Interview: Network Rail Head of Information Security Peter Gibbons

By Dawinderpal Sahota

30 Apr 2010

[Picture: workers on the track. Caption: Track automation is one area the organisation is looking at]

With a turnover of £8bn and 36,500 employees on its books, Network Rail is one of the UK’s largest and best known organisations. This year, it has set itself a target of ensuring that a minimum of 92.6 per cent of trains reach their destination on time, a figure that the company had actually surpassed – it was 95 per cent – on the day Computing met the company’s Head of Information Security, Peter Gibbons.

He explained how investment in security IT has helped Network Rail reverse the fortunes of the UK’s rail infrastructure.

The company took over the running of Britain’s rail infrastructure in 2002, and since then has invested between £70m and £90m every year in new technology, or upgrades to existing technology. It has one of the largest Oracle ERP deployments in Europe too. Despite that, there is still a lot of legacy infrastructure in place, and its main operating systems in the mainframe have been running successfully since the 1960s.

Where the company is different from more traditional private companies is that it doesn’t have any shareholders, and therefore profits are ploughed back into the firm. So as Gibbons explains, his justification for expenditure on IT is “somewhat different from many chiefs”.

The ultimate measure of his return on investment is in the number of trains that turn up on time, which means he has to work out which technology will be most likely to make this happen.

Furthermore, the government has given Network Rail tougher targets to meet in terms of cost cutting, and Gibbons said that he intends to make this happen by limiting security failures – such as unchecked virus or Trojan attacks – which can cost the company money in lost business or customer information.

“We need to manage costs that might come about as a result of risk. So we have a fairly mature risk organisation, it assesses risk at a strategic level as well as in operations and information management – we just have to ensure that risk is kept at a tolerable level,” he said.

“Information must be made available to those that need it – but kept secure from those that don’t – for example engineers must have access to the information they need or the service won’t run effectively and efficiently.

“So managing the information, for me, is where the benefit is. But the returns have to be demonstrable, and money’s tight – as it is for everyone – so we have to be very careful about the spending we undertake.”

Gibbons said three projects have been implemented to help mitigate the risk of information being compromised: a new Gateway solution; a virtual private network (VPN) upgrade; and a disk encryption project.

Gateway

The company has installed a new external gateway solution, with the help of system integrator Atos Origin. It has upgraded the gateway solution so that all connectivity to the internet and email, and all use of internet-based services, such as the way that the company logs incidents on the railway, are dealt with more securely.

“We’ve got a long history of working with Atos Origin, they used to have our mid-range estate in their datacentres which were moved across to [IT solutions and outsourcing provider] CSC a couple of years ago,” said Gibbons.

Atos Origin also manages the mainframe on behalf of all of the UK’s train operators.

“For this project in particular, we took something that is quite big, difficult and complex and by really integrating the two teams [Network Rail and Atos Origin], we managed to get a project delivery in about four months, from start to finish.”

Gibbons explained that when the company upgraded its previous gateway solution almost five years ago, the project took 12 months to complete.

“So we’ve done something more complex, with greater reach and more impact on the business and we’ve done it in a third of the time,” he added.

VPN

The bulk of the VPN project, which includes a VPN upgrade and an email security upgrade, has been completed and the company is now putting the final touches to it.

“The VPN solution that we had in place was looking a bit dated,” Gibbons explained. “It wasn’t as flexible as I wanted it to be, so we’ve replaced it with a more up-to-date service meaning we can publish software or applications for use onto the network giving us a better way of collaborating with our partners and suppliers.”

He added that the VPN offers a more secure way of distributing information to its workforce so that no matter where they are and what they’re doing, they each have access to the resources that they need to provide a high-quality train service. “That’s just going live as we speak,” he said.

Disk encryption

Another undertaking that has been keeping Gibbons busy has been the implementation of a disk encryption project. The company went through a traditional tendering exercise and selected disk encryption vendor PGP for its solution for mobile encryption.

“Mostly it’s been a pretty well managed project. We’ve encrypted around 12,000 laptops over four to six months from project start to completion.

“We did have some issues though,” he admitted. “We had to upgrade from Windows XP to Vista – we had some issues with the upgrade [with regard to integration of the disk encryption technology] on our laptops and some issues with testing applications.”
