Signalling Centre Control Panel. Cyber Security Strategy

Transcription

1 Signalling Centre Control Panel Cyber Security Strategy September 2013

2 Table of Contents Executive Summary... 3 Introduction... 4 Relevance to Network Rail... 6 Our Cyber Security Goals... 7 Our Strategy... 7 Review & Validation Cyber Security Strategy 2

3 Executive Summary Network Rail owns and operates the rail infrastructure in Great Britain, with the aim of delivering outstanding value to the UK Taxpayer. Our business activities range from planning and delivering train paths through operational signalling systems, maintaining the physical infrastructure assets that make up the railway, managing a significant property portfolio and a plethora of back office functions that help us to administer our business and support our employees, customers and stakeholders. To deliver an excellent rail service, we make great use of information technologies and automated computer systems. These systems control train movement, deliver power to the network, support our timetabling and operational planning processes, schedule work activities across our maintenance teams, manage and pay our suppliers and our people, and allow them to communicate effectively. Every part of every business activity in Network Rail relies in some way on computerised systems and information technologies. Technology is critical to our business and rail infrastructure operations. programme. The groups carrying out these "cyber" attacks have also changed from teenage hackers in universities to organised criminal groups, activists and foreign nation state sponsored attackers with a strong political motive. The UK Government has added cyber activity to its list of Tier One threats to the UK, alongside terrorism, war and global pandemic. According to a Cabinet Office report, Cybercrime cost the UK economy 27bn in 2011 BAE Systems Detica, The Cost of Cyber Crime, Feb 2012 European Train Control System Driver Machine Interface These systems, upon which we rely, are under constant and growing threat. Computer security threats have advanced significantly from early viruses such as Anna Kournikova and Melissa, which caused widespread disruption of systems at the turn of the century, to sophisticated "digital weapons" such as the Stuxnet virus responsible damaging centrifuges supporting the Iranian nuclear enrichment Protecting Network Rail from the effects of a Cyber attack is a key priority. As part of the UK's Critical National Infrastructure with high levels of public visibility, a growing commercial presence and a large, at times transitory, workforce, there are many reasons we may be targeted. Protestors and activists may seek to disrupt our planned work, foreign intelligence services may wish to gain access to control systems or strategic plans, private businesses may attempt to gain commercial advantage and disgruntled individuals may damage our systems or steal our information for financial gain. We need to be better. To date our response has been effective; we have experienced few cyber related incidents with little obvious impact on our operations. However, as the threat grows, our systems become more connected and our reliance on them increases, our defences need to evolve. Cyber Security Strategy 3

4 Cyber Security Strategy 4

5 Introduction This publication details Network Rail s strategy to manage the risk of cyber attacks against our organisation and describes how the strategy will be delivered. It is fully aligned with the Network Rail and Industry Strategic Business Plans and further informed by the government s UK Cyber Security Strategy. What is Cyber Security? Cyber security is the protection of networked electronic systems from attack or misuse. It includes elements of physical, personnel and information security. Cyber attacks could lead to the compromise of sensitive information, denial of access to computing services or degradation/loss of control of systems. The sophistication and pervasiveness of cyber attacks is constantly growing, driven partly by technological progress, profitable applications in organised crime and state sponsored innovation. We must continue to develop and use modern, business enabling technologies to meet the needs of our customers and other stakeholders. In doing so, we should ensure that we are adequately protected from the prospect of those technologies being exploited in ways that could damage us. Cyber threats can originate from multiple sources, as illustrated in Figure 1. TERRORISTS FOREIGN INTELLIGENCE SERVICES INVESTIGATIVE JOURNALISTS THREATS ORGANISED CRIMINALS HACKTIVISTS CONTROLS INDUSTRIAL SPIES INSIDERS (ACCIDENTAL / MALICIOUS) EXPLOITABLE ASSETS? VULNERABILITIES TRAFFIC MANAGEMENT REMOTELY MANAGEABLE INFRASTRUCTURE CONFIDENTIAL & SAFETY INFORMATION CORPORATE INTRANET EXTERNAL WEBSITES TELEPHONY PASSENGER INFORMATION PERFORMANCE INDICATION BILLING & DELAY ATTRIBUTION PROCUREMENT SYSTEMS Figure 1 - Cyber Security Threats & Vulnerabilities Cyber Security Strategy 5

