Firelink

VEGA provides a broad range of CESG CLAS security expertise to the Fire and Rescue Service’s (FRS) Firelink project, a key element of the UK’s Critical National Infrastructure.

The Challenge

Firelink is a Communities & Local Government-sponsored project managed by Mott MacDonald to replace the FRS radio communication system with the Airwave nationwide system. As a project, Firelink falls under the UK’s Critical National Infrastructure and will conform to Government security accreditation requirements.

Airwave was initially commissioned and used by the Police under an O2 contract. However, in an effort to aid interoperability and effectiveness between the UK’s three emergency services – Fire, Ambulance and Police – they are being migrated to the same radio system. The FRS therefore required a range of security activities to be conducted on an ongoing basis to ensure full Government compliance.

How VEGA helped

VEGA has been managing the Firelink Security Working Group (SWG) that oversees security of the Firelink system across the whole FRS in England, Scotland and Wales. The Firelink SWG also has links to the wider Airwave SWG which is attended by the primary users of the Airwave system.

VEGA’s specific support activities have included developing the Risk Management and Accreditation Document Set (RMADS) for the use of Firelink radios as the project rolls out, and incorporating a separate Risk Register that complies with the FRS working format.

All Airwave user organisations must apply to the Cabinet Office for a TETRA TEA2 user licence to use the Airwave system. The process VEGA implemented involves a briefing on the security requirements to ensure that the FRS senior management appreciate their security obligations, followed a few weeks later by a security audit to collect evidence of how the FRS intends to implement necessary security.

In addition, those FRS that have a direct Control Room connection into the Airwave WAN infrastructure are subject to a further process to demonstrate compliance with the Airwave Service Code of Connection for their IT systems, associated with their radio communications and Command & Control systems infrastructure. This process is based on compliance with ISO 27001.

The support VEGA provided included IT risk assessment (using formal policy methods, as well as adapting FRS techniques for business risk evaluation where appropriate), identifying system vulnerabilities, and mitigating these through procedural / policy strategies or technical solution architectures, taking into account the operational imperatives and emerging technologies. VEGA has assisted these FRS with their preparation and submission of evidence of compliance, and organised the security audits for the Firelink Accreditor.

VEGA has also supported Proof of Concept and Customer Service Verification tests to verify that the system delivers all contracted requirements. VEGA has taken the lead on security features in the solution to provide assurance for the RMADS. For example, the Firelink requirement is for radios to be installed in vehicles securely and for the key pad to be lockable to prevent unauthorised use.

The most important security feature of the solution is the ability to ‘stun’ radios that have been lost or stolen, which remotely disables them. The evaluation of the solution assessed whether it was compliant and usable in an operational environment by FRS personnel with minimum training.

Value delivered

VEGA’s greatest value to the Firelink project has been to provide a CESG CLAS security consultant with excellent organisational and presentation delivery skills, which have been put to good effect in security briefings to both FRS senior management and local FRS custodians, and in RMADS development.

A key component of the RMADS is the Firelink Code of Practice, which lays down the security requirements for the use of Airwave radios within the FRS. This is equivalent to System Operating Procedures (SyOps), but written in a way that can be easily adopted into FRS ‘Service Orders’ to align with their normal day-to-day operations.

This has been followed up with individual security audits to support TEA2 User Licence applications, as well as a more in-depth ISO 27001-style audit for those FRS in Scotland, Wales and London, where their Control Room makes a direct connection to the Airwave infrastructure. VEGA has an excellent appreciation of Government security policy and standards, which has enabled the project to successfully negotiate pragmatic solutions with the Cabinet Office Airwave Accreditor on issues that would have been unacceptable to FRS’s day-to-day operations.

The outcome is that the project is confident that there are key personnel within each FRS who have a good understanding of their security obligations associated with using the Airwave radio system, and who are committed to the ongoing in-life implementation of security for the duration of Firelink’s deployment.

Testimonial

Firelink Engineering Manager, Richard Hewlett, said: “VEGA provided an excellent security consultancy service to the project. We are particularly pleased with the ability of the VEGA consultant to integrate with the project team as a whole, as well as their willingness to appreciate the significance of FRS’s operational / business requirements to develop pragmatic security solutions that proved to be acceptable to all stakeholders.”