UK Railway Cyber Security Strategy
The Digital Railway Programme (DRP) has been involved in developing the UK Railway Cyber Security Strategy to ensure that all areas of the railway sector are aligned and proportionately managing their cyber security risks. This development was funded by the DfT, undertaken by RSSB, and has been released by the Rail Delivery Group, marking a significant step towards implementing secure digital systems.
Within the Digital Railway programme, we have a well-established Security Management Plan, which shows how we implement security compliance within the national strategy using a mix of both Information Assurance and Systems Engineering processes to identify and manage our security risks.
Security Assurance Framework (SAF)
DRP has taken Network Rail’s SAF, which is a hybrid of Security Assurance, Systems Engineering and Safety-based approaches, through the ERTMS Security Board’s Cyber Security Steering Group. DRP gained significant momentum towards adopting this framework across industry as the UK standard for identifying security threats, vulnerabilities, risks and mitigations on operational technology. This framework has DfT and industry support.
Once tested on the Thameslink Traffic Management System (TMS), Power SCADA (Supervisory Control and Data Acquisition) and the LNE route, it is expected to be approved and fast-tracked into publication as a UK RSSB standard.
DRP has been engaged with industry stakeholders around security for over two years. In this time, we have:
- specified security within ETCS and ERTMS requirements;
- helped shape and align security strategies and risk management tools; and
- provided security awareness training to our industry partner engineering teams.
Over the coming months, we will commence SAF-based risk assessments on deployed digital railway systems, including TMS and the fully integrated M9 solution, working with the Safety Assurance teams to ensure that the DRP can produce a robust Security Case for the future railway.