6 Relevance to Network Rail As an organisation, we are wholly reliant on technology to conduct our business operations, whether it is the delivery of front-line rail infrastructure operations or back office corporate support. We are also a category 2 provider of critical national infrastructure, as set out in the Civil Contingencies Act As such, we are obligated by law to cooperate with relevant authorities in order to protect the services we provide, which are crucial for the UK s continued political and economic well-being. As a provider of critical national infrastructure, we may be targeted by groups with political or ideological differences to the UK at large, in addition to attacks from amateur hackers, organised criminals, industrial spies, or disgruntled employees. All of these to one degree or another may have the motivation and an increasing technical capability to exploit vulnerable systems. The Network Rail Executive Board recognises the risk posed by cyber attack and has assigned a score of 8 in the corporate risk register (Probability 3/5+ Impact 5/5) Although the short-term risk to our business from cyber attacks can be considered relatively low in comparison to other critical infrastructure providers, the exposure of our systems and information will increase significantly during Control Period 5 as we adopt and become increasingly dependent on more networked technologies. An increasing commercial focus in our business activities will also increase the motivation for industrial espionage against us. These events are occurring against a backdrop where malware is becoming increasingly sophisticated and ubiquitous, and where the segregation of the business into semi-autonomous units could increase the risk of inconsistencies and incompatibilities in security controls. Overhead line electrification near London Euston Cyber Security Strategy 6

7 Our Cyber Security Vision Our vision is that Network Rail continues to embrace modern, business-enabling technologies in the interconnected world, while adopting suitable processes and controls to protect itself, staff, customers and suppliers, as far as practicable, from cyber attack. Our Cyber Security Goals To achieve this vision, we will adopt a common set of security goals based on the threats that we face. These are: 1. Our cyber security defences operate consistently across all technology domains; 2. We recognise malicious activity and can act swiftly to limit the damage; 3. We understand the extent of our exposure to attack; 4. Our systems are developed and maintained to keep step with evolving threats; 5. Our people recognise the cyber security risk and act with due care. Our Strategy To realise our vision and security goals, we will deliver and maintain a range of proportionate, risk-based cyber security capabilities that are applied consistently across the entire Network Rail Group. Our strategy encompasses people, organisational structures, business processes and technology, and it will be delivered on the basis of a clear understanding of what it is we are protecting and where our most critical vulnerabilities are. The aims and principles of our strategy are detailed in the following pages. Proportionate Security Controls We will establish and maintain proportionate cyber security controls and not waste resources by delivering best of breed defences where none are required. We will not commit resources to mitigate risks that are many years from maturing, will not bury non-critical systems and information behind layers of onerous security controls, and we will not impose unnecessary restrictions on our workforce that impede productivity. Instead we will tailor our security controls in response to the prevailing risks (illustrated in Figure 2). Security Controls Risk Exposure Time Figure 2 - Security Controls vs. Risk Cyber Security Strategy 7

