How To Write A Cross Industry Cyber Security Strategy


MEETING: RSSB Board Meeting

DATE: 12 November 2015

SUBJECT: Development of a cross-industry cyber security strategy

SPONSOR: Mark Phillips

AUTHORS: Maria Grazia Vigliotti, Tom Lee and Eleanor Brewer

1. Purpose

1.1. This paper requests the board to approve the development of a cross-industry cyber security strategy and to remit the executive to identify appropriate funding options.

2. Background

2.1. At the meeting in July 2015, the board sought further information on the scope of the strategy, on the costs to deliver the strategy, and on the risks of undertaking this work.

2.2. To respond to the board’s request, RSSB developed a plan to facilitate the creation of a cross-industry cyber security strategy and consulted with the cross-industry through a questionnaire, one-to-one meetings, a technical workshop and briefings to industry groups, including:

a) The Technical Strategy Leadership Group (TSLG)

b) The System Safety Review Group (SSRG)

c) High Integrity Systems Group (HISG)

d) The Vehicle Train Control and Communications System Interface Committee (V/T C&C SIC)

e) The Information Management Group held by the Railway Industry Association (RIA)

f) The Chief Information Officers (CIO) Forum

2.3. The consultation took place from the beginning of August to mid-October 2015. A consultation map is shown in Annex A.

2.4. The majority of organisations consulted supported RSSB leading development of a cyber security strategy.

3. Cyber security strategy’s scope

3.1. Within scope: The evidence from consultation suggests that technical systems used to run the railway, such as systems for control and communications, systems at stations, systems on trains, systems on the infrastructure, and some crucial backbone systems should be considered.

3.2. Out of scope: The evidence also concluded that systems used to run the commercial side of the business, such as email and payroll software, should be excluded.

3.3. The statistical supporting data for the statements above are set out in Annex B section c).

4. Future implementation of the strategy


4.1. A summary of the activities mentioned by the majority of organisations is set out below:

a) Develop training activities / programme for cyber security for all levels across the industry

b) Develop assurance principles and / or guidance related to cyber security for third-party suppliers that provide and develop software

c) Produce standards identifying requirements to manage cyber security

d) Develop principles to harmonise safety and security

e) Develop a cross-industry intelligence sharing partnership centre for the railway

f) Delivery of a joint risk assessment on critical shared systems

4.2. Activities a) – f) will require RSSB to establish permanent expertise in this new area, in addition to its current remit. It is proposed the strategy sets out a recommendation on the scope of this work and resource requirement, which will increase the core funding requirement from members.

4.3. It is likely that the scope of the cyber security implementation work will increase further and that the resource requirement will grow rapidly by the end of CP5.

4.4. The strategy should be subject to appropriate scrutiny and governance and it is proposed to remit this to the Data and Risk Strategy Group, a subcommittee of System Safety Risk Group.

5. Risks and benefits

5.1. The risks to RSSB are set out in the table below, together with the appropriate mitigations.

Risk: Reputational risk: during the consultation process RSSB may have built an expectation among members that RSSB is going to facilitate the plan for a cross-industry strategy.
Mitigation: Develop a communication plan to inform consultees of the board’s decision within one week of the meeting.

Risk: Late delivery or failure to deliver, due to tight funding and scope creep.
Mitigation: Develop a robust plan with adequate funding and resources. Use security intelligence from the DfT to achieve clear timescales and focus work towards well-understood priorities.

Risk: Not delivering an adequate strategy: the industry has a limited number of competent resources in cyber security.
Mitigation: Work with universities and independent consultants to bolster expertise where required.

Risk: The scope being unclear: the scope of the strategy is broad and therefore difficult to prioritise.
Mitigation: Work with industry to narrow scope and priorities, and with technical experts to validate that these priorities can be met.

Risk: Being inefficient: several cross-industry groups are working in an uncoordinated way on cyber security and the strategy could duplicate work.
Mitigation: Review work carried out by cross-industry groups and work with industry to ensure no duplication of effort.


6. Benefits

6.1. Delivering the cross-industry strategy will achieve a safer and more reliable railway because the risk of cyber-attacks causing disruption will have been mitigated.

6.2. Delivering the cross-industry strategy will help both RSSB and the industry to mitigate the reputational risks in case of an attack reaching the media.

