The NCSC Cyber Assessment Framework
The CAF is the means by which an operating company demonstrates to the Competent Authority (CA) that it is applying ‘applicable’ best practice in a proportionate and appropriate manner. It is not a checklist but a series of principles that need to be addressed in a way that best suits the business while satisfying the CA that due attention is being paid to the cyber threat at large. The CAF as a whole is an “indicator” of cyber health and maturity and allows a judgement to be made.
It is worth noting that the 14 principles presented in the CAF address the top-level descriptors of cyber defence, namely Security Management, Threat Protection, Threat Detection and Response. Below the principles are some 30 aspired “outcomes”, and spread within these are some 177 indicators of ‘good practice’. Not all the indicators need to be satisfied, only those that are applicable and where the targeted threat is not mitigated elsewhere. The 14 principles are divided accordingly:
Security Management: Governance, Risk, Assets and Supply Chain Management
Threat Protection: Services, Access, Data, Systems, Resilience, Users
Threat Detection: Protective Monitoring, Event & Anomaly Detection
Response: Incident Management, Lessons Learnt
The CAF, as described, is guidance, not just a checklist for compliance. The checklist approach is good for auditors, and the quick and easy approach is to target those items that are easiest, “the low-hanging fruit”: the so-called easy controls such as acceptable use policies or introducing complex passwords. But there are no easily achieved outcomes; they all require planning, implementation and documentation. If serious about cyber security and combatting the threats, it is best to target the “crocodiles nearest the canoe”: if legacy applications exist or servers are unpatched, these are vulnerable and need protecting. Locking down platforms, introducing intrusion prevention, firewalls and event monitoring are the primary foci if not already addressed. And then back to the checklist. The CA is responsible for issuing a checklist of CAF-based indicators of best practice, and these can be used for a gap analysis.
Unless the margin in the gap analysis is small, a plan will be needed; this is the only way to get management buy-in and the necessary resource. Start with the buy-in: principle A1 requires Governance, and while this involves presentations, Board-level sponsorship and activity are prerequisites. Buy-in will see signatures against all the NIS-based policies that will need to be written. The plan should involve writing the policies based on the outcomes required in the CAF, then executing the activities that will achieve these outcomes. Some activities will be longer and more complex than others. For instance, if there is currently no protective monitoring, a Security Information and Event Management (SIEM) system will need to be procured to satisfy principles C1 and C2; all procurement exercises take time, and implementing a SIEM with the corresponding resources and procedures is a comparatively challenging exercise. Similarly, a corporate Cyber Awareness Programme (CAP) is going to be a resource-demanding challenge if it is to satisfy principle B6. Through planning the measures necessary to counter the cyber threat, being able to review them, and getting approval from the operating board, an auditable, acceptable, NIS-compliant cyber security platform can be achieved.
Response, that is, principles D1 and D2, Incident Handling and Lessons Learnt, is best achieved if one embraces the ‘continuous improvement’ mantra from ISO 27001. In common with all ISO standards, 27001 incorporates the Plan-Do-Check-Act model. To follow this advice, it is best to align oneself completely to the standard. Due to the legacy conditions of railways it may be impossible to achieve certifiable compliance across the TOC, but the scope may be limited to the ICT department. This would be the ‘scope’ of the Information Security Management System (ISMS). It would include the Personnel, Procedural, Physical and Technical (P3T) controls needed to counter the cyber threat, and the project organisation to implement and maintain the veracity and legitimacy of these controls. Implementation and maintenance could be governed by a Cyber Security Working Group (CSWG), convened of stakeholders and implementers. This group would deliberate upon and manage change, as well as the response to incidents, learning and remedial action. Changes would be based on applicability, appropriateness and proportionality. ISO 27001 itself comes with a checklist in Annex A of some 121 controls, with considerable if not total overlap with the CAF outcomes and indicators of good practice. The CSWG should manage the CAF-based gap analysis and a risk register of cyber issues to be addressed.
Train Operating Companies are under threat of cyber attack. Across the railway industry we rely on constant internet access, and connectivity has become vital to many core business functions. What’s more, with the growth of the Internet of Things, more devices than ever are at risk of malicious attack. In the railway industry there are also the specific challenges of remote and small-scale networks, for example on the rolling stock itself, that are difficult to secure. Hackers are continually finding new systems that lack sufficient security, and as the San Francisco incident demonstrates, it is just a matter of time before an insecure system is exploited, sometimes at great cost; many companies across the transport industry are unprepared for the cyber security challenges of today.
The need for TOC ICT infrastructure to be secure from cyber attack is now apparent to all. Implementing measures that lead to the required outcomes and that can demonstrate positive indicators of good practice is not only achievable and auditable but, even more significantly, required by law. The guidance given by NCSC should be consumed voraciously and with alacrity if we, as TOCs, are going to avoid cyber incursion and/or a major incident.
DfT guidance, and the consequent protection of essential services, must be extended beyond the boundaries of the terrestrial ICT estate and onto the rolling stock itself. This will require collaboration with the suppliers, ROSCOs and operators as well as the authorities. There are physical means of protecting ICT assets on board the train, and there are resilience and encryption as measures to protect the confidentiality, integrity and availability (CIA) of data processed and transmitted throughout the train. This however does not fulfil the needs of the NCSC CAF, which calls for monitoring, event detection and response. To satisfy these needs TOCs need to adopt in-flight intrusion detection and recording.