The Office of Rail and Road (ORR) ensures that our railways are safely regulated. And with the railway becoming more digitised, cyber security has gained an increasingly prominent role in discussions around rail safety.
Northern trains targeted
In July 2021, a cyber-attack targeted Northern train’s ticket machines. These ticket machines cost £17 million to install. But shortly after installation, a ransomware attack meant they were offline for a week.
Our role
We are not the enforcing authority for cyber security issues in the railway industry. The Department for Transport (DfT) has the lead on the Security of Network and Information Systems Regulations.
Safety risks caused by poorly designed, operated, and maintained software-based systems are within the remit of ORR.
The line between these areas is a blurred one and depends on the circumstances, we work closely with the DfT and the NCSC to keep our railways safe.
Assessing risk
We have worked with other regulators and railway industry experts to conduct a risk assessment and risk ranking exercise on software-based systems.
This now forms part of planning for future inspection work, enabling us to target our resources to look at the most likely areas of risk.
Improving knowledge
Also, we have hired a company to work with us to develop a Risk Management Maturity Model (RM3) inspection tool based on the IET Code of Practice: Cyber Security and Safety.
They will be delivering new assessment criteria and a bespoke training programme for our inspectors.
Looking ahead
We must continue to work collaboratively with other partners across the rail industry to assess risk and keep on top of potential cyber threats by equipping our inspectors with the necessary training and knowledge.
By doing this, ORR will continue to contribute to Britain’s railway remaining one of the safest in the world.