
Rail cyber resilience in 2026: Leveraging the TS 50701 assessment



Prayukth K V

January 6, 2026

As an economically important segment of infrastructure, railways have always been on the radar of state-backed threat actors. As the recent incidents in Romania have shown, we have entered an era of opportunistic cyberattacks. This means that cyber defenders now have to be on guard at all times and keep their defenses robust against any form of cyber aggression.

The era of "security by isolation" and perimeter-based defense in the railway sector is officially over. As we move through 2026, the industry has now fully embraced the digital twin, automated operations management across divisions, FRMCS (Future Railway Mobile Communication System), and AI-driven predictive maintenance. The Internet of Things is in fact assisting railway operators across asset tracking, infrastructure management and more. However, this connectivity has also turned the railway network into a massive, distributed attack surface that could be compromised.

For railway operators and suppliers, CLC/TS 50701 (soon transitioning toward the global IEC 63452) is no longer a simple technical specification. Instead, it is a primer for ensuring robust cyber defense in an era characterized by complex cyberattacks and breaches.  


The 2026 reality: Third-parties and the "agentic" threat

In 2026, we are seeing a shift in the nature of breaches. We have moved well past simple ransomware; we are now facing supply chain sabotage and AI-driven social engineering. Threat actors are pushing the boundaries of breaches like never before. Instead of simply waiting to strike, they are now building up a path to a breach.

  • The third-party tsunami: Recent breaches (reminiscent of the 2024 UK station Wi-Fi defacement) have proven that attackers don't need to break your firewall. They just need to compromise a subcontractor’s admin account or even a generic email ID. In 2026, your TS 50701 assessment must extend deep into your vendors' Software Bill of Materials (SBOMs) and bring in a higher level of extended asset, process, people and network awareness.

  • Agentic AI attacks: Threat actors are now using a wide range of trained autonomous AI agents to probe railway OT (Operational Technology) networks for vulnerabilities in real-time. Such tools are now improving in terms of accuracy. This means manual, "once-a-year" assessments are fast becoming obsolete; continuous monitoring and action is the new baseline.

  • Lack of uniform training and incident response capabilities: Due to a lack of standardization in both of these critical areas, both the timeliness and the quality of response are impacted. This results in a wider spread of a breach and loss of more data.

Sector-specific challenges faced by railway operators

Railways face unique challenges that traditional IT environments often do not, namely safety, security, and longevity.

  • Safety vs. security: In the railways, security measures must never compromise functional safety (RAMS). A security "lockdown" that prevents an emergency signal from reaching a train is a failure, not a success.

  • Legacy inheritance: Many systems running today were designed in the 1990s. Retrofitting TS 50701 requirements onto 30-year-old interlocking systems requires a delicate balance of "compensating controls" rather than simple software patches.

  • Unencrypted signaling: As seen in the 2023 Poland "radio stop" incidents, unencrypted VHF frequencies remain a vulnerability. 2026 assessments are focusing heavily on the transition to encrypted FRMCS protocols.

How to conduct a TS 50701 assessment in 2026

A modern assessment of railway infrastructure is a multi-phased journey that aligns with the EN 50126 lifecycle.

| Phase | Activity | 2026 Focus |
| --- | --- | --- |
| Definition | Identify the "System under Consideration" (SuC). | Map all cloud-based maintenance APIs. |
| Zoning | Divide the network into "Security Zones" (per IEC 62443). | Isolate passenger Wi-Fi from signaling completely. |
| Risk analysis | Use STRIDE or similar models to calculate risk. | Account for "AI-automated" attack frequencies. |
| Extended threat surface analysis | Figure out threat surface exposure from vendors and partners and the risk connected to that. | Enforce IEC 62443 discipline within and externally as well. |
| Security Levels | Define the required SL-T (Target Security Level). | SL-3 or SL-4 is now standard for signaling. |
| The "Cyber Case" | Compile evidence for the assessor. | Link cybersecurity evidence directly to the Safety Case. |

The foundational risk formula used in these assessments remains:

Overall Risk = Likelihood × Impact

In 2026, however, Likelihood is being re-evaluated due to the automation of exploits, often necessitating higher Security Levels (SL) than previously required. This means that by default you need to be at a level higher than where you are today. SL goals have to be revised every year by adding more controls.

Selecting a vendor: Red flags vs. green flags

Don't just hire a "standard" IT security firm. Railway OT is a different beast.

  • Green flags:

    • Domain Expertise: Do they know the difference between an ERTMS Balise and a standard IoT sensor?

    • Safety Awareness: They should speak the language of "SIL" (Safety Integrity Level) as fluently as "CVE."

  • Red flags:

    • They propose "Active Scanning" on live OT networks (this can crash legacy signaling systems).

    • They focus purely on ISO 27001 without mentioning IEC 62443 or TS 50701.

A firm with extensive and specialized expertise in OT security is desirable.

The 2026 roadmap to compliance

Q1: The inventory reset

Conduct a full asset discovery and validation. In 2026, this includes "shadow OT" such as unauthorized 4G/5G modems installed by maintenance crews for "ease of access."

Q2: SBOM and third-party audit

Review the Software Bill of Materials for all critical components. Validate that your vendors comply with the Cyber Resilience Act (CRA) requirements.

Q3: Gap analysis and remediation

Perform a formal gap analysis against TS 50701:2023. Implement "Virtual Patching" for legacy systems that cannot be updated.

Q4: Certification and continuous monitoring

Finalize your "Cybersecurity Case." Deploy an OT-specific IDS (Intrusion Detection System) such as Shieldworkz to move from static compliance to dynamic resilience.

The 2026 TS 50701 compliance checklist

1. Governance and system definition (The Foundation)

  • [ ] Define the System under Consideration (SuC): Have you clearly drawn a perimeter around the assets (e.g., On-board, Trackside, or Control Center) being assessed?

  • [ ] Asset Inventory 2.0: Does your inventory include "Shadow OT," legacy serial-to-IP converters, and all temporary maintenance laptops?

  • [ ] Safety-Security Sync: Has a formal meeting occurred between the CISO and the Safety (RAMS) Engineer to ensure security controls don't trigger "fail-safe" states unexpectedly?

  • [ ] Policy Alignment: Is your cybersecurity policy updated to reflect NIS2 requirements and the transition from TS 50701 to IEC 63452?

2. Zoning and architecture (With segmentation)

  • [ ] Zone Mapping: Are critical signalling functions (e.g., Interlocking, RBC) logically and physically isolated from non-critical systems (e.g., Passenger Information Systems)?

  • [ ] Conduit Analysis: Have you identified every data path (Conduit) crossing zone boundaries?

  • [ ] Boundary Protection: Are firewalls or unidirectional gateways (Data Diodes) implemented between IT and OT zones?

  • [ ] Wireless Hardening: For FRMCS or Wi-Fi zones, is encryption enforced at the link layer to prevent "Radio Stop" or spoofing attacks?
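
The zone mapping and conduit analysis items above can be checked against observed traffic. The following is an added example, not part of the original post: it audits passively collected flow records against a zone and conduit model. All zone names, address ranges, ports and flow records are constructed for illustration.

```python
import ipaddress

# Constructed zone model: CIDR -> zone name (addresses are illustrative).
ZONES = {
    "10.10.0.0/24": "signalling",        # interlocking, RBC
    "10.20.0.0/24": "control_centre",
    "10.30.0.0/24": "passenger_info",    # Passenger Information Systems
    "172.16.0.0/16": "passenger_wifi",
}
# Approved conduits (constructed): (source zone, destination zone, destination port).
CONDUITS = {
    ("control_centre", "signalling", 4840),
    ("signalling", "control_centre", 6514),
    ("control_centre", "passenger_info", 443),
}
# Constructed flow records (src ip, dst ip, dst port), as from passive monitoring.
FLOWS = [
    ("10.20.0.5", "10.10.0.11", 4840),    # approved conduit
    ("10.10.0.11", "10.10.0.12", 50000),  # stays inside the signalling zone
    ("172.16.4.9", "10.10.0.11", 502),    # passenger Wi-Fi reaching signalling
    ("10.30.0.7", "10.10.0.11", 22),      # PIS reaching signalling
    ("192.168.8.1", "10.10.0.12", 443),   # source not in any zone (shadow OT?)
]

_NETS = [(ipaddress.ip_network(c), z) for c, z in ZONES.items()]

def zone_of(ip):
    """Return the zone an address belongs to, or 'unzoned' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    return "unzoned"

def audit_flows(flows):
    """Return flows that cross a zone boundary without an approved conduit."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unzoned":
            continue  # intra-zone traffic is out of scope for conduit analysis
        if "unzoned" in (sz, dz):
            findings.append((src, dst, port, f"{sz}->{dz}", "unmapped asset"))
        elif (sz, dz, port) not in CONDUITS:
            findings.append((src, dst, port, f"{sz}->{dz}", "no approved conduit"))
    return findings
```

Conduits are directional here, so an approved control-centre-to-signalling path does not implicitly approve the reverse direction.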

3. Risk assessment and Security Levels (AKA the strategy)

  • [ ] Threat modelling: Have you performed a STRIDE or CSM-RA based risk assessment that includes "Agentic AI" threat scenarios?

  • [ ] SL-T assignment: Have you assigned a Target Security Level (SL-T) of at least SL-3 for safety-critical signaling zones?

  • [ ] Impact analysis: As I always ask, have you quantified the impact of a breach not just in "data lost" but in "Train Kilometers lost" and/or "Passenger Safety risk"? Quantifying the risk and mapping it to a well-understood metric helps employees, the board and other stakeholders visualise the threat and risk.

4. Supply chain and third-party (The 2026 Frontier)

  • [ ] SBOM verification: Do you have a Software Bill of Materials for every new component? Can you scan them for "Zero-Day" vulnerabilities automatically?

  • [ ] Contractual "right to audit": Do your contracts with subcontractors (e.g., rolling stock maintainers) allow you to perform unannounced security audits of their remote access tools?

  • [ ] Remote access lockdown: Is all third-party maintenance performed via a Secure Access Service Edge (SASE) or a "Jump Server" with Multi-Factor Authentication (MFA)?

5. Operational maintenance (AKA the long game)

  • [ ] Vulnerability Management: Do you have a process to ingest VEX (Vulnerability Exploitability eXchange) files to prioritize which OT patches are actually critical?

  • [ ] Incident Response: Is there a "Rail-Specific" IR plan? (e.g., Does the SOC know who to call at the Dispatch Center if a train starts behaving erratically?)

  • [ ] The Cybersecurity Case: Have you compiled the "Cyber Case"—the body of evidence proving that all TS 50701 requirements have been met—ready for the Independent Safety Assessor (ISA)?
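
The vulnerability management item above asks for a process that ingests VEX files to decide which OT patches matter. The following is an added example, not part of the original post: it filters scanner findings for SBOM components through vendor VEX statements. It assumes a trimmed OpenVEX-style JSON layout (the post does not name a VEX format), and every component name and CVE identifier is a constructed placeholder.

```python
import json

# Constructed scanner findings for components listed in an SBOM.
# Identifiers are placeholders, not real CVEs or products.
FINDINGS = [
    {"purl": "pkg:generic/rbc-gateway-fw@2.1.0", "vuln": "CVE-0000-0001", "cvss": 9.8},
    {"purl": "pkg:generic/rbc-gateway-fw@2.1.0", "vuln": "CVE-0000-0002", "cvss": 7.5},
    {"purl": "pkg:generic/hmi-runtime@5.4.2", "vuln": "CVE-0000-0003", "cvss": 8.1},
    {"purl": "pkg:generic/hmi-runtime@5.4.2", "vuln": "CVE-0000-0004", "cvss": 6.5},
]

# Constructed, trimmed OpenVEX-style document as a vendor might supply it.
VEX_JSON = """
{"@context": "https://openvex.dev/ns/v0.2.0",
 "statements": [
  {"vulnerability": {"name": "CVE-0000-0001"},
   "products": [{"@id": "pkg:generic/rbc-gateway-fw@2.1.0"}],
   "status": "not_affected",
   "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": {"name": "CVE-0000-0002"},
   "products": [{"@id": "pkg:generic/rbc-gateway-fw@2.1.0"}],
   "status": "affected"},
  {"vulnerability": {"name": "CVE-0000-0003"},
   "products": [{"@id": "pkg:generic/hmi-runtime@5.4.2"}],
   "status": "fixed"}
 ]}
"""

# Findings with no vendor statement stay on the list until someone assesses them.
ACTIONABLE = {"affected", "under_investigation", "no_vex_statement"}

def load_vex(text):
    """Index VEX statements by (product id, vulnerability name); later statements win."""
    index = {}
    for st in json.loads(text).get("statements", []):
        for prod in st.get("products", []):
            index[(prod["@id"], st["vulnerability"]["name"])] = st["status"]
    return index

def triage(findings, vex_index):
    """Return actionable findings, highest CVSS first, each tagged with its VEX status."""
    out = []
    for f in findings:
        status = vex_index.get((f["purl"], f["vuln"]), "no_vex_statement")
        if status in ACTIONABLE:
            out.append({**f, "vex_status": status})
    return sorted(out, key=lambda f: f["cvss"], reverse=True)
```

With this sample data the 9.8-scored finding drops out because the vendor states the vulnerable code is not in the execute path, while the 7.5 finding and the one with no statement remain in the patch queue.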

How to use this checklist

In 2026, "Compliance" is no longer a static document with ancient questions that you file away without giving it a second thought. TS 50701 is now the baseline for the Cyber Resilience Act (CRA) and even NIS2. If you cannot check off at least 80% of these items, your system may not only be at risk of a breach but may also face significant regulatory scrutiny including fines and "Stop-Service" orders from national rail authorities.

Lastly, key takeaway for 2026: Compliance is the floor, not the ceiling. A "compliant" system that isn't monitored is just a target waiting for the right AI agent to find it.
