With a remit that includes rail, roads, maritime, aviation, freight and logistics, and cycling, the Department for Transport (DfT) is responsible for transport matters in England and un-devolved areas of Great Britain’s network. Established in 1919, when it was called the Ministry of Transport, the organisation has evolved hugely since those days – exemplified by one of its four key objectives: strengthening the safety and security of transport.
One individual at the front line of this mission is Natasha Maksymowski, rail cyber security advisor at the DfT. Natasha speaks with Dave Songer for this week’s SmartRail World 5 Minutes With… offering an insight into what motivates her, the DfT’s approach to cyber security and why the West Coast Main Line is her favourite train journey in the world.
Dave Songer (DS): What does your role as DfT rail cyber security advisor entail?
Natasha Maksymowski (NM): My role as a rail cyber security advisor involves working with colleagues within DfT and other government departments, as well as individuals in the rail industry. I assist in taking forward cyber security policy developments in the rail sector, including identifying and leading modal projects. My role requires a lot of cross-government and industry engagement, so I’m always out and about!
(DS): What do you most enjoy about it?
(NM): I enjoy the variety – some days I’m in the office, or meeting with industry to discuss various work streams, while other days I’m attending conferences and networking. It really varies, and I’ve really enjoyed learning more about cyber in the rail environment. Working with industry means that we can get the views and opinions of those essentially on the front line, and we’re happy to take their views on board when it comes to taking forward policy developments.
(DS): What is the biggest professional challenge you’ve faced?
(NM): I’d probably say, at least in my current role, not having come from a cyber background. It’s been a steep learning curve and in the beginning it was difficult to follow some of the technical discussion I had to sit in on, but I’m slowly getting there. I feel with the ever-evolving nature of cyber security there is always more to learn, and as soon as you think you are up to date something new comes along.
(DS): What are the DfT’s key priorities around cyber security in the future? Can you provide an overview of its work in the rail sector?
(NM): At the DfT, we aim to understand, mitigate, respond and promote. This involves trying to understand the cyber threat and the vulnerabilities for the transport sector, mitigate cyber risks and take appropriate action to protect key assets. We also respond to cyber incidents effectively and ensure that lessons are learnt, and promote cultural change, raise awareness and build cyber capability. In the last two years since the DfT cyber team was established, we’ve been very much in the understand space, but we are now beginning to branch out in order to work towards our other aims.
Some of the work we have carried out includes carrying out cyber security assurance work of various industry partners’ approaches to cyber security, running cyber exercises in order to test cross-government and industry response to disruptive cyber incidents and raising general awareness and engaging with industry partners and external organisations.
Over the next year we’ll be continuing our work to provide cyber security assurance on major rail projects, carrying out a critical systems review, and carrying out research into the psychological impact of cyber incidents in the transport industry.
(DS): What about the NIS Directive the DfT is implementing, can you tell me about that?
(NM): The European Directive on Security of Network and Information Systems (the NIS Directive) requires operators of essential services to manage risks to network and information systems on which an essential service depends, and report serious incidents affecting the continuity of essential services to the Competent Authority.
The DfT is due to issue its sector-specific guidance at the end of March, which will include how the NIS Directive fits in with existing rail regulations, as well as incident reporting thresholds. A Cyber Assessment Framework (CAF) will follow this guidance, which operators will use as a self-assessment tool in the first instance.
(DS): How do you think protecting against cyber security could change in the future?
(NM): I can’t predict the future, but I would hope that there would be a more joined-up approach across the sector. Industry is often sceptical about reporting cyber incidents, and although the NIS Directive will place a legal obligation on industry to report incidents meeting specific thresholds, it’s useful for others to understand the threat that organisations face and learn lessons from those who have suffered from a cyber-attack that may not have reached the NIS threshold.
(DS): You’re going to be speaking at SmartRail. What are you most looking forward to at the show?
(NM): I’m looking forward to networking with a wide range of people from all over the world. I find it very interesting to get the perspective of others on how to deal with cyber issues, and I think it’s important that we all share best practice and learn lessons in order to ensure the rail sector is secure from cyber-attacks.
As I am sitting on the panel on Wednesday morning, I’ll be very much led by the moderator and audience, but I’m hoping that I’ll have a chance to discuss the DfT’s approach to cyber security and some of the work we have done, as well as the NIS Directive.
(DS): What’s your favourite rail journey – wherever that may be in the world – and why?
(NM): I’d probably say the London to Manchester train journey in the UK as it holds a lot of meaning for me; my family live in Manchester and I live in London so travelling on those trains means I get to visit them. It’s also a pleasant journey and, if it’s light outside and you can get a window seat, the further north you get the more green you see, which if you’ve ever been to London you’ll know there isn’t much of that there!