MEETING: RSSB Board Meeting DATE: 03 November 2016 SUBJECT: Rail Industry Cyber Security Strategy SPONSOR: Mark Phillips AUTHOR: Tom Lee

Transcription

1 MEETING: RSSB Board Meeting DATE: 03 November 2016 SUBJECT: Rail Industry Cyber Security Strategy SPONSOR: Mark Phillips AUTHOR: Tom Lee 1. Purpose of the paper 1.1 The purpose of this paper is to seek agreement of the board to remit the draft Rail Industry Cyber Security Strategy to RDG in line with the new way of working recently agreed with industry bodies. 2. Background 2.1 Following requests from the Centre for Protection of National Infrastructure and the Department for Transport for RSSB to develop a Rail Industry Cyber Security Strategy, RSSB consulted with industry to seek support and in November 2015 the board approved development of a cyber security strategy. 2.2 RSSB mobilised and developed a strategy overseen by a representative group established for this purpose the Cyber Security Advisory Group (CSAG, see Annex A). CSAG included leading experts in the field from Network Rail, train operators, RoSCos, Police, Government, the security services and academia. 2.3 The draft Strategy has been subject to industry consultation during September/October, supplemented by briefing sessions to key stakeholder groups. The Strategy has been welcomed and detailed comments have been addressed. 3. The Strategy 3.1 Content The Strategy has five chapters: a b c d e Introduction, setting out the target audience and roles and responsibilities. The approach is explained (understand, detect, protect, respond) and context is provided to help the rai industry understand threats and impacts Achieving our Vision which presents a vision (the end game) with an associated mission (how we get there) with a set of five objectives (what we need to achieve to get to the vision). The chapter includes challenges and information on forthcoming legislation. Actions, the key content of the Strategy with ten actions to achieve the five objectives. Assessing the impact, where governance, maturity assessment, monitoring, and review of the Strategy are presented. Conclusion which presents recommendations linked to the ten actions. RSSB Board Meeting Final: 03 November 2016 Page 1 of 2

2 3.1.2 Actions are written as pledges, demonstrating an industry commitment to deliver the intent of the Strategy. This commitment has been supported by the CSAG and tested through consultation. 3.2 Industry support The draft Strategy was consulted with industry. 767 individual requests were sent to 227 organisations, in addition the material was shared with various stakeholder groups; 21 people responded from 18 organisations with a total of 264 detailed comments and 56 sets of answers to more general questions on governance, assessment, monitoring, review and omissions. Views on implementation were also sought which elicited 13 sets of comments All of the consultees provided positive responses, but there were some challenges too. The vast majority have resulted in changes to the Strategy, a handful were not supported as they were contrary to prior agreements made with CSAG. Detailed responses are being prepared to every comment and these will be returned to consultees. A summary of the comments is included in Annex B Endorsement of the Strategy by CSAG is being sought ahead of the board meeting on 3 November. 4. Next steps 4.1 Since commencing work on the Strategy, there has been an evolution in RSSB s position in the industry and increased clarity in the role of RDG and RSG. 4.2 Using the model developed as part of the ORR Review, the Strategy is an example of discretionary work undertaken by RSSB. 4.3 Given the above, it is proposed that the board remits the Strategy to RDG along with the detailed responses to the industry consultation. 5. Recommendations 5.1 The RSSB board is requested to REMIT the draft Rail Industry Cyber Security Strategy to RDG, including the detailed responses to the industry consultation. RSSB Board Meeting Final: 03 November 2016 Page 2 of 2

3 Annex A Cyber Security Advisory Group A.1 Membership A.1.1 The membership of the cyber security advisory group was drawn from duty holders, RoSCos, security services and governmental organisations. Members were selected by their employers or other representative groups, such as the Chief Information Officers Forum. A.1.2 Members included: Abellio, Arriva, ATOC, BTP, CPNI, Imperial College London, Colas Rail, Crossrail, DfT, GB Railfreight, GWR, Go-Ahead Group, London Midland, Network Rail, ORR, Porterbrook and Stagecoach. A.2 Meetings A.2.1 CSAG met nine times between February and July 2016, with a final meeting by telephone in October The group has now been disbanded as it has fulfilled its purpose. A.2.2 CSAG has helped shape the development of the strategy, with members providing material and reviewing draft content. To inform development, presentations were received from dutyholders, government bodies and academia. Content was drafted by RSSB, supported by PA Consulting. A.3 Conclusion A.3.1 The final position from CSAG will be confirmed at the 3 November Board meeting, due to the last CSAG meeting being after the close of this paper. RSSB Board Meeting Final: 03 November 2016 Page 1 of 4

