AGENDA ITEM: B2. RSSB Board Meeting Final: 08 May 2014 Page 1 of 3. November 2011



Similar documents
How To Write A Cross Industry Cyber Security Strategy

ESKISP Conducts vulnerability assessment under supervision

A GOOD PRACTICE GUIDE FOR EMPLOYERS

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Risks and uncertainties

SPEAR PHISHING UNDERSTANDING THE THREAT

Committees Date: Subject: Public Report of: For Information Summary

How to Exercise a Business Continuity Plan (BCP)

A global infrastructure to safeguard your business_

ISO27032 Guidelines for Cyber Security

THE HUMAN COMPONENT OF CYBER SECURITY

Who s next after TalkTalk?

Cyber Adversary Characterization. Know thy enemy!

ESKISP Conduct security testing, under supervision

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32. A call for views and evidence

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Overview TECHIS Carry out security testing activities

Cyber security Building confidence in your digital future

Introduction. Clarification of terminology

ESKISP Direct security architecture development

IRIS International Railway Industry Standard

Principal risks and uncertainties

Customer requirements. Asset management planning Inspection and assessment Route asset planning Annual work plans Contracting strategy

How To Protect The Railway From Attack

How To Manage Risk On A Scada System

How To Protect Your Business From A Cyber Attack

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBER LIABILITY RISKS SEMINAR Programme overview. THURSDAY 1 OCTOBER am 1.00pm Green Park Conference Centre, Reading

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative

Seamus Reilly Director EY Information Security Cyber Security

Technology and Cyber Resilience Benchmarking Report December 2013

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

Business Continuity Management Systems. Protecting for tomorrow by building resilience today

Protecting Malaysia in the Connected world

Cyber Security Evolved

The UK cyber security strategy: Landscape review. Cross-government

How To Manage A Business Continuity Strategy

Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015

idata Improving Defences Against Targeted Attack

G-Cloud Definition of Services Security Penetration Testing

National Cyber Security Policy -2013

SYMANTEC CYBERV ASSESSMENT SERVICE OVER THE HORIZON VISIBILITY INTO YOUR CYBER RESILIENCE MORE FOCUS, LESS RISK.

Cyber Security for Railway Signalling

ESTABLISHING A NATIONAL CYBERSECURITY SYSTEM IN THE CONTEXT OF NATIONAL SECURITY AND DEFENCE SECTOR REFORM

CBEST FAQ February 2015

External Supplier Control Requirements

Cyber Security solutions

DRAFT Revised Guide to the National CDEM Plan 2015 July 2015

Position Description. Assistant Director Cyber Security UNCLASSIFIED. Deputy Director, Information Assurance and Cyber Security Directorate

Guidelines for the Application of Asset Management in Railway Infrastructure Organisations

A Guide to the Cyber Essentials Scheme

Business continuity management

Business Plan 2012/13

TRUST POLICY FOR EMERGENCY PLANNING

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

POLICIES TO MITIGATE CYBER RISK

ESKISP Assist security testing, under supervision

Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

How To Cover A Data Breach In The European Market

University Emergency Management Plan

Managing work related stress in the rail industry

2 Gabi Siboni, 1 Senior Research Fellow and Director,

Confident in our Future, Risk Management Policy Statement and Strategy

HMG Security Policy Framework

Asset Management Policy March 2014

CYBERSECURITY RISK RESEARCH CENTRE (832)

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

CYBER SECURITY AND CYBER DEFENCE IN THE EUROPEAN UNION OPPORTUNITIES, SYNERGIES AND CHALLENGES

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Cyber Risks October

The internet and digital technologies play an integral part

CGI Cyber Risk Advisory and Management Services for Insurers

Cyber security organisational standards: call for evidence

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

OECD PROJECT ON CYBER RISK INSURANCE

CYBER SECURITY TRAINING SAFE AND SECURE

London 2012 Olympic Safety and Security Strategic Risk. Mitigation Process summary Version 2 (January 2011) Updated to reflect recent developments

Great Britain s Rail Safety Performance and Trends in 2013/14

Cybersecurity on a Global Scale

CYBER SECURITY Audit, Test & Compliance

The Human Component of Cyber Security

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Attachment G.18. SAPN_PUBLIC_IT Enterprise Information Security Business Case Step Change. 03 July, 2015

INTELLIGENCE. RISK MITIGATION. RESPONSE. CONSULTANCY.

Business Continuity Management

Cyber security Building confidence in your digital future

Automotive Suppliers and Cybersecurity

In partnership with. Food & Drink A fresh approach to risk management

Aon Risk Solutions Aon Crisis Management. Crisis Management Consulting Terrorism Probable Maximum Loss (PML) Studies

Business Continuity Policy. Version 1.0

CYBER-ATTACKS THE GLOBAL RESPONSE

Cybersecurity and the Threat to Your Company

National Approach to Information Assurance

Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry

Thales Service Definition for PSN Secure Gateway Service for Cloud Services

Business Continuity Planning for Risk Reduction

Transcription:

