The UK is proposing to modify existing legislation to include MSPs and the reporting of near misses, but does not expect to cover other sectors, physical security or certification. There is also something in there about cost recovery – does that mean operators will be charged for their regulation? Policy development will continue throughout 2023 with changes to the legislation coming in 2024. The forthcoming election that year may even delay matters further.
When NIS came into force in the UK in May 2018, it left many questions open, to which most of the answers came in the NCSC Cyber Assessment Framework (CAF). This laid out Indicators of Good Practice (IoGP) in the categories of Risk Management, Protection against Cyber Attack, Detecting Cyber Security Events, and Minimising the Impact of Cyber Security Incidents. As such it reflected the USA NIST Cyber Security Framework with its five pillars of Identify, Protect, Detect, Respond and Recover. NIST is more detailed in its prescription. While re-writing MOD JSP 440 and JSP 604 last year, MOD adopted NIST as the guideline for its cyber security policies. While the transport industry need not be so prescriptive, the NIS regulation has, under its 4 Objectives, some 39 separate principles and over 150 indicators of good practice. The Cabinet Office has proposed that central government departments all adopt compliance with NIS in place of the existing ‘Minimum Cyber Security Standards’. All US government agencies need to align themselves with NIST, and this involves inspection for compliance. The principal difference between NIS and NIST is the way the latter is enforced, audited and certified by suitably qualified, experienced professionals. The Department for Digital, Culture, Media and Sport (DCMS) is responsible for NIS policy and changes. The legislation named the Department for Transport (DfT) as the ‘Competent Authority’ for determining whether Rail, Road and Maritime OES complied with the NIS regulations. The legislation does not mention the NCSC NIS CAF. However, DfT has adopted it as a measure, and Rail Operators must submit a CAF spreadsheet attesting compliance with the indicators of good practice that NCSC has included. Compliance spreadsheets are then submitted to the DfT for inspection. After the first spreadsheet come commentary, dialogue and ‘improvement plans’.
The improvement plans are somehow tied to the Train Operating Company’s contract, though it is difficult to see how this would become enforceable. Timescales for inspection, feedback and appraisal are subject to the availability of competent resource within the department. It is not a subjective observation that the DfT, like many other government departments, finds that once its staff are suitably trained, qualified and experienced they become candidates both for promotion and for recruitment by better paid private industry. It follows that unless policing NIS is outsourced to professional auditors, it will always be so constrained. This is perhaps why the UK’s modest plans to update NIS in 2024 include some element of cost recovery, maybe to meet the cost of engaging external professional auditors. If the Cabinet Office extends NIS to central government, the number of external auditors might be considerable. And an attractive ‘gravy train’ for consultants.
Then there is the question of Train Operating Companies (TOCs) paying for the audit. What do they get back if there is no ‘kite-mark’, no logo to display on their web site or for peer-group recognition? TOCs are no longer in charge of their own destiny while waiting for the detail of Great British Railway, the outcome of the Williams report, and of their funding. Not to mention strikes.
Govia Thameslink Railway (GTR) found itself in mid-2022 largely compliant with the indicators of good practice in the NIS CAF and, while awaiting the response to its Improvement Plan from DfT, in a sort of limbo. The Board, on the recommendation of the Head of IT, decided to pursue certification to the international cyber security standard, ISO 27001, and at the same time embark on the journey to certification to Cyber Essentials Plus (CE+), a national standard, like NIS, promoted by the NCSC. Both are recognised as best practice, audited and certified by qualified consultants on an annual basis. These represent the kite-mark of quality in cyber security that GTR thought it deserved after all the effort, procurement and recruitment put in to satisfy the NIS CAF.
Is it necessary to have all three compliances, ISO 27001, CE+ and NIS? The difference between ISO 27001 and CE+ is that the former is risk based and, while security best practice needs to be demonstrated, some rules are more applicable than others. There is a Statement of Applicability (SoA) which is used to apply the best practice in the context of the organisation, and there is a need to show a governance-backed Information Security Management System (ISMS). Continuous Improvement is fundamental to all ISO standards. CE+ involves a questionnaire and is more prescriptive – the rules are fairly black and white. It is also backed up by penetration tests that provide evidence of vulnerability and patch management, malware protection, defences against malware, and identity and access control. The latter checks for the use of multi-factor authentication, and the final test is for proof of account separation. The rigour of CE+ might not suit government departments with large legacy ICT environments, and scoping might require professional external advice.
Is it necessary to have all three? There is already a whole industry surrounding cyber security accreditation, and further certification of the NIS CAF would only add to it. There is an argument that only one accreditation is required to satisfy NIS. It could be the NCSC NIS CAF, or certification to either ISO 27001 or CE+. What suits one organisation may not suit another, and the choice of accreditation and its scope may be the all-important negotiation that would save time and money both for the DfT and for the OES.
Rather than certification of NIS by an external body, an expensive consultancy, would it not be better to have internally sourced, suitably qualified and experienced professionals? In times past each government body, whether it was a ministry, department or police force, had an ‘Accreditor’. Each IT system had to be risk assessed and accredited. Perhaps, especially if NIS is extended to all public authorities, as NIST is in the USA, NCSC could resurrect this formula. The accreditation process was exploited in the past, with risk assessments taking too much time and paperwork, and it became far too expensive. By using the NIS CAF, attested to by an internal accreditor trained and certified by NCSC, or outsourced to the NCC or the CIIS, risk assessment could be a lot shorter, backed up by the NIS CAF certification. If all the TOCs followed suit, and in fact the formula could be extended to all industries and organisations where NIS applies, then there would be no need to agonise over ISO 27001 or CE+ – the NIS CAF certificate would serve as the requisite kite-mark.
CCP (NCSC Certified Practitioner), MCIIS, SIRA, BA, MA (Oxon)
Certified ISO 27001 Implementor and Auditor
07817 689 081
Please visit me at www.il7security.com
IL7 is a major sponsor of www.transportcyber.com