
Cyber Security – Client View Peter Gibbons | Head of Cyber Security, Group Business Services

Suppliers’ Summer Conference. 15/07/2015. Protecting our railway in a connected world - Digital Railway Supplier Conference. Peter Gibbons B.E.M. Professional Head (Cyber Security)


Presentation Transcript


  1. Cyber Security – Client View Peter Gibbons | Head of Cyber Security, Group Business Services Suppliers’ Summer Conference 15/07/2015

  2. Protecting our railway in a connected world - Digital Railway Supplier Conference Peter Gibbons B.E.M. Professional Head (Cyber Security) Network Rail July 15th 2015

  3. AGENDA
     • What is Cyber security and how might it impact our railway?
     • How are we managing risks to Cyber security?
     • What should you be doing?
     • Conclusion

  4. What is Cyber Security?
     • The government point of view …
     • “our increasing dependence on cyberspace has brought new risks, risks that key data and systems on which we now rely can be compromised or damaged, in ways that are hard to detect or defend against”
     • Rt. Hon. Francis Maude MP - The UK Cyber Security Strategy November 2011
     • What is Cyber Security and what does it mean to us?
     • Cyber security is concerned with the security of cyberspace, which encompasses all forms of networked, digital activities; this includes the content of and actions conducted through digital networks
     • All our systems and connected, computerised technology form our railway cyberspace. That includes databases, signalling systems, level crossings, RCM, CCTV and the underpinning infrastructure and telecommunication networks they rely on
     Keeping our railway safe and secure

  5. How might cyber attacks impact our railway?
     • To provide appropriate protection, we have to understand the threat
     • As we introduce more digital technologies, we increase the opportunity for cyber attack
     • Balance most likely with worst credible case

  6. How are we managing cyber security risks?
     THREAT ACTOR
     • Supplier
     • Researcher
     • Journalist
     • Organised Crime
     • Competitor
     • Terrorist
     • Activist
     • Foreign State
     • Hacker
     • Employee
     MOTIVE
     • Curiosity
     • Intellectual challenge
     • Mischief
     • Spread propaganda
     • Act of war
     • Disrupt commerce
     • Cause civil unrest
     • Financial gain
     • Retribution
     • Harm NR reputation
     • Political advantage
     • Cause loss of life/harm
     • Create fear
     MEANS (THREAT)
     • Hacking services
     • Watering holes
     • Botnets
     • Ransomware
     • Exploit kits
     • Rootkit
     • Trojans
     • Phishing
     • Virus
     • Unauthorised security tools
     • Unauthorised physical access
     • Social Engineering
     • C2 Services
     • Malware
     OPPORTUNITY (VULNERABILITY)
     • Access
     • Connectivity
     • System Functionality
     • Technology
     IMPACT (CONSEQUENCE)
     • Train delay, disruption, derailment
     • Unplanned cost
     • Reputational damage
     • Lost productivity
     • Asset damage
     • Regulator sanction
     • Legal breach
     • Financial loss
     • Harm
     RESULT
     • Denial of Service
     • Data theft
     • Data loss
     • Data change
     • System interruption
     • Unauthorised access
     • Unauthorised operations
     Other diagram labels: LEAD; DETER, PREVENT, PROTECT; PROACTIVE CAPABILITY; DETECT, RESPOND, RECOVER; REACTIVE CAPABILITY; UNDERSTAND; ASSETS

  7. What should you be doing?
     • Securing technical railway products
     • Clear security requirements
     • Coding standards
     • Control testing
     • Zoning and segmentation
     • Managing security of operational services
     • Vulnerability discovery, disclosure and patching
     • Incident reporting
     • Develop and follow common good practice
     • Securing your business
     • Data loss prevention
     • Access control
     • Protect your services and your supply chain
     • Accreditation and compliance
     • Cyber Essentials
     • PAS555
     • OWASP
     • Common Criteria
     • ISO27001
     Network Rail Procurements Standards for High Risk suppliers
       9. The Supplier shall be certified to the government’s Cyber Essentials Scheme as a minimum requirement and shall provide evidence of its certification. Alternatively, proof of certification against ISO 27001 is acceptable, providing that the certification covers the part of the organisation that is delivering the Services.
       10. The Supplier shall, as far as is reasonably practicable, categorize Assets according to the potential impact to Network Rail of their loss of confidentiality, integrity and availability (‘Categorization’); those with significant potential impact shall be notified to Network Rail.

  8. Conclusion
     • Cyber attack is a real threat to our Railway
     • Rail infrastructure systems have been attacked and compromised
     • Effective cyber security is a condition of entry for digitisation of the railway
     • Our needs are not unique, as critical national infrastructure our standards must be high
     • 3. We’re in it together
     • We’re all a target and we’re all part of the solution

  9. Please visit the Cyber Security stand in room E1 for more information. Thank you
