Safety meets Cybersecurity
The new EU Machinery Regulation 2023/1230 was published on June 29, 2023. This results in mandatory implementation by January 20, 2027.
Machine manufacturers will have to make some changes before this date. One of the new requirements is protection against corruption (OT security).
But what exactly does the regulation require? And how can manufacturers meet these requirements?
Operational technology (OT) refers to the hardware and software used to control and monitor machines. Machine designers must now address the issue of security.
This is because Annex III of the Machinery Regulation (MVO) contains the new section 1.1.9 entitled “Protection against corruption”, which formulates specific measures to protect machines against the corruption of the safety-related control system.
For example, it states that: “The machinery or related product shall be designed and constructed so that the connection to it of another device, … does not lead to a hazardous situation.”
These and the other provisions of EU Machinery Regulation 2023/1230 must be evaluated via the required risk assessment and controlled via risk-reducing measures.
Do standards already offer support with implementation?
While IEC 62443 focuses entirely on a holistic OT security concept, ISO 13849-1 and EN IEC 62061, which specialize in functional safety, contain no corresponding requirements.
Two special standards for OT security requirements serve this purpose:
DIN CEN ISO/TR 22100-4 and DIN IEC/TR 63074.
Requirements of DIN CEN ISO/TR 22100-4
DIN CEN ISO/TR 22100-4 deals with the framework conditions for OT security in an industrial environment.
It is an important technical report for implementing protection against corruption in accordance with the new EU Machinery Regulation 2023/1230.
The technical report formulates specific measures to protect machines against the corruption of the safety-related control system, whether via the connected device itself or via any remote device that communicates with the machinery.
In addition to technical solutions, compliance with these requirements also requires a thorough risk assessment and the implementation of risk-reducing measures.
Guidelines from DIN IEC/TR 63074
DIN IEC/TR 63074 plays an important role in the implementation of OT security requirements as part of the new EU Machinery Regulation 2023/1230.
This technical report defines detailed policies and procedures that should be followed by machine manufacturers to ensure comprehensive protection against the corruption of the safety-related control system.
By following this technical report, manufacturers can minimize risks and increase the functional safety and access security of their machines, which in turn contributes to the successful implementation of the EU Machinery Regulation 2023/1230.
DIN IEC/TR 63074 provides designers with valuable guidelines and assistance in understanding and adequately fulfilling the necessary requirements for OT security.
Technical and procedural aspects of IEC 62443
IEC 62443 is an internationally recognized series of standards on the topic of “Industrial communication networks – IT security for networks and systems”.
The series of standards is divided into the areas of General, Policies & Procedures, and Systems & Components and describes both technical and procedural aspects of industrial cybersecurity.
A key feature of IEC 62443 is its focus on all roles that are relevant to the lifecycle of an industrial automation system.
These include component manufacturers, system integrators, service providers, and operators.
The series of standards therefore does not set out any specific requirements for the protection of functional safety, but rather considers the access protection of the entire machine or system.
The concepts of IEC 62443 include, for example, security levels, which serve as technical framework conditions for systems and components and are expressed or evaluated on four levels.
The defense-in-depth approach should also be mentioned.
With this strategy, measures can be implemented on several levels.
This has the advantage that it is possible to compensate for the failure of individual measures.
There is also the Zones & Conduits method for network segmentation based on protection requirements or risk.
The ISO 2700x and IEC 62443 series of standards complement each other.
ISO 2700x deals with security management for the entire company, while IEC 62443 focuses on security concepts for industrial control systems.
Thorough risk assessment and careful implementation of measures
In summary, the new EU Machinery Regulation 2023/1230 is important and has a significant impact on machine manufacturers and their security requirements.
It has far-reaching consequences, as it focuses in particular on protection against corruption and ensuring OT security in industrial environments.
The IEC 62443 series of standards plays a decisive role in the implementation of the new Machinery Regulation.
It offers holistic concepts that take into account the security level, the defense-in-depth concept, and the Zones & Conduits method for network segmentation based on protection requirements.
ISO 2700x rounds out the series of standards.
The article also mentions two special standards for OT security requirements: DIN CEN ISO/TR 22100-4 and DIN IEC/TR 63074.
These technical reports define specific measures and policies for protection against the corruption of safety-related control systems. They thus create a bridge between functional safety and IT/OT security.
The standards and technical reports mentioned provide good support for manufacturers regarding the protection of their machines and the implementation of safe and secure operation.
By applying the standards correctly, manufacturers can help to ensure that industrial processes and systems are protected against cyberattacks and security vulnerabilities, which ultimately ensures the safety of employees, users, and the environment as a whole.
DIN IEC/TR 63074:2021-05 (VDE 0113-74:2021-05)
The standard deals with the topic of the “Safety of machinery – Security aspects related to functional safety of safety-related control systems”.
At a time when Industry 4.0 and the Internet of Things (IoT) are increasingly coming into focus, DIN IEC/TR 63074:2021-05 helps to ensure the trustworthiness and reliability of machines and systems.
By combining functional safety and cybersecurity, it lays the foundations for the future-proof design of safety-critical systems that meet the changing requirements of the modern industrial landscape:
- Convergence of functional safety and cybersecurity in safety-related control systems
- Protecting the physical safety of users and the integrity of systems from cyberattacks
- Identification of vulnerabilities and risks
- Evaluation of potential attack vectors
- Implementation of appropriate security measures
- Development of comprehensive security strategies
DIN CEN ISO/TR 22100-4:2020-12
The standard deals with the “Safety of machinery – Relationship with ISO 12100 – Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects”.
In view of advancing digitalization in the Industry 4.0 era and the increased use of the Internet of Things (IoT), DIN CEN ISO/TR 22100-4:2020-12 plays a decisive role in the design of trustworthy and safe machines.
By linking ISO 12100 and IT security aspects, it paves the way for future-proof, resilient systems that meet the changing requirements of the modern manufacturing landscape:
- Link between ISO 12100 and IT security aspects for machine manufacturers
- Protection against cyber threats in digitalized and networked machines and systems
- Holistic view of physical safety and IT security
- Identification of IT-specific risks
- Integration of IT security considerations into the development process
- Consideration of attack scenarios
- Implementation of appropriate protective measures for functional safety and IT security
- Development of resilient, future-proof machines and systems