Stuart Codack, Information Security Manager and Steve Roberts, Head of IT at West Midlands Trains (WMT), gave an inside look into working with SureCloud’s cyber security team.
As an operator of essential services and part of the critical national infrastructure, West Midlands Trains (WMT) are constantly reviewing the service that they provide and the supporting processes to ensure that they are giving customers the very best service. WMT will routinely carry over 200,000 passengers over any of the 1300 services per day, operating from London to Liverpool and predominately in the West Midlands area.
Aligning to business objectives
Whilst providing the best service possible, the business is responsible for making upgrades
Whilst providing the best service possible, the business is responsible for making upgrades, as part of their commitment to the Department for Transport and agreed set of objectives defined within the organisation’s committed obligations.
These could range from large projects to developing stations, such as Wolverhampton, upgrading and enhancing the trains’ capacity, or providing more technical solutions to allow customers to purchase tickets and view train services online.
Key cyber security challenges
Understanding the emerging and constantly evolving threats to the rail is critical to ensure that WMT provide an efficient and responsive technical solution for the services operated. They operate within a number of frameworks, most significantly the Network Information Systems (Directive) provided to Operators of Essential Services (OES), and also feed in elements of both ISO27001 and NIST.
The Department for Transport, in conjunction with the National Cyber Security Centre, encourages a mature cyber security posture, and closely monitor and assess assurance levels. This approach challenges WMT constantly and places high demands on the enterprise to deliver and maintain a strong cyber security posture.
Understanding where any actual or potential weaknesses are helps in directly applying resources to protect systems and maintain confidentiality, integrity and availability. Often overlooked, recognising where WMT have achieved success has also helped to justify continued and future spending to senior management, by assuring them that a proactive cyber security strategy is worth the investment.
SureCloud cloud-based platform
Chosen for their professionalism during the tender stage, SureCloud comfortably convinced the decision makers of their technical capability, flexibility and willing attitude to join the business on their journey, as opposed to other vendors providing the essentials with hidden costs introduced as additional extras.
The SureCloud platform provided WMT with clear visibility of testing outcomes
Another key benefit that helped SureCloud stand out from the rest was the technology-enabled services approach, which utilises SureCloud’s platform to underpin the service delivery. The cloud-based platform has provided a forum for WMT, in which work streams can be identified and allocated to third-party vendors. The business allows remediation work to be assigned and worked on concurrently.
The SureCloud platform provided WMT with clear visibility of testing outcomes and helped to establish the evidence and patterns of work that supports the various questions across the frameworks that call for continual service improvement, whilst demonstrating a proactive response to aspects of ISMS has been invaluable.
Benefits of the Cyber security-as-a-Service package
Support was measured against the requirements of the organisation and was provided on-demand and willingly offered up throughout all stages of the agreement, with no signs of wavering support on completion of any of the work packages.
The penetration testing has provided a great deal of insight and visibility into areas that needed improvement while assuring other areas where the business had demonstrated some good practices. The results were well presented via the platform with the context that allowed the team to define the risk, and if any action would be needed to mitigate or reduce those risks. The level of expertise was fantastic, with identified areas supported by impacts and potential solutions.
Effective cyber security program
Overall, West Midlands Trains are very satisfied with their investment in the SureCloud tech-enabled services, and have already recommended SureCloud to a number of partners based on the work conducted. West Midlands Trains are passionate about managing an effective cyber security program and the business will continue to work with SureCloud in the future.