TfL’s internal cybersecurity team often “engaged after the application/system has gone live or been procured” causing delays when vulnerabilities are belatedly found
Transport for London (TfL), the local government body responsible for billions of journeys annually across London, is seeking a partner to help it deliver a pan-TfL penetration testing and IT health check service across its sprawling estate.
Hinting that its existing cybersecurity team, the TfL Cyber Security and Incident Response Team (CSIRT), is spread thin, TfL said CSIRT is often engaged too late within the lifecycle of a project that needs a pen test, causing project delays.
A pen test is defined by the NCSC as “a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” In short, it is a simulated attack, designed to shore up an organisation’s security.
TfL Penetration Testing
Transport for London wrote on a European tenders page: “There are varying requirements for various business units and as such penetration testing can be split into distinct areas. These engagements can be via, large contracts with single providers or smaller contracts with companies engaged through project activity.”
The company added: “In many cases… CSIRT are engaged late within the lifecycle of a project which requires a penetration test. When CSIRT are engaged after the application/system has gone live or been procured, and there has not been an independent penetration test, the project cannot go live, therefore delaying the project.”
TfL concluded: “Issues are also encountered when projects engage companies without determining the scope/methodology to address specific risks to TfL. This lack of scoping potentially leads to a lower quality service provided to TfL, delaying the overall project and increasing the overall project cost due to re-testing/independent verification.”
New Pen Testing Framework Needed
TfL wants to “create a framework to address many of these issues” and will host a series of market engagement events until November 2018 at which “participating organisations will be engaged to elaborate upon their thinking.”
Charl van der Walt, Chief Security Strategy Officer at SensePost, told Computer Business Review: “I find TfL’s approach to this fascinating. I haven’t seen a security challenge tackled through open engagement like this before. To me it speaks to maturity in their thinking and work which is pretty uncommon.”
TfL is responsible for Crossrail, the tube and “surface transport” across London. The latter includes buses (which last year supported 2.24 billion journeys across the capital), trams, river services, cycling, roads and more.
The organisation derives over 85 percent of its revenue from passenger income and last year was forced to tighten its belt as it faced its first financial year without a direct operational grant from the government, meaning the loss of more than £700 million in funding. TfL has “consolidated” head office accommodation as a result, vacating older buildings and co-locating staff to a new hub in Stratford.