Series of security standards IEC 62443

Normative & legal requirements for Industrial Security


The international standard series IEC 62443 “Industrial communication networks - Network and system security” shows how to achieve IT security in automation. The range of topics spans from risk analysis to requirements for secure operation and the secure development of products (security by design). As a result, IEC 62443 currently offers the best orientation guide for plant operators, machine builders and device manufacturers when it comes to implementing Industrial Security effectively.

IEC 62443 looks at five areas: the foundational Industrial Security requirements, the principle of zones and conduits, the security levels, the security lifecycle and the risk analysis.

An overview of the key parts of the standard IEC 62443, grouped by the role they address:

For component manufacturers:
IEC 62443-4-1 Development process
IEC 62443-4-2 Security functions for components

For system integrators:
IEC 62443-2-4 Directives and procedures
IEC 62443-3-2 Security functions for automation and control systems
IEC 62443-3-3 Security functions for the entire automation and control system

For operators:
IEC 62443-2-4 Directives and procedures
IEC 62443-2-1 Operation and service

Central to this is the procedure for a Security Risk Assessment, which can serve as the basis for defining tailor-made security measures. The interaction between organisational and technical measures is also emphasised. In a worst case, technical solutions alone lead to a false sense of security, as technical measures can easily be undermined by human behaviour. For example, a password only provides protection if it is also changed, not shared and not visibly attached to the device.

To meet OT security requirements, industrial automation systems require a defence-in-depth approach. Pilz uses its expert know-how to support machine manufacturers and operators with the implementation of organisational and technical requirements, particularly those of IEC 62443.

An Industrial Security concept and compliance with the standards and legal requirements significantly increases a company's cybersecurity, even at machine level.

Other standards relevant to Security

ISO/IEC TS 63074:2023

"Safety of machinery - Security aspects related to functional safety of safety-related control systems"

The central focus of this standard is the intersection between Safety and Security. As such it touches on the core of what the Machinery Regulation requires. When identifying security threats and vulnerabilities it uses the IEC 62443 series. It considers vulnerabilities in the safety controller that could be exploited by security threats (such as unauthorised access, malware or cyber attacks). The aim is to protect the safety functions so that they can actually apply their protective effect. A “defence-in-depth” principle is particularly recommended for safety.

The document defines use cases and applies appropriate threat models to them. This helps you to understand how Security threats can affect Safety. Other effects of a cyber attack are not explicitly considered.


ISO 27001 - Information Security Management Systems (ISMS)

NIS 2 deals with management of information security systems. Particular attention is paid to ISO/IEC 27001 because it is recognised worldwide as the de facto standard for information security and is certifiable. It specifies the requirements for an Information Security Management System.

We talk about information security and not IT security because all information must be protected, whether it is digital or analogue (handwritten, oral, visual), written on a piece of paper, or stored in the cloud. As a lot of information is processed using IT these days, IT security has a correspondingly important role to play.

Essentially, it’s about minimising information security risks in all areas within an organisation. So this also affects the means of production, such as machinery and OT networks.

If an organisation requires an ISMS in accordance with ISO/IEC 27001, due to external requirements (e.g. legal requirements or contractual agreements with the customer), or wants to implement one on its own initiative (e.g. to protect itself or in order to use a quality standard for public perception), it cannot ignore the subject of industrial cybersecurity.

That brings us full circle back to the standard IEC 62443, which currently offers the best framework for considering the subject of information security in the area of Industrial Security.

Security laws and regulations

The rapidly increasing threat of cyber attacks, with the potential for immense economic damage, is leading to the worldwide introduction of legal frameworks, with minimum standards for companies, industrial plants, machinery and machine components to meet. Cybersecurity is a new requirement and an absolute must, particularly for critical infrastructures.

To reduce the risks, European lawmakers have introduced new sets of rules.

Machinery Regulation

The Machinery Regulation 2023/1230 was adopted in June 2023 and will be binding in all EU states following a transition period of 42 months. The Machinery Regulation concerns manufacturers of machinery or machine assemblies, i.e. producers (OEM = Original Equipment Manufacturer) and system integrators. In future, machine manufacturers must confirm that the machinery complies with the Machinery Regulation, including security aspects. These include protection against corruption, and measures to resist malicious attempts by third parties to create a hazardous situation. Compliance with the Machinery Regulation is formally confirmed in the Declaration of Conformity. A CE mark is applied to the machine as a visible sign. Machinery that does not satisfy the requirements of the new Machinery Regulation will no longer be allowed to be sold in the EU.

Pilz has been supporting machine manufacturers with the conformity process for many years, and in almost every area: safety concept, risk analysis and risk assessment, right through to the declaration of conformity. In future we will also look at security aspects.

Second EU Directive on Network and Information Security (NIS 2) 2022/2555

The new EU Directive for Network and Information Systems (NIS 2) regulates a uniform level of protection against cyber attacks for "essential and important" entities within the EU. In contrast to the Machinery Regulation, it describes cybersecurity requirements for companies, not machines. The directive contains different requirements for different areas, depending on how significant a company is for the economy (criticality). Companies in the energy supply or rail transport sectors, for example, have high criticality. Others affected by NIS 2 include plant and machine manufacturers with more than 50 employees or an annual turnover of more than EUR 10 million, including those from less critical sectors.

Companies must take technical, operational and organisational measures to manage the risks to the security of network and information systems. This includes, among other things, the training of managers and employees. It is important to consider not only the classic office IT, but also the OT area and therefore Industrial Security.

Cyber Resilience Act (2024/2847)

The Cyber Resilience Act (CRA) aims to improve the security properties of products with digital elements. It therefore concerns manufacturers and those placing products on the market. This also includes machine manufacturers. The CRA introduces mandatory security requirements into the whole product lifecycle. It requires a duty of care for the entire life cycle, which also includes the manufacturer’s obligation to provide software updates for the operator's patch management process over a period of at least 5 years, should a security vulnerability in the product come to light. The CE marking of products requires compliance with the CRA since it came into force. Thus the CRA supplements the NIS 2 Directive and the Machinery Regulation with the products’ security properties.
