What is cybersecurity compliance?
Nowadays, more and more companies face the same challenge across different industries, especially in safety-critical domains like Energy, Water Treatment, Railways, and others. The challenge is particularly visible across the European Union and the Middle East, and it usually sounds something like this:
“Is your product cybersecurity compliant?” or “Is your organization/product/solution compliant with IEC 62443 (and TS 50701 for Railways)?”
While we, as consumers, are happy that more and more companies are required to comply with cybersecurity standards, meeting that requirement can be a significant challenge for the companies themselves. Let me explain.
Where did everything start from?
In most cases that we have seen over the last years, when a customer requests a supplier to be compliant or demonstrate compliance with cybersecurity requirements, even the customer doesn’t fully understand what it means or how exactly it should be demonstrated. Cybersecurity compliance is a significant gap for most players across the market, even though it is required not only by consumers but also by governmental authorities. So, let's break down this topic and finally clarify what it means to be cybersecurity compliant.
When it comes to cybersecurity compliance, you will typically encounter a few well-known standards:
- IEC 62443 series – Security for Industrial Automation and Control Systems (#IACS): This is an international cybersecurity standard series designed to protect IACS from cyber threats. It provides a framework for securing these systems throughout their lifecycle (both design and operation), addressing the needs of asset owners/operators, system integrators, and component manufacturers. The series is currently organized into four groups of parts, each providing relevant requirements and recommendations: general concepts and terminology, policies and procedures, system-level requirements, and component-level requirements. IEC 62443 aims to make industrial systems in critical sectors like transportation, energy, and manufacturing resilient against cyber-attacks, which is why it is widely applied to OT environments across many industries.
- TS 50701 – Railway applications – Cybersecurity: This CENELEC technical specification is applied across the European Union and has been adopted in several other countries, particularly in the Middle East and APAC regions. It focuses on cybersecurity for the railway domain, adapting principles from IEC 62443 to the specific needs of railways. It provides guidelines for protecting railway systems, including signalling, control, and communication networks, from cyber threats. It outlines security measures across the lifecycle of railway assets, from design to decommissioning, and applies to various stakeholders, such as infrastructure managers, system integrators, and manufacturers, covering both fixed installations and rolling stock. Over the past two years, TS 50701 has served as the foundation for the development of IEC 63452, which is expected to be published and accepted internationally in the next couple of years.
- ISO 27001 – Information Security Management Systems: This is an international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive information, ensuring its confidentiality, integrity, and availability. The standard outlines a risk-based framework that helps organizations identify potential security risks, implement controls, and monitor their effectiveness. ISO/IEC 27001 applies to organizations across all sectors, enabling them to protect their information from threats such as data breaches, cyber-attacks, and insider threats. It is widely used to demonstrate a commitment to information security best practices and regulatory compliance.
Additionally, for the EU market, there is the NIS2 Directive, which came into force in 2023. Building on the original NIS Directive from 2016, this updated version focuses on improving the resilience of essential and important sectors such as energy, transport, health, and finance. The directive establishes stricter cybersecurity requirements, mandates timely incident reporting, and promotes cooperation among member states to respond effectively to cyber threats. It aims to ensure that both public and private entities are appropriately equipped to manage cybersecurity risks, strengthening the overall security posture within the EU. All EU Member States must transpose the Directive by 17 October 2024.
Where am I in cybersecurity compliance?
Let’s tailor our example to the Railway industry for simplicity. Typically, there are a few types of organizations that are required to achieve cybersecurity compliance and to demonstrate it.
At the top of the “compliance hierarchy” are governments and authorities. These are typically the entities that push specific cybersecurity requirements down through the supply chain by initiating relevant laws and regulations, like the NIS2 Directive mentioned above, or GDPR, or by adopting generally recognized standards, such as IEC 62443, TS 50701, and others, at the national level (i.e., across the country).
Operators are the first “victims” of these improvements. They are the ones who buy and “operate” the final products from suppliers and system integrators. For Railways, these products are trains, of course, as well as the infrastructure (e.g., signalling, interlocking, fixed installations, passenger information systems, maintenance equipment, auxiliary systems, etc.). Operators are forced to be “cyber compliant” by the government and authorities to ensure passenger safety and the reliability and availability of the services and infrastructure that the nation relies on.
Manufacturers and Integrators, being the main suppliers to the operators, are the next targets in this chain. They have to deliver products and solutions according to governmental cybersecurity requirements and, sometimes, additional ones sourced from the operators.
At the same time, ensuring the robustness of cybersecurity measures for systems like rolling stock is not only challenging but also quite expensive. Thus, most manufacturers, especially those providing products globally, share this task with suppliers and system integrators. This means that when building rolling stock, manufacturers require train subsystems to already be cybersecurity compliant, reducing the resources needed to make the whole rolling stock cyber compliant.
And this “chain” continues from the higher to the lower hierarchical level, until it reaches specific components planned to be installed onboard the rolling stock or in the track-side rack units. At every level, the original requirements sourced from the top (i.e., government) can be complemented by additional ones, aiming to ensure the robustness of the solution.
How to achieve cybersecurity compliance?
The overall approach to demonstrating and ensuring compliance with cybersecurity requirements is similar for all “players” in the market. Sometimes, the only difference is your “target audience.”
When you are a component supplier, all you need to do is demonstrate that your component complies with the requested cybersecurity requirements. However, when operating at a higher level, the “game” becomes more complex because you rely on your suppliers. You must verify that delivered components, subsystems, or systems are truly compliant, not just declared to be, to avoid problems in your supply chain management.
In general, when aiming to achieve cybersecurity compliance, you should consider two aspects: technical and organizational.
From an organizational perspective, you should ensure that your company has identified, implemented, and successfully executed relevant processes that ensure the final product you deliver to your customer is compliant. This means that your products are designed, manufactured, tested, stored, delivered, maintained, and decommissioned with relevant cybersecurity measures in mind. At every phase of your product’s development and operation lifecycle, people need to know what to do to ensure its security. All of these processes must be verified and documented, ensuring traceability and the robustness of your security posture.
On the technical side, your employees must be able not only to define, test, and implement appropriate security measures, but also ensure they are efficient, avoiding unnecessary resource use, while being robust enough to guarantee compliance not only on paper but also in real life.
Lastly, the cherry on the cake, you should define, establish, and constantly manage relevant cybersecurity processes, such as vulnerability and patch management, incident response, review and update of the threat landscape, and risk levels for your product.
The good news is that all of this is defined in the standards mentioned above, and this is precisely why you are required to comply with them.
What should I do? Where to start from?
The answer is always the same—follow the standards. While standards can be cryptic and seem high-level, they contain all the necessary information you need to implement and maintain cybersecurity compliance for your product. At the same time, without a proper expert in your team, this can be a real challenge, leading to significant time and financial waste.
As a piece of advice, if you are operating in the Railway domain, it’s best to start by investigating sections 4 and 5 of the TS 50701 standard. Try to define your role within the Railway landscape and identify which processes already exist. Additionally, your safety engineers may recognize much of what is mentioned there. But be careful and don’t make a common mistake: safety and security, while sharing similar organizational approaches, objectives, and methodologies, are two different dimensions. Do not expect that your Safety Engineer or Validator, even with over 10 years of experience, can handle security as well—especially when it comes to Verification and Validation (V&V) activities. But that’s a topic for another discussion.
We are happy to help you comply with cyber security requirements. Just get in touch with us!