Laws and regulations

(CS)² Standards & Regulations Guide

Use the format below to find the relevant standards or regulations based on your query, or you can clear filters to browse all items.

Title Sponsor: FM Approvals

Community Resource Committee Members

Khalid Ansari (https://www.linkedin.com/in/kansari/)
Katie Pehrson
Jackie Kalter
Monique Clarke


UNECE R155

Type: Regulation
Status: Currently in force
Relevant Use: EU, Asia (?)

The UNECE R155 standard, officially known as UN Regulation No. 155, focuses on cybersecurity and cybersecurity management systems for vehicles. It requires automotive manufacturers to operate a cybersecurity management system (CSMS). The main purpose of the CSMS is to manage the risks to the vehicle by performing threat analysis, mitigating vulnerabilities, and managing third-party supplier risk as well.

ANSI/ISA-62443-2-1-2024

Type: Standard
Status: Published 2024
Relevant Use: Global

The ISA 62443-2-1:2024 describes security policy and procedure requirements for asset owners/operators. The document acknowledges that an IACS can have a lifespan of 20+ years, so not all of the security requirements it includes will be applicable. The document doesn't require all of the technical security requirements to be implemented; instead it requires that organizations have policies and procedures that address these types of requirements. In some cases, compensating measures will need to be implemented via policies and procedures in place of the security requirements identified in this standard.

IEC 62304

Type: International Standard
Status: Published first in May 2006 (Edition 1), confirmed by IEC in 2021; amendment 1 issued in 2015
Relevant Use: Global / adopted as national standards (e.g. CEI EN in Europe, FDA-recognized in US)

A framework of processes, activities, and tasks: a software life-cycle standard for the safe development and maintenance of medical device software.

UL2900-2-2 – Part 2-2: Particular Requirements for Industrial Control Systems

Type: Standard
Status: Published
Relevant Use: USA/CAN

UL2900-1 – Software Cybersecurity for Network Connectable Products Part 1: General Requirements

Type: Standard
Status: Published
Relevant Use: USA/CAN

Cybersecurity Capability Maturity Model (C2M2)

Type: Maturity Model
Status: Published
Relevant Use: USA

The Cybersecurity Capability Maturity Model (C2M2) is designed to help organizations improve their cybersecurity capabilities and practices. C2M2 covers various sectors that require robust cybersecurity measures, providing a structured approach to evaluating and improving an organization's cybersecurity practices, maturity levels, and implementation.

IACS-UR-E27

Type: Regulation (updated)
Status: Active as of Jan 2024
Relevant Use: Global

In an increasingly digitalized and interconnected world, where the maritime industry continues to adopt, at pace, new digital technologies, it remains imperative to focus on cyber threats and attacks that could compromise operations, safety and data integrity.

2014/53/EU (RED)

Type: Directive
Status: Adopted April 2014
Relevant Use: EU

The Radio Equipment Directive (2014/53/EU) includes key cybersecurity provisions to ensure the security of radio equipment. Articles 3(3)(d), (e), and (f) focus on preventing the misuse of network resources, protecting personal data and privacy, and implementing measures against fraud. These requirements are particularly important for internet-connected and wearable devices, ensuring they are secure and effectively protect user data.

NIST/FCC IoT Consumer Product Labeling

Type: Guideline
Status: WIP
Relevant Use: USA

This may not be relevant to Cs2AI members as it targets consumer products.

ANSI/ISA-62443-3-3-2013

Type: Standard
Status: Published 2013
Relevant Use: Global

The ISA/IEC 62443-3-3:2013 provides detailed technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1, including the requirements for control system capability security levels. These requirements are used by various members of the industrial automation and control system (IACS) community together with the zones and conduits defined for the system under consideration (SuC).

ANSI/ISA-62443-2-4-2018

Type: Standard
Status: Published 2018
Relevant Use: Global

The ISA/IEC 62443-2-4:2018 describes requirements for the security capabilities that service providers can offer to the asset owner during the integration and maintenance phases of a control system.

IEC-62443-2-1-2024

Type: Standard
Status: Published 2024
Relevant Use: Global

The IEC 62443-2-1:2024 describes security policy and procedure requirements for asset owners/operators. The document acknowledges that an IACS can have a lifespan of 20+ years, so not all of the security requirements it includes will be applicable. The document doesn't require all of the technical security requirements to be implemented; instead it requires that organizations have policies and procedures that address these types of requirements. In some cases, compensating measures will need to be implemented via policies and procedures in place of the security requirements identified in this standard.

ISA/IEC-62443

Type: Standard
Status: Published 2020
Relevant Use: Global

The ISA/IEC 62443 series of standards defines requirements and procedures for implementing electronically secure automation and industrial control systems and security practices, and for assessing electronic security performance. ISA/IEC 62443 provides a common set of requirements that enables product suppliers to deliver reliable, secure, and interoperable devices and systems.

