Cyber security is vital to ensure critical railway systems are kept running.
At any given moment there could be a security issue that could develop into a safety risk, for example an attack on passenger information systems, which would result in platform overcrowding.
This is why ORR has been working in collaboration with the National Cyber Security Centre (NCSC) and the Department for Transport’s (DfT) Cyber Compliance Team to look at risks to the safe operation of software-based high integrity equipment.
We want to be prepared to manage any future risks and to support the rail industry.
This work is a positive step towards greater understanding how prepared we are and the importance of managing safety critical systems well to ensure the high levels of health and safety that the UK expects.
ORR is not the enforcing authority for cyber security issues in the railway industry, the DfT has the lead on the Security of Network and Information Systems Regulations. But the line between safety risks caused by poorly designed, operated and maintained software-based systems and cyber security is a blurred one that will depend on the circumstances.
We have worked with other regulators and railway industry experts to conduct a risk assessment and risk ranking exercise on systems. This has fed into our planning for future inspection work, enabling us to target our resource to look at the most likely risks.
Next year, we plan to look at two issues: failure to properly manage patching and modification; and failure to manage foreseeable obsolescence of software systems.
The NCSC is training our staff to improve skills for inspections and investigations into this area, with a trial of training taking place in December.
This collaborative work has allowed ORR and industry to be prepared for any future risks and give us the capability we need to support the industry. It helps us to highlight what the risks are and also allows NCSC to help protect the physical safety of our people through cyber security.