Aecom Limited have a managed services framework agreement with Network Rail. We were subcontracted via Egis Rail to provide cyber security capability. We were asked to provide a maturity assessment on security approaches across Network Rail’s signalling infrastructure.
This case study is an example of Egis working within complex business partnerships and supporting critical transport infrastructure in the UK.
Under contract to Network Rail (NR) via Aecom and Egis Rail, we were asked to review and update a set of CAF (Cyber Assessment Framework) assessments and recommend practical remediations where necessary to the Signalling and E&P (Electrification and Plant) Systems.
Role of Egis
Each of the identified critical systems within the Signalling and E&P (Electrification and Plant) groups was assessed for CAF (Cyber Assessment Framework) objectives, using the following sources of information:
- Published documentation provided by Network Rail and suppliers
- Interviews with internal Network Rail System owners and experts
- Interviews/questionnaires with system suppliers.
The approach to the CAF assessments was to provide a technical document-based review of each system, based on available documentation, policies and procedures, which was then supplemented by input from operational staff who have working knowledge of the system ‘as operated’. This provides valuable insight into the system and a more realistic view of the system’s vulnerability to cyber threats. It also provides valuable insight into organisational and cultural factors that can be critical to the effectiveness of human defences against cyber threats.
We produced a detailed report covering our assessment of critical E&P (Electrification and Plant) and Signalling systems against the Department for Transport CAF (Cyber Assessment Framework). The report also included remediation recommendations resulting from the assessment.
Alongside detailed system-specific remediation recommendations, the final report identified a number of general themes which provided insights into suitable approaches and activities which could further increase the effectiveness of Network Rail’s defences against cyber-attack and ransomware. These common themes provided an opportunity to implement a more central solution to provide compliance benefits across multiple systems. We provided both general remediations and system-specific remediations in the final report. The remediation plans focus on the following aspects:
- Opportunities to further enhance physical and access security arrangements to defend against unauthorised and inadvertent changes to systems
- Identification of system segmentation opportunities to limit the spread of viruses or ransomware
- Development of metrics to effectively evaluate and monitor identified cyber-risks
- Steps to control portable and removable devices in the context of operational systems
- Establishing frameworks and processes which collect evidence needed for future assessments and to demonstrate continued compliance to regulation
To make future CAF assessments more straightforward, Egis also offered additional recommendations to improve the security management processes, based on the lessons learned in this work.