This document provides a consistent approach to managing the cybersecurity of railway applications within a railway system. It is applicable across all domains within the scope of CLC TC 9X, which includes railway networks (including high-speed lines, mainlines, and freight lines), urban transport networks (including metros, tramways, trolleybuses, and fully automated transport systems), and magnetic levitation transport systems. It covers rolling stock, fixed installations, and operational management systems (including supervision, information, communication, signalling, and processing systems) for railway operation. This document refers to and adapts the relevant parts of the EN IEC 62443 series of standards to the railway domain, detailing cybersecurity management, zoning, risk management, supply chain management, cybersecurity requirements, cybersecurity assurance, and operational, maintenance, and decommissioning requirements. It outlines the cybersecurity activities and cybersecurity deliverables needed to identify, monitor, and manage cybersecurity risks within a railway application life cycle and in its operational environment (the railway system) to a level tolerable by the railway duty holder. It also provides guidance on how to secure legacy systems. Furthermore, this document provides guidance on coordinating and synchronising the cybersecurity activities with the generic reliability, availability, maintainability, and safety (RAMS) life cycle defined in EN 50126:2017, and provides criteria for application to other life cycles. Lastly, while this document does not provide safety requirements or constraints on the safety case for railway applications, it does offer guidance on the relationship between cybersecurity and safety.
The purpose is to add two European informative annexes as a complement to the railway-specific standard IEC 63452. The first annex, ZA, will provide European equivalents of the referenced standards; the second annex, ZC, will offer a set of cybersecurity recommendations and guidance to support the alignment of railway applications with NIS2 and of railway solutions with CRA requirements. In addition, a mapping is provided that shows how the existing deliverables and activities of EN IEC 63452 can be used to support alignment with NIS2 and the CRA.

The NIS2 Directive (EU) 2022/2555 lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market. To that end, the Directive lays down: (a) obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs); (b) cybersecurity risk-management measures and reporting obligations for entities of a type referred to in Annex I or II as well as for entities identified as critical entities under Directive (EU) 2022/2557; (c) rules and obligations on cybersecurity information sharing; (d) supervisory and enforcement obligations on Member States.

The CRA, Regulation (EU) 2024/2847, lays down: (a) rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products; (b) essential cybersecurity requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity; (c) essential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes; (d) rules on market surveillance, including monitoring, and enforcement of those rules and requirements.

The work will be based on the results of IEC PT 63452 and will give recommendations and guidance to support the alignment of railway applications with NIS2 and CRA requirements. The target users of these annexes are the railway supply chain industry delivering in the EU, and EU railway duty holders.