Risk and NIS CAF
In their recent Post-Implementation Review (PIR) of NIS, May 2020, the Department of Digital, Culture, Media and Sport summarise the regulations are requiring Operators of Essential Services, which include Train Operating Companies to:
- Take appropriate and proportionate measures to ensure the security of the network and information systems used to provide their essential services, both by managing risk and by minimising impact of any disruption.
- Notify their Competent Authority about any incident which has an adverse effect on the security of the network and information systems used to provide their essential services, according to criteria set out in incident reporting thresholds.
The first of these emphasises a point – not that GTR must be compliant with every IOGP in the NCSC NIS CAF, but that the measures should be appropriate and proportionate based on risk. However, in the body, Page 12, it acknowledges the CA responsibility in determining what IGPs are required which could be the full CAF. The second does not discriminate about whether the NIS used to provide essential services are shore or train based.
In my mind the NIS Regulations relate, by the second point to rolling stock as well as on-shore IT systems. Whether this view is adopted by every TOC or other OES, it is worth convincing the Competent Authority of the value of the risk-based approach.
Two years ago, I entered into a contract with GTR to look at their candidacy for NS compliance. Having previously spent over 20 years working in central government as a information assurance and risk analyst, I am now dedicated to supporting cyber security in the rail industry. I have promoted this both within my own consultancy company, IL7 Security and by sponsoring the transportcyber.com community web site.
All cyber practitioners working for Operators of Essential Services (OES) are aware of the requirement to comply with the NIS Regulations which came into force in May 2018. The DFT, as the competent authority (CA) has published the Cyber Assurance Framework, a spreadsheet of good practices drawn up by the National Cyber Security Centre to show how an OES should operate its Information and Communications Technology (ICT). ICT is the underlying technology and infrastructure that allows transport companies to run their businesses effectively and efficiently. NIS refers to them as the Network and Information Systems and the trick is to determine which of these systems is critical to the success of running the essential services in question. Take Train Operating Companies (TOC), as these are what I am most familiar with. Critical systems will include all those involved in planning, managing, and maintaining train services. This will include all the rolling stock, station staff, drivers, guards, and maintainers being in the right place at the right time to make journeys possible. Equally important, some might say, are the information services and passenger comfort systems that enhance the customer experience. All these need to comply with the outcomes described in the NCSC Cyber Assurance Framework, known as the CAF.
The CAF contains 4 principle objectives pertaining to Managing Security Risk, Protecting Against Cyber Attack, Detecting Cyber Security Events and Minimising the Impact of Cyber Incidents. Within these four objectives are some 39 separate Indicators of Good Practice and to “achieve” these (see the right-hand green column) the OES has to meet some 176 listed outcomes. This compares with ISO 27002’s 35 Control Objectives and 114 control objectives. There are many overlaps and consistencies, though its fair to say that the NIS CAF provides a comprehensive and especially useful checklist of controls to be welcomed and embraced by the transport industry. One might ask however, “Is every control appropriate or applicable to your delivery of each essential service?” For example, is supplier management that important when dealing with an insider threat? Certainly, reducing supplier-side vulnerabilities helps, but it probably is not the most important control t o consider. Only risk assessment allows identification, appropriateness and prioritisation.
From my conversations with other train companies it would seem that few have engaged serious or experienced risk analysts. Military and central governments have long used risk analysis to determine the appropriate solutions. The ‘not one shoe fits all’ adage is the key to good security management and selecting the most applicable controls and thereby avoiding unnecessary expense and wasted resource. Risk Management is central to ISO 27001 and is called for right at the start (A2) of the CAF. ISO/IEC 27005 – Information Security Risk Management was updated in 2018 and sets out the guidance for good risk management; it collates many different techniques, methodologies as they are stuffily called – as not one size of risk analysis fits all.
Having spent almost twenty years as a risk analyst with the Police, with MOD and with Central Government, I have experienced many methods of assessing and evaluating risk. The standards require setting the context, the assets in question, judging the impact of a compromise to the asset, followed by assessing the probability of this compromise. I have conducted risk assessments behind closed doors, in small groups or with workshops. The key is to determine what assets are being threatened, where the threat is coming from and which vulnerabilities is the threat able to exploit. We then prioritise those assets and seek to protect our most precious, in our world, the most critical, systems. To be honest, if the systems are not critical, if we have easy manual workarounds, why spend lots of cash protecting them?
