Common use of Technical Facilities Clause in Contracts

Technical Facilities. Database and communications for holding and sharing security information.
• Collect from known threat databases and add new events and experiences.
• MISP is commonly used for the above functions and to link different work groups within rail companies, and so fulfils a few needs (should be considered).
• MISP can have multiple instances, allowing for a centralised reference instance, plus installed instances within participating IM/RUs.
• MISP allows for a rule-based filter to select what is required from feeds. This facility can be used within rail partners to target their analysis and can be used in a central instance to ensure selection of relevant information.
• This model would need a. technical support, and b. threat analyst – this could then support a network of primary contacts in railways (IM/RU) shaped as SOC, CSIRT or other team form.
• MISP clusters can even be coordinated within a company, and some railway actors are doing this, so coordination between companies would be made easier by following this model.
• Adopting MISP would require support for smaller companies to adopt (e.g. via ENISA).
• MISP allows automated usage of outputs, and so can be well integrated with company systems / processes.
• The platform must be secure and tested to ensure control of data.
• Cross organisational is not necessarily a big problem, so it should be kept simple but secure.

Appears in 1 contract

Sources: Grant Agreement

Technical Facilities. Database and communications for holding and sharing security information.
• Collect from known threat databases and add new events and experiences.
• MISP is commonly used for the above functions and to link different work groups within rail companies, and so fulfils a few needs (should be considered).
• MISP can have multiple instances, allowing for a centralised reference instance, plus installed instances within participating IM/RUs.
• MISP allows for a rule-based filter to select what is required from feeds. This facility can be used within rail partners to target their analysis and can be used in a central instance to ensure selection of relevant information.
• This model would need a) technical support, and b) threat analyst – this could then support a network of primary contacts in railways (IM/RU) shaped as SOC, CSIRT or other team form.
• MISP clusters can even be coordinated within a company, and some railway actors are doing this, so coordination between companies would be made easier by following this model.
• Adopting MISP would require support for smaller companies to adopt (e.g. via ENISA).
• MISP allows automated usage of outputs, and so can be well integrated with company systems / processes.
• The platform must be secure and tested to ensure control of data.
• Cross organisational is not necessarily a big problem, so it should be kept simple but secure.

Appears in 1 contract

Sources: Deliverable D3.2