API-1164

Type: Standard
Status: Published
Relevant Use: USA

Provides requirements and guidelines for managing cyber risks, tailored to the oil and natural gas pipeline industry. The standard includes requirements that should be customized prior to implementation. It applies to SCADA, local control, and IoT solutions and is not intended to be used for safety instrumented systems.

NERC CIP

Type: Standard, Regulation
Status: Currently in force
Relevant Use: USA, Canada, Mexico

Mandatory Bulk Electric System (BES) cybersecurity regulations that apply to utility companies connected to the North American power grid.

ANSI/ISA-62443-4-1-2018

Type: Standard
Status: Published 2018
Relevant Use: Global

The ISA/IEC 62443-4-1:2018 specifies the process requirements for the secure development of products used in industrial automation and control systems (IACS). The life-cycle description includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end-of-life.

ISO 14971

Type: International Standard (risk management standard)
Status: 3rd Edition, ISO 14971:2019 published Dec 2019; confirmed current in 2025; includes ISO 14971:2019+A11:2021 harmonized annexes for EU MDR/IVDR
Relevant Use: Global / adopted nationally (e.g. EN ISO 14971 in EU)

Describes the systematic application of policies, procedures, and practices for hazard identification, risk estimation, evaluation, control, and monitoring throughout the product life cycle.

UL2900-2-3 – Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems

Type: Standard
Status: Published
Relevant Use: USA/CAN

UL2900-2-1 – Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems

Type: Standard
Status: Published
Relevant Use: USA/CAN

UL 2900-2-1, the UL Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, was published and adopted as an ANSI standard in September 2017. The UL 2900-2-1 standard says it “applies to the testing of network connected components of healthcare systems,” including these:
* Medical devices
* Accessories to medical devices
* Medical device data systems
* In vitro diagnostic devices
* Health information technology
* Wellness devices

Critical Infrastructure Maturity Model (CIMM)

Type: Maturity Model
Status: Published
Relevant Use: USA

The Critical Infrastructure Maturity Model (CIMM) aims to provide a structured approach for organizations to evaluate their current maturity level in managing critical infrastructure and to identify areas for improvement. It focuses on enhancing the overall resilience and security of infrastructure that is vital to national security, economic stability, and public safety. CIMM typically defines multiple maturity levels, ranging from basic to advanced; these levels help organizations understand their current capabilities and set goals for improvement.

TSA Pipeline Security Guidelines 2018

Type: Guideline
Status: Published
Relevant Use: USA

The Transportation Security Administration (TSA) Pipeline Security Guidelines are a set of recommendations for pipeline owners and operators to develop security plans and programs. The guidelines include security measures for both physical and cyber security and are considered the industry standard.

IACS-UR-E26

Type: Regulation (updated)
Status: Active as of Jan 2024
Relevant Use: Global

In an increasingly digitalized and interconnected world, where the maritime industry continues to adopt, at pace, new digital technologies, it remains imperative to focus on cyber threats and attacks that could compromise operations, safety and data integrity.

SEMI E188

Type: Standard
Status:
Relevant Use: Global

ANSI/ISA-62443-4-2-2018

Type: Standard
Status: Published 2019
Relevant Use: Global

The ISA/IEC 62443-4-2 standard specifies the technical cybersecurity requirements for components of Industrial Automation and Control Systems (IACS).

ANSI/ISA-62443-3-2-2020

Type: Standard
Status: Published 2020
Relevant Use: Global

The ISA/IEC 62443-3-2:2020 establishes requirements for performing security risk assessments for system design.

ISA-TR62443-2-3-2015

Type: Standard
Status: Published 2015
Relevant Use: Global

The ISA/IEC TR 62443-2-3:2015(E) describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program.

ISA-62443-1-1-2007

Type: Standard
Status: Published 2007
Relevant Use: Global

The ISA 62443-1-1 is the first in the technical specifications created in the ISA/IEC 62443 series. It provides an overview of terminology, concepts, and models used throughout the ISA/IEC 62443 series and is foundational to information presented in other technical specifications, technical reports, and international standards included in the series.

ETSI EN 303-645

Type: Standard
Status: In force
Relevant Use: Europe

ETSI 303 645 is the first global cybersecurity standard for consumer IoT products, creating a cybersecurity baseline for manufacturers which can help ensure cybersecurity is incorporated into IoT products from their design.

NFPA 72

Type: Code
Status: Published
Relevant Use: USA

A code developed by the National Fire Protection Association (NFPA) that outlines requirements for the installation, testing, and maintenance of fire alarm systems and emergency communication systems.

TS SD 1580/82 -2022-01A

Type: Directive
Status: In Force
Relevant Use: USA

TSA-designated freight and passenger railroads, notified by TSA based on a risk determination, must establish and implement a TSA-approved Cyber Implementation Plan (CIP) that describes the specific measures employed and the schedule for achieving the outcomes more fully described in Sections III.A through III.E, and must develop a Cyber Assessment Plan (CAP) for proactively assessing and auditing cybersecurity measures, as required by Section III.F.1.

Have expertise in an existing or developing standard or regulation? Volunteer to develop this further!
