Remove this if sending to pagerunnerr Page Title Light Rail Security Recommended Best Practice

Download 261.16 Kb.
Size261.16 Kb.
1   2   3   4   5   6   7   8   9   ...   17

Discovery of 'white powders'

A 'white powder incident' is a phrase often applied to the discovery of a substance (solid or liquid) where the finder cannot eliminate the possible presence of a chemical or biological hazard. (Not all such hazards are white, or powders). An example of the concern is the series of Anthrax attacks in the US in 2001. That event caused a small number of deaths and large-scale disruption (because of the need for extensive decontamination).

The majority of white powder incidents in the rail environment (and elsewhere) have related to benign substances and were not accompanied by any kind of threat information. Examples of risk aversion have included concerns about spilt flour (from a shopping bag); spilt plaster (dropped by a builder); salt (spilt on a canteen table); liquid soap (found under a soap dispenser in a staff bathroom); white powder (found after the discharge of a powder fire extinguisher). In the absence of a specific threat, or any other credible reason to believe such discoveries are suspicious, the scenario should be dealt with under normal housekeeping arrangements.

Where the discovery is believed to be malicious (e.g. a threatening letter, observed suspicious behaviour, a face-to-face threat received by staff or passengers), it should be investigated by police, who will also give specific risk management advice. In the unlikely event of people having been exposed to a genuine hazard, any uncoordinated evacuation will spread the hazard further, contaminate more people and delay effective medical intervention. In the absence of people becoming unwell, evacuation should be limited to adjacent rooms/carriages and people kept near the scene. In the event of a small scale contamination, the blue light services (police first point of contact) should be called. If the substance is deemed toxic, the police will launch an initial operational response, drawing in colleagues from the other emergency services as appropriate.

Responding to a cyber incident

Any electronic or cyber incident, which affects any critical engineering assets or engineering assets that perform a safety function should be reported to the Department for Transport ( Telephone 020 7744 2870) and Office for Rail Regulation (Telephone 020 7282 3910), in a timely manner. Incidents reaching the threshold of 'Level 0 - Exceptional Occurrence' as defined in the Centre for Cyber Assessment (CCA) Cyber Incident Coordination Plan (CICP) should be reported immediately to CERT-UK by telephoning 01242 709311 or by emailing (Unclassified to: ; and Restricted / Official Sensitive to: ).

This does not preclude you from consulting the CERT-UK were you unable to manage the consequences of an attack alone.

Incidents that should be notified:

Deliberate or accidental destruction, alteration, disruption, or disclosure of asset software or data, resulting from device connections;

Successful unauthorised access or alterations to assets. (Unsuccessful attempts should be recorded locally for audit purposes and only notified if they are repeated or persistent);

Malware infection of assets. (Blocked infection attempts, e.g. detected and blocked by anti-virus software and procedural controls, should be recorded locally for audit purposes and only notified if they are repeated or persistent);

Theft of assets and asset data (including disclosure by social engineering) that may be used to further compromise the asset base, including engineering laptops, engineering asset user account credentials, engineering documentation. (Unsuccessful attempts should be recorded locally for audit purposes and only notified if they are repeated or persistent).

What does not constitute an electronic or cyber Incident:

Random hardware failure of asset;

Design flaw or design error (failure of intention to implement the correct design);

Installation or manufacturing flaw or error (failure of intention to install or build the correct design).

The Modes of Attack

Cyber systems used on UK railways may be subject to unauthorised access through various means:
Remotely, via the internet, or open non-secure telecom networks.

At close hand through direct contact with infrastructure (e.g. through a USB port).

Locally, through unauthorised access to physical infrastructure, or insider threat (infiltration).

The Vulnerabilities

Use of unauthorised devices

Use of unauthorised software

Unsecured configurations for hardware and software

Lack of vulnerability assessment and remediation

Lack of malware controls, or controls that are poor quality or obsolete

Poor control of application software security

Poor control of wireless devices.

Poor data recovery capability.

Lack of skilled employees.

Unsecured configurations for network devices.

Ineffective limitation and control of network ports, protocols, and services.

Poor control of administrative privileges.

Poor boundary defence.

Poor maintenance, monitoring, and analysis of security audit logs.

Poor access control.

Insufficient account monitoring and control.

Inability to effectively prevent data loss.

Insufficient incident response capability.

Unsecure secure network engineering.

Lack of security system testing.

Investigating persons should look for one or more of the following:

Coincidence with another security breach, perhaps physical

Records indicating the connection of an unauthorised media or data storage device

Instructions issued from unexpected sources internally

Instructions issued from unknown or suspicious sources externally

Abnormal, illogical or otherwise obviously suspicious instructions being issued from any source.

Recently imported data

Recent activation of unknown software or script

Unauthorised disabling of firewalls, or security software

Unauthorised deletion or alteration of data

Drops in light levels in fibre-optic cables

Directory: government -> uploads -> system -> uploads -> attachment data -> file
file -> 8 Section 1 : Sport
file -> Notice of exercise of additional powers of seizure under Sections 50 or 51 of the Criminal Justice and Police Act 2001
file -> Home office circular 004/2014 Powers to search for and seize invalid travel documents in Schedule 8 to the Anti-social Behaviour, Crime and Policing Act 2014
file -> Consultation on the Royal Parks and Other Open Spaces (Amendment) (No. 2) Regulations 2012
file -> Crown copyright 2012
file -> This is the Report to Government by the Film Policy Review Panel The brief
file -> Impact Assessment (IA)
file -> Dcms/Wolfson Museums and Galleries Improvement Fund a public-Private Partnership (2002-2010)
file -> Hms victory 1744: options for the management of the wreck site

Share with your friends:
1   2   3   4   5   6   7   8   9   ...   17

The database is protected by copyright © 2020
send message

    Main page