West Midlands Trains Uses SureCloud’s Cybersecurity Services
October 2020 by Marc Jacob
Stuart Codack, Information Security Manager and Steve Roberts, Head of IT at WMT, gave us an inside look into working with SureCloud’s cybersecurity team.
About West Midlands Trains
As an operator of essential services and part of our critical national infrastructure, West Midlands Trains are constantly reviewing the service that we provide and the supporting processes to ensure that we are giving our customers the very best service. WMT will routinely carry over 200,000 passengers over any of our 1300 services per day, operating from London to Liverpool and predominately in the West Midlands area.
Aligning to our business objectives
Whilst providing the best service possible, the business is responsible for making upgrades as part of our commitment to the Department for Transport and agreed set of objectives defined within our committed obligations. These could range from large projects to developing stations such as Wolverhampton, upgrading and enhancing our trains’ capacity, or providing more technical solutions to allow our customers to purchase tickets and view our services online.
Our key cybersecurity challenges
Understanding the emerging and constantly evolving threats to rail is critical to ensure that we provide an efficient and responsive technical solution for the services we operate. We operate within a number of frameworks, most significantly the Network Information Systems (Directive) provided to Operators of Essential Services (OES), and we also feed in elements of both ISO27001 and NIST. The Department for Transport, in conjunction with the National Cyber Security Centre, encourages a mature cybersecurity posture, and closely monitors and assesses our assurance levels.
This approach challenges us constantly and places high demands on our enterprise to deliver and maintain a strong cybersecurity posture. Understanding where any actual or potential weaknesses are helps us directly apply our resources to protect our systems and maintain confidentiality, integrity and availability. Although often overlooked, recognizing where we have achieved success has also helped to justify continued and future spending to senior management by assuring them that a proactive cybersecurity strategy is worth the investment.
Why we chose SureCloud
Chosen for their professionalism during the tender stage, SureCloud comfortably convinced the decision-makers of their technical capability, flexibility and willing attitude to join the business on their journey, as opposed to other vendors providing the essentials with hidden costs introduced as additional extras.
Another key benefit that helped SureCloud stand out from the rest was the technology-enabled services approach utilizing SureCloud’s Platform to underpin the service delivery. The cloud-based Platform has provided a forum for us in which workstreams can be identified and allocated to third-party vendors. The business allows remediation work to be assigned and worked on concurrently. The Platform provided us with clear visibility of our testing outcomes and helped us to establish the evidence and patterns of work that support the various questions across the frameworks that call for continual service improvement. Demonstrating a proactive response to aspects of an ISMS has been invaluable.
The benefits of the Cybersecurity-as-a-Service package
Support was measured against the requirements of the organization. It was provided on demand and willingly offered throughout all stages of the agreement, with no signs of wavering support on completion of any of the work packages.
The penetration testing has provided a great deal of insight and visibility into areas that needed improvement while assuring other areas where the business had demonstrated some good practices. The results were well presented via the Platform with the context that allowed the team to define the risk and whether any action would be needed to mitigate or reduce those risks. The level of expertise was fantastic, with identified areas supported by impacts and potential solutions.
Overall, West Midlands Trains are very satisfied with their investment in the SureCloud tech-enabled services, and have already recommended SureCloud to a number of partners based on the work conducted. West Midlands Trains are passionate about managing an effective cybersecurity program and the business will continue to work with SureCloud in the future.