
Countdown to IEC 63452

What the new rail cyber standard means for UK operators and suppliers

UK rail has spent the last few years operating against CENELEC TS 50701, the NIS Regulations and a growing amount of cyber guidance from the Department for Transport (DfT), the National Cyber Security Centre (NCSC), the Office of Rail and Road (ORR) and the Rail Safety and Standards Board (RSSB). TS 50701 in particular has become the main technical reference for managing cyber risk in railway systems, built around the EN 50126 / 62278 RAMS lifecycle and IEC 62443.

Now a new international standard is on the way: IEC 63452 “Railway applications – Cybersecurity”. It’s being developed using TS 50701 as a key input, with the aim of giving the rail sector a consistent, global framework for Operational Technology (OT) cybersecurity across all digital equipment and systems. 

Its scope covers rolling stock, fixed installations, and management systems for railway operation, including signalling, communications, supervision, information systems, and their interfaces and environment. This applies across high-speed, mainline, metro, tram, freight and fully automated railway systems.

A consolidated draft has been issued for public comment, and the feedback is now being reviewed. Publication is currently expected around mid 2026. Once adopted as EN / BS EN IEC 63452, it is widely expected to become the main technical reference for railway cybersecurity in Europe and the UK, gradually overtaking TS 50701 as the standard tenders and regulators refer to.

IEC 63452 is coming. It will be the benchmark for how the UK rail industry shows it is managing OT cyber risk. The real question for operators and suppliers is: how ready are we?

Our view is that many organisations already have important pieces in place, but relatively few could clearly explain today how those pieces line up against IEC 63452 without some focused work.

This article looks at:

  1. What IEC 63452 is and what it builds on
  2. What to expect from the standard
  3. What it means for operators
  4. What it means for OEMs, ROSCOs and technology suppliers
  5. Practical steps you can take now

This article is written for UK operators, ROSCOs, train builders and technology suppliers who want to understand what IEC 63452 is likely to mean in practice and how to get ready.

1. What is IEC 63452 and what does it build on?

An international standard for railway cybersecurity

The project brief for IEC 63452 is clear and tightly defined:

  • Create an International Standard for handling cybersecurity for railway systems across the whole railway system
  • Provide a consistent way to identify, monitor and manage cyber risk in railway applications, defining activities and deliverables over the lifecycle
  • Adapt the industrial IEC 62443 framework to the railway context, rather than invent yet another cyber model

The standard is being developed by a project team, with contributions from many international bodies. It is not a niche document for specialists, but a common framework for how railways specify, deliver and run OT cybersecurity.

Built on TS 50701, not replacing it overnight

IEC 63452 doesn’t start from a blank page.

CLC/TS 50701 remains the key European technical specification for rail cyber. It sets out requirements and guidance aligned with the RAMS (reliability, availability, maintainability and safety) lifecycle and is already referenced by operators, integrators and suppliers.

IEC 63452 uses TS 50701 as an input and foundation, turning much of that material into normative international requirements, while TS 50701 is expected to continue as a supporting/application document, especially for European regulation and guidance.

For UK duty holders and suppliers, this means existing work on TS 50701 and IEC 62443 is still relevant, but the bar will be clearer, and in some areas higher.

Rather than redesigning your approach, the priority is readiness: starting to map your current practices onto the emerging IEC 63452 structure and checking that the basics are covered. Organisations that do that mapping early are likely to find later compliance and assurance discussions more straightforward, because they can show how existing controls fit into the new framework.

2. What to expect from IEC 63452

The work done so far and the discussions we see across standards groups and the wider industry give a consistent picture of the framework and direction of IEC 63452.

In practical terms, organisations can expect IEC 63452 to focus on a set of recurring themes that run across the system and its lifecycle.

Whole system and lifecycle scope

IEC 63452 is intended to cover signalling and train control, rolling stock including connected subsystems such as diagnostics, passenger information, Wi-Fi and comfort systems where they are in scope, fixed installations such as stations and depots, and the operational and maintenance systems that can affect safety, day to day operations or service continuity.

It is being developed with a lifecycle view across all of this, from concept and design through delivery, acceptance and operation to modification and decommissioning, rather than focusing only on what happens at the point a system is first commissioned.

In this article we mainly draw on examples from rolling stock and fleet projects, but the same principles are intended to apply across signalling, fixed installations and the wider railway system.

Cyber security management

The standard will expect a clear cyber security policy for railway systems, a roles and responsibilities matrix so it is obvious who does what across operators, owners and suppliers, and an overall security governance plan showing how decisions are taken, escalated and reviewed.

Risk assessment and threat modelling

You can expect to see a requirement for a structured view of the threat landscape, initial high level risk assessments that are refined into more detailed analysis where needed, and a formal process for assigning security levels that reflect both the impact of failure and the likelihood of attack.

Cyber security requirements specification

IEC 63452 will want requirements to be captured in a way that can be traced, for example through a security requirements traceability matrix that links risks and security levels to specific functional and technical security requirements for systems and interfaces.

Design and implementation documentation

On the design side, the standard will call for documented cyber security design principles, configuration management records so you know exactly what has been built and deployed, and evidence that secure development practices have been followed, such as secure development lifecycle artefacts from suppliers.

Assurance and validation

IEC 63452 will look for clear cyber security acceptance criteria, test reports and audit logs that show how those criteria have been checked, and a way of bringing the evidence together into a coherent assurance story that can sit alongside existing safety and performance arguments.

Decommissioning and disposal

As systems are taken out of service, the standard will place emphasis on secure decommissioning plans and end of life risk assessment, making sure that residual risks are understood and managed and that data and connectivity are treated appropriately when equipment is retired or replaced.

Strong emphasis on continuous assurance and monitoring, not ‘one and done’

Taken together, these elements point to a shift from “build once, walk away” to continuous cyber security assurance.

Cyber evaluation and acceptance are structured across the lifecycle, with expectations around planning, handover and ongoing review, and with particular attention to how vulnerability management, incident response and end of life decisions are handled in practice.

This mirrors wider UK cyber policy, which increasingly focuses on resilience and operational visibility for OT environments rather than perimeter defences alone.

It also reflects a broader shift across critical infrastructure, where regulators are less interested in static compliance snapshots and more interested in whether organisations can stay secure and resilient over time, including as systems are modified, upgraded or decommissioned.

Risk management using zones and conduits

IEC 63452 has been developed to use the zones and conduits approach from IEC 62443 and apply it to railway systems.

In simple terms, it will ask you to be clear about the system under consideration and the functions that matter most. You then take an initial view of the risks and group equipment into zones where the systems have similar security needs, while identifying the conduits that carry data and control between those zones. Your initial risk assessment will help you set a clear target security level for each zone, for example between 0 and 4 in IEC 62443 terms.

The emphasis at this stage is on the consequences of a successful attack and the level of protection required, on the basis that attempts will occur, rather than on arguments about likelihood. Controls are added until the level of risk for that zone is acceptable.

Finally, you secure the boundaries between zones and manage the data flows along the conduits that connect them. In practice, that points to having up to date system architecture diagrams, security zoning views and an asset inventory that everyone can work from.

This should give operators and suppliers a more structured way to decide what needs stronger protection and to explain why particular controls are justified for a given system. For each zone you then carry out a detailed risk assessment. For a new system, or train, this should be done as part of design and then carried forward into operation, where it can include penetration testing and should be repeated periodically to ensure that controls remain effective throughout the system’s life.
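As an added illustration (not code from the original article or from Railmind), the following Python model captures the review described above: zones with a target security level, declared conduits, and observed flows, with findings for undeclared inter-zone flows, conduits running from a lower-SL zone into a higher-SL zone, and assets missing from the zone inventory. The zone names, assets, flows and security levels are constructed sample values, not taken from any real fleet or from IEC 63452.

```python
"""Toy zone-and-conduit review for a train, following the IEC 62443 approach
outlined above. All zones, assets, flows and SL-T values are constructed
samples (assumptions for illustration only)."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    target_sl: int                      # IEC 62443 SL-T, expected 0..4
    assets: set = field(default_factory=set)


@dataclass
class Flow:                             # a designed or observed data/control flow
    src_asset: str
    dst_asset: str
    service: str


def zone_of(zones, asset):
    """Name of the single zone owning an asset, or None if 0 or >1 zones claim it."""
    owners = [z for z in zones if asset in z.assets]
    return owners[0].name if len(owners) == 1 else None


def review(zones, flows, declared_conduits):
    """Return findings: bad SL-T values, inventory gaps, inter-zone flows with no
    declared conduit, and conduits that need boundary controls because they
    enter a zone with a higher SL-T than the zone they leave."""
    findings = []
    for z in zones:
        if not 0 <= z.target_sl <= 4:
            findings.append(f"zone {z.name}: SL-T {z.target_sl} outside 0..4")
    sl = {z.name: z.target_sl for z in zones}
    for f in flows:
        src, dst = zone_of(zones, f.src_asset), zone_of(zones, f.dst_asset)
        if src is None or dst is None:
            findings.append(f"{f.src_asset}->{f.dst_asset} ({f.service}): "
                            "asset not in exactly one zone; fix the inventory")
            continue
        if src == dst:
            continue                    # intra-zone traffic is not a conduit
        if (src, dst) not in declared_conduits:
            findings.append(f"{src}->{dst} ({f.service}): inter-zone flow with "
                            "no declared conduit")
        elif sl[src] < sl[dst]:
            findings.append(f"{src}->{dst} ({f.service}): SL-T {sl[src]} into "
                            f"SL-T {sl[dst]}, boundary controls required at {dst}")
    return findings


# Constructed sample system: three zones, two declared conduits, five flows.
SAMPLE_ZONES = [
    Zone("train_control", 3, {"tcms", "brake_ctrl"}),
    Zone("diagnostics", 2, {"rdu", "event_recorder"}),
    Zone("passenger", 1, {"wifi_ap", "pis_display"}),
]
SAMPLE_CONDUITS = {("train_control", "diagnostics"), ("diagnostics", "train_control")}
SAMPLE_FLOWS = [
    Flow("tcms", "rdu", "fault log export"),        # declared, high to low: fine
    Flow("rdu", "tcms", "config update"),           # declared, low to high: flag
    Flow("wifi_ap", "rdu", "status page"),          # no conduit declared: flag
    Flow("tcms", "brake_ctrl", "brake demand"),     # same zone: fine
    Flow("cell_router", "rdu", "remote access"),    # asset not inventoried: flag
]

if __name__ == "__main__":
    for line in review(SAMPLE_ZONES, SAMPLE_FLOWS, SAMPLE_CONDUITS):
        print(line)
```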

Clearer responsibilities and a cyber security case

IEC 63452 places stronger emphasis on clear roles and more structured assurance. The standard describes how roles such as asset owner, integrator, maintainer and supplier share responsibility for managing OT cyber risk, and how the evidence from those roles is brought together in a cybersecurity case, a structured explanation of how risks are identified, treated and kept under review over time.

For UK organisations that already work with safety cases and security informed safety, this should feel like an extension of familiar practice rather than a completely new concept, with cyber being handled with the same discipline that is already applied to safety.

3. What this means for operators

IEC 63452 doesn’t sit in isolation. It will land in an environment where:

  • The NIS Regulations already require “appropriate and proportionate” security measures for essential transport services
  • A new Cyber Security and Resilience Bill is progressing through Parliament, tightening expectations on critical national infrastructure, including transport
  • DfT leads on NIS enforcement for rail, with ORR focusing on the safety implications of cyber risk, working with NCSC

Within that context, IEC 63452 will become the technical yardstick for “what good looks like” in OT cyber for rail.

For UK operators, that reinforces the message that OT cyber is now an operational and safety issue, not just something to hand to an information security team. It becomes part of the everyday language of safety, operations and engineering. For some organisations this will simply confirm what they are already doing; for others it will require a mindset shift.

Tenders, concessions and approvals will start naming IEC 63452

Once IEC 63452 is published and adopted, you can reasonably expect to see it referenced in:

  • Major fleet, signalling, depot and station procurements
  • Contracts and framework agreements with ROSCOs, OEMs and key suppliers
  • Safety and change control processes where cyber could impact risk

Even if IEC 63452 isn’t written directly into contracts, it is very likely to show up inside the internal rulebooks that operators, owning groups and government bodies use to govern projects and assets, for example in cyber policies, engineering standards, gateway criteria and assurance checklists.

The likely shift is from “do you consider cyber security?” to “show us how your approach aligns with IEC 63452”.

In our view, organisations that wait for that wording to appear in contracts before acting will find themselves on the back foot. It is easier to shape your own interpretation now than to scramble to meet one written by someone else later.

Legacy and mixed environments need a defendable strategy

The UK railway runs a mix of modern digital systems and older fleets and signalling designed with little or no cyber in mind.

The emerging material around IEC 63452 accepts that not every system can be brought to the same level. However, our reading is that it will expect a documented, risk-based approach for legacy systems and thoughtful use of zoning, compensating controls and monitoring where upgrades are constrained.

“Legacy” will still be a reality for years to come, but it will not be an adequate answer when ORR, DfT or NCSC ask how you are managing OT cyber risk.

Stronger expectations on supply chain control

IEC 63452 sets clearer expectations on supply chain cyber security, including how operators, integrators and suppliers share responsibilities for vulnerabilities, patching and incident handling. These expectations will be reinforced by the Cyber Security and Resilience Bill once it becomes an Act.

4. What it means for OEMs, ROSCOs and technology suppliers

For UK rail suppliers, including OEMs, ROSCOs, signalling and infrastructure integrators, onboard and trackside technology providers and specialist SMEs, IEC 63452 is likely to raise expectations but also create a clearer way to show that you are a mature and trusted partner.

IEC 63452 competence will set trusted suppliers apart

Customers at every level of the chain, from operators to ROSCOs and major programme integrators, are likely to look for suppliers who can talk fluently about TS 50701, IEC 62443 and IEC 63452 and explain where their products or services fit.

They will expect people who are comfortable using the language of zones, conduits, security levels and lifecycle activities when they describe a system or solution, and who can provide the right inputs to a cybersecurity case as part of project delivery alongside safety, RAMS and performance evidence.

Operators, ROSCOs and OEMs will want to see that you have thought through how your solution fits into zones and conduits, what security levels it is designed to support, how it is configured and maintained in service, and how it contributes to the overall cybersecurity case.

Suppliers who can do this in a clear and practical way will feel like lower risk partners in competitions for programmes, frameworks and long term support work. For smaller suppliers in particular, being able to meet larger organisations on their own terms on cyber can be a real advantage.

Different roles in the chain

Although IEC 63452 is still in development, the likely direction is that responsibilities are shared along the chain but are not the same for everyone. In the UK context, it is reasonable to expect responsibilities to fall broadly as follows.

  • Operators and infrastructure managers are the primary duty holders in the UK context. They are expected to define how OT cyber risk is managed for the railway they run, to set overall requirements and acceptance criteria, and to make sure that projects, fleets and suppliers can show how they meet those expectations.
  • ROSCOs, as owners of much of the rolling stock, are expected to make sure that leases, modification programmes and maintenance arrangements reflect those requirements, and that their own supply chain can support the level of protection that operators and regulators will expect over the life of the assets.
  • Train builders will need to show that their designs have taken IEC 63452 principles into account and that they can meet both the standard and the specific requirements set by ROSCOs and operators for the build, integration and support of their fleets, including how products from OEMs in their supply chain are selected, configured and supported to maintain the required level of protection.
  • Technology providers and other suppliers are expected to demonstrate how their products and services fit into the zones, conduits and security levels that have been defined, how they can be configured and maintained securely in service, and what evidence they can provide into the overall cybersecurity case.

In our view, IEC 63452 is more likely to clarify these boundaries than to change them, by giving each party clearer language and expectations to work with. The main shift for suppliers is that it will be easier for operators, ROSCOs and OEMs to ask clear questions about cyber, and easier to compare which suppliers can answer them with confidence.

5. Practical steps to start now

You do not need to wait for the final text to start getting ready. The overall direction of IEC 63452 is clear enough to check how well your existing work is likely to line up. The real risk is not non-compliance tomorrow but discovering later that what you already do does not join up as well as you thought.

Map what you already do to IEC 63452 themes

Collect what you already have, such as NIS assessments and improvement plans, TS 50701 or IEC 62443 work, safety and RAMS processes, and supplier requirements or internal standards. Then set these against the main IEC 63452 themes: governance and programme, lifecycle activities, zoning and risk assessment, operations, monitoring and incident response, supply chain management, and cybersecurity case and evidence. You will usually find some areas are stronger than you expected and a few are noticeably thin. That is a good basis for a proportionate plan.

Be clear what you are responsible for

Whatever your role, it helps to be clear what you are actually responsible for when it comes to OT cyber. That includes which systems or products you are accountable for, which decisions you can make, and where you hand over to someone else. For operators, infrastructure managers and ROSCOs this will be at railway level. For OEMs and other suppliers it will be at asset, system or product level. Writing this down, even in simple form, makes it much easier to see where IEC 63452 work needs to happen and where you depend on others.

Pilot zoning and risk on a real system

Model the system, identify the zones and conduits, and carry out a structured risk assessment. Then compare your current controls with what IEC 62443 and TS 50701 already expect, and with the emerging direction of IEC 63452.

Use this as a learning exercise to see where the real gaps are and to build confidence in the methods. Operators and ROSCOs may lead this for existing rolling stock, while OEMs and other suppliers can apply the same approach in the design and upgrade of their own systems, products and solutions.

Review one major project against the lifecycle view

Take a current or recent project and look at it stage by stage. For each stage ask what evidence you could show if you had to demonstrate IEC 63452 style alignment tomorrow for concept, design, implementation, testing, handover and operation. Then note where the evidence is thin, for example around requirements, traceability, handover material or ongoing monitoring.

A short review like this often highlights simple changes, such as updating a template, adding a review step or strengthening handover content, that make later projects much easier to assure. It also encourages a mindset shift, by looking at OT cyber risk through a lifecycle lens and recognising that different risks can emerge at different points in the project, not only at the point where a system goes into service.

Where Railmind can help

If you are reading this and thinking “we can see IEC 63452 coming, but we are not sure how well we line up or how to explain our position”, you are not the only one.

Railmind can support UK rail organisations to:

  • Carry out an IEC 63452 readiness scan that maps your existing policies, controls and projects against the emerging standard, IEC 62443, TS 50701 and UK regulatory expectations.
  • Check how key fleets, systems, projects or products line up with those standards in more detail and pull together the evidence you need to show how OT cyber risk is being managed over the life of the assets.
  • Turn the findings into a practical readiness plan that fits your role in rail.
  • Help you pull together the documentation and evidence that shows how you meet the standard, in a form you can use with boards, customers and regulators.

Contact Railmind to arrange an initial conversation about IEC 63452 and your organisation. Move from “we know this is coming” to “we have a clear plan and are ahead of it.”


Disclaimer: All references to IEC 63452 are based on information available in the public domain. No confidential or draft content has been disclosed.