Working with the rail industry to respond to cyber security threats
22 March 2024
ORR ensures the rail industry operates in accordance with health and safety laws to protect passengers, staff and the public from harm.
With new software-based systems introduced to help with the operation of the network, new risks have emerged. Duty holders should manage their systems so that the risks arising from software design, operation, maintenance and cyber security are overseen in the same way as any other safety risk. This should form part of their wider Safety Management System.
Paul Appleton, Deputy Director for Railway Safety, recently spoke at a cyber security conference about the cyber security landscape in the UK rail industry, and ORR’s action to help get the rail network prepared.
ORR’s cyber security capability
We are constantly monitoring emerging risks and are building ORR’s capability in the Railway Safety Directorate so that we can inspect and investigate railway companies in this area. This includes developing an inspection tool and training our inspectors.
This tool covers these key areas: Leadership; Governance and Safety Management System; System Safety (Safety and Security) and Interfaces; Risk Assessment; System architecture – IT & OT; Supply chain; and Competence.
The tool includes 63 underlying questions to ask duty holders and to assess indicators of good and bad practice. We are currently undertaking several inspections and expect to set out our findings in the Chief Inspector’s annual report next summer. The first test inspection, on East Midlands trains, was reported in last summer’s Chief Inspector’s report.
ORR now also has a dedicated Digital Safety specialist inspector. A key part of their role will be highlighting these present risks to the rail industry.
Next steps
We are working with industry and the Railway Safety and Standards Board (RSSB) to develop standards in this space, such as the RIS Client Safety Assurance of High Integrity Software-Based Systems for Railway Applications and the RSSB cyber security BowTie model that is being developed.
Although we haven’t yet witnessed cyber security failures resulting in a rail incident, we have seen them happen in other countries and industries – so it’s important to ensure ORR and the rail industry are properly equipped to deal with threats as they would be with any other health and safety risk.