6.3. It will be more efficient to have one cross-industry strategy that coordinates activity, thus avoiding duplication.

6.4. The strategy will facilitate a change in the cyber security culture across the industry.

7. Costs and funding

7.1. The consultation highlighted that a way to reduce cost would be to evaluate existing cyber security strategies, and ways that the problem has been tackled in other industries.

7.2. The evidence from the consultation does not provide a unified view on the priorities for the strategy, hence, an accurate cost estimate is difficult at this stage.

7.3. The industry has offered a total of 273 days as resource in kind, which would fully support running the Advisory Group and some drafting work.

7.4. The costs for developing the strategy can be broken down as follows: Redacted for publication

7.5. The academic will provide independent and impartial advice to the Advisory Group. The independent consultant will support the writing of the strategy and provide technical advice to the Advisory Group on specific matters. RSSB will provide its internal resources as contribution in kind to the project.

7.6. Four options are being explored to fund the cyber security strategy project:

a) Reaching agreement with the DfT to classify the work as research and funding it through the direct grant

b) A direct grant from the Cabinet Office cyber security programme

c) Funding this project from the current budget through stopping work on other projects such as Wi-Fi on trains or Human Factor activities relating to fatigue management and safety incident investigation, and delaying guidance on the Electro-Magnetic Fields Directive


7.7. The Director of Research and Standards is engaging with the DfT to ascertain whether funding will be available from the Cabinet Office or whether some elements of the strategy can be categorised as research and funded through the direct grant. If neither option is available, it is proposed to approach members for a small increase in the levy to fund the initial strategy work and ongoing maintenance activity. It is not considered appropriate to stop work on existing commitments to members.

7.8. Subject to board approval, it is anticipated that drafting of the strategy will commence in Q1 of 2016 and take approximately six months. It will be followed by communication and launch activities.

8. Recommendations

8.1. The RSSB board is asked to:

a) NOTE the content of this paper.

b) APPROVE the development of the cyber security strategy, subject to securing sufficient funding.

c) APPROVE governance of the strategy be remitted to the Data and Risk Strategy Group.

Note: the development of a cyber security strategy will most probably lead to ongoing additional work outside RSSB’s current scope of activity, which will lead to an increase in the core funding requirement.


Annex A: Consultation notes

a) RSSB succeeded in engaging with each member group, through 1-1 meetings and / or at the technical workshop.

b) 81% of the member TOCs responded to the questionnaire, and 1-1 meetings were also held with three of the seven member FOCs.

c) 1-1 meetings were held with five of the seven owning groups, and questionnaire responses were received from four.

d) RSSB had 1-1 meetings with two rolling stock companies (Angel Trains and Porterbrook).

e) We engaged with all infrastructure managers, and questionnaire responses were received from Network Rail and Crossrail.


Annex B: Consultation statistics

The following provides an outline of some of the questionnaire responses.

a) Which one of the following describes you in your professional role?

I am the professional lead on cyber security in my organisation: 35%

I am not a professional lead but I am responsible for contributing at a senior level to how my organisation addresses cyber security: 50%

I am in part responsible for the way my organisation manages cyber security: 15%

I have an interest in the issues surrounding cyber security: 0%

b) Please indicate the project goals you feel are most important to the successful delivery of a cyber security strategy for the railway. (Responses are given on a five-point scale, listed from least important to most important.)

Goal 1 - Ensure that the railway is resilient to intentional and unintentional breaches to the digital infrastructure: 5%, 5%, 0%, 10%, 80%

Goal 2 - Establishing a cyber security culture across the industry: 0%, 0%, 10%, 40%, 50%

Goal 3 - Reduction and avoidance of duplicated cyber security efforts: 0%, 15%, 20%, 30%, 35%

c) Please rank on a scale from 1 to 5 the relative importance of the systems to be included in the scope of the cyber security strategy. (Responses are listed from 1, least important, to 5, most important.)

A. Technology infrastructure systems (telecommunications and systems management): 0%, 0%, 0%, 31.6%, 68.4%

B. Systems that control train and train movement (infrastructure and vehicle control systems): 0%, 0%, 0%, 0%, 100%

C. Systems that allow the movement of goods and people (such as ticketing, CCTV, and staff rostering): 0%, 0%, 21%, 47.4%, 31.6%

D. Systems that manage and organise our businesses (including back office, billing, email, asset management and website)
