Resilient journeys: Part 1

15 May 2018

The transport industry is experiencing disruption from a range of digitalisation and automation technologies, with some sub-sectors transforming more rapidly than others. The industry as a whole, faces two imperatives; be confident in the digital transformation of their enterprise and ensure their operational IT environment remains resilient and safe.

Increased interconnectivity within and between operational and corporate systems not only creates increased opportunities for cyber incidents to occur, it also potentially makes them more damaging. Organisations now engage with a broader range of suppliers and exchange higher volumes of (often) commercially sensitive or regulated data as part of routine business as usual activities. Indeed, PwC’s recent Global State of Information Security Survey shows that there has been a rise in security incidents attributed to third parties in the past year.

Transport executives are accustomed to managing high-risk business environments; safety programmes have been maintained at such a high standard that other industries have attempted to emulate them. Moreover, past records of safety management lead many across the transport sector to presume that their systems are immune from cyber-attacks. However, as safety management often discounts malicious activity, this may not always be the case. The need for linking the safety consequences of cyber security vulnerabilities is of growing importance, in order to ensure sufficient and proportionate measures are in place to obtain and sustain passenger confidence. ‘Trust takes a lifetime to gain and a moment to be taken away.’

National and international regulators are therefore increasingly concerned with the safety consequences of cyber incidents and are drawing up policies, standards and best practice guidance. If the transport industry does not consistently and coherently address the linkages between safety and cyber security, the successful ‘go-live’ of the next generation train, ship, car or plane may well be put at risk.

Organisations need to be able to link cyber security risk with safety risk assessment processes in order to quantify the safety consequences of a cyber threat or vulnerability. Therefore, support is required to assist organisations in prioritising the mitigation of risks in order to fulfil formal safety obligations.

PwC supports regulators, public and private transport organisations alike in addressing the challenges of realising the maximum business benefit from digital disrupters, whilst at the same time being confident in the transformation. Only through being secure and private by design and assuring for safety will you obtain and sustain passenger and customer confidence.

In terms of regulatory governance and guidance, the US, Europe, and the USA have launched top-down initiatives to address the lack of standards and ability to share threat intelligence, but they are not being filtered down in a collegiate way. Similarly, many industry bodies have produced or come together to produce bottom-up industry-led guidance, standards and platforms. Both approaches are valid, but historically, there has been no coherence or consistency. Sometimes too much can be more damaging than not enough.

Domestically, regulatory bodies have struggled to provide the required cyber security certification criteria, methods and toolsets. This is often due to digital disruption outpacing doctrine and policy. Without a common framework in place, substantiating the safety and security of future transport platforms will remain extremely difficult, if not dangerous.

The Network and Information Systems Directive (NIS) will make significant strides in addressing this, requiring Operators of Essential Services (OES) to demonstrate a defensible position as to their cyber security compliance and their ability to report cyber incidents to their Competent Authorities (CAs). The NCSC has released a Cyber Assurance Framework, which is intended to be a systematic method for assessing the extent to which operators of essential services (OES) are achieving the outcomes specified by the 14 NIS principles. This cross-sector guidance will be complemented with sector-specific guidance that is being defined by the Competent Authorities. OESs and CAs should already be collaborating to ensure that industry leading practice is enshrined in sector-specific guidance. Similarly to GDPR, organisations will need to have established a defensible position, which is subtly different from certification or general compliance. We have experience defining defensible positions, so please get in touch if you need assistance.

Our public sector transport cyber security team has produced a new blog series called “Resilient Journeys.” It will explore the specific issues affecting each mode of transport and how organisations can take action to become more confident in their digitalisation journeys. Look out for the following blogs as part of this series over the coming weeks:

  • Resilient Skies” by Abigail Wilson
  • Resilient Rail” by Rebecca Taylor
  • Drones & autonomous vehicle security” by Mark Baker


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.