4 Annex B Summary of consultation responses A.4 Introduction A.4.1 Consultees were requested to answer five questions. The first identified their role and the capacity in which they were responding. The second concerned any general views on governance, assessment, monitoring and review of the strategy. Question three requested detailed comments on the strategy and the fourth question asked for any omissions in the strategy. The fifth question sought views on implementation. A.4.2 A.4.3 A.4.4 Most respondents were replying on behalf of their organisation and were responsible for contributing at a senior level on cyber security, some were the professional leads for cyber security. Only responses to questions three and four materially affect the strategy document. The vast majority of the 264 detailed comments have been accepted and revisions made. The few that have not been accepted have been considered carefully, but have not been addressed as they generally contradict other comments or agreements and direction from the CSAG. A detailed response to each comment has been prepared. Responses to the other questions, summarised below, need to be taken into account in the future development of the strategy and in particular, implementation. Overall, the comments were positive, supportive and constructive. A.5 Governance, assessment, monitoring and review of the strategy A.5.1 There was very strong support for the development of an assessment framework and a related cyber-informed procurement process. Benchmarking between companies/suppliers was seen as important including non-rail companies, for comparison purposes. There was support for this to be independent and external to an organisation whilst the industry is relatively immature. A.5.2 A.5.3 A.5.4 A.5.5 Raising industry awareness was considered important and general competency was seen as an area of weakness, with a competency framework recommended and many requests for further support. One correspondent summed up the views of many by stating the biggest challenge is behavioural change. In implementing the strategy, there were requests for alignment to industry standards (in particular ISO27001 Information security management and IEC62443 Industrial communication networks Network and system security, in draft) and the government s Cyber Essentials and National Rail Security Plan. The strategy is intended to achieve this, at the level that it is written. There were written comments and feedback at stakeholder meetings requesting greater regulation. These reflect concerns that there is too much dependence on self-assessment and commitment rather than compulsion. There was a perception that organisations that adopted the strategy could be undermined, technically and commercially, by those that had not. There were also comments that the strategy was too dependent on trust and goodwill between industry partners. There were many comments about needing to have clarity on roles and responsibilities. The strategy was criticised for stopping short of implementation and the resourcing, both people and financial, that implementation will require. RSSB Board Meeting Final: 03 November 2016 Page 2 of 4

5 A.5.6 A.5.7 A.5.8 For governance of the strategy, there was general support for RSSB having a role with a group, such as the High Integrity Systems Group, recommended as a sensible arrangement for governance. A counter proposal was that the DfT should execute governance, particularly because of their current engagement in cyber security. The need for continual monitoring of implementation was noted, with one respondent stressing that intermittent monitoring was insufficient. Help and support for monitoring was requested by several respondents. There were very few specific comments on future reviews of the strategy, but one respondent urged that advances in technology need to be taken into account. A.6 Omissions A.6.1 There were few comments (eleven) about omissions and two comments praising the strategy on its completeness. It is considered that many of these are best addressed through implementation. A request was made for comparison to other industries. A.6.2 A.6.3 A.6.4 A.6.5 The lack of an overall system authority was highlighted as need for system-wide detection and the response to manage whole system risk was considered weak. One commentator expressed concern that the strategy didn t adequately recognise the criminal aspects of cyber security and the need for criminal investigations. The internal threat was felt not to sufficiently recognised and it was felt that there needed to be greater distinction between organisation security and system security (which the respondent defined as the difference between the overall security and the security of individual equipment). The adequacy of self-assessment and the need for a supplier assurance framework were raised as omissions in addition to comments made in response to the other questions. A closer alignment with DfT guidance, particularly in respect of intelligent defence and protection was requested and, also similar to comments to other questions, the imperative (or compulsion to act) was felt to be not strong enough. More detail on a multi-layered approach, security-informed safety cases and measures for detection/monitoring and prevention was requested. Addressing legacy systems and management of obsolescence was also felt to be inadequate. One respondent requested that ticketing, revenue systems and other commercial transactions should be included. It was felt that there was insufficient consideration of protection of customer data and relationship with other legislation, such as the Data Protection Act. This contradicts the original agreed scope of the work. A.7 Implementation A.7.1 Many comments on implementation were embedded in other comments (some of which are summarised above). There were significant calls for support for implementation and concern that the existing industry frameworks are not set up for this. The concept of an overall railway system authority came up repeatedly and respondents started to identify roles and responsibilities for this notional body. In the absence of a single system authority, clear definitions of systems, boundaries and roles and responsibilities was seen as very important. RSSB Board Meeting Final: 03 November 2016 Page 3 of 4

6 A.7.2 A.7.3 A.7.4 A.7.5 Further comments were made on the challenge of staff engagement and the need for common assurance and assessment processes was stressed again. One suggestion was to use similar accreditation schemes as used for military or nuclear suppliers. Greater regulation and enforcement was requested with the need for appropriate remedies for failure to implement. Industry compliance was noted as a massive task and a request was made for an industry impact assessment. The strategy positioned rail as leading the way on cyber security but one correspondent considered that this contradicted a proportionate and appropriate response as advocated by the strategy. Others didn t comment on this. The draft strategy proposed a monitoring and review role for RSSB, overseen by the Board. There were no adverse comments to this principle and some respondents specifically noted agreement. However, this has been removed as it prejudges how RDG may wish to handle the strategy subsequent to the repositioning of RSSB. A suggestion was made for RSSB to fund pilot projects to develop best practice and guidance. One comment summed up many quite well: UK Rail needs to understand the enormity of the challenge and take the appropriate remedial action as soon as possible, by engaging with the appropriate agencies that can provide direction and also provide the controls framework for third parties, suppliers, contract staff. Attachment: draft Rail Industry Cyber Security Strategy RSSB Board Meeting Final: 03 November 2016 Page 4 of 4