Cyber Security Management and Assurance

Document type: Micro-report
Author: Lee John Allen CEng MIET CMgr MCMI AMIRSE
Publication Date: 18/05/2023

  • Abstract

    Crossrail has delivered the first truly digital railway in the UK. To ensure a resilient and reliable Elizabeth line railway, all newly delivered system elements (Stations, Shafts, Portals and Routeway systems) need to be robust and secured against any undesired attack, whether accidental or deliberate. This paper gives an insight into some of the challenges the Cyber Security team experienced whilst implementing Cyber Security delivery and assurance on an in-flight programme like Crossrail.

  • Read the full document

    Introduction

    In 2019 Crossrail appointed a new and dedicated Chief Information Security Officer (CISO), who set about the creation of a Cyber Security delivery and assurance team, with a clear objective of electronically securing the UK’s first digital railway.

    The CISO was recruited from within TfL and already had significant Telecoms, Signalling, rail systems and Cyber Security leadership experience from delivering other smaller railway projects and programmes.

    The first activity was to implement a Cyber Security transformation programme called ‘Cyber Security fit for the first all-digital railway’, which had 3 key areas of focus.

    • People – recruitment of cyber security experts, plus graduates and junior engineers that were keen to help and learn
    • Requirements – with a focus on better definition and simplicity of what was required. Also, a clear plan of how to assure the railway from a Cyber Security perspective
    • Structure and Leadership – restarting of the Cyber Security steering group and weekly team meetings. Embedding collaboration and a clear escalation path for technical issues.

    This new and dedicated Cyber Security team was made up of a mixture of experienced IT Cyber Security professionals from the supply chain and graduates and junior engineers wanting to learn and gain experience of delivering Cyber Security on a major railway programme.

    History

    Prior to 2019, there were only a few individuals in the Crossrail programme working part time on Cyber Security with a narrow focus on the Signalling and Telecoms contracts. These individuals took on Cyber Security in addition to their normal discipline activities. The other systems and main construction contracts had little or no Cyber Security focus and attention.

    Cyber Security activities were treated as an adjunct to other activities and not given dedicated attention and focus.

    There was also a general lack of understanding of Cyber Security and its importance to a railway system, resulting in:

    • no specific budget,
    • no risk provision,
    • insufficient technical resources,
    • insufficient technical and executive leadership.

    Post 2019 the priority changed, and Cyber Security was given more prominence.

    In summary it was recognised that a step-change in activity on cyber security was urgently required to ensure the railway was as electronically secure as it needed to be. 

    Secure by design

    Cyber Security is the technique of protecting electronic devices, networks, software and data from unauthorised access or attacks. On a programme like Crossrail there are many different systems and sub-systems that use networks, data and software, which need securing both individually and collectively as a railway system.

    As some of those railway systems are safety critical and safety related, it was imperative that security and safety assurance were linked together, ensuring that a safe and assured system is also a secure system.

    As Crossrail was the first UK digital railway it was essential that the delivery organisation maintained a big picture view of managing the delivery and Cyber Security assurance of a truly digital railway system.

    Therefore, a specific Cyber Security objective was defined by the CISO, which was used as a goal for each delivery element and for the complete railway system.

    Goal – The enabled and integrated digital railway system is acceptably electronically secure, and organisational arrangements are in place to continuously manage the operational Cyber Security risk throughout the systems’ in-service life.

    Cyber Security Requirements

    To ensure that an electronically secure railway system was delivered, eight Cyber Security requirements were created. All affected parts of the Crossrail programme had to follow these and adopt them into their contracts.

    8 Cyber Security Requirements

      1. Cyber Asset List
      2. Cyber Asset Configuration Management
      3. Backup Management
      4. Policies, Processes, Procedure and Manual
      5. Cyber Asset Hardening
      6. Account and Password Management
      7. Virus and Malware Control
      8. Vulnerability Management

    Whilst these eight Cyber Security requirements were specific to Crossrail, they were in addition to the requirements defined in IEC62443, TfL, RfLI and governmental standards, guidance, policies, and procedures for Cyber Security.

    It’s worth noting that neither NIS regulations, nor the NCSC Cyber Assessment Framework existed when Crossrail was established as a programme, but where possible and practical these were adopted and embedded in the works.

    These Cyber Security requirements were issued and instructed to all the Delivery teams and Tier 1 Contractors. However, they were seen by some as extra work and a major scope change that would impact cost and schedule, so it was a challenge from day one to get them delivered. The challenges of implementing this change were varied and are summarised below.

    1. Budget – Additional funding was needed for this work, which required justification and approval at the highest level
    2. Time – The work needed to be implemented without impacting an already time constrained programme
    3. Contract completion – some contracts were near completion or had completed, so implementing this work was a major and disruptive change of scope for the contractors
    4. Understanding – not everyone on the project or in the supply chain understood why Cyber Security was an essential part of a railway system delivery and operation
    5. Outcomes – embedding Cyber Security requirements late in a project lifecycle resulted in significant design changes and rework on some system contracts

    Whilst most contractors didn’t appreciate the late change, some of the system contractors understood and welcomed the changes, as they could see the importance and benefit of implementing Cyber Security on such an important railway programme.

    Cyber Security design approach

    In addition to establishing the Cyber Security requirements, there was also a need to define the system and railway system boundaries and their internal and external interfaces. To that end, a layered Network Operational Technology diagram was created.

    As the Cyber Security requirements were developed after the systems design had commenced, the approach taken was to bolt on and adapt the systems to best meet the requirements. However, this had time and commercial impacts and wasn’t always a welcome change to the delivery teams.