8 Risk Intelligence To support a risk-based approach, we will build a more comprehensive knowledge of our cyber risk exposure so that we understand and deliver the right controls at the right time. We will conduct a thorough risk assessment across the organisation, cataloguing and assessing all IP-enabled assets and associated operating procedures. The assessment will also extend to key work areas within the business and the potential susceptibility of personnel to social engineering attacks. With a better understanding of our risk exposure, we will be able to target our subsequent actions in the most appropriate ways. We will also put into place the means to continuously assess our risk exposure and tailor our treatment over an extended period of time. Although our approach to mitigating cyber security risks will be a pragmatic and proportionate one, it is imperative that we not tolerate genuine, very high impact risks (i.e. those that may have safety implications or threaten our organisation s existence), irrespective of their perceived probability. Events in the banking world, terrorism, natural disasters and the industry s own experience all show that freak events can occur and we should not assume that, left untended, they will not occur again. This is illustrated in the weighted risk matrix in Figure 3, where impact is assigned a higher relative value than probability to account for extreme events. Some example (non-prescriptive) treatment options are shown in Figure 4. Business Support Our approach to cyber security must be supportive of the business, not a hinderance to it. The flow of open data that enhances value and improves the customer experience must be maintained. Similarly, we must continue to be transparent over the running of our business to meet key strategic objectives and commitments to our stakeholders. Rather than being contrary to these aims, strong cyber security is complimentary. Protecting the integrity and availability of our information will help to ensure that the correct information is available to our staff and customers at the time they require it. Confidentiality allows us to control the flow of information into the public domain so to not disappoint or confuse our stakeholders by accidentally leaking immature information at inappropriate moments. Figure 3 Weighted Risk Matrix Figure 4 Example Risk Treatment Options Cyber Security Strategy 8

9 External Engagement Providing rail services to Great Britain is a collaborative effort. Every day we work with train and freight operating companies, engineering contractors, regulators and others to deliver a reliable and efficient service for the benefit of the public and UK at large. This requires close partnerships and information sharing, exemplified by our strategic alliances with train operators. This situation must continue and the flow of open data, as already stated, must not be disrupted by the need to secure our systems and information. To ensure that this remains to be the case, we will extend our successful business relationships into the security arena. We will share appropriate threat intelligence with our rail partners and seek to collaboratively realise the capabilities that are necessary to protect the industry from attack. We must also act in the recognition that Network Rail is a unique organisation within the rail industry. Our civil engineering pedigree and provision of services that are more akin to the utilities sector means that we would be welladvised to also look outside of the rail industry for additional strategic partnerships and information sharing. To that end, we will seek a forum with other organisations outside of the rail industry that face a similar range of business and cyber security challenges to our own. We will make full use of government sponsored information exchanges wherever possible and beneficial, but will also be prepared to take a proactive lead in engaging with wider industry whenever required. Source: Cyber Security Strategy 9

10 Supply Chain Assurance In delivering and operating Great Britain s rail infrastructure, we are highly dependent on external suppliers for various products and services. However strong our own security controls may be, there remains a possibility that they could be subverted by inadvertent vulnerabilities coming through the supply chain. To counter this we will ensure that our procurement standards and processes help to minimise the risk as far as possible by placing security specific requirements on suppliers. We will strengthen our ability to assure the security of externally sourced products and services and work with suppliers so that they understand our needs and ensure that their own assurance efforts are suitably aligned. Organisation Our approach to cyber security will change from one that varies according to technology domain (encompassing business, operational, asset management and telecoms systems), to one that is consistent across the group. To support this we will establish clear lines of authority, responsibility and accountability. A senior executive risk owner and group-level governance will drive consistency of cyber security controls from the top of the organisation down. Individual business units will be responsible for maintaining cyber security controls that are both aligned to the central strategy and relevant to their technology domain and strategic objectives. People The achievement of effective cyber security is not a task that is limited to the delivery of improved technical security controls and business processes. Ultimately our defences are defined by our people. We are seeing a shift away from the isolated electro-mechical rail control systems of old towards new IP-enabled, computer controlled systems that require a different technical and security philosophy to successfully deliver and operate. We will therefore ensure that our engineering workforce is suitably equipped and supported to identify and mitigate cyber security risks that apply to the latest, and future, generations of systems. With regards to our non-engineering personnel, we must become better at educating and supporting a workforce that, with the rest of society, is becoming increasingly exposed to cyber security threats. We will cultivate a more security aware culture at Network Rail so that our staff manage information and systems securely and can recognise and respond appropriately to both opportunistic and targeted cyber attacks, for their personal benefit as well as for the business as a whole. Finally we will ensure that our specialist security personnel possess and maintain the professional skills needed to deliver effective cyber security capabilities and support for the rest of the organisation. As a result of the new professional development opportunities offered by our organisation, we will become a destination of choice for cyber security professionals. Rail signalling centre Cyber Security Strategy 10

