As governments and organizations issue regulations and security directives globally, rail operators face new challenges in integrating OT cybersecurity requirements. Usually, only a few operators and authorities have OT professionals who can support the tendering process.
UITP’s “Practical guidance on cybersecurity: Requirements in tendering” report aims to provide guidelines and tools for rail operators and authorities, procurement officers, and CISOs/CIOs on integrating cybersecurity requirements in their procurement process for operational technology (OT) systems. It examines the regulation and legal framework, the procurement process and specification framework, the information security system specification, and the cybersecurity technological specification, and it includes a quick reference guide for cybersecurity procurement.
The report, sponsored by Cylus, highlights the gap between the cybersecurity expectations of operators and authorities and the cybersecurity deliverables of vendors. It suggests that to eliminate this gap, both parties should have well-defined responsibilities, clearly stated through contractual arrangements that consider cyber expectations throughout the system's complete life cycle.
Based on the European standard TS 50701, the report adapts the standard to public transport environments and provides a framework for the legal, procurement, and specification processes. The report also provides examples of applying the standard to specific environments such as metro and bus rapid transit systems.
To learn more, download the report.