Cyber Risk -NIS and HS2

Critical Systems are used to deliver Essential Services. For transport systems this means the applications and equipment, the use of which is necessary to get the means of transport to the customer at the published time. For railways this means train planning and train maintenance software and the computers and communications that allow these applications to be used. It also includes the rostering systems that get drivers, guards, station staff and maintenance crew to the right place at the right time.
The trains themselves use information systems to operate. So why isn’t the software on the train that receives signalling covered by NIS.

What are ‘network and information systems’?
Regulation 1 of NIS defines a ‘network and information system’ as:

• an electronic communications network within the meaning of section 32(1) of the Communications Act 2003 i.e. a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description.

• any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data.

• digital data stored, processed, retrieved or transmitted by elements covered under point (a) or (b) for the purposes of their operation, use, protection and maintenance.

This is basically any computer system used to process ‘digital data’. Digital data is any information stored in digital form on a network and information system.

What is meant by ‘security of network and information systems’?
Regulation 1 of NIS defines this as:

• the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

In essence, this refers to the concept of ‘information security’. You must have appropriate security measures to ensure that your systems, and the data within them, are not compromised.

This aligns closely with established standards such as ISO/IEC 27000:2018 and well-known guidelines including the US National Institute of Standards and Technology (NIST) Special Publication 800-53. Examples
The ISO/IEC 27000:2018 standard defines information security as:
‘preservation of confidentiality, integrity and availability of information’
NIST SP 800-53 defines information security (PDF) as:
‘the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.’

The terms ‘confidentiality, integrity and availability’ are collectively known as the ‘CIA triad’, and they are well-established information security concepts. They are present in the GDPR and are therefore relevant in terms of the technical and organisational measures that you are required to have in place under that legislation. NIS adds ‘authenticity’ to these three.

This means that most of the NIS requirements in practice relate to cybersecurity measures. However, information security also encompasses physical and environmental factors as well, e.g. where such factors may pose a risk of compromising your systems.

Therefore, ERTMS is relevant to NIS.

What is an ‘operator of essential services’ (OES)?

Essential services are services that are critical to the national infrastructure (eg water, energy, transport) or significantly important to the economy and wider society like health services and digital infrastructure.
Regulation 1 of NIS defines an essential service as:
• ‘a service which is essential for the maintenance of critical societal or economic activities’

An ‘operator of essential services’ (OES) is an organisation that provides an essential service, where:

• the service provision depends on network and information systems; and
• any incident would have ‘significant disruptive effects’ on that service

All rail services that employ ERTMS including HS2 are subject to NIS. Is this the responsibility of Network Rail or the TOCs?

The bidders for HS2 Rolling Stock must recognise the need for their bullet trains, operating at up to 350mph should not rely on a ERTMS that relies on 1990s mobile telephony with 1990s encryption. Or do they? What is happening to make ERTMS safer? DfT have recently sought to tender for experts that recognise the cyber risks to the industry. It should be patently apparent.