
Cyber security and safety on rolling stock: safe operation through secure systems

The Office of Rail and Road (ORR) has maintained a steady focus on cyber security for some time and its recent inspections show that attention increasing. One consistent message is the need for closer collaboration between cyber security and safety teams.

Operational technology sits where safety and service meet. IT systems, by contrast, can be interrupted by an attack or failure, which disrupts day-to-day work, affects revenue and harms reputation; they do not usually threaten operational safety or the physical integrity of assets.

In transport and infrastructure, an interruption, attack or failure affecting operational systems can change how equipment behaves and how people operate it. The risk profile is different and consequences can include asset damage, degraded protection systems and, in the worst case, harm.

Examples where cyber affects safety

Cyber events can have direct safety effects. A compromised passenger information system could display a false emergency message and trigger panic and unsafe crowd movement. Passengers might try to self-evacuate, move against staff instructions or push through crowded areas, increasing the risk of slips, trips and falls and making it harder for staff to manage the situation.

A compromised ASDO (Automatic Selective Door Operation) logic could open doors on the wrong side, or open more doors than there is platform, creating a serious platform-train interface risk. In practice that could mean passengers stepping down onto the track or into a large gap.

On-train CCTV could also drop out or show artefacts, weakening the response to onboard incidents and leaving evidence gaps. If footage is unreliable or unavailable, control and British Transport Police may be slower to understand what has happened, and post-incident investigations may struggle to establish facts and learn lessons.

These examples show why controls must reduce risk and protect operational continuity, so crews and management can make confident decisions in service.

Information security and operational safety: the overlap

Cyber security is often linked with information systems, where the focus is on confidentiality, integrity and availability of data. That thinking still matters in rail, but on the operational side the picture is different. In the cab and on the train, availability and integrity of systems rise to the top, because a loss or change of either can directly affect how equipment behaves and how people make decisions.

Put simply: on IT systems we mainly worry about the data; on on-train systems we worry about what the system might make the train do.

This is where information security and operational safety meet. Cyber events that might be contained on business systems can become a safety risk when they affect train operation, monitoring or communication on a live railway. That is why cyber and safety teams must assess risks together and decide where controls and procedures need to change.

How we connect cyber and safety in practice

Railmind works with operators to make that connection, using a simple, structured approach that aligns with recognised best practice and meets ORR expectations, so operational systems stay safe, secure and available.

We help identify which systems are safety related, map realistic cyber scenarios into the safety case and use established tools such as CSM-RA (Common Safety Method – Risk Assessment) and IEC 62443 in a way that works for operations, engineering and cyber teams. The result is clearer controls, procedures and training that support safe, secure and reliable day-to-day service.

What IEC 62443 brings

IEC 62443 is a family of standards for securing industrial automation and control systems across their lifecycle. It helps asset owners and suppliers to:

  • segment systems into zones and conduits so that compromise is contained
  • set security levels appropriate to the consequence of failure
  • carry out risk assessments and select proportionate controls
  • build security into design, operation, maintenance and change

For rolling stock, IEC 62443 gives a common language for engineers, safety specialists and cyber practitioners to discuss real hazards and decide practical controls.
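The zone-and-conduit idea can be checked mechanically. The following is an added illustration, not Railmind's tooling or anything from IEC 62443 itself: the zone names, security levels and flows are constructed for a notional train, and the two checks show what "compromise is contained" means when a flow appears that no conduit permits, or when a permitted conduit leads into a zone with a higher target security level.

```python
"""Audit a constructed IEC 62443-style zone/conduit model for a train network.

Added example; zone names, SL-T values and flows are made up, not a real fleet.
"""
from collections import deque

# Zones with a constructed target security level (SL-T 1..4). The level is
# higher where the consequence of failure is a safety hazard (e.g. doors).
ZONES = {
    "passenger_wifi": 1,
    "passenger_info": 2,
    "cctv": 2,
    "maintenance_port": 2,
    "tcms": 3,
    "asdo_door_control": 4,
}

# Permitted conduits as (source zone, destination zone). Any flow not listed
# here is one the segmentation is expected to block.
CONDUITS = {
    ("tcms", "passenger_info"),
    ("tcms", "asdo_door_control"),
    ("maintenance_port", "tcms"),
    ("cctv", "passenger_info"),
}

# Constructed sample of observed flows, e.g. from a switch/firewall log export.
SAMPLE_FLOWS = [
    ("passenger_wifi", "tcms"),        # should never be reachable
    ("maintenance_port", "tcms"),      # permitted, but enters a higher-SL zone
    ("tcms", "asdo_door_control"),     # permitted, enters the highest-SL zone
    ("cctv", "passenger_info"),        # permitted, same SL
]

def audit_flows(flows, zones=ZONES, conduits=CONDUITS):
    """Return one finding per flow lacking a conduit or entering a higher-SL zone."""
    findings = []
    for src, dst in flows:
        if (src, dst) not in conduits:
            findings.append(f"{src}->{dst}: no defined conduit")
        elif zones[dst] > zones[src]:
            findings.append(f"{src}->{dst}: conduit enters SL{zones[dst]} zone "
                            f"from SL{zones[src]}; verify conduit controls meet SL-T {zones[dst]}")
    return findings

def blast_radius(start, conduits=CONDUITS):
    """Zones an attacker could reach from a compromised zone via permitted conduits."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in conduits:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sorted(seen - {start})

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
    print("from maintenance_port:", blast_radius("maintenance_port"))
```

Running the block lists the unpermitted passenger_wifi flow and the two conduits that climb into higher-SL zones, and shows that a compromised maintenance port reaches the TCMS, ASDO and passenger information zones through permitted paths alone.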

Start with scenarios the whole team can test

An initial, IEC 62443-aligned risk assessment works well when it is scenario based.

In design, where there may be few known vulnerabilities, scenarios help the team imagine credible ways systems could be misused or fail.

On legacy fleets, the same approach shows how current connectivity, data flows and maintenance routines can introduce new risks or vulnerabilities.

Scenarios should be described in operational terms. For example: loss of communications to a subsystem, a malicious configuration change during depot maintenance, unexpected behaviour from a driver advisory system, or denial of service to passenger information.

Framing them this way gives mechanical, electrical, operations and cyber colleagues a shared language and creates a natural bridge into safety assessment.

Use HAZID to decide what really touches the safety case

If a scenario can change equipment behaviour or crew decision-making in a way that could affect people or protection systems, it may affect the safety case.

IEC 63452 is a new standard that will be published in 2026. It focuses specifically on cyber security for railways and recommends combining IEC 62443 risk assessment with the CSM-RA. HAZID (Hazard Identification) is a core part of the CSM-RA process.

A HAZID workshop brings together rolling stock engineers, operations, safety and cyber specialists to identify hazards, causes, consequences and safeguards. Inputs include the scenario list, system architecture, maintenance procedures and operating rules. The workshop does three things:

  1. Filters scenario outcomes that do not touch safety, keeping them in the cyber risk register but out of the safety case
  2. Highlights where cyber events can create or worsen safety hazards
  3. Agrees actions to reduce risk to ALARP (as low as reasonably practicable), including technical, procedural and training measures

Typical actions include network segmentation, hardening maintenance interfaces, supplier assurance for software updates, change control for configuration, enhanced incident drills, and clear fallback procedures for crews and control centres.

People and procedures are controls too

On-train crew and control are key safeguards. Briefings should explain what a cyber-related failure looks like in practice, what immediate actions to take, how to escalate and how to continue service safely.

Management teams should rehearse these scenarios so decisions are confident and consistent. These materials also feed directly into business continuity and service recovery planning.

Bringing it together

Not every operational technology cyber risk affects safety. The aim is to find the ones that do, agree proportionate controls and prove these controls in live operation.

IEC 62443 provides the framework, scenario-based assessment makes the conversation concrete, and HAZID links outcomes to the safety case. With trained crews, prepared managers and robust process, operators can reduce risk to ALARP and keep services resilient.

If you would like a view of where your cyber and safety processes meet on rolling stock, we can run a focused review and leave you with a prioritised action plan and materials your teams can use straight away.

Ready to join cyber and safety? Contact us to book a short discovery call.