The Role of Safety Risk Management in the UK Rail Industry when Dealing with Cyber Threats

The Role of Safety Risk Management in the UK Rail Industry when Dealing with Cyber Threats

Nadim Choudhary

Ove Arup and Partners Ltd. Resilience, Security and Risk, London, UK

1 January 2018
| Citation



This study will review the literature available on cyber security strategies (generally and those specific to the railway) and compare these against safety methodologies to determine whether there are any overlaps and whether a common risk approach can be used. An assessment will be made on the evaluation of cyber threats in the absence of statistical/historical data and the merits in applying a quantitative approach including consideration of Cost Benefit Analysis (CBA). It is important to note that as the safety and security disciplines have developed independently of each other, the same words (e.g. risk, hazard, threat, likelihood, probability etc.,) have subtle different meanings. The goal of Risk Manage- ment seeks to present arguments and/or demonstrations to support assertions that the identified risks have been managed in a way which satisfies the organisation’s Risk Appetite and/or the principle of As Low as Reasonably Practicable (ALARP) and CBA.


cost benefit, cyber, RAM, reliability, risk management, safety, security

1. Introduction
2. The Threat
3. Role of Risk Management
4. Combining Safety, Reliability and Security
5. Analytical Tools
6. Conclusions

[1] RSSB – Cyber Security Strategy for Protecting Britain’s Railway – Draft version 0.7, 23 September 2016.

[2] BAE Systems Detica, The Cost of Cyber Crime, available at uploads/system/uploads/attachment_data/file/60942/THE-COST-OF-CYBERCRIME- SUMMARY-FINAL.pdf, February 2012 (accessed 28 February 2017).

[3] Four Cyber Attacks on UK Railways in A Year, available at four-cyber-attacks-on-uk-railways-in-a-year-10498558 (accessed 04 May 2017).

[4] Ascent Thought Leadership from Atos White Paper. The Convergence of IT and Operational Technology, available at (accessed 15

March 2017).

[5] Department for Transport, Rail Cyber Security, Guidance to Industry, February 2016.

[6] Preparation and Planning for Emergencies: Responsibilities of Responder Agencies and others, available at (accessed 15 January 2017).

[7] Health and Safety at Work etc Act 1974, available at (accessed 15 March 2017).

[8] A Four Step Risk Approach to Strategy Execution, available at (accessed 29 May 2017).

[9] Adams, John, Adam Smith Institute, London, 1999. The Management of Risk and Uncertainty – Risky Business.

[10] Railway applications. The specification and demonstration of reliability, availability, maintainability and safety (RAMS). Basic requirements and generic process, BSEN50126-1: 1999.

[11] Common Safety Method for Risk Evaluation and Assessment, Guidance on the Application of Commission Regulation (EU) 402/2013, March 2015, Office of Rail Regulation (ORR).

[12] Improving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework, available at (accessed 26 March 2017).

[13] ISO/IEC 27000 Family – Information Security Management Systems, available at (accessed 18 January 2017).

[14] ISO/IEC 27002: 2013, Information Technology – Security Techniques – Code of Practice for Information Security Controls, available at (accessed 15 April 2017).

[15] ISO/IEC 27002: 2013 Information Technology – Security Techniques – Code of Practice for Information Security Controls.

[16] How Safe is Safe Enough? available at (accessed 15 May 2017).

[17] Health and Safety Executive, Reducing Risks, Protecting People, HSE’s decision making process.

[18] Taking Safe Decisions – Safety Related CBA, available at (accessed 01 January 2017).

[19] Office for Nuclear Regulation. The Purpose, Scope and Content of Safety Cases, available at (accessed 04 Junuary 2017).