Defining these Essential Services is key to the focus an OES might lend to gaining compliance with NIS. For a TOC, essential services are those that ensure operational delivery targets are met, that trains run to schedule, within the defined safety and quality parameters, and that disruption and unnecessary delays are avoided. There are certain thresholds now given by the DfT for TOCs running more than 500 services a day, which roughly equate to 20% of these being disrupted, requiring notification and reasons to be reported within 72 hours. Consider the incident that occurred on July 5th. There was a loss of signalling between Selhurst and Balham which had a substantial impact on train services that day and which was reported on BBC News. GTR (mainly on Southern) had 978 full cancellations and 248 part cancellations and was therefore in breach of NIS. DfT say both Network Rail and GTR should have reported this as an incident but neither did. Obviously signalling is a critical component of train management, but was there a failure of another system that contributed to the outage? And was this a failure in technology or procedure, or a breach of physical or personal security? Subsequent investigations into timetable and signal failures do not dig deep enough into the critical components underlying essential services.
One could interpret DfT guidance to mean that only services, the absence of which might cause a 20% outage in a day, should be protected. This would ignore common sense. There are a host of complementary services that bring train operations together. One could suggest that the only service to cause a 20% outage would be a failure of the train or a failure of signalling. Signalling might be thought of as out of the control of the TOC, being the responsibility of Network Rail. But the failure to receive the signal or act correctly might be regarded as the responsibility of the TOC.
All trains have management systems and means of communication to the “shore” – it’s not just the signalling. Once a train has signal – movement authority – it must transfer this to the propulsion, traction, brakes and, yes, the opening and locking of doors. These are controlled by the Train Control Management System (TCMS). The TCMS, often taken for granted and overlooked, is a critical part of train management. Because it’s taken for granted one might pause here to consider how vulnerable it is to physical intrusion – every coach has a server to support TCMS functionality and these are accessible via the ‘t-key’ – and they also have open service ports. They are all connected via a communications bus. There is also the Main Communications Gateway (MCG) through which the train communicates to the outside world. An attacker could disable train operations through these. One can see there are many in-flight essential services.
Bearing this in mind, and the TOC’s responsibility for operations and delivery as well as compliance, cyber security is aimed at the management of risk in the face of an increasing threat, and there are many ways a third party might attack a service. The financial risks a TOC faces are to its business: its income flow and the penalty fines it might incur (outside of NIS compliance) for delays and disruption or cancellations. There is the knock-on operational risk of having to re-schedule, re-roster staff and rolling-stock and all the resources this takes. Added to this are the reputational risks, the adverse reports in the papers and how this is interpreted in the press and social media. There are many reasons for defining services as “essential” outside of just those that cause “reportable incidents” in the eyes of NIS.
There is also the question of the impact of those risks or the target of the threats. A little diversion to GDPR, as these regulations coincided with NIS and in some ways have been treated with similar distinction – hence the fines and reporting allowance, which are not entirely equivalent. GDPR is about the protection of personal data and its availability to the citizen. Confidentiality is prime, with integrity and availability important but maybe not critical issues. With essential services, Availability becomes prime. However, Confidentiality cannot be ignored, as access to detail on how a service is provided, technical detail on how it works, could make it vulnerable to attack. Similarly, customer information services might be attacked subtly – not obviously, as this would result in immediate reaction – enough to cause disruption. This might not result in a 20% NIS threshold being breached but might have significant reputational impact. On a sliding scale therefore, of the panoply of services the TOC delivers, it is obliged to protect not only Availability but also Confidentiality and Integrity.
The most important service, the one that, if successfully attacked, might lead to delay and disruption, is the movement authority, train regulation: that is, stop, start and speed. All these are safety related as well as able to cause disruption, and are reliant on cooperation and collaboration between the TOCs and Network Rail. Similarly, the tactical management of train movement during the day is essential to performance and is a collaborative effort utilising applications and information sources from various interfaces. Allied to train management is station and platform management, and there are a number of contributing services to the on-going administration of a station.
One of the most frequent causes of individual train delay is crew non-availability. Crew rostering is absolutely vital to consistent delivery of service. While crew planning can be seen as a background task, substitutions on the fly are necessary if trains are not to be taken out of service.
Underlying these critical services are important ones whose absence would cause disruption, the severity of which would depend on the length of the outage, that is, how long the service was not available. These include train planning, train maintenance and HR services. These could realistically be deemed “important” rather than “critical”. Another differentiator between important and critical is whether one medium of information exchange might be substituted for another. This might be in terms of radio / telephone rather than an email or signal. CCTV imagery for station management might be substituted by extra manpower – however there have been many occasions when stations have been closed because of the CCTV not working, so should CCTV be regarded as essential? Similarly, the original advice from DfT as to how to interpret “essential” was to exclude business systems, ICT, and to concentrate on the IT systems (applications) that supported front-line services. But then one hears of drivers refusing to commence a journey because they have no hard copy of the ‘train plan’ because of an IT/printer failure. Similarly, the underlying infrastructure, the hardware platforms, operating systems and communications media, be it video, Wi-Fi, LAN or WAN, needs to be regarded as ‘essential’ and downgraded from ‘critical’ to ‘important’ by providing resilience and alternatives.
There are two distinctions that are to be made. Critical services are vital to operational performance and the absence of ICT to support them needs to be avoided by compliance with NIS guidance. Important services become critical over time through aggregation and aggravation as well as depletion of alternatives. Key words in NIS guidance are ‘proportionate’ and ‘appropriate’. NIS guidance to protect these critical and important services is to apply the applicable controls in a proportionate and appropriate manner. To make judgements, the Competent Authorities and Operators of Essential Services have received guidance from the UK Cyber Technical Authority, NCSC.