MEETING: RSSB Board Meeting DATE: 08 May 2014 SUBJECT: Cyber security SPONSORS: Anson Jack and Gareth Llewellyn AUTHORS: Tom Lee and Peter Gibbons 1. Purpose 1.1 This paper has been prepared jointly by RSSB and Network Rail and is intended to inform discussion concerning a proposed new activity for RSSB in relation to cyber security of the railway. 2. Background 2.1 Cyber security is the security of cyberspace. The Cabinet Office UK Cyber Security Strategy defines cyberspace as an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet, but also the other information systems that support our businesses, infrastructure and services. 1 2.2 The Department for Transport (DfT) has asked RSSB to establish an information portal on existing RSSB websites to raise awareness of cyber issues across the rail industry and publish useful information and related links. 2.3 Further to this, RSSB is requested to work with the industry to assess the need for rail-specific standards and guidance on cyber security to inform the agreement with industry of a standards development programme. 2.4 This is a new function for RSSB under the Constitution which has resource and funding implications for the company. 2.5 The draft request from the DfT is attached as Annex A to this paper. 3. Risks to the railway 3.1 The Government s 2010 National Security Strategy rated cyber-attacks a Tier One threat alongside, Terrorism, War and Pandemic disease. Reports of cyber-attacks in the media are growing and the UK Intelligence Agencies are reporting a high degree of risk to UK and European transport infrastructure including rail. 3.2 Cyber security is relevant to the railway in various technology domains, including rail control systems, asset management systems, business systems, telecommunication networks and embedded software, both in fixed infrastructure and on trains. 1 The UK Cyber Security Strategy, Protecting and promoting the UK in a digital world, Cabinet Office, November 2011 RSSB Board Meeting Final: 08 May 2014 Page 1 of 3

3.3 The current risk to the railway is still emerging as advances in technology are exploited by all parts of the sector to improve performance, safety and value. This includes a shift from legacy systems using proprietary systems to greater use of standardised technologies, protocols and operating systems. Interconnectivity between systems greatly improves their value, but also increases their susceptibility to cyber-attack. 3.4 Loss of security of a system does not equate to an unsafe condition, however there is a close relationship between security and safety. Compromised security could lead to unsafe events, both directly and indirectly. 3.5 The traditional approach of operational railway systems failing safe mitigates some risk, but the consequential impact of this and continued degraded operation of the railway introduces new risks. Increasingly, as these systems become more complex, reliably achieving failsafe conditions is more difficult, especially when subject to a cyber-attack. 3.6 Risks are not limited to safety. Cyber security has the potential to affect the whole supply chain and rail businesses need to take into account not just their own arrangements, but also consider the resilience of key suppliers. Failures in the supply chain, especially those that may persist for a few days, can quickly have a direct operational impact. 3.7 There is reputational and commercial risk, especially where attacks affect passengers and freight customers, for example as a result of operational failures, or failure of ticketing and revenue systems. 3.8 Media interest in cyber security has the potential to give wide exposure to relatively minor incidents. The industry s response to a cyber-attack against the railway will be played out in public and will have a high impact on passenger trust in the system. 4. Mitigation 4.1 To aid mitigation of this risk, DfT has asked RSSB to raise awareness of cyber issues across the rail industry by promoting information and links on RSSB websites and work with the industry to assess the need for railspecific standards and guidance to inform industry agreement on a standards development programme. 4.2 The standards development programme is not necessarily limited to RSSBproduced material and could include contributions from other organisations, including Network Rail, with RSSB providing a coordination and facilitation role. 4.3 A growing number of non-specific standards for cyber security already exist or are in development, which will need to be taken in the context of the railway. 4.4 There are parallels with the management of safety; security needs to be designed in as part of systems and processes and be part of the culture that drives risk aware behaviours. 4.5 RSSB has significant experience in supporting and improving the industry s management of safety including providing standards, tools and other material; this approach could be used for cyber security matters, but this will be starting from a lower level of industry understanding. RSSB Board Meeting Final: 08 May 2014 Page 2 of 3

4.6 The High Integrity Software Group, under the System Safety Risk Group, has shown a strong interest in cyber security and RSSB has supported cyber security initiatives as part of work supporting the ERTMS Programme. 4.7 This work will support the Industry s strategic objectives for security and will also contribute to safety, performance and wider business sustainability in the knowledge that existing systems are unlikely to be sufficiently resilient in the future. 5. Implications for RSSB 5.1 Resourcing 5.1.1 RSSB will need to develop expertise and is likely to need to increase resource to undertake this additional work. 5.2 HSE impact 5.2.1 There are no specific health, safety or environmental issues for RSSB as a result of this work. 5.3 Legal 5.3.1 It is likely that output from this work will, by design, be made widely available. However, in developing and managing the work it is possible that there will be a need to restrict some information. Systems and processes will need to be adapted to accommodate this and there is a possible requirement for some personnel to have appropriate security clearance. 5.3.2 Liabilities are anticipated to be similar to other aspects of standards production, subject to a possible increase in resource dependent on the extent to which RSSB undertakes this work. 5.3.3 The intellectual property is likely to be documented in publically available material, but the development of this material and associated intellectual property is possibly a marketable capability in its own right. 5.4 Finance 5.4.1 As this is potentially a new area of activity the expenditure and possible income are unknown at this stage. If supported, for the 2014/5 financial year the cost is expected to be approximately 100k, but this could rise in subsequent years depending on the scope of work and the extent to which other industry partners produce relevant material. 6. Recommendations 6.1 The board is asked to: DISCUSS the issues around cyber security and whether RSSB should equip itself to meet DfT request DECIDE whether to take it on, and if so pass a RESERVED RESOLUTION to adopt the function of developing a programme for cross-industry standards for cyber security RSSB Board Meeting Final: 08 May 2014 Page 3 of 3

Annex A: Draft letter from DfT RSSB Board Meeting Final: 08 May 2014 Page 1 of 2

RSSB Board Meeting Final: 08 May 2014 Page 2 of 2

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information