Working with the rail industry to respond to cyber security threats

22 March 2024
Cyber security threats are a real and present risk for the rail industry, with clear potential safety implications. That’s why the Office of Rail and Road (ORR) continues to work with industry to ensure it is properly equipped to assess, prevent and respond to cyber security threats and incidents.
Paul Appleton
Deputy Director, Railway Safety
Paul Appleton speaking at a rail Cyber Security conference

ORR ensures the rail industry operates in accordance with health and safety laws to protect passengers, staff and the public from harm. 

With new software-based systems introduced to help with the operation of the network, new risks have emerged. Duty holders should manage their systems so that software design, operation, maintenance and cyber security risks are overseen in the same way as any other safety risk. This should form part of their wider Safety Management System.

Paul Appleton, Deputy Director for Railway Safety, recently spoke at a cyber security conference about the cyber security landscape in the UK rail industry, and ORR’s action to help get the rail network prepared.

ORR’s cyber security capability

We are constantly monitoring emerging risks and are building ORR’s capability in the Railway Safety Directorate to enable us to inspect and investigate railway companies in this area through developing an inspection tool and training our inspectors. 

This tool covers these key areas: Leadership; Governance and Safety Management System; System Safety (Safety and Security) and Interfaces; Risk Assessment; System architecture – IT & OT; Supply chain; and Competence.

The tool includes 63 underlying questions to ask duty holders and assess indicators of good and bad practice. We are currently undertaking several inspections and expect to set out our findings in the Chief Inspector’s annual report next summer. The first test inspection, on East Midlands trains, was in last summer’s Chief Inspector’s report.

ORR now also has a dedicated Digital Safety specialist inspector. A key part of their role will be highlighting these present risks to the rail industry. 

Next steps

We are working with industry and the Railway Safety and Standards Board (RSSB) to develop standards in this space, such as the RIS Client Safety Assurance of High Integrity Software-Based Systems for Railway Applications and the RSSB cyber security BowTie model that is being developed. 

Although we haven’t yet witnessed cyber security failures resulting in a rail incident, we have seen them happen in other countries and industries, so it’s important to ensure ORR and the rail industry are properly equipped to deal with threats as they would be with any other health and safety risk.