it probably is not the most important control to consider. Only risk assessment allows identification, appropriateness and prioritisation.
Risk Management
The NIS CAF states, in Principle A2 Risk Management, the indicators of good practice required to assess risks in IT systems. Risks are to be:
- Identified, analysed, prioritised and managed
- Focused on the possibility of disruption to your essential service
- Based on a clearly understood set of threat assumptions
- Informed by an understanding of the vulnerabilities
- Managed by a process in line with your organisational approach to security
- Communicated to key security decision-makers and accountable individuals
- Subject to re-assessment when there is a significant change to the system, its use or to the threat level
- Reviewed periodically, and improvements made as required
From my conversations with other train companies it would seem that few have engaged with serious or experienced risk analysts. Military and central governments have long used risk analysis to determine appropriate solutions. The ‘not one shoe fits all’ adage is the key to good security management and selecting the most applicable controls and thereby avoiding unnecessary expense and wasted resource. Risk management is central to ISO 27001 and is called for right at the start (A2) of the CAF. ISO/IEC 27005 – Information Security Risk Management was updated in 2018 and sets out the guidance for good risk management; it collates many different techniques, methodologies as they are stuffily called – as not one size of risk analysis fits all.
Critical Systems
Having spent almost twenty years as a risk analyst with the police, with MOD and with central government, I have experienced many methods of assessing and evaluating risk. The standards require setting the context, the assets in question, judging the impact of a compromise to the asset, followed by assessing the probability of this compromise. I have conducted risk assessments behind closed doors, in small groups or with workshops. The key is to determine what assets are being threatened, where the threat is coming from and which vulnerabilities is the threat able to exploit. We then prioritise those assets and seek to protect our most precious, in our world, the most critical, systems. To be honest, if the systems are not critical, if we have easy manual workarounds, why spend lots of cash protecting them?
Risk Workshops and Governance
But how does this help with the CAF? Firstly, any good risk assessment sets up the context, involving the stakeholders and those who need to be informed of the outcome. This allows one to identify the governance (CAF A1) structure required and name responsible individuals and risk owners. To help with the context it is always best to include some user input. With the stakeholders, users and risk owners attending an on-site or virtual workshop, lessons learnt, incidents from the past, real fears and worries can be put in the melting-pot and risks can be prioritised. This covers the last part of the CAF, D2. The outcomes between A2 and D2 involve controls. Choosing, selecting and investing in controls will follow analysis of lessons learnt in the risk assessment. The risk workshop can give a sense of priority, which are the real concerns can be targeted and equally one can identify the ‘low hanging fruit’, those quick wins, low cost achievements that will show progress and drive momentum. It also provides a view of the opportunity risk – the business opportunities to be exploited, why some actions are followed and some are not, which risks can be tolerated for the greater business good – what is the risk appetite? The risk workshop should look at any system vulnerabilities and discuss who or what has the opportunity, capability, and reason to exploit those vulnerabilities. This helps to decide whether, or in what proportion, defence is required against the disgruntled insider threat or the external cyber hacker. The potential that the external cyber hacker can exploit the insider and force the insider to be the attacker, through no wish of their own should be discussed. Maybe a whaling or phishing attack, maybe ransomware, causes the insider to deviate, make a mistake, let in an attack or even to deliberately, having been compromised, contribute to an attack? Where we decide in the workshop that these hybrid attacks have happened, could happen and at what impact, then we need to prioritise, both against the insider and the cyber-attack. As part of the exercise, it is time to proceed to risk management. The risk management documentation must come out with the applicable controls to counter prioritised threats, making an argued security case that with controls introduced result in a small residual risk that fits within the corporate risk appetite.
Using Teams, Google, Skype and Zoom
In the current, isolation-centric conditions, the risk workshop fits well. It can be preceded with the ‘Delphi’ technique (see ISO 27005:2018) where the coordinator sends out pre-prepared questionnaires to invited users and stakeholders. The answers give context and allow the workshop to be structured. It can be done by video link, using Skype, Google or if you are lucky, Microsoft Teams, even Zoom! Considerations should be given to the security – the confidentiality and thought given to maximum participations. Perhaps the key word is ‘structured’ as in SWIFT (see ISO 27005:2018) which stands for ‘structured what-if technique’. Give the workshop an agenda, a medium for demonstrating (whiteboarding?) ideas and recording these. Keeping a record is essential as the findings become evidence to support decisions of prioritisation in selecting appropriate, applicable controls from the NIS CAF. Remember that the CAF is about outcomes and there are many ways perhaps of achieving the same outcome. There are physical, personal, procedural, and technical controls to choose from and many different suppliers offering to help – with various degrees of help and quite extreme differences in investment required. Remember also that senior stakeholders, those with responsibility for security but also the resources (and cash) to commit, need to be convinced that their investment will reduce their risk, their potential bottom line.
Compliance and Continual Improvement
Of course. to comply with the NIS CAF there are mandatory conditions/outcomes to be achieved. Access to critical systems has to be controlled and information assets in these systems need to be effectively managed. Anomaly detection and protective monitoring have to be put in place to detect, deter and defend against insider and cyber-attack. A security awareness programme is essential if you are to prevent enemies exploiting your internal resources and an incident response and back-up plan need to be enforced. But how these outcomes are achieved is up to the individual operating company and the best way to map these, in context and driven by the business is with the structured discussion in a SWIFT workshop. But this is not the end. The final outcome of the NIS CAF – Lessons Leant – fits well with the ISO/IEC 27001:2013 for continual improvement. The SWIFT workshop can fulfil the ISO command to PLAN, DO, CHECK, ACT. Part of the governance should be to continually review progress, not just in complying with the CAF but in defeating the cyber threat. Monthly security working groups are required and annual risk assessments, helped by SWIFT should become the norm.
By Joe Ferguson, NCSC Certified Cyber Practitioner and Senior Information Risk Analyst
