A 'white powder incident' is a phrase often applied to the discovery of a substance (solid or liquid) where the finder cannot eliminate the possible presence of a chemical or biological hazard. (Not all such hazards are white, or powders). An example of the concern is the series of Anthrax attacks in the US in 2001. That event caused a small number of deaths and large-scale disruption (because of the need for extensive decontamination).
The majority of white powder incidents in the rail environment (and elsewhere) have related to benign substances and were not accompanied by any kind of threat information. Examples of risk aversion have included concerns about spilt flour (from a shopping bag); spilt plaster (dropped by a builder); salt (spilt on a canteen table); liquid soap (found under a soap dispenser in a staff bathroom); white powder (found after the discharge of a powder fire extinguisher). In the absence of a specific threat, or any other credible reason to believe such discoveries are suspicious, the scenario should be dealt with under normal housekeeping arrangements.
Where the discovery is believed to be malicious (e.g. a threatening letter, observed suspicious behaviour, a face-to-face threat received by staff or passengers), it should be investigated by police, who will also give specific risk management advice. In the unlikely event of people having been exposed to a genuine hazard, any uncoordinated evacuation will spread the hazard further, contaminate more people and delay effective medical intervention. In the absence of people becoming unwell, evacuation should be limited to adjacent rooms/carriages and people kept near the scene. In the event of a small scale contamination, the blue light services (police first point of contact) should be called. If the substance is deemed toxic, the police will launch an initial operational response, drawing in colleagues from the other emergency services as appropriate.
Any electronic or cyber incident, which affects any critical engineering assets or engineering assets that perform a safety function should be reported to the Department for Transport (TICB@dft.gsi.gov.uk Telephone 020 7744 2870) and Office for Rail Regulation (Telephone 020 7282 3910), in a timely manner. Incidents reaching the threshold of 'Level 0 - Exceptional Occurrence' as defined in the Centre for Cyber Assessment (CCA) Cyber Incident Coordination Plan (CICP) should be reported immediately to CERT-UK by telephoning 01242 709311 or by emailing (Unclassified to: firstname.lastname@example.org ; and Restricted / Official Sensitive to: email@example.com ).
This does not preclude you from consulting the CERT-UK were you unable to manage the consequences of an attack alone.
Incidents that should be notified:
Deliberate or accidental destruction, alteration, disruption, or disclosure of asset software or data, resulting from device connections;
Successful unauthorised access or alterations to assets. (Unsuccessful attempts should be recorded locally for audit purposes and only notified if they are repeated or persistent);
Malware infection of assets. (Blocked infection attempts, e.g. detected and blocked by anti-virus software and procedural controls, should be recorded locally for audit purposes and only notified if they are repeated or persistent);
Theft of assets and asset data (including disclosure by social engineering) that may be used to further compromise the asset base, including engineering laptops, engineering asset user account credentials, engineering documentation. (Unsuccessful attempts should be recorded locally for audit purposes and only notified if they are repeated or persistent).
What does not constitute an electronic or cyber Incident: