View by Author

Most Recent Articles

Modern train in evening light

IEC 63452 – railway sector cyber security standardisation and Australian relevance

By Published On: 3 February 2026Categories: Critical Infrastructure, Security

IEC 63452 is emerging as the dedicated global cybersecurity standard [...]

Share This Article:

IEC 63452 is emerging as the dedicated global cybersecurity standard for railways and is currently progressing through IEC voting, I’ve written about this previously including timeframes with an expected formal publication targeted around mid‑2026.  With Australia having recently adopted AS IEC 62443 as the national OT cybersecurity standard, the timing is ideal to consider whether IEC 63452 should also be endorsed nationally and how this would interact with AS 7770 (Rail Cyber Security) and existing rail cyber frameworks.

So, where exactly IEC 63452 is up to?

IEC 63452 is being developed under IEC TC9/PT 63452 as the successor to TS 50701 (Railway applications – Cybersecurity), extending and formalising a full‑lifecycle cybersecurity framework for railway applications. The draft is with National Committees for comment and voting, with forecasts indicating a consolidated publication of the first edition around mid – 2026, after which it is expected to supersede TS 50701 in Europe and become the global baseline for rail cyber.

IEC 63452, covers all railway environments which include:

  • Mainline
  • Metro
  • Trams
  • Freight
  • Fully automated systems
  • Rolling stock and fixed installations

Importantly, IEC 63452 builds directly on IEC 62443 concepts while tailoring risk management, roles and lifecycle controls to rail‑specific architectures, safety constraints and operational practices.

Why IEC 63452 matters for Australia?

For Australian operators, IEC 63452 offers a rail‑specific cyber standard that complements the horizontal AS 62443 series now adopted as national standards for OT security. It embeds continuous monitoring, structured vulnerability management and cyber assurance across the system lifecycle, matching the direction of both TS 50701‑based assessments and emerging expectations under European NIS2/CRA regimes that influence global supply chains.

Key implications:

  • Suppliers and integrators delivering to Europe will increasingly align with IEC 63452, making it a de‑facto requirement for global rolling stock and signalling projects.
  • Australian rail networks already referencing AS 7770 and IEC 62443 can use IEC 63452 to tighten the mapping between safety cases, operational constraints and cyber risk treatments for rail‑specific systems.

ARISO, Standards Australia and AS 62443

Standards Australia has now formally adopted the IEC 62443 series as AS 62443, positioning it as the primary OT cybersecurity reference for critical infrastructure sectors. The adoption relied on the IT‑006 and related national committees to confirm relevance, align with regulatory obligations (including the Cyber Security Act 2024) and ensure sector‑agnostic applicability.

For a body like the Australian Rail Industry Standards Organisation (ARISO), or an Australian rail cyber working group more broadly, the IEC 62443 adoption provides a useful precedent:

  • AS 62443 establishes the horizontal control framework and maturity expectations for OT and IACS security across industries.
  • IEC 63452 can then be positioned as the vertical rail application standard, mapping rail system roles and safety‑critical contexts back to AS 62443 security requirements and zones/conduits.

This combination allows Standards Australia to endorse IEC 63452 as an Australian Standard while clearly stating its relationship to AS 62443, avoiding duplication and providing a layered architecture of standards.

Questions ARISO should ask about national endorsement

If ARISO wishes to advocate for IEC 63452 to be endorsed as an Australian Standard (e.g. AS 63452), several strategic questions are worth posing to Standards Australia, government and industry:

  • Alignment and scope
    • How should IEC 63452 be positioned relative to AS 62443: as a mandatory rail application profile, a recommended guidance standard, or a fully co‑equal requirement for rail OT environments?
    • To what extent should IEC 63452 explicitly reference and rely on AS 62443 for foundational concepts such as zones/conduits, security levels and role‑based requirements?
  • Regulatory and policy fit
    • How can endorsement of IEC 63452 support obligations under the Security of Critical Infrastructure regulatory regime and the Cyber Security Act 2024, particularly for operators of national‑significance rail assets.
    • Should IEC 63452 be referenced in more formal future guidance from ONRSR, TISN, or sector‑specific cyber strategies as the primary rail cyber benchmark, alongside AS 62443 for broader OT controls?
  • Industry readiness and burden
    • What is the current maturity of Australian RTOs and suppliers against TS 50701 and IEC 62443, and what uplift would be needed to practically comply with IEC 63452 within a 3–5 year horizon?
    • How can endorsement be phased so that new procurements and major upgrades adopt IEC 63452 from day one, while legacy systems follow a risk‑based roadmap rather than a “big bang” compliance requirement or a retro fit approach which in my experience has not yielded the best outcomes for brownfield operations?
  • Governance and maintenance
    • Which Australian committee should own the ongoing review and localisation of IEC 63452 once adopted as an AS, and how will feedback from RTOs, OEMs and integrators be captured?
    • How will updates to IEC 63452, TS 50701 and AS 62443 be tracked and reconciled to avoid conflicts or overlapping requirements for asset owners and suppliers?

These questions can form the backbone of a consultation paper or position statement that ARISO uses to test appetite for endorsement across operators, OEMs, integrators, regulators and insurance stakeholders.

Why AS 7770 should also be reviewed

AS 7770:2018 is currently the primary Australian rail cyber standard, setting out requirements for RTOs to manage cyber risk across OT and IT used to operate the railway network. It predates both TS 50701 and the recent AS 62443 adoption and focuses strongly on risk assessment, protection of train control systems and embedding cyber principles into rail safety management systems.

In light of IEC 63452 and AS 62443, AS 7770 now raises important review questions:

  • Should AS 7770 be revised to reference AS 62443 and IEC 63452 as the normative technical baselines for control‑system and rail‑specific cyber controls, while AS 7770 itself focuses on governance, integration with safety, and Australian regulatory context?
  • Is there value in restructuring AS 7770 into a higher‑level rail cyber governance standard, with IEC 63452 providing the detailed technical and lifecycle requirements for assets, systems and suppliers?
  • How will Australian‑specific issues (regional operating practices, legacy signalling, regional and remote communications, sovereign hosting and DISP‑like requirements) be layered on top of IEC 63452 rather than handled in isolation?

For ARISO, a practical path may be to argue that any national endorsement of IEC 63452 should be coupled with a systematic revision of AS 7770, ensuring consistency and giving Australian rail a coherent, modernised cyber standards stack that links policy, safety, OT controls and rail‑specific technical requirements.

James Kambourian
By Published On: 3 February 2026Categories: Critical Infrastructure, Security

Categories

Subscribe

Subscribe to our newsletter and get the latest news and information from Anchoram.

Most Recent Articles

Author Profiles