But how does this help with the CAF? Firstly, any good risk assessment sets up the context, involving the stakeholders and those who need to be informed of the outcome. This allows one to identify the Governance (CAF A1) structure required and name responsible individuals and risk owners. To help with the context it is always best to include some user input. With the stakeholders, users and risk owners attending an on-site or virtual workshop, lessons learnt, incidents from the past, real fears and worries can be put in the melting-pot and risks can be prioritised. This covers the last part of the CAF, D2. The outcomes between A2 and D2 involve controls. Choosing, selecting and investing in controls will follow analysis of lessons learnt in the risk assessment. The risk workshop can give a sense of priority, which are the real concerns can be targeted and equally one can identify the ‘low hanging fruit’, those quick wins, low cost achievements that will show progress and drive momentum. It also provides a view of the opportunity risk – the business opportunities to be exploited, why some actions are followed sand some are not, which risks can be tolerated for the greater business good – what is the risk appetite? The risk workshop should look at any system vulnerabilities and discuss who or what has the opportunity, capability, and reason to exploit those vulnerabilities. This helps to decide whether, or in what proportion, defence is required against the disgruntled insider threat or the external cyber hacker. The potential that the external cyber hacker can exploit the insider and force the insider to be the attacker, through no wish of their own should be discussed. Maybe a whaling or phishing attack, maybe ransomware, causes the insider to deviate, make a mistake, let in an attack or even to deliberately, having been compromised, contribute to an attack? Where we decide in the workshop that these hybrid attacks, have happened, could happen and at what impact, then we need to prioritise, both against the insider and the cyber-attack. As part of the exercise, it is time to proceed to risk management. The risk management documentation must come out with the applicable controls to counter prioritised threats, making an argued security case that with controls introduced result in a small residual risk that fits within the corporate risk appetite.
In the current isolation centric conditions, the risk workshop fits well. It can be preceded with the ‘Delphi’ technique (see ISO 27005:2018) where the prosecutor sends out pre-prepared questionnaires to invited users and stakeholders. The answers give context and allow the workshop to be structed. It can be done by video link, using Skype or if you are lucky, Microsoft Teams, even Zoom! Considerations should be given to the security – the confidentiality and thought given to maximum participations. Perhaps the key word is ‘structured’ as in SWIFT (see ISO 27005:2018) which stands for Structured What If Technique. Give the workshop an agenda, a medium for demonstrating (whiteboarding?) ideas and recording these. Keeping a record is essential as the findings become evidence to support decisions of prioritisation in selecting appropriate, applicable controls from the NIS CAF. Remember that the CAF is about outcomes and there are many ways perhaps of achieving the same outcome. There are physical, personal, procedural, and technical controls to choose from and many different suppliers offering to help – with various degrees of help and quite extreme differences in investment required. Remember that senior stakeholders, those with responsibility for security but also the resources (and cash) to commit, need to be convinced that their investment will reduce their risk, their potential bottom line.
Of course. to comply with the NIS CAF there are mandatory conditions/outcomes to be achieved. Access to critical systems has to be controlled and information assets in these systems need to be effectively managed. Anomaly Detection and Protective Monitoring have to be put in place to detect, deter and defend against insider and cyber-attack. A security awareness programme is essential if you are to prevent enemies exploiting your internal resources and an incident response and back up plan need to be enforced. But how these outcomes are achieved is up to the individual operating company and the best way to map these, in context and driven by the business is with the structured discussion in a SWIFT workshop. But this is not the end. The final outcome of the NIS CAF – Lessons Leant – fits well with the ISO/IEC 27001:2013 for continual improvement. The SWIFT workshop can fulfil the ISO command to PLAN, DO, CHECK, ACT. Part of the governance should be to continually review progress, not just in complying with the CAF but in defeating the cyber threat. Monthly Security Working Groups are required and annual Risk Assessments, helped by SWIFT should become the norm.