Towards the first railway cybersecurity international standard - why standards are important for secure railways

Cybersecurity standards, such as CENELEC TS-50701 and IEC 62443 are quietly at work, ensuring the robust security and resilient operation of our critical rolling stock and rail infrastructure. Standards are sometimes overlooked, but they are an important element in protecting our transport networks from potential cyber threats. 

Being at the forefront of shaping the first first railway cybersecurity international standard, hear from Eddy Thésée, VP of Cybersecurity Products & Solutions at Alstom, to understand the importance of adopting standards for rail companies. 

A new international standard for the railway industry

Cybersecurity standards are empowering the rail industry to better protect against cyber threats. The widely adopted IEC 62443 already provides a comprehensive framework for securing industrial automation and control systems, including rail networks, devices, and operations centers.

Despite its coverage, IEC 62443 lacks a proven track record for mixed distributed systems – an essential characteristic of railway systems - which is where the CENELEC technical standard, TS 50701, comes in to address the gaps. With TS 50701 laying the foundation towards the first railway cybersecurity international standard (IEC 63452), the future IEC 63452 standard will unify cybersecurity management in railway systems, tailored to the sector’s specific operational environment, building on top of the IEC 62443 series.

Why are cybersecurity standards important?

• Threat identification and risk assessment: Understanding vulnerabilities and prioritising mitigation strategies.
• Security controls: Implementing measures like network segmentation, access control, and intrusion detection.
• Incident response: Establishing clear procedures for identifying, containing, and recovering from cyberattacks.
• Patch management: Keeping systems updated with the latest security fixes.

“The new standards provide powerful tools for building a layered defense against cyber threats,” explains Eddy. “They offer a holistic approach that addresses vulnerabilities across the entire system, from trains to back-office IT and remote shared resources.”

Alstom, a key player in shaping the standards

Alstom recognises the transformative potential of industry standards and actively contributes to shaping them. Here are four ways that we leverage and interpret these standards to benefit rail companies. 

1. Future-proofing security: “Cyber threats are constantly evolving,” says Eddy. “The new standards are designed to be flexible and adaptable, allowing us to stay ahead of the curve and ensure long-term cybersecurity.” By adhering to these standards, rail companies can be confident their systems are built with future threats in mind.
2. Enhanced efficiency: Standardised security practices across the supply chain streamline communication and collaboration. This reduces integration costs, accelerates project timelines, and facilitates interoperability between different systems and vendors.
3. Best practice for security operations and maintenance of effective defense: At Alstom, we see the new standards as a way for rail companies to achieve a higher level of security awareness in their daily operations by driving a proactive security culture, where trainings and internal audits become a standard practice fortifying the company’s overall cybersecurity posture.
4. Building trust and transparency: Compliance with industry-recognised standards demonstrates a commitment to robust cybersecurity. This fosters trust with regulators, passengers, and other stakeholders, ultimately enhancing the reputation of the rail industry.

The future of cybersecurity standards

For rail companies seeking to capitalise on the efficiency and innovation of digitalisation, adopting these new standards is not just an option, it’s a necessity. Eddy concludes, “By making cybersecurity a core part of their digital transformation journey, rail companies can unlock the full potential of technology while safeguarding their vital networks and operations.”

The journey towards a truly secure and connected rail network starts with a seemingly invisible force: standards, to structure our industry, and regulations. By working together and embracing these powerful tools, the rail industry can build a future where security is not just an afterthought, but a cornerstone of progress.

ISO 27001 – Standard for information security management systems (ISMS).

IEC 62443 – Series of standards that define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS).

CLC/TS 50701 - Technical Specification introducing requirements and recommendations to address cyber security within the railway sector. TS 50701 has been offered to the IEC to become an international standard and is currently being developed as IEC 63452.