
From Shaping Railway Cybersecurity Standards to Helping Bring Them to Life

Omar Benjumea
Field CISO & Business Development

Over the past few years, I’ve had the privilege of being part of a journey that, in many ways, mirrors the evolution of cybersecurity in the rail industry itself.

It started during my time working with Knorr-Bremse and Siemens, contributing to CENELEC TS 50701 (officially published in June 2021), the first comprehensive attempt to define what cybersecurity should look like in railway systems. At the time, this was a major milestone. For the first time, the sector had a structured, rail-specific framework, building on IEC 62443 and aligning cybersecurity with the RAMS lifecycle and safety processes.

But more importantly, TS 50701 was the beginning of a shift in mindset.

It introduced the idea that cybersecurity in rail is not just about controls or compliance - it is about lifecycle, risk, and integration into engineering processes. It forced the industry to start thinking in terms of cybersecurity cases, threat modelling, zoning, and traceability. It gave us a common language.

And yet, like any first version, it also had its limitations.

From a European specification to a truly global effort

One of the most fascinating evolutions I’ve witnessed is how TS 50701 became the foundation for something much bigger: IEC 63452.

While TS 50701 was primarily European in origin, IEC 63452 represents a truly international effort. Experts from across the world (Europe, the US, China, Canada, Japan, and many others) have come together to shape what will become the global baseline for railway cybersecurity.

This shift matters.

Rail is inherently global: suppliers, integrators, and operators work across borders, and so do cyber threats. Moving from a regional technical specification to a globally harmonized standard is not just a bureaucratic step - it’s essential for interoperability, supply chain security, and trust across the ecosystem.

IEC 63452 is not just an evolution of TS 50701. It is its globalization.

From guidance to clarity: making requirements actionable

Another major step forward is the level of clarity and structure.

TS 50701 provided a solid framework, but in many areas it left room for interpretation. That was both a strength and a challenge. It enabled flexibility, but it also made consistent implementation, and especially assessment, more difficult.

IEC 63452 significantly raises the bar here.

The new standard introduces:

  • A much clearer definition of roles and responsibilities across asset owners, integrators, suppliers, and maintainers
  • More structured and explicit cybersecurity requirements across the lifecycle
  • Detailed descriptions of expected deliverables (risk assessments, cybersecurity plans, incident management processes, etc.)
  • Improved system taxonomy, zoning models, and architectural guidance

In practice, this means moving from “what should be considered” to “what needs to be demonstrated.”

And that’s a big shift.

A step change in assessment and assurance

One of the biggest gaps in early implementations of TS 50701 was the difficulty in assessing compliance in a consistent way. IEC 63452 tackles this head-on.

It introduces, for example:

  • Clear distinction between normative requirements and guidance, enabling more consistent verification
  • Structured cybersecurity evaluation and acceptance processes across the lifecycle
  • Continuous cybersecurity verification and monitoring requirements, not just point-in-time validation
  • Stronger linkage between risk management and cybersecurity operations

Even if it will not be perfect, the improvement over the TS in this regard is huge.

Expanding the scope: from design to operations (and beyond)

TS 50701 already introduced a lifecycle approach, but IEC 63452 takes it further and makes it more operational.

It explicitly covers:

  • Continuous monitoring and threat detection
  • Vulnerability and patch management
  • Incident response and recovery
  • Supply chain security
  • Secure decommissioning and end-of-life processes

This reflects a broader industry realization: cybersecurity does not end at commissioning. Railway systems live for decades. Threats evolve daily. The only viable approach is continuous assurance. IEC 63452 embeds that reality into the standard.

From contribution to implementation

Today, at Cylus, my focus is on a different, but deeply connected, challenge: how to actually implement all of this.

Because having a standard is one thing. Making it work in real railway environments is another.

TS 50701 and IEC 63452 define expectations across governance, engineering, and operations, but real systems are complex, heterogeneous, and constantly evolving. Demonstrating lifecycle security, maintaining traceability, and aligning operational behavior with security assumptions are not trivial tasks.

This is where the real work happens:

  • Translating requirements into measurable controls
  • Gaining visibility into actual system behavior
  • Continuously validating that assumptions still hold
  • Supporting evidence-based compliance over time

From “why” to “how” — and now to “prove it”

Looking back, the journey from TS 50701 to IEC 63452 reflects a broader evolution:

  • First, we asked: Why does cybersecurity matter in rail?
  • Then: How should we approach it systematically?
  • Now: How do we implement it globally, consistently, and prove it?

With IEC 63452 expected to be published shortly after summer 2026, the industry is about to take another major step forward.

It brings together global expertise, sharper requirements, and a much stronger foundation for assurance and compliance. It turns cybersecurity from a conceptual framework into something that can be evaluated and trusted across borders.

Personally, it’s incredibly rewarding to be part of this journey, from contributing to the early definition of TS 50701 to now working on IEC 63452, and seeing Cylus technology help organizations implement some of the existing requirements.

And if there’s one thing that stands out, it’s this:

Standards don’t secure railways. People, processes, and technologies do. But good standards make that possible by providing the right requirements and the needed guidance to implement them in the right way.

---

Interested in learning more about IEC 63452? Watch The Road to IEC 63452: Standardizing Rail Cybersecurity

Originally published April 2, 2026, updated April 2, 2026.
