Cyber Security - Digital Railway

Transcript

Cyber Security – Client View
Peter Gibbons | Head of Cyber Security, Group Business Services
15/07/2015
Suppliers’ Summer Conference

Protecting our railway in a connected world
Digital Railway Supplier Conference
Peter Gibbons B.E.M.
Professional Head (Cyber Security)
Network Rail
July 15th 2015
/
AGENDA
• What is Cyber security and how might it impact our railway?
• How are we managing risks to Cyber security?
• What should you be doing?
• Conclusion
/
What is Cyber Security?
The government point of view …
• “our increasing dependence on cyberspace has brought new risks, risks that key data and systems on which we now rely can be compromised or damaged, in ways that are hard to detect or defend against”
Rt. Hon. Francis Maude MP – The UK Cyber Security Strategy, November 2011

What is Cyber Security and what does it mean to us?
• Cyber security is concerned with the security of cyberspace, which encompasses all forms of networked, digital activities; this includes the content of and actions conducted through digital networks
• All our systems and connected, computerised technology form our railway cyberspace. That includes databases, signalling systems, level crossings, RCM, CCTV and the underpinning infrastructure and telecommunication networks they rely on

Keeping our railway safe and secure
/
How might cyber attacks impact our railway?
• To provide appropriate protection, we have to understand the threat
• As we introduce more digital technologies, we increase the opportunity for cyber attack
• Balance most likely with worst credible case
/
How are we managing cyber security risks?

Risk model (slide diagram, reconstructed as lists): threat actor → motive → means (threat) → opportunity (vulnerability) → assets → impact → result (consequence)

THREAT ACTOR
• Terrorist
• Supplier
• Activist
• Researcher
• Foreign State
• Journalist
• Hacker
• Organised Crime
• Employee
• Competitor

MOTIVE
• Financial gain
• Curiosity
• Retribution
• Intellectual challenge
• Mischief
• Harm NR reputation
• Political advantage
• Spread propaganda
• Cause loss of life/harm
• Act of war
• Disrupt commerce
• Create fear
• Cause civil unrest

MEANS (THREAT)
• Phishing
• Hacking services
• Virus
• Watering holes
• Unauthorised security tools
• Botnets
• Ransomware
• Unauthorised physical access
• Exploit kits
• Rootkit
• Social Engineering
• Trojans
• C2 Services
• Malware

OPPORTUNITY (VULNERABILITY)
• Access
• Connectivity
• System Functionality
• Technology

ASSETS

IMPACT
• Denial of Service
• Data theft
• Data loss
• Data change
• Unauthorised access
• Unauthorised operations

RESULT (CONSEQUENCE)
• Train delay, disruption, derailment
• Unplanned cost
• Reputational damage
• Lost productivity
• System interruption
• Asset damage
• Regulator sanction
• Legal breach
• Financial loss
• Harm

Capabilities (LEAD; proactive capability through to reactive capability): UNDERSTAND, DETER, PREVENT, PROTECT, DETECT, RESPOND, RECOVER
/
What should you be doing?

Securing technical railway products
• Clear security requirements
• Coding standards
• Control testing

Managing security of operational services
• Vulnerability discovery, disclosure and patching
• Incident reporting
• Develop and follow common good practice

Securing your business
• Zoning and segmentation
• Data loss prevention
• Access control
• Protect your services and your supply chain

Accreditation and compliance
• Cyber Essentials
• PAS555
• OWASP
• Common Criteria
• ISO27001

Network Rail Procurement Standards for High Risk suppliers
9. The Supplier shall be certified to the government’s Cyber Essentials Scheme as a minimum requirement and shall provide evidence of its certification. Alternatively, proof of certification against ISO 27001 is acceptable, providing that the certification covers the part of the organisation that is delivering the Services.
10. The Supplier shall, as far as is reasonably practicable, categorize Assets according to the potential impact to Network Rail of their loss of confidentiality, integrity and availability (‘Categorization’); those with significant potential impact shall be notified to Network Rail.
/
Conclusion
1. Cyber attack is a real threat to our Railway
• Rail infrastructure systems have been attacked and compromised
2. Effective cyber security is a condition of entry for digitisation of the railway
• Our needs are not unique; as critical national infrastructure our standards must be high
3. We’re in it together
• We’re all a target and we’re all part of the solution
/
Please visit the Cyber Security stand in room E1 for more information
Thank you
/