11 Principles The principles that we will adhere to in our execution of the strategy are: We will immediately address issues that are recognised to be affecting our ability to detect and respond to threatening cyber activity; We will operate in an assumed state of compromise, that is there will not be a presumption that our network boundaries, internal and external, are invulnerable; We will develop and maintain a detailed understanding of our risk exposure to inform cyber defence All information and systems will have identified owners. and business change activities; We will create a culture in which the security of technological systems, information and processes is assessed and verified from the point of inception through to delivery, use and disposal; We will seek to manage rather than avoid all risk so that we and our people can continue to benefit from opportunities in cyberspace; We will develop our people s knowledge and skills, recruit appropriately, and invest in technology where required to maintain an effective cyber defence; We will organise and operate across Network Rail functional boundaries and business units to meet the cyber threat effectively and minimise duplication; We will make use of expert guidance when appropriate and collaborate with government and industry to benefit from tried and tested approaches, knowledge and experience; Cyber Security Strategy 11

12 Review & Validation This strategy document will be reviewed annually to check its continuing relevance and the progress we have made against our strategic goals. The initial review will be commissioned on the first anniversary of publication and this document will be updated accordingly. Measuring the success of the strategy will not be a straightforward task. Until we have thoroughly assessed the risk and established an accurate moving picture of the vulnerabilities of our organisation and systems, it is impossible to determine what good enough is. Our efforts to cultivate a more security aware culture throughout the organisation will mean that many cyber risks that would otherwise have had an impact will be simply avoided. In the meantime, the external threats and attack surface of our business will likely increase, resulting in a moving baseline that makes analysis and trend identification difficult. Adequate cyber security is not a point condition. We must maintain an awareness of our risk exposure and deploy the controls that are appropriate at the given time to ensure we are not left unnecessarily exposed to attack or waste valuable resources investing in security controls that are not required. We will therefore asses the success of the strategy through largely qualitative means rather than predetermining specific levels of cyber security maturity based on widely recognised models and control frameworks, such as those published by the World Economic Forum and SANS Institute. We will however use these models and frameworks as a comparative means to track our progress. Generally speaking, we will expect to see a positive trend with regards to our cyber security maturity, although negative trends may be permissible provided they correlate to a reduction of threat or risk exposure. This is the essence of our risk-based approach and the analysis of our maturity levels will be conducted as part of the annual Cyber Security Strategy review. Although the assessment of our strategy as a whole will be largely qualitative, our programme of delivery and each constituent project will be based upon robust business cases, including demonstrable benefits arising from each individual piece of work. Every project will be justified separately and a mechanism for demonstrating eventual benefits and value for money, either as a direct contributor or enabler, will be designed into each one. Cyber Security Strategy 12

13 Addressing the cyber security threats to business operations is a growing concern for governments, private enterprises and other commercial organisations. As a fast moving environment, the types of attack we might face, the people carrying them out, and the potential harm to our business is not fully understood and will change rapidly over time. Delivering our five strategic cyber security goals will put Network Rail in a far stronger position to meet whatever cyber threat we experience head on. With an assured approach to cyber security, Network Rail can continue to embrace business enabling technologies in the modern, interconnected world, whilst protecting our customers, stakeholders and people from avoidable risk. Cyber Security Strategy 13

14 Network Rail Kings Place 90 York Way London N1 9AG Tel: