
How to navigate IEC 62443 4-1 and 4-2 requirements: A guide for railway component manufacturers

Prayukth KV
14 November 2025
The railway industry is in the middle of an industry-wide transformation. From ERTMS and automated signalling and locomotives to predictive maintenance and highly connected rolling stock, our systems are now smarter, more connected and more available than ever. However, connectivity comes with a catch: a digital-first railway also has a digital-first attack surface that is ever expanding. That expansion may not even be on the radar of the cybersecurity teams defending the Operational Technology infrastructure.
On the other side, for manufacturers of railway components (a list that includes the PLCs, HMIs, onboard controllers, and trackside units that form the backbone of the network), the focus on cybersecurity is now greater than ever. Components should now be safe and secure, and should never contribute in any manner to an unauthorized cyber intrusion or attack.
This is usually where the IEC 62443 series of standards comes into the picture. If you are a component manufacturer, two parts should draw your attention: IEC 62443-4-1 and IEC 62443-4-2.
The unique railway challenge: Safety, security, and 30-year lifecycles
Why is a generic IT security standard never good enough? Because railway infrastructure is unique; it is certainly not a data center. There are a few other considerations as well:
Long lifecycles: Your components should be able to operate reliably for 2-3 decades, not the 3-5 years of an office PC.
High availability: You just can't "reboot the system." Downtime in rail infrastructure doesn't just cost money; it can bring a company, city or even a country to a grinding halt.
Safety is right up there: A cyber-attack on a signaling system cannot be equated to a data breach; it's a potential safety catastrophe. Security and safety (like RAMS under EN 50126) are now inextricably linked. A cyberattack can manifest in a way that may lead railway operators to believe it was a malfunction.
Lives are at risk: Railways transport people, and any security risk can easily turn into a safety risk.
Because of these unique needs and risks, the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) created CLC/TS 50701. More specifically, CENELEC's technical committee TC 9X developed the standard for cybersecurity in railway applications. TS 50701 is now a gold standard for the industry and is built directly on the foundation of IEC 62443.
In summary, if you want to sell into the rail market, you need to understand 62443.
The process vs. product discussion: Decoding 62443-4-1 and 62443-4-2
The easiest way to describe these two standards is "how you build" versus "what you build."
IEC 62443-4-1: This is the Secure Development Lifecycle (SDL) standard. It's about your process (how you do it).
IEC 62443-4-2: This is the Technical Component Requirements standard. It's about your product (what you manufacture).
You can't have one without the other. A secure product (4-2) can only be built and maintained by a secure process (4-1).
IEC 62443-4-1: Securing the backend
This standard asks: Is your organization set up to build and maintain secure products? It doesn't look at your component's code; it audits your company's procedures. Key practices include:
Security management: Do you have a product security officer? Do you train your developers in secure coding?
Secure design: Do you perform threat modeling (like STRIDE) during the design phase?
Secure implementation: Do you have secure coding guidelines and use static analysis tools?
Verification and validation: Do you perform security-specific tests, like penetration testing and fuzz testing?
Defect and patch management: This is critical for rail. Do you have a Product Security Incident Response Team (PSIRT)? What is your publicly stated plan for handling a new vulnerability? How will you deliver patches for a component you sold a decade and a half ago?
The takeaway for railway component manufacturers: A 4-1 certification proves to operators that you are a mature, long-term partner they can trust to support a component's security for its entire 25-year life.
IEC 62443-4-2: Securing the frontend
This standard defines the specific security features (or "ingredients") your component must have. It defines requirements based on four Security Levels (SLs), from SL-1 (protecting against accidental misuse) to SL-4 (protecting against nation-state attackers).
The standard groups these features into seven Foundational Requirements (FRs):
| FR # | Foundation | What it means for your component |
|---|---|---|
| FR 1 | Identification & Access Control (IAC) | "Can you tell who you are?" (such as role-based access, password strength) |
| FR 2 | Use Control (UC) | "What are you allowed to do (specifically)?" (such as restricting access to engineering functions) |
| FR 3 | System Integrity (SI) | "Are you in a known, good state?" (such as secure boot, firmware signing) |
| FR 4 | Data Confidentiality (DC) | "Can someone spy on your data?" (such as encrypting data at rest and in transit) |
| FR 5 | Restricted Data Flow (RDF) | "Are you talking to things you shouldn't?" (such as blocking unused ports) |
| FR 6 | Timely Response to Events (TRE) | "Can you tell me if something bad happened?" (such as secure audit logs) |
| FR 7 | Resource Availability (RA) | "Can you withstand an attack?" (such as protection against Denial of Service) |
The Railway Takeaway: Your product must have these features "out of the box." An operator needs to buy your PLC for a level crossing and know it can be configured to meet the SL-2 or SL-3 requirements defined in their risk assessment.
A modest five-step roadmap for IEC 62443-4-1 and 4-2 compliance
The initial steps can sometimes feel overwhelming, but it's a logical journey and you have to make a start. Here is a practical roadmap for a railway component manufacturer.
Step 1: Scope and Gap Analysis
Identify: Which of your products (new and existing) are in scope? Focus on anything with a network interface or configuration port.
Analyze (Process): Conduct a gap analysis of your current development lifecycle against the 8 practices of 62443-4-1. Be honest. Where are the holes?
Analyze (Product): Pick a target Security Level for your key products (e.g., SL-2 is a common target). Now, map your component's current features against the 62443-4-2 requirements for that SL. Where are the gaps?
Step 2: Build your Secure Development Lifecycle (IEC 62443-4-1)
Foundation first: You must build the process first.
Appoint: Designate a Product Security Officer/Team.
Define: Create the missing policies. Start with the most critical:
A secure coding standard.
A mandatory threat modeling step in your design phase.
A formal vulnerability management and response plan (your PSIRT).
Train: Train your engineering, product, and QA teams on these new processes.
Step 3: Engineer your secure product (IEC 62443-4-2)
Integrate: Feed the gaps you found in Step 1 into your product backlog and address them.
Implement: This is the engineering work. Add features to meet the 7 FRs. This means adding secure boot, implementing user roles, creating robust audit logs, and hardening network services.
Document: This is vital for rail. You must create the "Cybersecurity Case" documentation (a term from TS 50701). This includes secure configuration guides, vulnerability test reports, and a list of all security features.
Step 4: Verify, validate, and assess
Test Internally: Your V&V team must now test for security. This includes vulnerability scanning, penetration testing, and fuzz testing.
Engage Externally: To get certified, you will need an accredited third-party assessment lab (like TÜV, exida, Bureau Veritas, etc.). They will audit your 4-1 process and test your 4-2 product.
Certify: The goal is a formal certificate (such as an ISASecure or TÜV certificate) that you can show to customers.
Step 5: Maintain and respond (The Long Haul)
Activate: Your PSIRT is now "live." You must monitor for vulnerabilities in your code and in third-party components (e.g., your Linux OS).
Respond: When a vulnerability is found, your 4-1 process kicks in. You'll need to assess the risk, develop a patch, and communicate the fix to all your rail operator customers. This must be reliable for decades.
Conclusion: Security is the new market enabler
Achieving compliance with IEC 62443-4-1 and 4-2 is not just a technical hurdle anymore. Instead, it is a core business enabler.
Rail operators are now adding this as a mandatory requirement in their tenders. They are shifting the security burden onto you, the manufacturer, and you need to rise to the challenge. Being able to provide a 4-2 certified component, backed by a 4-1 certified process, moves you from just a "supplier" to a "trusted partner." It is the ultimate proof that your products are ready for the long, demanding, and secure future of the railway.