As stated in the note published by Adif, yesterday at 06:00 "intermittent failures in traffic management operating processes" were detected that led to "delays in rail traffic [...] of Barcelona and Girona provinces and part of Tarragona and Lleida. The incident has affected both the main system and the two redundant ones that are activated in case of incidents in the main system. This has led to momentary traffic stops, selective suppression of trains and delays in the service". This incident has led Adif to open a formal proceeding against the company that provides the technology for the Barcelona Centralized Traffic Control, Schneider-Telvent.
We have considered it relevant to analyse this piece of news because it illustrates an issue that LEET Security regards as essential in client-provider relationships: since the service provided remains the client's responsibility, the client must have supervision mechanisms that allow it to reasonably guarantee that the provider is able to deliver the quality expected by the client's users.
Considering that any system can suffer incidents and failures, and that no service is free from the risk of interruption, critical services (above all) need tested backup mechanisms that allow them to be restored within a time the organization accountable for the service considers acceptable.
In this sense, it is essential that organizations that depend on third-party providers for service provision have mechanisms that go beyond "simple" contract clauses, and have ways of knowing whether the provider has, at any moment throughout the life of the service, the preventive and reactive controls needed to assure service provision under the agreed terms, because, in the end, as we saw yesterday, when an incident happens the reputation that suffers is that of the organization accountable for the service.
So, if we, like Adif, have services that depend on third-party providers, we should ask ourselves the following questions to minimize the possibility of incidents like the one discussed above:
- Have we communicated the service requirements clearly to the provider?
- Have we confirmed that the provider understands those requirements?
- Do we have mechanisms to assure / supervise that the provider meets the requirements throughout the life of the service?
- Can we demonstrate due diligence in the selection and supervision of services provided by third parties?
You can follow us on twitter.com/leet_security