Situation
Hyundai Rotem is leading the delivery of the rolling stock component of Australia’s State of Queensland Train Manufacturing Program (QTMP), a major initiative that will deliver 65 new six-car passenger trains alongside two new rail facilities:
• A manufacturing site at Torbanlea on the Fraser Coast
• A maintenance/operations facility in Ormeau, Gold Coast.
QTMP supports Queensland’s wider infrastructure investments, including the upcoming Cross River Rail project and preparation for the 2032 Summer Olympic and Paralympic Games.
As part of its scope, Hyundai Rotem must demonstrate end-to-end compliance with major cyber security standards — specifically IEC 62443 and CLC/TS 50701 — for its new EMU fleet.
NCC Group was engaged as Hyundai Rotem’s specialist cyber security partner. NCC Group also worked with Downer Group’s trusted, on-the-ground rail engineers to deliver the cyber risk analysis, assessment, testing, and assurance activities required across the program lifecycle.
Both the Hyundai Rotem and the QTMP teams massively appreciated the “safety first” approach the collective teams brought throughout the project.
At a glance
Organization: Queensland Train Manufacturing Program (QTMP)
Industry/Sector: Transport
Situation: The project is a major rail construction program. The delivery required detailed, compliance-based cyber risk assessments for two manufacturing facilities.
Challenges: Complex regulations and standards, multi-phase delivery, and multinational teams required slick coordination.
Solution: NCC Group’s rail transport security experts led structured assessments, design reviews, testing, and oversaw cyber compliance requirements.
Results: QTMP is meeting their compliance and rail construction objectives whilst preparing to host the Olympics in 2032. Other suppliers connected to the projects are improving their cyber resilience and upskilling their in-house security teams.
Challenges
The scale and importance of QTMP introduce several cyber security challenges:
- Complex multi-phase delivery of new rolling stock, with cyber security needing to align tightly with safety and systems engineering processes.
- Compliance with stringent rail standards (IEC 62443 and CLC/TS 50701) that require evidence-based, traceable cyber controls across all lifecycle phases.
- New rail manufacturing and maintenance facilities, requiring cyber secure integration of operational systems, IT/Operational Technology (OT) interfaces, and onboard train systems.
- Multinational, complex stakeholder ecosystems, including government agencies, engineering partners, operational rail providers, and certification bodies.
- The need for independent cyber security verification and validation, particularly for vulnerability assessments and penetration testing, without disrupting program timelines.
Hyundai Rotem required a structured, standards-aligned approach to cyber risk management that could integrate seamlessly with safety management disciplines and withstand regulatory scrutiny.
Solution
NCC Group set out to design and deliver a full cyber security lifecycle program tailored to QTMP. Activities spanned from early-stage system definition through to final validation and cyber security and safety case development.
System definition phase
- NCC Group reviewed QTMP’s intended cyber security management plan to ensure alignment with international rail cyber security standards.
Preliminary design phase
- The team then reviewed and facilitated the Initial Risk Assessment (IRA).
- Supported Hyundai Rotem in addressing feedback from the IRA.
- Assisted in producing Zone & Conduit models and Security Level Targets (SLT).
Detailed design phase
- Conducted the Detailed Risk Assessment (DRA).
- Elicited and refined cyber security requirements.
- Updated and matured the IRA as design progressed.
- Validated SLT and Zone & Conduit outcomes.
- Reviewed the applied cyber security design for compliance and completeness.
- Maintained full traceability of cyber security requirements for audit and certification readiness.
Testing and validation phase
NCC Group served as an independent cyber security testing partner providing:
- A vulnerability assessment
- Penetration testing
- Cyber security verification and validation activities
- Production of a required ‘Cyber Security’ and ‘Safety’ Case to support certification, compliance and overall program assurance
Ongoing support and knowledge transfer
Across all phases, NCC Group and Downer Group jointly:
- Advised Hyundai Rotem on the application and interpretation of IEC 62443 and CLC/TS 50701.
- Provided knowledge management and cyber and safety capability uplift to Hyundai Rotem’s engineering and assurance teams.
Result
NCC Group’s 20+ years of rail sector experience and deep cyber technical expertise were masterfully complemented by Downer Group’s engineering knowledge.
At the end of the project, Hyundai Rotem and the QTMP were able to:
- Gain a deepened understanding of rail cyber security standards and their practical application.
- Achieve regulatory compliance, with a structured audit trail, across all design and assurance phases of the QTMP rolling stock program.
- Strengthen their ability to implement cyber secure configurations, architectures, and controls across onboard and wayside systems.
- Position Hyundai Rotem competitively for future international opportunities beyond QTMP, due to the robust ‘safety first’ approach to implementing new cyber security procedures, and enhance their overall organizational cyber skills and knowledge.
The project establishes a scalable cyber security approach for rolling stock within Australia’s national railway — and sets a high benchmark for future digital rail programs.
“We’re incredibly proud of the cyber assurance NCC Group is providing to a project as significant as the Queensland Train Manufacturing Program (QTMP). Modernizing and digitizing the State’s public transport infrastructure is a momentous task at any given time. But it’s even more special to be involved as Australia and Queensland prepare to open their doors to the world for the 2032 Summer Olympic and Paralympic Games.
The program requires large-scale collaboration, expert engineering, and a safety‑first mindset. Working alongside Hyundai Rotem and our local engineering partners from Downer Group, we’re embedding cyber resilience and compliance into every stage of the lifecycle. This project sets a new benchmark for how 21st century rolling stock programs can confidently and safely meet emerging cyber standards.
It’s a true embodiment of NCC Group’s purpose, which is to create a more secure digital future.”
David Ludlow | NCC Group Sr. VP & APAC Market Leader