    Where possible the Cyber Security system design took a standard approach, using defence in depth and Zones & Conduits and other such techniques to enhance the systems security.

    Risk management

    Where possible, Cyber Security Risk & Threat assessments were carried out on each of the element systems, and their output fed into updates of the system designs. Again, this wasn’t always a welcome change to the delivery teams.

    The focus of the risk assessments was mostly on system access, especially on external & temporary connections to these systems and how people will accidentally or deliberately connect to these systems.

    An overarching risk register and residual works tracker was created to manage the closing of the risks and where applicable to facilitate the transfer of any risks to the system operator and maintainer.

    Crossrail was delivered over a long period of time and the systems will be used for many years to come, so it was vital to ensure the Cyber Security risk would be continually managed throughout the life of the system.

    Vulnerability Scanning and Penetration testing

    It is essential to scan and penetration test any new systems and Crossrail was no exception. Numerous tests of the individual systems were undertaken, as well as systemwide, cross boundary and external penetration tests, to prove beyond reasonable doubt that the railway system was acceptably electronically secure.

    As part of the planning for scanning and penetration testing, we developed a clear scope and requirements, including coverage, an objective and success criteria for the outcomes.

    The outcomes of the testing were then triaged, mitigated, resolved and managed accordingly.

    Assurance

    Once the requirements were established, it was easier to manage the assurance of each system, as there was a benchmark to assess each system against. However, as Cyber Security assurance was a late change to most contracts, it was always seen as a bolt-on, additional task the contractors had to do to complete the works, so it was a challenge to get Stations, Shafts, Portals and Routeway contractors to deliver the required assurance for their system.

    There was a mix of contractors working on Crossrail, with a range of cyber security experience, from none to expert level. The routeway and systemwide contractors generally had sufficient technical capability and resources; however, the Stations, Shafts and Portals construction contractors had very limited or no cyber security experience.

    For construction contractors, Cyber Security was largely new. As a result, Crossrail had to provide significant levels of support, including engagement with their Tier 2 and Tier 3 supply chains, so that the necessary actions to ensure security were undertaken and appropriate verification and assurance evidence was provided.

    To manage the Cyber Security assurance delivery for each individual element, a RAG status tracker was created, not just to track the status, but also to understand the top critical issues, the level of risk and what was being done to manage the risk.

    To assist the delivery of each element’s Cyber Security assurance, lessons learned were regularly shared with all Station, Shafts and Portal Elements and Routeway Chapters. Process improvement opportunities were identified to make the activity more efficient and repeatable.

    Cyber Security was made a consideration at any major delivery and assurance gate, making Cyber Security a discipline that required sign off by a competent Cyber Security professional.

    Railway assurance pyramid

    A bottom-up approach was taken to Cyber Security assurance, starting with the lowest level systems and slowly building up to the complete railway system, using a pyramid approach. This approach ensured that each system and each system’s internal and external interface, or ‘hot spot’, was captured. This ensured the complete railway system was assessed and assured as a whole.

    Figure 1 –

    Objective achieved

    The objective was achieved…

    The enabled and integrated digital railway system was acceptably electronically secure, and organisational arrangements are in place to continuously manage the operational Cyber Security risk throughout the systems’ in-service life.

    However, it was a challenging journey and lots of experience was gained and lessons learned from the process.

    Lessons learned

    There are many lessons from Crossrail on Cyber Security. Below are several of the key ones:

    • Appoint a Cyber Security lead (CISO) and establish a dedicated team to manage the Cyber Security assurance
    • Start Cyber Security activities early; don’t leave it too late to define what is required
    • Embed Cyber Security requirements in procurement contracts and technical scopes of work
    • Raise the profile of Cyber Security at an executive and board level and ensure adequate resource and budget is provided
    • Have a strategy and plan for managing Security updates, upgrades and patching during the project and system life
    • Understand that software is also an asset that requires management and control through the project and system life
    • Have a strategy and plan for Vulnerability Scanning and Penetration Testing, including how the outcomes of any testing will be managed
    • Continuous management of the cyber security risk is required through the project and asset life
    • Not everyone will understand the importance of Cyber Security, so educate and train non-Cyber Security professionals, especially the designers and delivery contractors

    A must for any new project

    Our advice to any new railway major programme, or any railway project, is to include the following four items as a minimum in your or your contractors’ scopes of work:

    • Production of a Cyber Security Management Plan and Network Architecture Diagram
    • Undertaking of a Risk and Threat Assessment, including any specific requirements to address vulnerabilities
    • Undertaking of Penetration Testing, both system and railway system level, including all interfaces, especially external
    • Production of a Cyber Security Compliance and Assurance Case, based on a Verification and Validation process

  • Authors

    Lee John Allen

    Lee John Allen CEng MIET CMgr MCMI AMIRSE - Arcadis

    Lee is the designated Chief Information Security Officer (CISO) for Crossrail. He is a Telecommunications Engineer and Cyber Security professional with over 30 years’ experience and knowledge in telecommunications and signalling and control systems on metro and mainline railways, including over 15 years’ experience of implementing Cyber Security on metro railways.

    As CISO Lee is responsible for establishing and maintaining the vision, strategy, and programme to ensure that operational information, assets, and technologies are adequately protected.

    He joined Crossrail at the end of 2018 and has held several Cyber Security and Engineering Leadership roles on the programme.

    https://www.linkedin.com/in/lee-john-allen-90909812