Interview: Network Rail Head of Information Security Peter Gibbons

The rail operator has implemented a range of new security technologies in a bid to keep service performance on track

Track automation is one area the organisation is looking at

With a turnover of £8bn and 36,500 employees on its books, Network Rail is one of the UK’s largest and best-known organisations. This year, it has set itself a target of ensuring that a minimum of 92.6 per cent of trains reach their destination on time, a figure that the company had actually surpassed – it was 95 per cent – on the day Computing met the company’s Head of Information Security, Peter Gibbons.

He explained how investment in security IT has helped Network Rail reverse the fortunes of the UK’s rail infrastructure.

The company took over the running of Britain’s rail infrastructure in 2002, and since then has invested between £70m and £90m every year in new technology, or upgrades to existing technology. It has one of the largest Oracle ERP deployments in Europe too. Despite that, there is still a lot of legacy infrastructure in place, and its main operating systems in the mainframe have been running successfully since the 1960s.

Where the company is different from more traditional private companies is that it doesn’t have any shareholders, and therefore profits are ploughed back into the firm. So as Gibbons explains, his justification for expenditure on IT is “somewhat different from many chiefs”.

The ultimate measure of his return on investment is in the number of trains that turn up on time, which means he has to work out which technology will be most likely to make this happen.

Furthermore, the government has given Network Rail tougher cost-cutting targets to meet, and Gibbons said that he intends to meet them by limiting security failures – such as unchecked virus or Trojan attacks – which can cost the company money in lost business or customer information.

“We need to manage costs that might come about as a result of risk. So we have a fairly mature risk organisation, it assesses risk at a strategic level as well as in operations and information management – we just have to ensure that risk is kept at a tolerable level,” he said.

“Information must be made available to those that need it – but kept secure from those that don’t – for example engineers must have access to the information they need or the service won’t run effectively and efficiently.

“So managing the information, for me, is where the benefit is. But the returns have to be demonstrable, and money’s tight – as it is for everyone – so we have to be very careful about the spending we undertake.”

Gibbons said three projects have been implemented to help mitigate the risk of information being compromised: a new Gateway solution; a virtual private network (VPN) upgrade; and a disk encryption project.

Gateway

The company has installed a new external gateway solution, with the help of system integrator Atos Origin. It has upgraded the gateway solution so that all connectivity to the internet and email, and all use of internet-based services, such as the way that the company logs incidents on the railway, are dealt with more securely.

“We’ve got a long history of working with Atos Origin, they used to have our mid-range estate in their datacentres which were moved across to [IT solutions and outsourcing provider] CSC a couple of years ago,” said Gibbons.

Atos Origin also manages the mainframe on behalf of all of the UK’s train operators.

“For this project in particular, we took something that is quite big, difficult and complex and by really integrating the two teams [Network Rail and Atos Origin], we managed to get a project delivery in about four months, from start to finish.”

Gibbons explained that when the company upgraded its previous gateway solution almost five years ago, the project took 12 months to complete.

“So we’ve done something more complex, with greater reach and more impact on the business and we’ve done it in a third of the time,” he added.

VPN

The bulk of the VPN project, which includes a VPN upgrade and an email security upgrade, has been completed and the company is now putting the final touches to it.

“The VPN solution that we had in place was looking a bit dated,” Gibbons explained. “It wasn’t as flexible as I wanted it to be, so we’ve replaced it with a more up-to-date service meaning we can publish software or applications for use onto the network giving us a better way of collaborating with our partners and suppliers.”

He added that the VPN offers a more secure way of distributing information to its workforce so that no matter where they are and what they’re doing, they each have access to the resources that they need to provide a high-quality train service. “That’s just going live as we speak,” he said.

Disk encryption

Another undertaking that has been keeping Gibbons busy has been the implementation of a disk encryption project. The company went through a traditional tendering exercise and selected disk encryption vendor PGP for its solution for mobile encryption.

“Mostly it’s been a pretty well managed project. We’ve encrypted around 12,000 laptops over four to six months from project start to completion.

“We did have some issues though,” he admitted. “We had to upgrade from Windows XP to Vista – we had some issues with the upgrade [with regard to integration of the disk encryption technology] on our laptops and some issues with testing applications.”

He added that one of the most fundamental issues the company faced was with the services support side of the project, in particular the difficulty the company had with getting adequate support for resetting passwords.

“In Windows, password reset is easy but if you’ve got a disk encryption product that’s linked in to your directory authentication, you also need a way of changing your PGP authentication.

“It’s a 23-25 character password, and just adding that extra layer of authentication added a greater complexity. Rolling this technology out wasn’t quite as straightforward as it seemed at first.”

Automation in future

In terms of plans for the future at Network Rail’s IT department, Gibbons’ ideas are quite straightforward: more automation.

“There are parts of our business that we know we can make more efficient by using technologies to support various processes,” he explained.

He said that one area the company is currently looking into is the concept of using remote devices on the track to capture information about the condition of the track, such as temperature and the electric traction.

By collating information about the mechanics of the railway and gathering it centrally, Gibbons hopes to be able to display that information to engineers in a way that they can analyse and use to predict when things are going to change.

“It would be better than sitting there and waiting for things to fail and then have a dozen trains just sitting there not getting to their destination,” he said.

He also indicated that Network Rail is looking into an array of systems around automating traffic movement on the railway. “There are a lot of European forums looking at how to use new technology to improve signalling – but that’s something for the future,” he added.