When Software Goes Wrong - Regulations and Culture Change

Episode 9 is Part 1 of a feature in which Dr Emma Taylor talks about the 'NIS Regulations', what they mean for the industry and about what we in the industry need to do to comply with the regulations, to deliver a better, safer railway. She looks firstly at who should be concerned, and what we need to do to demonstrate compliance and avoid fines of up to £17m. What to do until we have a good body of precursors to digital incidents; and what aspects or operations should be considered as safety critical.

In episode 10 we talk about the human aspects, the culture change that will be needed to address digital safety threats.  The need for traditional design engineers to broaden their sphere of thinking, and to bring others into design conversations.  Emma also talks about the need to start thinking about reasonably foreseeable scenarios. For us all to start thinking about what could go wrong when you consider the digital components within your physical assets.

Listen to Part 1

Listen to Part 2

The topics that Emma talks about in part 1 of this episode include:

• Who in the railway should be aware of the NIS Regulations, and why. And about why design engineers for the physical parts of the railway may not be engaged with the aspects of digital safety. [1:44]
• What we should be doing until we have a body of knowledge about digital safety and a have built a good set of precursor indicators. [7:20]
• Is the railway's current definition of 'safety-critical' broad enough? And what risks could be brought about by breaking into a 'non-safety-critical' system. [9:30]

The topics that Emma talks about in part 2 of this episode include:

• The main barriers to developing an appropriate level of digital resilience. And the need to get to a place of common understanding between the designers of physical assets and the security specialists who understand the digital parts that make up the infrastructure and rolling stock. [0:36]
• What her experience in the Oil and Gas and Aerospace sectors tell us about what we ought to focus on to better manage digital safety risk. [7:12]
• What the industry should be doing to identify what could go wrong. And the importance of thinking about reasonably foreseeable scenarios. We can't have siloed thinking, we need system-wide collaboration and to include specialist digital safety engineers in the design process. [8:58]
• The scenarios that could happen if you don't start to think about digital safety until after the incident has happened. How wide the issue is that caused the incident. What could happen and who might be held responsible. [13:39].

Related resources: 

• National Cyber Security Centre
• Introduction to the NIS Regulations
• Introduction to the Cyber Assessment Framework
• Episode 6 - Digital asset integrity: one path to reducing railway risk: the blog page 
• Episode 6 - the podcast 
• Data & Information System Interface Committee
• ISO 61357 referred to in Part 2 is actually IEC 61357.
• Blog: let's keep listening—and reporting to maintain asset integrity 4-minute read
• Blog: asset integrity – eyes everywhere—is there untapped intelligence in CIRAS reports? 3-minute read
• Blog: asset integrity – it’s not all in the data—Qualitative data is important too 3-minute read.